Enhancing IR Reducing Complexity & Designing for Scale. Sean Mason Director, Threat Management Mar 10,

Transcription

1 Enhancing IR Reducing Complexity & Designing for Scale Sean Mason Director, Threat Management Mar 10,

2 Sean A. Mason v Florida resident v Developer for 10 years v Auditor for 2 years v IR for 10 years v 7 certifications v ISC2 SME v BS & MBA Career Highlight: Briefing Jeff Immelt & The Board of GE at 30 Rock in NYC

3 Agenda Integrated Threat Defense Foundation Complexity Integration, Consolidation, and Automation Other Critical Aspects Metrics Closing

4 ITD Foundation

5 Knowledge Management Wiki Repo Knowledge Management Workflow Management RT IMS Workflow Management HIPS IDB automated & manual ESA IPS automated Single Pane Suspect automated & manual External SSH SIEM Internal SSH

6 IR Evolution & Maturity Maturity Level As Needed Ad-hoc Maturing Strategic Dedicated Part-Time Full-Time SOC/IR+ Fusion CMM Equivalent Initial Repeatable Defined Managed Optimized People Specialization 4+ Formal roles 10+ (may include MSS) Shifts (possible 24x7) 15+ Intel, SOC, and IR Teams Existing IR Capabilities Process Chaotic and relying on individual heroics; reactive General purpose runbook Tribal knowledge Situational run books; some consistency -based processes Requirements and Workflows documented as standard business process Some improvement over time Process is measured via metrics Some automation Minimal Threat Sharing Shift turnover SLAs Processes are constantly improved, automated, and optimized Broad Threat sharing Hunt teams Technology AV Firewalls IDS/IPS SIEM Sandboxing Continuous Monitoring Endpoint Forensics Tactical Intelligence Malware Analysis Additional Intelligence Some Integration Intel+IR Drives Security Program Focus on Integrations Strategic Intelligence Coordination with Physical Security/Intelligence Threat Management Maturity, Sean Mason bit.ly/irmaturity

7 Dynamic Threats Nuisance Hacktivism Insiders Cyber Crime State Sponsored/APT Objective Access & Propagation Defamation, Destruction, Press & Policy Revenge, Destruction, Monetary Gain Financial Gain Economic, Political Advantage, Destruction Example Botnets & Spam Website Defacements, DDOS Destruction, Theft Credit Card Theft Intellectual Property Theft, DDOS Skill Low Low - Med Med High Very High Potential Data Targets Sensitive Information, Vulnerable Data Access to the Network, Compromising Information Intellectual Property, Compromising Information Credit Card Data, Personal Identifiable Information, Health Records Intellectual Property, Negotiation, National Intelligence Named Actors General Malware Syrian Electronic Army, LizardSquad, Anonymous Jimmy, Suzy, Sally, Johnny Russian Business Network (RBN) APT1, Energetic Bear

8 Attackers Are Easily Exploiting & Bypassing Point Solutions VPN Antivirus NGFW IAM IDS Firewall Malware Sandbox NGIPS Data

9 Only an Integrated Threat Defense Can Keep Pace Reduce Time to : tex Systemic Response ence Con -Detection t e l l ig t ro ib Con Int l V is ility Data -Containment -Mitigation -Response

10 Integrated Threat Defense Architecture Visibility Control Intelligence Context Faster Time to Detection, Faster Time to Remediate

11 Complexity

12 Fragmented Security Market Complexity Fragmentation Security Vendors for Some Customers Security Vendors 2017 RSAC (450 : 373)

13 Increase in Capabilities Over time, adding incremental solutions has plateauing capabilities

14 Adding on Complexity At the cost of additional complexity

15 Goal for Effective Security

16 Integration, Consolidation, & Automation

17 The Path to Effective IR Requires Integration Consolidation Automation

18 The Path to Effective IR Requires Integration Consolidation Automation

19 Starting with something like this Third Party Solutions Telemetry Sources NGFW NGIPS Log Collector NW DDoS Protections Monitoring Log Mgmt Hosted WAF SIEM Enrichment Feeds Investigation Linux Open Source Tools Web Tools Service Management Ticketing CMDB Training Platform Antimalware Web Proxies Vuln Scan Collab Tool Cloud Services Sec Wiki Communications, Collaboration and other IT Systems IM Virtualized Infrastructure

20 Evolving to this Telemetry and Other Data Sources Third Party Solutions Service Provider Solutions Intelligence Platforms Threat Intelligence Malware Analysis Intel and Enrich Threat Intel Providers AV Intel Providers Log Management Monitoring & Response Investigation Enrichment Providers* Native Logs Other Sources Security Monitoring, Analytics and Response Suite Security Case Management Digital Forensics Tools Service Management Ticketing Breach Remediation Knowledge Base Cyber Security Controls Other Infrastructure Comm & Collab Apps Wiki Communications and Collaboration Systems Internal Infra Cloud Infra Infrastructure Under Investigation Training Platform

