#BHUSA BlackHatEvents

Autonomous Timeline Analysis and Threat Hunting
AI Log Reasoning Capability in Timesketch

Alex Kantchelian, Marteen Van Dantzig, Diana Kramer, Janosch Köpper, Eric Morley, Sadegh Momeni, Yanis Pavlidis, Elie Bursztein, with the help of many Googlers

4,000,000
Average number of events on a freshly installed Windows server

Agenda
- Sec-Gemini's Log Reasoning Capability
- Forensics 101
- The Log Volume Problem
- Timesketch with Sec-Gemini
- Evaluation

The Log Volume Problem
Finding the needle in a haystack

Anatomy of a Windows 2022 Base Image
- 3.1M filesystem events (e.g. file creation/modification)
- 400k registry events
- 350k UsnJrnl events
- 50k executable events
- 40k exec events (per day)
- 4,000,000+ events in total
Excludes sources like netflow, DNS, and other system logs.

The log volume problem
- Attackers can look like normal users
- One attack creates a dozen log types
- The signal is buried in the noise

Forensics 101
and how we do it at Google

Three phases of forensics
- Collection: fetch artifacts such as disk images, process executions, and event/auth logs
- Processing: convert into a friendlier format; parse, normalize, and enrich data
- Analysis: review artifacts, explore the timeline, and check for indicators

Forensics with open source tools
- Collection: libcloudforensics collects artifacts from cloud providers
- Processing: Plaso builds timelines from collected artifacts
- Analysis: Timesketch enables collaborative timeline investigations

Forensics with open source tools (pipeline diagram)
mvd-gcp-project -> GCE disk image (copy) -> /tmp/disk-