J. @CxOSidekick, 13 tweets, 5 min read
Great talk by @ram_ssk : most talks are only about what worked in machine learning, but what about the experiments that failed?
Problem 1: on lateral movement, once the lateral movement goal is attained, it is hard to identify attackers as they are under the radar. Lots of data to start with...
Questions to narrow down whether this is a service account; then, as red teams love to go after these, when they get one the time intervals for events change.
Using RankNet to see if a benign session ranks lower than a malicious session. On-prem worked great. Not so much for cloud...
Reason for the change was the different environment; no domain controller as a central brain; have to look for different crown jewels as you are no longer looking at physical machines; Windows event logs still valuable but other sources of logs needed to get to a 'version of truth'.
Mapping the kill chain to the cloud meant expanding logs to the brains that control important stuff in the cloud.
Problem 2: PowerShell: started by asking 'what is the probability of unusual sequences?'
The problem was obfuscation of attacks.
The solution was to turn command sequences into images for analysis: this was an example of changing the detection strategy as the threat landscape changed with the rise of PowerShell obfuscation.
Problem 3: geo anomaly detection: the last 10 login locations are cached and users are challenged if the current location is new, but the rules-based system did not account for the complexity of travel patterns and company proxies, VPNs and cell phone networks.
Some thoughts on solving: look at peers and look at frequency of counts.
Then look at a reachability score based on time of travel and reachability of the location based on the last login; 70x improvement on false positives by doing this.
Great summary on all the people who need to get involved in developing industry-grade data science 👍👍
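The reachability check from Problem 3, written out as an added example; this is not code from the talk or from this thread. It caches the last 10 login locations per user, computes the great-circle distance and the speed the user would have needed since their previous login, and treats a location that several other users already log in from as shared egress (one reading of "look at peers and frequency of counts", which is how company proxies and VPNs would otherwise trip a pure new-location rule). The 900 km/h speed limit, the 50 km same-place radius, the peer threshold, the one-degree grid cell, the helper names and the sample logins are all assumptions; the talk's actual thresholds are not in the thread.

```python
# Added example (not code from the talk or the thread): a login reachability
# check of the kind described under Problem 3. All thresholds, the grid size,
# the helper names and the sample logins below are assumptions.
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
CACHE_SIZE = 10            # from the thread: last 10 login locations cached per user
SAME_PLACE_KM = 50.0       # assumed: within this radius counts as a known location
MAX_PLAUSIBLE_KMH = 900.0  # assumed: roughly airliner ground speed
PEER_THRESHOLD = 3         # assumed: a spot used by >= this many other users is shared egress


@dataclass(frozen=True)
class Login:
    user: str
    when: datetime
    lat: float
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    a = (sin(radians(lat2 - lat1) / 2) ** 2
         + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def required_speed_kmh(prev, cur):
    """Distance and the speed needed to get from prev to cur. Simultaneous or
    out-of-order events get infinite speed unless they are the same place."""
    dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    hours = (cur.when - prev.when).total_seconds() / 3600.0
    if hours <= 0:
        return dist, (float("inf") if dist > SAME_PLACE_KM else 0.0)
    return dist, dist / hours


class GeoAnomalyDetector:
    def __init__(self):
        self.history = defaultdict(lambda: deque(maxlen=CACHE_SIZE))
        self.spot_users = defaultdict(set)  # grid cell -> users seen logging in there

    @staticmethod
    def _spot(login):
        return (round(login.lat), round(login.lon))  # assumed: ~1 degree grid cell

    def evaluate(self, login):
        """Score one login against the user's cached history and their peers,
        then record it. Returns the verdict and the numbers behind it."""
        hist = self.history[login.user]
        known = any(haversine_km(h.lat, h.lon, login.lat, login.lon) <= SAME_PLACE_KM
                    for h in hist)
        peers = len(self.spot_users[self._spot(login)] - {login.user})
        dist, speed = required_speed_kmh(hist[-1], login) if hist else (0.0, 0.0)

        if not hist or known:
            verdict, reason = "allow", "cached location or first login"
        elif peers >= PEER_THRESHOLD:
            verdict, reason = "allow", "shared egress: peers log in from here"
        elif speed <= MAX_PLAUSIBLE_KMH:
            verdict, reason = "allow_new_location", "new but reachable since last login"
        else:
            verdict, reason = "challenge", "new and unreachable since last login"

        hist.append(login)
        self.spot_users[self._spot(login)].add(login.user)
        return {"verdict": verdict, "reason": reason, "peers": peers,
                "distance_km": dist, "required_kmh": speed}


def demo():
    """Constructed sample logins (not real data): alice travels London -> Paris
    plausibly, then 'appears' in Sydney two hours later; bob hits a Frankfurt
    egress that three colleagues already use; carol logs in from two continents
    at the same instant."""
    det = GeoAnomalyDetector()
    t0 = datetime(2019, 6, 3, 9, 0, tzinfo=timezone.utc)
    london, paris = (51.5074, -0.1278), (48.8566, 2.3522)
    frankfurt, sydney = (50.1109, 8.6821), (-33.8688, 151.2093)
    for i in range(3):  # colleagues behind the Frankfurt VPN/proxy
        det.evaluate(Login(f"peer{i}", t0, *frankfurt))
    out = {}
    out["alice_first"] = det.evaluate(Login("alice", t0, *london))
    out["alice_paris"] = det.evaluate(Login("alice", t0 + timedelta(hours=5), *paris))
    out["alice_sydney"] = det.evaluate(Login("alice", t0 + timedelta(hours=7), *sydney))
    det.evaluate(Login("bob", t0, *london))
    out["bob_frankfurt"] = det.evaluate(Login("bob", t0 + timedelta(minutes=10), *frankfurt))
    det.evaluate(Login("carol", t0, *london))
    out["carol_sydney"] = det.evaluate(Login("carol", t0, *sydney))
    return out


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name:15s} {r['verdict']:19s} {r['reason']}  "
              f"dist={r['distance_km']:.0f} km speed={r['required_kmh']:.0f} km/h")
```

The order of the checks is the point: a cached location is allowed outright, a spot many peers already use is treated as company egress before any travel math runs, and only a location that is both new and physically unreachable since the last login gets the challenge. The simultaneous-login case (carol) is handled explicitly because a naive distance/time division would raise on zero elapsed time, and out-of-order events from multiple log sources are common in practice.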