FloCon 2019

Both successful intruders and internal abusers of computer networks seek to move laterally in an enterprise network, to discover other sources of valuable information; detection of lateral movement remains a valuable analytic for cybersecurity analysts. We calculate maximum independent set, an NP-hard graph kernel, on a graph composed of point-to-point (e.g., ssh and RDP) connections, to detect lateral movement. In addition to assessing whether the atypical lateral movement is tree-like and suspect, we display it in the network graph context so an analyst can judge the likely risk. We seek data with known lateral movement to validate the analytic. This work extends the cybersecurity trend of applying more computing to a smaller fraction of the data, such as O(n^2) analytics like betweenness centrality. This trend anticipates the rapidly growing computational performance of early quantum computers from D-Wave Systems, enabling use of graph kernels with exponential computational cost on small (by cyber standards) datasets. We discuss the implications of using these more compute-intense kernels.

Attendees will Learn: 

• How a set of analytic kernels that detect global characteristics and that analysts may not have considered are useful
• Add an additional tool to the analytic toolbox

In the cyber security arena, many events of interest occur in conjunction with network connection events. For example, a connection to a suspected malware command and control node might proceed a hidden process disabling security logging on a compromised computer. Associating such malicious events with their related connections is a critical task in network forensics. Often times a suspicious connection can tip off investigators to previously overlooked events and vice versa. However, in many cases, associating events with corresponding connections is difficult due to network layering, dynamic addressing, or gaps in sensor coverage. Inevitably, the investigator will invoke timestamps to help correlate events with possible connections. In this presentation, we discuss automating this approach with a Time Based Correlation big data analytic that uses a statistical approach to gauge independence in events and possibly related connections. We include the results of a validating discrete event simulation that identifies under which conditions this approach provides the best performance and fewest false positives. We discuss scaling this analytic to the DoD enterprise level and its use in helping detect various anomalies.

Attendees will learn:
Attendees will learn how to automate the use of statistics to help link events and connections in a timeline during an incident or forensic investigation. This includes under which conditions time can be definitive in linking events and when it must be combined with other methods.

A quantum approach to malware eradication addresses the needs of organizations, which are facing a shortage of cybersecurity staff and resources, to tackle the increasing and dynamic cyber threat they are facing in a distributed and mobile computing environment. This approach closes the existing security gap and provides entities with a layer of security and protection between end-user and the Internet. It also provides a new sensing capability to provide a novel vantage point for threats in near real-time while sharing that visibility through standardized methodologies. The quantum approach to malware eradication inverts current common practices through the rewrite of binaries and documents to drive inbound and outbound files into compliance with permitted behaviors—an organization’s pre-established file risk parameters. This approach borrows from a variety of reductionist models introduced over the last few decades across the physical, biological and social sciences to analyze, describe and at times control the emergent properties of complex adaptive systems at their most fundamental, constituent levels. Positing that a file, including its content and behavior, emerges from the complex interactions of its constituent parts, the approach reduces it to predictable building-blocks and then regenerates them in accordance with a controlled, pre-established rule set without an impact to content, but with risk-based behavior controls. Interdicting files before they reach an endpoint, the quantum approach offers the opportunity to significantly reduce the vulnerability introduced into enterprises by the human user who is susceptible to a variety of social engineering attacks. It is the ultimate “left of boom” method that eliminates as much malware as all retroactive detection methods combined with no human interaction. Combining these methods is the future. It is scalable such that small- and medium-sized organizations can afford it, and it is flexible such that it can be applied across multiple use-cases.

Attendees will Learn:
​​​​Quantum rewrites of binaries and documents to support permitted behaviors is the inverse of malware response where content needs to be detected, analyzed and/or detonated. It is the ultimate “left of boom” method that eliminates as much malware as all retroactive detection methods combined with no human interaction. The goal is to inform the attendees that using a 'pass only known good' methodolgy through a quantum approach simplifies the solution and the future of information security will benefit from an inverted approach to security.