21 Integrated Processes: Intel-driven risk mitigation Prevention Tactical Intel Sources Intel Analysis Detection Strategic Intel Hunting Triage Response Lessons Learned Analysis Other Functions Containment Collection IR Process Today, Sean Mason bit.ly/irprocessimg

22 The Path to Effective IR Requires Integration Consolidation Automation

23 Consolidation Also, I ve seen a looooooooooooong list of vendors that are a feature an engine to match TI to logs/flows [SIEM does this, even if not yet at scale], UBA for one particular use case, web proxy log analyzer [because, dude, proxy logs are SO important! :-)], etc. Sorry, but these products are all destined to die, and maybe the lucky few are to be acquired by larger vendors missing exactly that one feature - Dr. Anton Chuvakin, Gartner

24 Features?

25 Prevention & Detection Scenarios Recon Weaponization Deliver Exploitation Installation C2 Act on Objectives File File Behavior Behavior Code Binary Code Behavior Behavior File - Name URI Domain Name URI URL HTTP - GET HTTP UA String Address Address ipv4-addr File - Path URI - URL File File - Path File - Name URI- Domain Name URI - URL HTTP - POST Header - Subject Header X-Mailer Hash MD5 Hash SHA1 Address Address ipv4-addr Win Registry Key File File - Name URI Domain Name URI URL Hash MD5 Hash SHA1 Address cidr Address ipv4-addr Win Process Win Registry Key File File - Path File - Name URI Domain Name URI - URL HTTP - GET HTTP UA String Hash MD5 Hash SHA1 Address Win Process Win Registry Key File URI Domain Name URI - URL HTTP - GET HTTP - POST HTTP UA String Hash MD5 Hash SHA1 Address Address ipv4-addr Win Registry Key Win Service File File - Path File - Name URI Domain Name URI URL Hash MD5 Hash SHA1 Address ipv4-addr Address ipv4-addr Created by David Bianco, GE-CIRT

26 Platform Strengths (ex. IDS) Recon Weaponization Deliver Exploitation Installation C2 Act on Objectives File File Behavior Behavior Code Binary Code Behavior Behavior File - Name File - Path File Win Registry Key Win Process Win Process Win Registry Key URI Domain Name URI - URL File - Path File Win Registry Key Win Registry Key Win Service URI URL File - Name File - Name File File File HTTP - GET URI- Domain Name URI Domain Name File - Path URI Domain Name File - Path HTTP UA String URI - URL URI URL File - Name URI - URL File - Name Address HTTP - POST Hash MD5 URI Domain Name HTTP - GET URI Domain Name Address ipv4-addr Header - Subject Hash SHA1 URI - URL HTTP - POST URI URL Header X-Mailer Address cidr HTTP - GET HTTP UA String Hash MD5 Hash MD5 Address ipv4-addr HTTP UA String Hash MD5 Hash SHA1 Hash SHA1 Hash MD5 Hash SHA1 Address ipv4-addr Address Hash SHA1 Address Address ipv4-addr Address Address ipv4-addr Address ipv4-addr Notes: Security solutions are able to investigate, analyze and monitor this indicator type Security solutions are unable to track this indicator type. These areas represent gaps Created by David Bianco, GE-CIRT

27 Aggregated View Recon Weaponization Deliver Exploitation Installation C2 Act on Objectives File File Behavior Behavior Code Binary Code Behavior Behavior File - Name File - Path File Win Registry Key Win Process Win Process Win Registry Key URI Domain Name URI - URL File - Path File Win Registry Key Win Registry Key Win Service URI URL File - Name File - Name File File File HTTP - GET URI- Domain Name URI Domain Name File - Path URI Domain Name File - Path HTTP UA String URI - URL URI URL File - Name URI - URL File - Name Address HTTP - POST Hash MD5 URI Domain Name HTTP - GET URI Domain Name Address ipv4-addr Header - Subject Hash SHA1 URI - URL HTTP - POST URI URL Header X-Mailer Address cidr HTTP - GET HTTP UA String Hash MD5 Hash MD5 Address ipv4-addr HTTP UA String Hash MD5 Hash SHA1 Hash SHA1 Hash MD5 Hash SHA1 Address ipv4-addr Address Hash SHA1 Address Address ipv4-addr Address Address ipv4-addr Notes: Address ipv4-addr Security solutions are able to investigate, analyze and monitor this indicator type Security solutions are unable to track this indicator type. These areas represent gaps Created by David Bianco, GE-CIRT

