Getting Security Operations Right with TTP0

Transcription

1 0 Getting Security Operations Right with TTP0 Ismael Valenzuela SANS Instructor, Rob Gresham Splunk>

2 Where were you in 1986?

3

4 0

5 What is the story? Google Market Summary

6 We keep seeing the same situation...

7 SOC Strategic Mission: manage & report risk Success: interrupt adversary activity to mitigate loss, managing and communicating risk Requires a strategic and tactical approach to security, where Cyber Threat Intelligence (CTI) is central to this mission

8 10,000 hours or 6 months?

9 So we sat down... And started to think about what works...

10 Learn Transform Measure Discover Monitor 0 Respond Automate

11 Security Operations Story 0 Understand the business, set initial goals & outline a realistic, high-impact plan Create awareness, maintain focus and augment visibility Report & celebrate success, identify points of change, increase scope in spiral motion

12 Security Operations Story: NSM 0 Understand the business, set initial goals & outline a realistic, high-impact plan Create awareness, maintain focus and augment visibility Report & celebrate success, identify points of change, increase scope in spiral motion DISCOVER the business MONITOR define zones, critical assets RESPOND define IRP for them AUTOMATE core actions (Create tickets, data transfer processes) MEASURE time to notify, remediate TRANSFORM create awareness DISCOVER anomalies or gaps MONITOR critical, high alerts RESPOND refine IRP AUTOMATE contextual data MEASURE time to investigate, recovery TRANSFORM analytical quality DISCOVER hunt retroactively MONITOR new attack points (scope) RESPOND apply lessons learned AUTOMATE response scenarios MEASURE alignment to business goals

13 Discover 0 What s important, Crown Jewels, save one s SOEL Understand the Business Units and talk to your IT cohorts Understand what s critical to enterprise operations Review the Business Continuity Plan (if they have one) Start early, don t wait... In preparing for battle I have always found that plans are useless, but planning is indispensable. - Dwight D. Eisenhower

14 Monitor 0 SOC Zoning Using the concept of SOC Zones to defend your organization allows for both IT and business context in order simplify building effective Use-Cases Set the stage to build efficient response processes around... Zones Categories Severity Sensitivity Resource Tiers

15 Monitor 0 Other Examples: OT/ICS Manufacturing R&D PCI Zones business-critical application Cloud critical hosting DMZ Zoning should be implemented in a way that reflects businesscritical capability

16 Monitor 0 Determine essential security feeds and intelligence sources

17 Monitor 0 Effective application of content (threat content engineering)

18 Response 0 Block Processes and C2 Channels External Contextualization Internal Scoping (beyond reporting) Root Cause Analysis Triage Forensics Contain not remediate Eradicate / Recovery Lessons Learned

19 AUTOMATE: Introducing TTP0 DRONE 0

20 Automate 0 Configure & automate ticket creation with DRONE, -

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42 Check out our WIKI 0

43 TRANSFORM 0 Create awareness by telling a story -

44 TLP: RED <ActorNameHere> - <YYYY> TLP: RED FEYE - APT1 SPEARPHISHING JAN FEB MAR APR MAY JUN JUL AUG SEP OCT NOV DEC Victim Blog/Report Weapons 44

45 0Tier Threat Response Team Threat Mitigation and Recovery Team (12 - Team) 0 Hunt Intelligence - LE Liaison Incident Leader Monitor Incident Response Lead Harden Incident Responder SOC IR SOC Analyst Red Teamer CTI Analyst Host Forensics Net Forensics Host Discovery Scan & Assess Find & Analyze Network (SO, Bro, Snort) Windows (Applocker, GPO, EMET) Vulnerability Analysis System Integrity Host (HIPS, Raptor, epo) Linux/Unix (IPTables, rkhunter) Risk Assessment Forensics Infrastructure (ACLs, MAC Blocks)

46 0

47 0

48 What is available today 0 - TTP0 DRONE - Automates incident creation with zones, tiers, etc - Requires python 2.7, installed TheHive - GitHub: - Opbrief PPT templates by TLP - Actor Tracker PPT templates by TLP - 0Tier Threat Response model vs 3Tier Traditional SOC - A curated list of awesome GitHub resources we use

49 What we are working on 0 - Security Operations Story templates - Tying Use Case to Responses Playbooks - Investigation and Response Metrics - Security Operations Templates for Managers - Tools matrix - SWOT * TWOS Analysis - Staff management & SOC scheduling configurations - How To Guidelines: - Zoning, tiers, etc. - Use Case prioritization - Standardize Automation Investigation Playbooks

50 Thanks! Follow 0 TTP0 Founders: Carlos Diaz Carric Dooley Rob Gresham Ask us how to contribute: info@ttp0.io

51 Thank you!