Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Transcription

1 Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

2 September 2014 Let HP ArcSight ESM be the strong link in your Cyber Kill Chain Pete Babcock - USAA

3 3 What is the Cyber Kill Chain? The Cyber Kill Chain is a taxonomy designed to measure the effectiveness of the Defense-in-Depth strategy. Layer 3 Layer 2 Layer 1 How far can I get?

4 4 What is the origin of the Kill Chain? The Cyber Kill Chain was socialized by Lockheed Martin. It is based on military doctrine. It was developed as a method for describing an intrusion from an attacker s point of view. It can inform Cyber Security and Intelligence Analysis.

5 5 Reconnaissance Searches LinkedIn for System Administrators at USAA. Guesses their USAA addresses based on name. Weaponization Cyber Obtains domain name and creates website with malware. Crafts spear phish. Delivery Sends spear phish to targeted addresses. Administrator clicks on link and goes to evil website. Kill Chain Exploitation Zero day exploit on website executes on Administrator s PC. Administrator s PC is compromised. Installation Root Kit is installed on Administrator s PC. Stages Establish Root kit connects back to C2 Threat Actor s server to obtain further instructions. Actions on Objectives Threat Actor looks for data on Administrator s PC. Threat Actor starts compromising other USAA machines.

6 6 What can the Kill Chain do? Each phase of the kill chain can be mapped to corresponding defensive tools and actions. An analyst who knows the stage of the Kill Chain has a basic understanding of what is being attempted and what response is called for. Defensive Courses of Actions are based on the Information Operations principles of: Detect, Deny, Disrupt, Degrade, Deceive & Destroy

7 7 Courses of Action Matrix Phase Detect Deny Disrupt Degrade Deceive Reconnaissance Firewall NIDS Web Logs Firewall NIPS * * * Weaponization DNS Monitoring Website Monitoring * * * * Delivery Antivirus NIDS Vigilant User NIPS Proxy In-Line Antivirus * * Exploitation Installation Establish C2 Actions on Objectives NIDS Antivirus Antivirus Application Logs CIC Malware Sandbox NIDS Application Logs Antivirus System Patching Antivirus System Patching Restricted User Accounts * Antivirus * * Firewall NIPS * * Firewall VLANs VLANs * *

8 8 What can the Kill Chain do? The sooner in the kill chain you can disrupt the attack, the better. Tracking similarities across kill chain phases can give CTOC Analysts insight into: Threat Actor Tactics, Techniques and Procedures (TTP) Campaign Analysis

9 9 How will USAA operationalize? 1 Integrate into ArcSight ESM Cases 2 3 Integrate into the CTOC Wiki Integrate into the Weekly Stand-Up Briefing

10 10 Repurposing Case Fields Energy cannot be created or destroyed, it can only be changed from one form to another. - Albert Einstein ArcSight ESM Case Fields are kinda like that

11 11 Modifying ESM Cases When using ArcSight ESM Cases, it is possible to modify them to your needs. There are 3 files that control cases: Manager /opt/arcsight/manager/config/caseui.xml Yes, the modified files will need to be updated on ALL Consoles Console C:\arcsight\Console\current\i18n\common\ label_strings_en.properties C:\arcsight\Console\current\i18n\common\ resource_strings_en.properties

12 12 Repurposing Case Fields The Joke: You are going to use ArcSight s Foreign Language capabilities to give a field an alias in English! First pick a Case Field that you aren t using of the correct field type. Candidates can be found in the resource_strings_en.properties file. Modify the field in the resource_strings_en.properties file. If using a list field in the resource_strings_en.properties file, make sure to configure the list options.

13 13 resource_strings_en.properties Modify the Field extendedcase.attribute.vulnerabilitydata.label=vulnerability Data extendedcase.attribute.vulnerabilitydata.shortlabel=vulnerability Data extendedcase.attribute.history.label=reoccurence Pain extendedcase.attribute.history.shortlabel=reoccurence Pain extendedcase.attribute.lastoccurrencetime.label=4 - Investigation Start Time extendedcase.attribute.lastoccurrencetime.shortlabel=4 - Investigation Start Time extendedcase.attribute.resistance.label=kill Chain Stage extendedcase.attribute.resistance.shortlabel=kill Chain Stage extendedcase.attribute.conclusions.label=conclusions extendedcase.attribute.conclusions.shortlabel=conclusions List Field Options extendedcase.history=unknown or None,Low,Medium,Please make it stop #extendedcase.resistance=high,low,unknown extendedcase.resistance=unknown,reconnaissance,weaponization,delivery,exploitation,installation,establish C2,Actions on Objectives,Not on Kill Chain

