Skip to main content

Threat hunting behavior anomaly in Linux with Python

You can investigate suspicious activity that could be a behavior anomaly by collecting relevant machine data from your endpoint. You can use the machine data to create your own analysis. Before you start your investigation you will need to determine normal activity on your endpoint. Normal activity is the scope of functionality of the software on your endpoint during periods of low activity and high activity.

You will need some kind of software that periodically collects specific machine data from your endpoint like my software developed in Python that's available for free download at https://github.com/davidbrennerjr/server-stats-collector

Ingest one or more of the following machine data:

  • General system-wide error messages from /var/log/syslog
  • Auditing logs of application rulesets
  • Auditing logs of security contexts
  • Auditing logs of login attempts from /var/log/auth.log
  • Auditing logs of user management or group management
  • Auditing logs of password management
  • Application specific logs from /var/log
  • File system status of files and directories from stat
  • Auditing logs of package management
  • Auditing logs of configuration management
  • Raw dumps from sniffing at Layers 2-3
  • Raw dumps from /proc of kernel data structures
  • Raw dumps of kernel routing tables
  • Network services configuration files
  • Network interface configuration files
  • Headless raw dumps of active executables
  • Memory profiles of active executables
  • Summaries of memory debugging, memory management or memory profiling
  • File integrity checking with checksum matching prior to either base infection or payload infection
  • Summaries of resource utilization: physical, network, I/O, disks, processes, etc.

Do you have a suggestion about how to improve this blog? Let's talk about it. Contact me at David.Brenner.Jr@Gmail.com or 720-584-5229.

Comments

Post a Comment

Comments to this blog will be reviewed within 72 hours. No trolling please

Popular posts from this blog

OpenStack+Ceph as Software-Defined Storage

SDS reduces the costs of the management of growing data stores by decoupling storage management from its hardware to allow for centralized management of cheaper, popular commodity hardware. The example SDS ecosystem uses open source software like OpenStack as a front-end interface on top of Ceph as the resource provider of a RADOS cluster of commodity solid-state drives. OpenStack provides user-friendly wrappers for accessing and modifying underlying Ceph storage. OpenStack comes in the form of distributed microservices with RESTful API's: Block (Cinder), File (Manila), Image (Glance), and Object (Swift). Each microservice can scale-out as a cluster of stand-alone services to accommodate the varying demands of high-growth storage. With OpenStack the underlying Ceph storage can address the block storage needs, file storage needs, image storage needs, and object storage needs of datacenters adopting open source as their new norm in an industry trend for high performace and high a
1 comment
Read more

The meaning of time in reinforcement learning

Reinforcement learning (RL) is one of three basic machine learning paradigms, alongside supervised learning and unsupervised learning. Reinforcement learning is concerned with how software agents ought to take actions in an environment in order to maximize the notion of cumulative reward through the process of trial and error. In reinforcement learning an agent starts at an empty state then analyzes the available datasets according to a policy of positive states and negative states. Rather than being explicitly taught as in supervised learning the correct set of actions for performing a task, reinforcement learning uses rewards as signals for positive states and punishments as signals for negative states. The agent obtains the best path to a desirable reward as a cumulation of positive states and negative states. As compared to unsupervised learning, reinforcement learning is different in terms of goals. While the goal in unsupervised learning is to find similarities and differences
Post a Comment
Read more

Principal Component Analysis

Principal Component Analysis (PCA) is a common technique in statistical analysis, widely used for pattern recognition, data compression, image preprocessing, signal-noise analysis, and high resolution spectrum analysis. Principal Component Analysis transforms a group of activites into a set of unique components, where each component has a numerical degree of distance and relatedness from an agreed on centered component. The first component has the largest possible variance (it accounts for most of the variability in the group). Each succeeding component has the highest variance that is orthogonal to the preceding components. The transformation of the group proceeds linearly from a group with a high degree of dimensionality to a group with a low degree of dimensionality of which the components of the group with a low degree of dimensionality are uncorrelated. Principal Component Analysis is also used in the forecast of a most likely outcome through time-series analysis and regress
Post a Comment
Read more