28 Coverage Gaps Recon Weaponization Deliver Exploitation Installation C2 Act on Objectives HTTP UA String File Header - Subject Hash MD5 File - Path Header X-Mailer Hash SHA1 URI - URL Created by David Bianco, GE-CIRT

29 The Path to Effective IR Requires Integration Consolidation Automation

30 IR INTERNET IR HERE AMP AMP HERE FIREPOWER HERE AMP 4 FP LANCOPE AMP & HERE AMP AMP AMP AMP HQ Off-net HERE HERE AMP Roaming HERE AUTOMATION Intelligence collected & stored at the Talos level FIREPOWER FIREPOWER Signatures created & pushed out globally AMP AMP Branch AMP AMP Branch Maximum coverage across the environment quickly

31 Other Critical Aspects

32 Communication ØCommunicate broadly, engage others ØCommunication template, rhythm and formats ØMobile technology and speed of information Incident Severity Communications Rhythm Audience Grave (KC7) Significant (KC6) Within 1hr Conf. Call 2x Daily Conf. Call COB Daily Within 1hr COB Daily COO CSO CIO General Counsel Director of PR CISO Director of IR Chief Security Architect CISO Director of IR Chief Security Architect Benign (KC1-5) As needed or upon escalation Director of IR Security Manager Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains, Lockheed Martin bit.ly/killchain

33 Internal Communications

34 Containment Who can access compromised devices? How will you track down the devices? When do you contain? Who makes the containment call? What method(s) will you use? Focus on IR Fundamentals: Containment, Sean Mason bit.ly/ircontainment

35 Analysis Infrastructure qanalysis Servers (CPU + RAM) qcisco UCS-C240 q2.3ghz, 18 cores q200gb RAM qstorage (TB/PBs) qresponder Laptops qmbp & Custom Gaming qorigin PC (Miami, FL) What s in Your IR Go-Bag?, Shelly Giesbrecht bit.ly/irgobag

36 Recurring Testing qpaper Test Ensure all documentation, templates, etc are properly updated. qtable Top Exercise Verbally walking through a number of different IR scenarios. qsimulated Incident A more invasive test that leverages a Red Team to simulate an attack (or utilize existing malware samples). Allows for a more comprehensive test of IR. Table Top Exercises for IR, Sean Mason bit.ly/irexercises

37 Metrics

38 IR Measured Cycle Times Event (Event Time) Event Dwell Time Event Analysis Triage (Detect Time) How fast did we find it? Report (Report Time) Report Contain Time Contain IR Actions (Contain Time) How fast did we respond to it? Business Impact Time Remediate Remediation (Remediation Time) How fast did we fix it? Incident Response Metrics, Sean Mason bit.ly/irmetrics

39 Dwell & Contain Dwell Time Avg Time to Contain Days Hours Monthly Contain Time Outliers! Incidents Hours Incident Response Metrics, Sean Mason bit.ly/irmetrics

40 Intel & Detection Detection Success Intel Source Success SIEM IDS DLP Users AV MIR 100% 80% 60% 40% 20% 0% False Positives Incidents Success Rate In-House Talos Vendor1 Vendor2 100% 80% 60% 40% 20% 0% False Positives Incidents Success Rate Incident Detection % 15 80% % 40% 20% Incidents % of Incidents 0 SIEM IDS DLP Users AV MIR 0% Incident Response Metrics, Sean Mason bit.ly/irmetrics

41 Closing Thoughts

42 Lessons Learned Kill Chain Actor Action Failure Mode Mitigation Action Reconnaissance Used commercial web scanner Potential gaps in threat tool & scanning capability Establish detection capability Weaponization Delivery SQLI on vulnerable ASP page to gain admin access Could not detect SSL traffic; vulnerable to SQLI Explore Secure Development & Application Security Assessments Exploitation Installation IIS web service used to upload web shell Failure to restrict file upload types or configure web server to not execute uploaded files Explore Secure Development & Application Security Assessments C2 Used web shell on initially compromised host Could not detect SSL traffic Actions on Intent Accessed info.txt which held admin account information Management scripts failed to delete info.txt after running Scripts retired and environment scanned Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains, Lockheed Martin bit.ly/killchain

43 Organizational Sustainability & Elasticity Ø There simply isn t enough talent Ø Don t hire all Senior talent Ø Quit complaining- go do something! Ø Outsource Ø Develop a pipeline of students & interns Ø Don t be a school snob Ø Help schools design their InfoSec programs! Ø Ø Provide opportunities both ways Ø Give your mid-level folks opportunities Ø Bring in talent outside of IR

44 Resources Cisco Security Services: Blogs: Cisco Incident Response Team If you are currently experiencing an incident, please contact us at: Or Sean

45