14 14 label_strings_en.properties This file is used to rename the Case tabs and headers displayed in the ArcSight ESM Console. Manager #Cases cases.tab.initial=initial cases.tab.attributes=case Info cases.tab.description=description cases.tab.securityclassification=security Classification cases.tab.followup=incident cases.tab.final=analysis cases.tab.attackmechanism=dean's Categorization cases.tab.attackagent=attack Agent cases.tab.incidentinformation=incident Information cases.tab.vulnerability=vulnerability cases.tab.other=other cases.header.case=case cases.header.ticket=ticket cases.header.incidentinformation=incident Information cases.header.securityclassification=security Classification cases.header.securityclassificationcode=security Classification Code

15 15 CaseUI.xml This is the xml file that defines the fields and tabs to display within a case. <editor enforcelocking="true" colortreeby="consequenceseverity" width="480" height="480"> <tab name="cases.tab.final" <component name="securityclassificationtable" <parameter name="cases.header.case" <parameter name="name" <parameter name="plannedactions" <parameter name="tickettype" <parameter name="stage" <parameter name="securityclassification" <parameter name="resistance" <parameter name="consequenceseverity" <parameter name="history" <parameter name="cases.header.ticket" <parameter name="estimatedstarttime" <parameter name="detectiontime" <parameter name="attacktime" <parameter name="lastoccurrencetime" <parameter name="estimatedrestoretime" </component> <component name="actionstaken" type="base"> type="table"> type="header"/> type="resourcename"/> type="string"/> type="stringlist"/> type="stringlist"/> type="stringlist"/> type="stringlist"/> type="stringlist"/> type="stringlist"/> type="header"/> type="date"/> type="date"/> type="date"/> type="date"/> type="date"/> type="textarea"/> <component name="followupcontact" <component name="conclusions" </tab> <tab name="cases.tab.attributes" <component name="attributestable" <parameter name="cases.header.case" <parameter name="name" <parameter name="displayid" <parameter name="common" </component> </tab> <tab name="cases.tab.followup" <component name="incidentinformationtable" <parameter name="incidentsource1" <parameter name="attackmechanism" </component> <component name="estimatedimpact" </tab> </editor> type="textarea"/> type="textarea"/> type="base" showexport="true"> type="table"> type="header"/> type="resourcename"/> type="int" readonly="true"/> type="commonresourceattrs"/> type="base"> type="table"> type="string"/> type="stringlist"/> type="textarea"/>

16 16 Classify ArcSight ESM Cases

17 17 Classify ArcSight ESM Cases

18 18 Categorize CTOC Use Cases in Wiki

19 19 Categorize CTOC Use Cases in Wiki

20 20 Categorize CTOC Use Cases in Wiki

21 21 How will this be briefed?

22 22 Integrate into the weekly standup briefing The CTOC gives a Weekly Briefing to USAA s CSO and of his direct reports and other parts of the business. 3 new slides were incorporated into the Weekly Standup Briefing slide deck to communicate the Cyber Kill Chain metrics.

23 23 Weekly Cyber Kill Chain metrics 1,200 Reconnaissance 1,000 Weaponization 800 Delivery 600 Exploitation 400 Installation 200 Establish C2 0 12/10/ /17/13 12/24/13 12/31/13 1/7/14 1/14/14 1/21/14 1/28/14 2/3/14 Actions on Objectives

24 24 This week s Cyber Kill Chain

25 25 This week s Cyber Kill Chain highlights Reconnaissance Multiple failed logins - Non-privileged This spike was caused by USAA employees attempting (and failing) to VPN into USAA during the icy weather on Friday 1/24/14. Actions on objectives Non-active USAA username - Destination This was caused by Peoplesoft listing contactors as being terminated when, in fact, their contract was extended. More timely updates to Peoplesoft would correct this.

26 26 Why do we need the Cyber Kill Chain? Measurement is the first step that leads to control and eventually to improvement. If you can t measure something, you can t understand it. If you can t understand it, you can t control it. If you can t control it, you can t improve it. - H. James Harrington

27 27 Q&A Questions?

28 Please give me your feedback Session TB3028 Speaker Pete Babcock Use the mobile app 1. Click on Sessions 2. Click on this session 3. Click on Rate Session Or use the hard copy surveys Thank you for providing your feedback, which helps us enhance content for future events.

29 Thank you Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

30 Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.