
Unknown: All right, thanks everybody for staying with us throughout the day, and we're going to stop promptly at seven, maybe eight, so hopefully you brought supper. I'm just kidding. We'll do a 20-minute lightning talk, so I'll do about 10 minutes of presentation, and then hopefully I can switch over to a demo, and we'll kind of dive into threat hunting and using AI. And then afterwards, we can go over to the aquarium and swim with the sharks, I think; I'm taking my kids over there.

So a little bit about me. I work for Red Hat, but I am a technologist, so I love talking technology, and one of the things that I'm doing with threat hunting is building a container where we can use it on Kubernetes, minikube, Tanzu, Rancher. It doesn't matter what it is. My current project that I'm working on applies to my doctorate, and what I'm trying to do with threat hunting, I have a practicum, which is a project, and the dissertation. So this team threat hunting is a project that I'm working on, building out my documentation on why it's important, how it's useful. So I say I'm a technologist, even though I work for Red Hat. The key is I can take this threat hunting Kestrel as a service, and I can run it anywhere. So I have different deployment models. And so let's go ahead and dive in a little bit.

I wanted to make sure to show this slide, even though it has some of the abstract on the left-hand side. It talks about threat hunting and IBM and their thoughts on the 20% versus 80%, so that goes into threat intelligence and threat hunting. And when we think of our security operations centers, they are getting more sophisticated, throwing in AI, automation, but there's still that maybe 20%, maybe 10%, we just don't know. We still have to have a hypothesis to be examined, and that's where the threat hunting comes in, looking at those sophisticated attacks that may be occurring. We want to make sure that we know what's going on in our networks or systems. And so we do want to think some from the red team aspect, the blue team aspect; we do want to make sure that we can build hunts and know whether it's a suspicious process or not. And when I talk red team, blue team, of course, I'm not talking the election and everything going on. I'm just talking cyber.

So the takeaways that I want you to have today when I go through this talk: I want you to be able to understand the importance of threat hunting, understand what Kestrel is with the deployments, so that, takeaway three, you can go run tutorials and use a threat hunting language and deploy the container, whether it's the Ubuntu-based one or the Red Hat-based one, and you can deploy it on Podman AI, as I said, other vendor Kubernetes platforms, so open source Kubernetes, OpenShift, etc. Of course, I'm Red Hat, so I do want you to buy OpenShift. So see me after the talk. But those are the three takeaways, and if somebody throws something at me, Sam, you know, about 5-10 more minutes. I want to make sure I get through some of the topics, but I want to get into the demo, because I think it's really powerful that you can go work through some of these tutorials, simple ones, but then you can go to the Black Hat ones that are out on Open Cybersecurity Alliance, and you can start getting deeper into the different use cases.

And so my project, I included the link here. I published it out on Red Hat Research. Red Hat has a research magazine they put out bimonthly, and so I wrote an article and put that out there. This goes to the importance of why we are talking about threat hunting, because at times that's manual human intervention, looking at the hypothesis, etc. So in the article I was putting in, we have these core components of the NIST Cybersecurity Framework, and the core function that I'm concentrating on with this research and this project and the Kestrel portion. I'm working on the Kestrel as a service, so more of scaling team capability using the AI, using automation. But the Kestrel project itself is used by Palo Alto, IBM, and some of their security products.

So what I want to highlight here, though, is when we talk about that mean time to detect, I find the incidents that are occurring. But if you look at that diagram on the right-hand side, of course, you see the percentage of the attacker and what may be occurring in minutes and hours, days, etc. But if you'll notice, on the bottom are defensive cyber operations that may take an extended time to be able to find something going on. And so with this Kestrel as a service, we want the team hunting, we want the scaling, and we want to move that time frame that's on the right all the way over to the left. So this is one of those takeaways that, yeah, we have a security operations center. We have Splunk, Elastic, Graylog, whatever; we can have these nice dashboards, and they're starting to add more AI into them, but what we want to make sure we can do is have those threat hunting teams that can really examine all this data that may be coming in through these different data sources, and have these hunt flows, these steps, and of course, tie in AI and automation. But it has to be: is this a suspicious process? I need to examine it. I need to go in further. And when I think of hunt books and building out these steps, I think of Ansible and what we do with automation. I have these nice playbooks that I can share and I can reuse, and I have these tasks. That's what we want to do with threat hunting: I want to be able to share with a team what I've done with these steps and this hunt flow. But also I want to be able to stop and come back to it, and that's important with this container, and being able to deploy to a platform.

So when we talk threat intelligence and we talk threat hunting, we're focusing on that threat hunting portion. So we're looking at developing these hypotheses, looking at network, looking at systems, and then, of course, as we're building this hunt flow, being able to go back and start over. So threat intelligence being data that may have come from an attack or attempted attack, whether it's attempted or successful, and then the threat hunting kind of is coming from that: I have a trigger, I'm doing some type of investigation and, of course, remediation. But the focus here is that wait time, or not-knowing time, that mean time to detect. Before we can recover from something going on, we have to detect it, right? So that's what we're looking at here, that 20%.

So Kestrel, that I mentioned a minute ago, that is our threat hunting language. It started with DARPA and AFRL. There's Transparent Computing and Cyber Hunting at Scale; this runtime, this language, started with those two projects. It is open source. It's out on Open Cybersecurity Alliance. So you can go out to GitHub and find the Kestrel language, the analytics, what I've built, all of that out on Open Cybersecurity Alliance, and you can either run the container alone on your laptop or deploy it to a platform where it is a nice team threat hunting environment. And so what I wanted to highlight here really boils down to, as I mentioned, the mean time to detect, but hunt fast, right? In order to decrease the mean time to detect, I have to be able to hunt fast, and that means having the team doing these hunts at scale. So all of these that are listed on these bullet points here, this is tying it to crowd threat hunting. So we want to be able to reuse code, we want to be able to revise, we want to be able to share snippets, or the whole hunt flow, and all the components that I'm going to mention here in a second. They enable that through JupyterHub or single sign-on. I don't know how many here have used Jupyter, but that's what this threat hunting container is based on: that Jupyter notebook that has the Kestrel language in it that's deployed to a platform, and one of the things in the background it uses is something called STIX-shifter, which is able to pull in a lot of different data sources, so you can run your hunt flow against it.

So a lot of this material, we can go deep. So I'm not going to do that, because in a couple of minutes... what time was the session over? 4:35, okay, in about five minutes, I want to get into a demo, because I think you would enjoy seeing that and seeing where you can get the presentation. It should be pretty simple to jump into the tutorial. So what I wanted to highlight with this slide is at the top you have the threat hunter, just building out the hunt book, or the steps for the hunt flow, and putting everything in for that hunt book to run it, and the runtime is what's picking up that hunt book and executing, so that the threat hunters can concentrate on a language and let the runtime go and execute the code. So I'm not going to go through each of these concepts, as I said. We could dive deep, but when we go over to the demo, the tutorial, all of those are defined in the Hello World example; there's about 10, and I'm going to show you how this ties to AI as well. But the key here is I have these hunt flows, I have these steps, and I can tie them all together, and I can use them for a current hunt, or I can share them and use them in other hunts. And these steps, as I note here, originally the analytics would do some analysis and display, but now you can apply an analytics Python program that will communicate with ChatGPT, get a response back, and you can continue the hunt off of what ChatGPT responds, or you can even change that from using ChatGPT to using some OpenAI API, as long as it's OpenAI compatible.

And so the components that I want to mention that are in this Kestrel as a service. So keep in mind Kestrel is the language and runtime. Kestrel as a service is the deployment of a lot of different components to a platform so that it can be run at scale. But there's a Dockerfile, so one's Ubuntu-based, one is RHEL-based, and then there is Open Command and Control, so some automation, a profile that's being added there; STIX-shifter, which is data sources, connection to a lot of data sources, so a data stream I can use in these threat hunts; and JupyterHub. So JupyterHub is very important, and then it can spawn the Jupyter notebook, and that's where the hunt is going to be built, and then it will be executed. But that allows the team to build projects, threat hunting projects, and share based on RBAC. And then you have some other things, like Ansible, Keycloak, etc. So you can go read about these components more.

This slide is probably the main one that I want you to take away from the deck, and that I have development on the right-hand side, and I can go to GitHub, Open Cybersecurity Alliance; everything I need to get started, the examples, the deployment scripts, everything's over in the repo. And like I said, there is an Ubuntu image, a RHEL image, and the main reason I had to do that is the Ubuntu image easily deploys into open source Kubernetes, into minikube, into Podman or Docker. The OpenShift one is based on a data science image, and I did that because of some of the core components that had to be in the image. So on the left-hand side, it goes from a developer: I'm going to go spin up an image, and I'm going to build out a hunt book, or I want to test with a small team. I can use minikube, Helm. And then, of course, if I want to enterprise the full Kubernetes cluster or OpenShift, or I can use another vendor's platform, but we don't want to do that, right? So either way, no, I said I'm a technologist, so it doesn't matter the platform, as long as you can do the threat hunting. That's my research, my project I'm working on. Take that container, run it wherever you want. The key is the scale: spawn the containers where a team can use it, where it can be started, stopped; I can share the steps, the whole flow, so forth. So that's what's important to me.

So what you see on this slide, this walks through deploying to Podman Desktop, as well as you can do something similar with Docker. And then this is, I have all the playbooks to go deploy to minikube, as well as Kubernetes. And then I'm going to show you OpenShift. The key with the integration is there's an apply command with Kestrel, and I can call the Python program that will communicate with the OpenAI API and send an input and get an output and continue on the hunt flow. So this is an example of the suspicious process I'm going to show you real quickly: I can go analyze suspicious processes, use ChatGPT, use that as a step in my hunt book, and say this is the second part of that analytics Python code. So I'm going to keep going, because I want to show some of this, but looking into the future, including indicators of behavior, not just indicators of compromise, and doing autocomplete in the language, as well as some more flexibility for integration to the OpenAI API. And so if you want to get involved, if you go to Open Cybersecurity Alliance, there's indicators of behavior, there is STIX-shifter, there is Kestrel language, there's Kestrel as a service. So all that's open source. You're welcome to go and contribute.

So now that we have five-ish minutes, of course we could take longer if you want, but five-ish minutes, this lists the repos. I'm going to show you Podman real quick, and then OpenShift if it's still up. But you're welcome to email me, send me a message if there's anything you have trouble with, or if you'd like me to, offline or in a meeting, you know, explain how you can get it running. So we're going to try and do this demo real quick to show you. Yes, yes, please, please, please work; if not, just take my word for it, right? Yeah, yeah. Localhost always works, right? Localhost. All right, so is everybody seeing my screen? Yay. Okay, so this is an example of a developer. I'm just gonna go into Podman Desktop. I want to go over and link to a registry. You'll notice Docker Hub; I can connect to the registry, and then when I build my image, you'll notice it's set to docker.io/k people, slash, cas, dash, baseline. I can go ahead and add the image and then start the container. And if mine is still running, it is, and it is here. So when I start that container, it's already gone by, but at the top it has the token and the URL to get into it. So let's come over here to my eyes. Okay, sign here, here. So when I sign on to it, I have some Jupyter notebooks that are up. But the key is, you'll notice that it has Kestrel there. That's because that Jupyter notebook is available and can spawn.

And when I go into here, those nine tutorials are available, and then I can go in, I mentioned here's those terms, and then I can go down, and I can hit the play button up here. It runs the cell, and it'll give the output like it is here. But the main one I want to show you real quick is this code here. So it's going and getting a data stream, and it's applying that analytics Python code, and this is the prompt it's sending to ChatGPT, and then this is the answer that's coming back and saying, here's my top 10 suspicious processes from that data stream. And now I can build my hunt steps to run something else, go to a next step, go to a next hunt flow. So remember, we're building hunt books, we're building out these steps. And when we look at these tutorials like Hello World, they get progressively more complicated. If we go over to the Open Cybersecurity Alliance, somewhere, if we go over here, to the Black Hat hunting lab. You don't want to use Podman Desktop? You can just go over here and click this, and you'll connect to Binder, and you can run tutorials there from that Black Hat. And then the last part of the demo, before we have any questions, if it's still running, and it looks like it is. So what I did, over in OpenShift, and if you'll look, notice the workloads and the pods should have CAS in here. Yeah, you'll notice my workbench, my data science workbench. I had that Jupyter notebook running, and if I look over in data science, you'll see my CAS project and see that it's running. But what we just did in Podman, this is the notebook that was spawned, and now I can have other team members join, and I can use these tutorials. I can build out my hunt book, and just like it shows here, I can connect to ChatGPT, send input, get a response, continue on my hunt flow, and I can, in the next step, add an Ansible remediation or response. So if we go back to what I had listed a minute ago, if it will come up, I'll close this out.

Where'd it go? One here, whoops.

We come back over here. The core function we were concentrating on: mean time to detect. So everything I was doing in that hunt flow, this should help move the needle on the right-hand diagram, at the bottom right, to the left. So what I'm going to do right now, because I'd love to keep talking, and remember, if you go try this, this screen is what you should be coming up to. But I'm going to stop right there, because I could talk for a long time. I love technology, but let's come here in the minus one minute that we have. Are there any questions? Yes, absolutely. Yes. Splunk, Elastic, Graylog, any of those? So when I was mentioning that, hopefully, and I know I'm talking fast, when I was mentioning that earlier, when we think of 80%, a lot of those tools in the security operations center, they have known baselines. They have that threat intelligence of what's occurred in other attacks already, whether they were attempted or successful. This whole project, this whole threat hunting Kestrel as a service, that's trying to target the other portion. So this is more unrelated, or, I shouldn't say unrelated. This is that 20% that is probably not going to be found in something like Elastic or Splunk, right? It's grabbing that data. And of course, those are getting more complex or more advanced with AI and all. But this has a little bit of human intervention, because I'm looking at this data, I'm trying to do this hunt flow. I see something suspicious, and that's an entity, right? A suspicious process. So I'm trying to determine, is that a suspicious process or not, and do I currently have an incident, and what are the steps the attacker went through to get to that? So that 80%, there may be tools that are already in use. This tool is more of that percentage that are just unknown. We don't know if it's 20%, but it's that portion that is unrelated, that portion that we may not have threat intelligence on; we're doing an examination and diving more into it. So hopefully that helps. No,

all right, I
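The hunt step the speaker demos (get a process data stream, apply a Python analytics that asks an OpenAI-compatible model for the top suspicious processes, continue the hunt from the answer) sketched as an added example; this is not code from the talk or from the Kestrel project. Assumed: the prompt text, the `send` hook that stands in for the remote chat call, the function names, and a list of dicts in place of the pandas DataFrame a real Kestrel Python analytics receives; the sample rows and the offline stand-in model are constructed so the block runs without network access.

```python
"""Illustrative 'suspicious process' analytics step, like the APPLY hook in the talk.
Assumed: the prompt text, the `send` hook (stand-in for an OpenAI-compatible chat call),
and a list of dicts in place of the pandas DataFrame a real Kestrel analytics receives."""
import json
import re

# Constructed sample rows, shaped like a STIX-shifter process data stream.
SAMPLE_PROCS = [
    {"pid": 4412, "name": "powershell.exe", "command_line": "powershell.exe -EncodedCommand QQBBAA=="},
    {"pid": 512, "name": "svchost.exe", "command_line": "svchost.exe -k netsvcs"},
    {"pid": 7788, "name": "certutil.exe", "command_line": "certutil.exe -urlcache -f http://example.invalid/a"},
    {"pid": 902, "name": "explorer.exe", "command_line": "explorer.exe"},
]

def build_prompt(procs, top_n=10):
    rows = "\n".join(f"{p['pid']}\t{p['name']}\t{p['command_line']}" for p in procs)
    return (f"Rank the {top_n} most suspicious processes below. Answer only with a JSON "
            'list of objects {"pid": int, "reason": str}.\n\n'
            f"pid\tname\tcommand_line\n{rows}")

def offline_model(prompt):
    """Constructed stand-in for the remote model so the block runs offline. It flags
    encoded PowerShell and certutil downloads, plus one pid that is NOT in the input."""
    flagged = []
    for line in prompt.splitlines():
        parts = line.split("\t")
        if len(parts) != 3 or not parts[0].isdigit():
            continue
        pid, name, cmd = int(parts[0]), parts[1], parts[2].lower()
        if "-encodedcommand" in cmd:
            flagged.append({"pid": pid, "reason": "encoded PowerShell command line"})
        elif name == "certutil.exe" and "-urlcache" in cmd:
            flagged.append({"pid": pid, "reason": "certutil used to fetch a remote file"})
    flagged.append({"pid": 99999, "reason": "pid the model invented"})
    return "Here is my ranking:\n" + json.dumps(flagged)

def rank_suspicious(procs, send=offline_model, top_n=10):
    """Ask the model, then keep only pids that exist in the data stream: the reply is
    untrusted input to the hunt, so it is validated before the next step uses it."""
    reply = send(build_prompt(procs, top_n))
    match = re.search(r"\[.*\]", reply, re.S)
    if not match:
        raise ValueError("model reply contained no JSON list")
    by_pid = {p["pid"]: p for p in procs}
    ranked = []
    for item in json.loads(match.group(0)):
        proc = by_pid.get(item.get("pid"))
        if proc is None:  # hallucinated pid: never act on it
            continue
        ranked.append({**proc, "reason": str(item.get("reason", ""))})
    return ranked[:top_n]

def analytics(procs):  # hunt-step-shaped entry point: every row comes back with a flag
    flagged = {r["pid"] for r in rank_suspicious(procs)}
    return [{**p, "suspicious": p["pid"] in flagged} for p in procs]
```

Swapping `send` for a real client call is the only change needed to point this at ChatGPT or any OpenAI-compatible endpoint; the pid check is what keeps a fabricated answer from driving an Ansible response step.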