A Day in the Life of a Security Analyst. Your Guides Jer Kong Tony Townsend UVa Information Security

Transcription

1 A Day in the Life of a Security Analyst Your Guides Jer Kong Tony Townsend UVa Information Security

2 Many Differing Perceptions of Our Role

3 What Our Mothers Think We Do

4 What Our Wives and Kids Think We Do

5 What UVa Faculty, Staff & Students Think We Do

6 What UVa Administration Thinks We Do

7 What We Really Do

8 How Security Alerts Are Supposed to Work Preparation Identification Containment Remediate Eradicate Lessons learned

9 Preparation - Where Do We Get the Alerts? Multiple sources, monitoring points Flowtraq, FireEye, Splunk, Secureworks Inbound vs. outbound User reports And then there s the Batphone

10 How Is That Data Displayed? Log files Verbose, very eye-straining Dashboards And lots of them, all different

11 Splunk Dashboard - Example

12 FireEye Alerts - Example

13 SecureWorks Incidents - Example

14 FlowTraq - Example

15 Splunk Log - VPN Sessions - Example

16 10/22/2017 VirusTotal Sign in 49 engines detected this file 49 / 67 SHA a1ad83bd25a3f581049a45a5056b27d7a3dd37d3904f83 File name flash8.0adobeflash8.0@153_6400.exe File size 1.22 MB Last analysis :19:07 UTC Community score -49 Detection Details Relations Behavior Community Ad-Aware Gen:Variant.Razy AhnLab-V3 PUP/Win32.Generic.C ALYac Gen:Variant.Razy Antiy-AVL RiskWare[Downloader]/Win32.AGeneric Avast Win32:Adware-gen [Adw] AVG Avira AVware BitDefender Win32:Adware-gen [Adw] ADWARE/Qjwmonkey.uirrj Trojan.Win32.Generic!BT Gen:Variant.Razy VirusTotal File Analysis CAT-QuickHeal Downloader.Generic Comodo ApplicUnwnt.UnclassifiedMalware CrowdStrike Falcon malicious_confidence_60% (D) Cyren W32/S-24f27ace!Eldorado DrWeb Adware.Qjwmonkey.122 egambit malicious_confidence_91% Emsisoft Gen:Variant.Razy (B) Endgame malicious (high confidence) escan Gen:Variant.Razy ESET-NOD32 a variant of Win32/Adware.Qjwmonkey.H F-Prot W32/S-24f27ace!Eldorado F-Secure Gen:Variant.Razy Fortinet W32/Generic_PUA_JK.VE 1/2

17 Identification - Step One Three items usually needed Need an IP address or MAC address Date/Time stamp Port Number

18 Identification - Step Two Take the info you got in #1, corroborate it Single IOC usually means FP If it s on the usual suspects list, ignore it Watch out for red alerts

19 Follow the Trail Look in Splunk and FireEye for similar external IP address IOCs similar date and time Check Flowtraq for traffic anomalies

20 How Do We Figure Out What s Important? Is asset being targeted high-value? Workstation or server? SO MANY alerts

21 And Then The Batphone goes off OR SIS starts giving errors OR Spam flood starts Juggling skills required

22 More Often Than Not The dreaded FALSE POSITIVE Port scans Vulnerability scans Downloaded but not detonated malware Slightly-suspicious files Kept on file in case problem recurs

23 Let s Imagine It s A Real Security Problem Ascertain Department/LSP/User Contact via , phone Remove from network Is HSD involved? Run Identity Finder scan Call a P# incident in ServiceNow

24 Old Style Example: W-2 Fraud Scenario Starts with a phish Found employee with high-level access Gives bad guys high-level access Bad guys log in, change DD info Refunds, etc. go to bogus account

25 Old Style Example: W-2 Fraud Investigation User checks DD info online Finds bogus bank info Reports same to Abuse We pull logs (access, change) Look for bad guys IP address as common datapoint

26 Old Style Example: W-2 Fraud Investigation Time-consuming manual log review Manual check with other sources Notification of affected users

27 And Then The Batphone goes off OR SIS starts giving errors OR Spam flood starts Juggling skills required

28 New Style Example: W-2 Fraud Scenario Starts with a phish Individual users give up credentials Bad guys use that individually to alter bank info

29 New Style Example: W-2 Fraud Scenario User notifies Help Desk of erroneous deposit IT security looks at Splunk Searching for user records Then look at Fortimail logs (thru Splunk) Match subject lines Suss out bad IP address

30 New Style Example: W-2 Fraud Scenario Generate list of users that have contact with bad IP address Inform user of possible breach Reset user access if necessary Repeat. Again.

31 Lessons Learned Phishing still works DESPITE awareness training Implement: Notification to user of ANY info change Two-factor authentication Annual password resets

32 New Resources Security liaison program Data loss prevention ITAC security committee APN

33 Questions?