10:30 |
Opening Remarks
Roberto Rodriguez @Cyb3rWard0g, Principal Threat Researcher, Microsoft
|
10:45 |
Keynote - The MSTICPy Journey - the road to creating functionality to support notebooks in Infosec
The talk charts the journey from raw code in notebooks to a PyPI package: why we did this, how we decided on features to implement, the challenges of a continually growing package. We’ll finish by looking at current priorities - primarily the goal to refactor functionality to make it easier to find and use.
Ian Hellen @ianhellen, Principal Developer and Security Engineer, Microsoft
|
11:25 |
Break
|
11:35 |
Your first graph neural network: Detecting suspicious logins with link prediction
Graph neural networks are Science’s official breakthrough of the year, and we can now use them to automatically answer basic behavior questions like which user login events are suspicious. Especially exciting, new graph autoML libraries let us use these techniques with just a bit of knowledge of Python and Pandas. We will use winlogs data as an example to walk through, and describe how to use the same idea on other user logs: - What a graph neural network is and what problems they are good for - How to automatically transform logs to graphs with hypergraphs - Automatically visualizing the event graph, and as a bonus, as UMAP embeddings auto-tuned to whatever features we are examining - Preparing the graph for AI using automatic feature engineering… in one line of code - Training a GNN link prediction model on the graph using a prebuilt popular architecture - Scoring historic and new log events based on the model - Using the scores to visually understand typical behavior and visually audit surprises - How the same GNN process can be applied to other common cybersecurity and anti-fraud scenarios like account takeovers and suspicious transactions The notebook and workflow will use free OSS tools (Pandas, DGL/PyG, PyGraphistry[AI]) on free data. For participants with access to GPU notebooks, the workflow is accelerated on GPUs, and CPU-only will work too.
Leo Meyerovich @lmeyerov, CEO & Founder, Graphistry
|
12:15 |
Exploratory Threat Analytics using Jupyter Notebooks
Using Jupyter notebooks to Conduct Data analysis and tie different Actions & Tools Together.This Talk aims to Demonstrate how Notebooks could be used as a Canvas to paint your analytics/research over data and Complete a lifecycle of Alert-Investigation or Threat Analytics Objectives: 1. Calling Alerts/Data from SIEM (Elasticsearch) 2. Utilizing Data Analysis Frameworks and Libraries like Pyspark/Pandas 3. Utilizing APIs of Different Tools (EDR/Case management) all from a single Place. 4. Call VirusTotal/OSINT APIs for Reputation and Other Data Enrichment functions 5. Exploratory Analysis and Visualization Capabilities using Frameworks like Plotly 6. Create a Case for Escalated Incident-Response action As end result shows how this cycle has produced An Investigation Report. An Exploratory Hunt-Notebook A Repetitive Notebook as Re-usable component.
Saksham Tushar, Threat Detection Engineer, CRED India
|
12:55 |
Break
|
13:30 |
Magic Tricks Revealed: Demystifying IPython Magics
Jupyter notebooks support a feature called “magic commands” (aka “IPython magics”) that use a special syntax (%) for calling utility functions. This talk explains how magics work and how to write custom magics that make security analysis and research tasks more efficient. The live demo is a proof-of-concept magic command that integrates the Azure CLI with pandas for convenient evidence collection and analysis in Jupyter notebooks. The PoC code will be open-sourced under the MIT license prior to the talk.
Ryan Marcotte Cobb @detectdotdev, Principal Security Researcher, SecureWorks
|
14:10 |
Establish attacker footprint with Microsoft Defender Threat Intelligence
Microsoft Defender for Threat Intelligence, formerly RiskIQ, is a Threat Intelligence Engine that collects masses of data from the internet and crawls the internet to derive additional data creating a dense interconnected web of internet observations that can be used as signals in the art of threat intelligence, this gives the ability to see a lot of how the attacker operates. Investigations on this data are incredibly powerful allowing the discovery of infrastructure connections that could not have been seen or considered before. This visibility makes it harder for the attacker to go unidentified and theoretically making the playing field of the attacker bigger and the goal smaller! So how do you limit this scope and classify what belongs to an attacker or not? Especially when the attacker is using the same infrastructure that a normal company may use to support their needs. How do we make this large, interconnected web of threat intelligence actionable to an analyst? In this talk, we will present a notebook that address this challenge: Walking in the footsteps of attackers - Profiling compromised infrastructure using Machine Learning.
