When it comes to malware attacks, one of the more common techniques is “living off the land.” Attackers use standard programs and processes to carry out these attacks, blending into the existing environment to avoid detection.
ProblemChild aims to help detect these attacks by identifying rare parent-child process chains and suppressing commonly occurring ones, since processes that are rarely spawned in an environment (and more so from a specific parent process) can indicate malicious activity. Flagging rare, potentially malicious processes also helps security and malware analysts prioritize events for analysis. The ProblemChild framework identifies these anomalous chains by leveraging multiple machine learning capabilities in the Elastic Stack.
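To make the idea concrete, here is an added example (not ProblemChild's own code, and not the Elastic Stack's ML model) that shows the core intuition in plain Python: build a baseline of how often each parent spawns each child, then suppress the common chains and surface the rare ones. The process events and the threshold below are constructed for illustration; the real framework learns this from your own telemetry rather than from a fixed cut-off.

```python
from collections import Counter

# Constructed sample process-creation events as (parent, child) pairs.
# These are illustrative only, not real telemetry from any environment.
SAMPLE_EVENTS = (
    [("services.exe", "svchost.exe")] * 40
    + [("explorer.exe", "chrome.exe")] * 20
    + [("explorer.exe", "powershell.exe")] * 10  # common from this parent
    + [("winword.exe", "splwow64.exe")] * 25
    + [("winword.exe", "powershell.exe")] * 1    # rare from this parent
)


def build_baseline(events):
    """Count how often each (parent, child) pair occurs and how often
    each parent spawns anything at all."""
    pair_counts = Counter(events)
    parent_counts = Counter(parent for parent, _ in events)
    return pair_counts, parent_counts


def score_chain(parent, child, pair_counts, parent_counts):
    """Conditional frequency of the child given the parent, i.e. the
    fraction of this parent's spawns that were this child. Lower means
    rarer for that specific parent; a never-seen parent scores 0.0."""
    total = parent_counts.get(parent, 0)
    if total == 0:
        return 0.0
    return pair_counts.get((parent, child), 0) / total


def flag_rare_chains(events, threshold=0.05):
    """Return the distinct chains whose conditional frequency is below
    the threshold, rarest first. Chains at or above the threshold are
    the 'commonly occurring' ones and are suppressed."""
    pair_counts, parent_counts = build_baseline(events)
    flagged = []
    for (parent, child), count in pair_counts.items():
        score = score_chain(parent, child, pair_counts, parent_counts)
        if score < threshold:
            flagged.append((parent, child, count, score))
    return sorted(flagged, key=lambda row: row[3])


if __name__ == "__main__":
    for parent, child, count, score in flag_rare_chains(SAMPLE_EVENTS):
        print(f"rare chain: {parent} -> {child} (seen {count}x, P={score:.3f})")
```

Note that powershell.exe is not rare in this data overall; it is rare only when spawned by winword.exe, which is exactly the per-parent view the text describes. A production version would need a large, representative baseline and would score new events against it rather than against themselves.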
In this webinar, we will provide:
- An overview of how we implemented ProblemChild in the Elastic Stack
- A deep dive into case studies that leverage the ProblemChild framework
- Results that show the effectiveness of ProblemChild at identifying living-off-the-land attacks
- Webinar slides
- Webinar: Operationalizing machine learning for SIEM
- Blog: Discovering anomalous patterns based on parent-child process relationships
- You can try hosted Kibana (and Elasticsearch) with a no-cost Elastic Cloud 14-day trial.