Sean Mason, Director, Threat Management. Mar 10, 2017
Reducing Complexity & Designing for Scale: Enhancing IR
Sean A. Mason, @SeanAMason, www.SeanMason.com
• Florida resident
• Developer for 10 years
• Auditor for 2 years
• IR for 10 years
• 7 certifications
• ISC2 SME
• BS & MBA
Career Highlight: Briefing Jeff Immelt & The Board of GE at 30 Rock in NYC
Agenda
• Integrated Threat Defense Foundation
• Complexity
• Integration, Consolidation, and Automation
• Other Critical Aspects
• Metrics
• Closing
ITD Foundation
(Diagram: a Single Pane in the centre, fed by IMSRT, a Wiki Repo, IDB, IPS, Suspect External SSH, Internal SSH, ESA, HIPS and SIEM. Connections are labelled "automated" or "automated & manual"; Workflow Management and Knowledge Management sit around the edge.)
IR Evolution & Maturity
“Threat Management Maturity”, Sean Mason, bit.ly/IRMaturity
Maturity Level: Ad-hoc | Maturing | Strategic
(As Needed | Part-Time | Dedicated | Full-Time | SOC/IR+ Fusion)
CMM Equivalent: Initial | Repeatable | Defined | Managed | Optimized

Existing IR Capabilities (by CMM level)
People:
  Initial: 0
  Repeatable: 1-3; Specialization
  Defined: 4+; Formal roles
  Managed: 10+ (may include MSS); Shifts (possible 24x7)
  Optimized: 15+; Intel, SOC, and IR Teams
Process:
  Initial: Chaotic and relying on individual heroics; reactive
  Repeatable: General purpose run-book; Tribal knowledge
  Defined: Situational run books, some consistency; Email-based processes
  Managed: Requirements and Workflows documented as standard business process; Some improvement over time; Process is measured via metrics; Some automation; Minimal Threat Sharing; Shift turnover; SLAs
  Optimized: Processes are constantly improved, automated, and optimized; Broad Threat sharing; Hunt teams
Technology:
  Initial: AV; Firewalls; IDS/IPS
  Repeatable: SIEM; Sandboxing
  Defined: Continuous Monitoring; Endpoint Forensics; Tactical Intelligence
  Managed: Malware Analysis; Additional Intelligence; Some Integration
  Optimized: Intel+IR Drives Security Program; Focus on Integrations; Strategic Intelligence; Coordination with Physical Security/Intelligence
Dynamic Threats
Threat | Objective | Example | Skill | Potential Data Targets | Named Actors
State Sponsored/APT | Economic, Political Advantage, Destruction | Intellectual Property Theft, DDOS | Very High | Intellectual Property, Negotiation, National Intelligence | APT1, Energetic Bear
CyberCrime | Financial Gain | Credit Card Theft | High | Credit Card Data, Personal Identifiable Information, Health Records | Russian Business Network (RBN)
Hacktivism | Defamation, Destruction, Press & Policy | Website Defacements, DDOS | Low - Med | Access to the Network, Compromising Information | Syrian Electronic Army, LizardSquad, Anonymous
Nuisance | Access & Propagation | Botnets & Spam | Low | Sensitive Information, Vulnerable Data | General Malware
Insiders | Revenge, Destruction, Monetary Gain | Destruction, Theft | Med | Intellectual Property, Compromising Information | Jimmy, Suzy, Sally, Johnny
Attackers Are Easily Exploiting & Bypassing Point Solutions
(Diagram: isolated point solutions around the Data: NGIPS, Malware Sandbox, IAM, Antivirus, IDS, Firewall, VPN, NGFW.)
Only an Integrated Threat Defense Can Keep Pace
(Diagram: Data at the centre, surrounded by Visibility, Context, Intelligence and Control, feeding a Systemic Response.)
Reduce Time to: Detection, Containment, Mitigation, Response
Integrated Threat Defense Architecture: Faster Time to Detection, Faster Time to Remediate
Visibility | Control | Intelligence | Context
Complexity
Fragmented Security Market: 45+ security vendors for some customers
Complexity: 558 security vendors at 2017 RSAC (450 : 373)
Fragmentation
(Chart of capabilities against complexity over time, with a "Goal for Effective Security" marked.)
• Increase in Capabilities: over time, adding incremental solutions has plateauing capabilities
• Adding on Complexity: at the cost of additional complexity
Integration, Consolidation, & Automation
The Path to Effective IR Requires: Integration, Consolidation, Automation
Starting with something like this…
(Diagram of disconnected tooling. Groups: Communications, Collaboration and other IT Systems; Investigation/Monitoring; Telemetry Sources; Third Party Solutions; Service Management. Components: Web Tools, SIEM, Enrichment Feeds, Cloud Services, Hosted WAF, NW DDoS Protections, Linux Open Source Tools, IM, NGIPS, NGFW, Antimalware, Web Proxies, Vuln Scan, Email Sec, Virtualized Infrastructure, Wiki, Collab Tool, Ticketing, CMDB, Training Platform, Log Collector, Log Mgmt.)
Evolving to this…
(Diagram of the integrated target state. Groups: Infrastructure Under Investigation; Breach Remediation; Communications and Collaboration Systems; Investigation, Monitoring & Response; Intel and Enrichment; Telemetry and Other Data Sources; Third Party Solutions; Service Management. Components: Security Monitoring, Analytics and Response Suite; AV Intel Providers; Cloud Infra; Service Provider Solutions; Digital Forensics Tools; Security Case Management; Enrichment Providers*; Threat Intel Providers; Threat Intelligence Platforms; Malware Analysis; Knowledge Base; Log Management; Native Logs; Cyber Security Controls; Wiki; Comm & Collab Apps; Internal Infra; Ticketing; Training Platform; Other Sources; Other Infrastructure.)
Integrated Processes: Intel-driven risk mitigation
(Process diagram with these nodes: Sources, Collection, Intel Analysis, Strategic Intel, Tactical Intel, Prevention, Detection, Triage, Analysis, Response, Containment, Lessons Learned, Hunting, Other Functions.)
“IR Process Today”, Sean Mason, bit.ly/IRProcessImg
The Path to Effective IR Requires: Integration, Consolidation, Automation
Consolidation
“Also, I’ve seen a looooooooooooong list of vendors that are a feature – an engine to match TI to logs/flows [SIEM does this, even if not yet at scale], UBA for one particular use case, web proxy log analyzer [because, dude, proxy logs are SO important! :-)], etc. Sorry, but these products are all destined to die, and maybe the lucky few are to be acquired by larger vendors missing exactly that one feature…” - Dr. Anton Chuvakin, Gartner
Features?
Indicator types by kill-chain phase (Created by David Bianco, GE-CIRT)
Recon: File; File – Name; URI – Domain Name; URI – URL; HTTP – GET; HTTP – UA String; Address – e-mail; Address – ipv4-addr
Weaponization: File; File – Path; URI – URL; Behavior
Deliver: File; File – Path; File – Name; URI – Domain Name; URI – URL; HTTP – POST; Email Header – Subject; Email Header – X-Mailer; Hash – MD5; Hash – SHA1; Address – e-mail; Address – ipv4-addr; Behavior; Win Registry Key
Exploitation: File; File – Name; URI – Domain Name; URI – URL; Hash – MD5; Hash – SHA1; Address – cidr; Address – ipv4-addr; Code – Binary Code; Win Process; Win Registry Key
Installation: File; File – Path; File – Name; URI – Domain Name; URI – URL; HTTP – GET; HTTP – UA String; Hash – MD5; Hash – SHA1; Address – e-mail; Address – ipv4-addr; Behavior; Win Process; Win Registry Key
C2: File; URI – Domain Name; URI – URL; HTTP – GET; HTTP – POST; HTTP – UA String; Hash – MD5; Hash – SHA1; Address – e-mail; Address – ipv4-addr; Behavior; Win Registry Key; Win Service
Act on Objectives: File; File – Path; File – Name; URI – Domain Name; URI – URL; Hash – MD5; Hash – SHA1; Address – ipv4-addr
Prevention & Detection Scenarios
Created by David Bianco, GE-CIRT
(Same indicator table, colour-coded per cell.) Notes: one colour marks that security solutions are able to investigate, analyze and monitor this indicator type; the other marks that security solutions are unable to track this indicator type. These areas represent gaps.
Platform Strengths (ex. IDS)
Created by David Bianco, GE-CIRT
(Same indicator table, colour-coded for what the platform can track; legend as above.)
Aggregated View
Created by David Bianco, GE-CIRT
(Same table with all platforms combined across Recon, Weaponization, Deliver, Exploitation, Installation, C2 and Act on Objectives. Indicator types called out: HTTP – UA String; File; File – Path; URI – URL; Email Header – Subject; Email Header – X-Mailer; Hash – MD5; Hash – SHA1.)
Coverage Gaps
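Added example, not from the deck or from Bianco's table: a small Python model of the coverage-gap analysis above. The phase-to-indicator lists are a constructed subset of the table (ASCII hyphens in the names) and the per-platform capabilities are assumed; it reports one platform's gaps, the aggregated view once platforms are combined, and the remaining coverage gaps.

```python
from typing import Dict, List, Set

# Indicator types worth tracking at each kill-chain phase: a constructed
# subset of the Bianco table, with ASCII hyphens in the names.
PHASE_INDICATORS: Dict[str, Set[str]] = {
    "Recon": {"URI - Domain Name", "HTTP - UA String", "Address - ipv4-addr"},
    "Deliver": {"File - Name", "Email Header - Subject", "Hash - MD5", "Address - e-mail"},
    "Installation": {"File - Path", "Hash - SHA1", "Win Process", "Win Registry Key"},
    "C2": {"URI - URL", "HTTP - POST", "HTTP - UA String", "Win Service"},
}

# What each point solution can investigate and monitor (assumed for the
# example, not vendor data; these are the coloured cells on the slide).
PLATFORM_COVERAGE: Dict[str, Set[str]] = {
    "IDS": {"URI - Domain Name", "URI - URL", "HTTP - UA String",
            "HTTP - POST", "Address - ipv4-addr"},
    "Email Sec": {"Email Header - Subject", "Address - e-mail", "Hash - MD5", "File - Name"},
    "Endpoint": {"File - Path", "Hash - SHA1", "Hash - MD5", "Win Process", "Win Registry Key"},
}


def _covered_by(platforms: List[str]) -> Set[str]:
    """Union of everything the given platforms can track."""
    return set().union(*(PLATFORM_COVERAGE[p] for p in platforms))


def platform_gaps(platform: str) -> Dict[str, Set[str]]:
    """Per-phase indicator types one platform cannot track (the 'Platform Strengths' slide)."""
    covered = _covered_by([platform])
    return {phase: wanted - covered for phase, wanted in PHASE_INDICATORS.items()}


def aggregated_gaps(platforms: List[str]) -> Dict[str, Set[str]]:
    """Phases with indicator types still untracked once the platforms are combined
    (the 'Aggregated View' and 'Coverage Gaps' slides)."""
    covered = _covered_by(platforms)
    return {phase: wanted - covered for phase, wanted in PHASE_INDICATORS.items()
            if wanted - covered}


def coverage_ratio(platforms: List[str]) -> float:
    """Fraction of wanted (phase, indicator) cells tracked by at least one platform."""
    covered = _covered_by(platforms)
    total = sum(len(wanted) for wanted in PHASE_INDICATORS.values())
    hit = sum(len(wanted & covered) for wanted in PHASE_INDICATORS.values())
    return hit / total


if __name__ == "__main__":
    everything = list(PLATFORM_COVERAGE)
    for phase, missing in aggregated_gaps(everything).items():
        print(f"{phase}: gap -> {sorted(missing)}")
    print(f"coverage with all platforms: {coverage_ratio(everything):.0%}")
```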
The Path to Effective IR Requires: Integration, Consolidation, Automation
Automation
(Diagram: AMP and Firepower deployed at HQ, branches, roaming and off-net endpoints and the IR team, alongside Lancope and AMP4FP, connected over the Internet.)
• Intelligence collected & stored at the Talos level
• Signatures created & pushed out globally
• Maximum coverage across the environment quickly
Other Critical Aspects…
Internal Communications
Incident Severity | Communications Rhythm | Audience
Grave (KC7) | Within 1hr – Conf. Call; 2x Daily – Conf. Call; COB Daily – E-mail | COO, CSO, CIO, General Counsel, Director of PR, CISO, Director of IR, Chief Security Architect
Significant (KC6) | Within 1hr – E-mail; COB Daily – E-mail | CISO, Director of IR, Chief Security Architect
Benign (KC1-5) | As needed or upon escalation | Director of IR, Security Manager
Communication
• Communicate broadly, engage others
• Communication template, rhythm and formats
• Mobile technology and speed of information
“Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains”, Lockheed Martin, bit.ly/killchain
Containment
• Who can access compromised devices?
• How will you track down the devices?
• When do you contain?
• Who makes the containment call?
• What method(s) will you use?
“Focus on IR Fundamentals: Containment”, Sean Mason, bit.ly/IRContainment
Analysis Infrastructure
• Analysis Servers (CPU + RAM): Cisco UCS-C240, 2.3GHz, 18 cores, 200GB RAM
• Storage (TB/PBs)
• Responder Laptops: MBP & Custom Gaming, ORIGIN PC (Miami, FL)
“What’s in Your IR Go-Bag?”, Shelly Giesbrecht, bit.ly/IRGoBag
Recurring Testing
• Paper Test – Ensure all documentation, templates, etc. are properly updated.
• Table Top Exercise – Verbally walking through a number of different IR scenarios.
• Simulated Incident – A more invasive test that leverages a Red Team to simulate an attack (or utilize existing malware samples). Allows for a more comprehensive test of IR.
“Table Top Exercises for IR”, Sean Mason, bit.ly/IRExercises
Metrics
Dwell Time | Business Impact Time | Contain Time
IR Measured Cycle Times: Event (Event Time) → Triage (Detect Time) → Report (Report Time) → IR Actions (Contain Time) → Remediation (Remediation Time)
Event Analysis: Event → Report → Contain → Remediate
• How fast did we find it?
• How fast did we respond to it?
• How fast did we fix it?
“Incident Response Metrics”, Sean Mason, bit.ly/IRMetrics
Dwell & Contain
“Incident Response Metrics”, Sean Mason, bit.ly/IRMetrics
(Charts: Dwell Time in days on a 0–400 scale; Avg Time to Contain in hours on a 0–40 scale; Monthly Contain Time in hours per incident on a 0–20 scale, with the outliers called out: "Outliers!")
Intel & Detection
“Incident Response Metrics”, Sean Mason, bit.ly/IRMetrics
(Charts: Intel Source Success by source (In-House, Talos, Vendor1, Vendor2) showing False Positives, Incidents and Success Rate on a 0–100% axis; Detection Success by detection source (SIEM, IDS, DLP, Users, AV, MIR) showing False Positives, Incidents and Success Rate; Incident Detection by the same sources showing Incidents and % of Incidents.)
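Added example, not from the deck: the cycle-time and detection-source metrics from the Metrics slides computed in Python over constructed alert records. Assumed definitions: dwell = detect minus event, contain = contain minus detect, remediate = remediate minus contain, and a source's success rate = incidents / (incidents + false positives); the outlier rule (contain time more than z standard deviations above the mean) is also an assumption.

```python
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, List

FMT = "%Y-%m-%dT%H:%M"

# Constructed alert records: one row per alert; cycle timestamps only on true incidents.
ALERTS: List[dict] = [
    {"id": 1, "source": "SIEM", "incident": True, "event": "2017-01-02T08:00",
     "detect": "2017-01-05T08:00", "contain": "2017-01-05T12:00", "remediate": "2017-01-07T12:00"},
    {"id": 2, "source": "IDS", "incident": True, "event": "2017-01-10T00:00",
     "detect": "2017-01-10T06:00", "contain": "2017-01-10T08:00", "remediate": "2017-01-11T08:00"},
    {"id": 3, "source": "Users", "incident": True, "event": "2016-12-01T00:00",
     "detect": "2017-01-20T00:00", "contain": "2017-01-21T16:00", "remediate": "2017-01-25T00:00"},
    {"id": 4, "source": "SIEM", "incident": False},
    {"id": 5, "source": "SIEM", "incident": False},
    {"id": 6, "source": "IDS", "incident": False},
]


def _hours(start: str, end: str) -> float:
    return (datetime.strptime(end, FMT) - datetime.strptime(start, FMT)).total_seconds() / 3600


def cycle_times(alert: dict) -> Dict[str, float]:
    """Dwell (days), contain (hours) and remediate (hours) for one incident.
    Assumed definitions: dwell = detect - event, contain = contain - detect,
    remediate = remediate - contain."""
    return {
        "dwell_days": _hours(alert["event"], alert["detect"]) / 24,
        "contain_hours": _hours(alert["detect"], alert["contain"]),
        "remediate_hours": _hours(alert["contain"], alert["remediate"]),
    }


def contain_outliers(alerts: List[dict], z: float = 1.0) -> List[int]:
    """Incident IDs whose contain time is more than z population std devs above the mean."""
    times = {a["id"]: cycle_times(a)["contain_hours"] for a in alerts if a["incident"]}
    mu, sigma = mean(times.values()), pstdev(times.values())
    return [i for i, t in times.items() if sigma > 0 and t > mu + z * sigma]


def source_success(alerts: List[dict]) -> Dict[str, float]:
    """Per detection source: incidents / (incidents + false positives), the chart's success rate."""
    counts: Dict[str, List[int]] = {}
    for a in alerts:
        tally = counts.setdefault(a["source"], [0, 0])
        tally[0] += int(a["incident"])
        tally[1] += 1
    return {src: hits / total for src, (hits, total) in counts.items()}
```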
Closing Thoughts
Lessons Learned
Kill Chain | Actor Action | Failure Mode | Mitigation Action
Reconnaissance | Used commercial web scanner | Potential gaps in threat tool & scanning capability | Establish detection capability
Weaponization | SQLI on vulnerable ASP page to gain admin access | Could not detect SSL traffic; vulnerable to SQLI | Explore Secure Development & Application Security Assessments
Delivery | | |
Exploitation | | |
Installation | IIS web service used to upload web shell | Failure to restrict file upload types or configure web server to not execute uploaded files | Explore Secure Development & Application Security Assessments
C2 | Used web shell on initially compromised host | Could not detect SSL traffic |
Actions on Intent | Accessed “info.txt” which held admin account information | Management scripts failed to delete “info.txt” after running | Scripts retired and environment scanned
“Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains”, Lockheed Martin, bit.ly/KillChain
Organizational Sustainability & Elasticity
• “There simply isn’t enough talent”
• Don’t hire all Senior talent
• Quit complaining - go do something!
• Outsource
• Develop a pipeline of students & interns
• Don’t be a school snob
• Help schools design their InfoSec programs!
  https://www.iad.gov/nietp/reports/current_cae_designated_institutions.cfm
• Provide opportunities both ways
• Give your mid-level folks opportunities
• Bring in talent outside of IR
Resources
Cisco Incident Response Team: if you are currently experiencing an incident, please contact us at 1-844-831-7715 or email [email protected]
Cisco Security Services: https://cisco.com/go/securityservices
Blogs: https://blogs.cisco.com
Sean Mason, @SeanAMason, https://SeanMason.com