Chi Nguyen, Product Manager, Microsoft
Amritpal Singh, Security Data Scientist, Microsoft
James Duncan, Security Cloud Solutions Architect, Microsoft
|
14:50 |
Break
|
15:05 |
Cybersecurity: data holds the answer
The talk is about our new book “Cybersecurity: data holds the answer” which has our latest findings in cybersecurity data science. The book contains a set of eight research projects, which seek to guide the reader on how to use artificial intelligence in defensive and offensive perspectives. On the defensive approximation, the book includes precise experiments to develop models for detecting malware on Android devices, cryptojacking, deepfakes, and malicious botnets. In the offensive approach, models for the generation of non-legitimate multimedia content are explored, and the concept of secure learning and the application of adversarial machine learning is introduced as an approach to find the values that allow biasing the results of a machine learning model. Each project was done using Jupyter notebooks and a research methodology that allows the person to replicate the results. Finally, the code and the results can be found in the next URL i2tResearch/Ciberseguridad_web URL book: https://www.icesi.edu.co/editorial/ciberseguridad-datos/
Christian Camilo Urcuqui Lopez, Data Scientist, None
|
15:30 |
Extending MSTICPy - building your own queries and pivot functions
Alongside public/common data sources like VirusTotal, MS Sentinel, etc. SOC analysts use their own crafted queries, Python scripts and external packages to support their workflows. This session gives a quick introduction into extending MSTICPy to support this by: adding custom queries, then and adding these queries as well as custom and third-party Python functions as entity-based Pivot functions. mp.IpAddress.your_function_here()
Ian Hellen @ianhellen, Principal Developer and Security Engineer, Microsoft
|
15:55 |
Data Mining Threat Intelligence Reports
There is an ever-increasing set of threat intelligence reports produced by an ever wider number of providers. Keeping up with these reports can be a full-time job - understanding the value they provide, extracting the relevant elements and applying those to the defence of an organization an even bigger ask. In this talk we will cover how we can use Notebooks to help automate this task for us - from parsing reports, to extracting data of value, to validating it, and operationalizing it.
Pete Bryan @MSSPete, Something about security, Microsoft
|
16:20 |
Break
|
16:35 |
Analyzing billions of passwords from Breach compilation dataset using Jupyter notebook
Data breaches along with dump of sensitive information including passwords, social security and other business critical information is becoming norm in today`s digital world. This stolen information is often sold in underground community forums. This information can be further abused by the buyers in several forms such as buying goods with stolen credit card information, holding social media accounts data for ransom etc. In this presentation, we will take a look at old database dump of 1.4 billion clear text credentials which was compilation of several data breaches including sites such as yahoo.com, LinkedIn etc. The complete database is an archive of 41 GB with around 1980 files. We will take a look at how this dataset can be loaded for scalable data analysis using python and perform common data cleaning and preparation steps. We will then analyze the dataset to extract interesting insights and password trends. We will also visualize the summarized dataset. The goal of this presentation is to demonstrate how one can take real world large dataset, clean, enrich and perform data analysis at scale to extract interesting insights using Jupyter notebook.
Ashwin Patil @ashwinpatil, Senior Program Manager, Microsoft
|
17:00 |
Fun with securitydatasets.com and the Kestrel PowerShell Deobfuscator
The Kestrel Threat Hunting Language provides a composable way for conceiving and sharing threat hunts. We will walk the audience through the procedure to create huntbooks in a public Kestrel cloud sandbox (binder environment) and conduct threat hunting on data from securitydatasets.com. In this session, we will first introduce the basic Kestrel concepts and how to use the Kestrel cloud sandbox. Then we will start a Jupyter notebook using the Kestrel language kernel and exercise the Kestrel PowerShell Deobfuscator using adversarial emulation logs from securitydatasets.com. We will hunt step-by-step and explain the analytics used in the hunt. Next, we will (maybe another huntbook?). Lastly, we will show how to integrate Kestrel into existing workflows by using its Python API in a Python notebook. References: - Kestrel home repo: opencybersecurityalliance/kestrel-lang - Kestrel huntbooks: opencybersecurityalliance/kestrel-huntbook - OCA blog on Kestrel cloud sandbox: https://opencybersecurityalliance.org/try-kestrel-in-a-cloud-sandbox/ - OCA blog on PowerShell Deobfuscator: https://opencybersecurityalliance.org/fun-with-securitydatasets-com-and-the-kestrel-powershell-deobfuscator/
Paul Coccoli, Senior Software Engineer, IBM
|
17:35 |
Closing Remarks
Roberto Rodriguez @Cyb3rWard0g, Principal Threat Researcher, Microsoft
|
