Graph Based Queries

Because attackers think in graphs, Grapl provides a graph-based query interface for building out attack signatures. Grapl makes it simple to analyze and express complex behaviors with a simple, powerful language - Python. The combination of graph queries and Python means unlimited power for expressing attacker behaviors.

As an example, we can describe a ‘dropper’. Droppers are small malicious programs whose job is to bootstrap the true malicious payload. They are an extremely common tool for attackers, but can be difficult to detect in standard systems due to how many distinct behaviors they encompass.

With Grapl it’s simple to express the fundamental behavior of a dropper, and start tracking any “dropper-like” programs using the following query:

ProcessQuery()    # Any process
.with_external_connections()    # With traffic to external IPs
.with_created_files(  # That has created files
         FileQuery() .with_spawned_from()      # Where those files have executed
)

In just a few lines of code we’ve described a complex, multi-stage attacker behavior.

With graph based querying, Grapl can catch even the most complex attacks with just a few lines of code.

Confidence in Alerts

It isn’t uncommon for Detection Engineers to build hundreds of attack signatures. MITRE’s ATT&CK Framework alone describes well over one hundred distinct detections, and that’s just the tip of the iceberg. Describing all of these attacks can easily amount to thousands of lines of queries.

SIEMs or other vendor products that use bespoke query languages make managing all of these queries difficult. Concepts like linting, unit tests, code review, or even version control are simply not baked into their systems.

Unlike most products out there, Grapl uses Python for its query language - one of the most popular, supported programming languages in the world. This allows users to tap into the massive Python library and tooling ecosystem and follow standard engineering best practices. Whether it’s unit testing in CI/CD, linting your code for common mistakes or anti patterns, or even applying static analysis tools to weed out bugs, Python’s ecosystem has you covered.

Here you can see mypy, a static type system for Python, finding an error with this query before it’s run, speeding up our iteration cycle and reducing bugs that make it to production.

By allowing you to follow best practices for code maintenance,
Grapl drastically reduces maintenance burdens and increases confidence in your ability to detect an attack.

Risk Based

It isn’t uncommon for Detection Engineers to build hundreds of attack signatures. MITRE’s ATT&CK Framework alone describes well over one hundred distinct detections, and that’s just the tip of the iceberg. Describing all of these attacks can easily amount to thousands of lines of queries.

SIEMs or other vendor products that use bespoke query languages make managing all of these queries difficult. Concepts like linting, unit tests, code review, or even version control are simply not baked into their systems.

Unlike most products out there, Grapl uses Python for its query language - one of the most popular, supported programming languages in the world. This allows users to tap into the massive Python library and tooling ecosystem and follow standard engineering best practices. Whether it’s unit testing in CI/CD, linting your code for common mistakes or anti patterns, or even applying static analysis tools to weed out bugs, Python’s ecosystem has you covered.

Here you can see mypy, a static type system for Python, finding an error with this query before it’s run, speeding up our iteration cycle and reducing bugs that make it to production.

By allowing you to follow best practices for code maintenance,
Grapl drastically reduces maintenance burdens and increases confidence in your ability to detect an attack.

Pluggable

Grapl is built first and foremost as a pluggable platform. Grapl runs on AWS, which means you can easily spin up new resources, such as SQL databases or KV stores, to augment your analytics.

Grapl’s Plugin system allows you to add your own graph constructs to Grapl, extending Grapl to clean any of the data you provide to it, and build out powerful new analytics on top.

Plugins like Grapl’s Inter-Process Communication or OS User plugins can be used easily to create new, powerful analyzers and investigation tools.

Here you can see the IPC plugin at work, detecting a suspicious communication to ssh-agent, indicating an agent hijacking attack.

Using Plugins is a first class experience - here you can see the query used to find non-ssh IPC to ssh-agent or sshd

Notebook Investigations

The Jupyter Notebook has been a staple of the data science community for years, acting as the foundational tool for investigating data. The notebook provides a powerful interactive Python interface to data, allowing for quick iteration and in depth exploration.

Grapl puts the powerful capability of a Jupyter Notebook front and center for your incident response, and combines it with its graph based approach.

Notebooks are used to pivot off data in your suspect graph and explore the information more deeply, while Grapl provides a realtime graph visualization of the data you’re working with.

Here we can see an investigator pivoting off of some suspicious data, quickly adding new context to the graph.

And, correspondingly, Grapl’s graph visualization immediately shows the new context.

By combining the exploration power of a Jupyter Notebook with the visual and pivoting capabilities of a graph, Grapl can speed up investigations and help you quickly scope attacks.

Code First Detentions

Most systems in the past have focused on binary “Good" or “Bad" determinations with an alert based system on top of them. This approach forces detection engineers to spend all of their time maintaining whitelists, because the cost of a signature matching benign behavior can be significant.

Grapl throws this binary model away. Instead, it provides a gradient risk based system, with automated correlation to build up risk profiles. By providing a concept of risk detection engineers can focus on modeling attacker behavior, rather than modeling every single possible user behavior - rather that constantly maintaining whitelists, or disabling alerts altogether, you can simply adjust your risk score.

Every analyzer in Grapl has an associated risk score. Grapl will automatically correlate the outputs of individual analyzers together to create a composite risk score for the asset, user, or any other specified correlation points.

Here we can see the composite risk where our correlation point is a user’s desktop machine. cmd.exe is involved in two distinct analyzers, svchost.exe and dropper.exe, and so its risk score is significantly higher than just the discrete risks of those two analyzers.

By increasing risk based on overlapping analyzer outputs Grapl’s correlation will quickly lift up particularly suspicious behaviors, and benign, one-off user behaviors will fade into the background. This means no more wasted time triaging endless false positives, no more maintaining massive whitelists, and more time to focus on truly suspicious behaviors.