SOC Operations on the Autobahn. Don t let the green grass fool you

Similar documents
CSE 565 Computer Security Fall 2018

Honey Pot Be afraid Be very afraid

ACS-3921/ Computer Security And Privacy. Chapter 9 Firewalls and Intrusion Prevention Systems

Chapter 9. Firewalls

Advanced Threat Hunting:

CISNTWK-440. Chapter 5 Network Defenses

ENTERPRISE ENDPOINT PROTECTION BUYER S GUIDE

Resolving Security s Biggest Productivity Killer

Emerging Threat Intelligence using IDS/IPS. Chris Arman Kiloyan

IDS: Signature Detection

IJSER. Virtualization Intrusion Detection System in Cloud Environment Ku.Rupali D. Wankhade. Department of Computer Science and Technology

Computer Security: Principles and Practice

COMPUTER NETWORK SECURITY

SentinelOne Technical Brief

ATTIVO NETWORKS THREATDEFEND INTEGRATION WITH MCAFEE SOLUTIONS

CIS Top 20 #12 Boundary Defense. Lisa Niles: CISSP, Director of Solutions Integration

Intrusion Detection. Overview. Intrusion vs. Extrusion Detection. Concepts. Raj Jain. Washington University in St. Louis

Evolution Of Cyber Threats & Defense Approaches

Overview Intrusion Detection Systems and Practices

Introduction Honeynets/pots - Types and variation Honeynets/pots - Advantages/Disadvantages Conclusion Q and A Diagrams. Honeynets

Course Outline Topic 1: Current State Assessment, Security Operations Centers, and Security Architecture

Analyzing Huge Data for Suspicious Traffic. Christian Landström, Airbus DS

Cisco Security. Advanced Malware Protection. Guillermo González Security Systems Engineer Octubre 2017

What a Honeynet Is H ONEYPOTS

Virtual CMS Honey pot capturing threats In web applications 1 BADI ALEKHYA, ASSITANT PROFESSOR, DEPT OF CSE, T.J.S ENGINEERING COLLEGE

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

Active defence through deceptive IPS

Defend Against the Unknown

BUILDING AND MAINTAINING SOC

2. INTRUDER DETECTION SYSTEMS

Essentials to creating your own Security Posture using Splunk Enterprise

WHITEPAPER ENDPOINT DETECTION AND RESPONSE BEYOND ANTIVIRUS PROACTIVE THREAT HUNTING AT THE ENDPOINT

Introduction to Honeypot Technologies

You will discuss topics related to ethical hacking, information risks, and security techniques which hackers will seek to circumvent.

Symantec Ransomware Protection

Aligning with the Critical Security Controls to Achieve Quick Security Wins

Forensic Network Analysis in the Time of APTs

Network Security Issues and New Challenges

SIEM (Security Information Event Management)

Spring 2010 CS419. Computer Security. Vinod Ganapathy Lecture 14. Chapters 6 and 9 Intrusion Detection and Prevention

Raj Jain. Washington University in St. Louis

HOW TO CHOOSE A NEXT-GENERATION WEB APPLICATION FIREWALL

Comparative Study of Different Honeypots System

Are we breached? Deloitte's Cyber Threat Hunting

THREAT INTEL AND CONTENT CURATION: ORGANIZING THE PATH TO SUCCESSFUL DETECTION

MISP Training: MISP Deployment and Integration

How Breaches Really Happen

THE BUSINESS CASE FOR OUTSIDE-IN DATA CENTER SECURITY

Intrusion Detection. Comp Sci 3600 Security. Introduction. Analysis. Host-based. Network-based. Distributed or hybrid. ID data standards.

WHITE PAPER. Best Practices for Web Application Firewall Management

Understanding Cisco Cybersecurity Fundamentals

Agile Security Solutions

CS Review. Prof. Clarkson Spring 2017

SentinelOne Technical Brief

Detecting Network Reconnaissance with the Cisco Cyber Threat Defense Solution 1.0

100% Endpoint Protection dank Machine Learning, EDR & Deception?

Advanced Threat Defense Certification Testing Report. Symantec Corporation Symantec Advanced Threat Protection

May the (IBM) X-Force Be With You

OODA Security. Taking back the advantage!

Reduce Your Network's Attack Surface

Automated Response in Cyber Security SOC with Actionable Threat Intelligence

Copyright ECSC Group plc 2017 ECSC - UNRESTRICTED

One Phish, Two Phish, Three! Building an Active Threat Management Framework for Malicious

Symantec Endpoint Protection Family Feature Comparison

CIS Controls Measures and Metrics for Version 7

A MULTILAYERED SECURITY APPROACH TO KEEPING HEALTHCARE DATA SECURE

Imperva Incapsula Website Security

Design your network to aid forensics investigation

Sandboxing and the SOC

CIS Controls Measures and Metrics for Version 7

An Aflac Case Study: Moving a Security Program from Defense to Offense

Beyond Firewalls: The Future Of Network Security

INCIDENT HANDLING & RESPONSE PROFESSIONAL VERSION 1

BUILDING A NEXT-GENERATION FIREWALL

Snort: The World s Most Widely Deployed IPS Technology

INCIDENT RESPONDER'S FIELD GUIDE INCIDENT RESPONDER'S INCIDENT RESPONSE PLAN FIELD GUIDE LESSONS FROM A FORTUNE 100 INCIDENT RESPONSE LEADER

ATTIVO NETWORKS THREATDEFEND PLATFORM INTEGRATION WITH CISCO SYSTEMS PROTECTS THE NETWORK

YOU VE GOT 99 PROBLEMS AND A BUDGET S ONE

HOLISTIC NETWORK PROTECTION: INNOVATIONS IN SOFTWARE DEFINED NETWORKS

DEFENCE IN DEPTH HOW ANTIVIRUS, TRADITIONAL FIREWALLS, AND DNS FIREWALLS WORK TOGETHER

National Cyber Security Operations Center (N-CSOC) Stakeholders' Conference

Network Security: Firewall, VPN, IDS/IPS, SIEM

Firewalls, Tunnels, and Network Intrusion Detection

Zimperium Global Threat Data

CS419 Spring Computer Security. Vinod Ganapathy Lecture 13. Chapter 6: Intrusion Detection

Introduction to Threat Deception for Modern Cyber Warfare

esendpoint Next-gen endpoint threat detection and response

Too Little Too Late: Top Reasons Why You Got Hacked

IPS with isensor sees, identifies and blocks more malicious traffic than other IPS solutions

Post-Exploitation Hunting with ATT&CK & Elastic

McAfee Network Security Platform 8.3

Open Source Security Orchestration. Brucon 9, Ghent 2017

THE ACCENTURE CYBER DEFENSE SOLUTION

empow s Security Platform The SIEM that Gives SIEM a Good Name

6 MILLION AVERAGE PAY. CYBER Security. How many cyber security professionals will be added in 2019? for popular indursty positions are

Legal Informatics, Privacy and Cyber Crime

Qualys Indication of Compromise

RSA INCIDENT RESPONSE SERVICES

Vulnerability Assessment. Detection. Aspects of Assessment. 1. Asset Identification. 1. Asset Identification. How Much Danger Am I In?

WHITEPAPER ATTIVO NETWORKS DECEPTION TECHNOLOGY FOR MERGERS AND ACQUISITIONS

Transcription:

SOC Operations on the Autobahn Don t let the green grass fool you

Who am I? Adrian Kelley 15+ Years of IT Experience Current: Sands Corp. (Vulnerability Management Engineer) United States Computer Emergency Readiness Team (DHS/US-CERT) National Credit Union Association (NCUA) Office of the Director of Naval Intelligence (ONI) Office of the Director of National Intelligence (ODNI) General Dynamics Advanced Information Systems Northrop Grumman Corporation United States Marine Corps (0811-Artillery)

How I feel about certifications? CISSP CISA GPEN C EH C HFI GMON GCED GSEC SFCP Security + ETC

Mission Discovering Speed Isn t a Factor (Indicator Gathering) Navigate through Heavy Packet Traffic (Long Tail Analysis) Blocking Traffic in the Fast Lane ( IDS vs IPS) Cloned Camera s on the Autobahn (Honeypot Networks)

Why These Will Help Your SOC? 5 Million Events Daily isn t Pleasant We don t have an unlimited supply of analyst Technology is good, human verification is still best If AI takes the wheel... Your network would look like this!

We All Seen the Movie

Indicator Reconnaissance Alerts can only make so much noise!

What are Indicators? Cybersecurity Information Sharing Act of 2015 defines cyber threat indicator as information that is necessary to describe or identify: Malicious reconnaissance Remnant of exploiting a security vulnerability A method that causes a legitimate users account to enable the defeat a security control any combination thereof.

What are Indicators? (cont) Basically pieces of information that can be used to search and identify compromised systems Commonly known as Indicators of Compromise

What forms do Indicators come in? File Hashes, IP addresses, URL s, email addresses Unusual Outbound Network Traffic Anomalies in Privileged User Account Activity Unusual DNS Request Log-In Red Flags Increases in Database Read Volume Bundles of Data in the Wrong Place

How do you get proactive?

Collect Collect OSINT reports NCCIC CISCP program public-private information sharing Open Threat Exchange (OTX) MISP - Open Source Threat Intelligence Platform Emerging Threat Rules IP Block List Malware Domain List

Extract Extract IOC s from OSINT reports File Hashes URL s Domain Names IP addresses Email addresses User Agents Registry Keys

Convert Convert the IOC s Snort signatures Suricata rules Bro IDS rule SQUID

Rinse & Repeat Collect OSINT reports Feed IOC s into SIEM/Security Appliance Extract IOC s from OSINT reports Convert the IOC s

Takeaway Reducing detection time saves lots of money and front page articles and jobs, and reputations, and careers ***The running theme of this brief

Long Tail Analysis Logs can only make so much noise!

What is Long Tail Analysis? We pay close attention to the stuff that makes the most noise when in actuality, the most interesting stuff is at the lower end of the spectrum.

When do you use it? When looking at: DNS Logs Firewall Logs Proxy Logs DHCP Logs Server Logs IDS Logs

Why do you use it? When the Autobahn is too much When something suspicious has occurred Looking for rogue activity Enhance hunt capability

The HUNT Lets jump in head first! Sort through the logs

The HUNT is Turn them into visual bar graphs Logs 700 654 600 500 509 432 422 400 334 300 200 276 235 200 180 100 0 120 99 80 46 44 12 10 8 7 3

The HUNT is an Now what jumps out? Anything abnormal? Logs 700 654 600 500 509 432 422 400 334 300 200 276 235 200 180 100 0 120 99 80 46 44 12 10 8 7 3

The HUNT is an ADVENTURE! Why are we getting hits on these domains? Logs 700 654 600 500 509 432 422 400 334 300 200 276 235 200 180 100 0 120 99 80 46 44 12 10 8 7 3

Suspicious Domains Lets take a deeper look at liagand.cn Domains Count f2725zfti2vy.17vj7b.top 46 hotmail.com 44 badguy.com 12 liagand.cn 10 mah0ney.com 8 fnjyygovdjyemga.xyz 7 mamj.ru 3

Suspicious Domain Our search yielded results!

DOCK YOUR SHIP!

Long Tail Recap The noise doesn t mask the truth This methodology for logs of all types Can be used to enhance cyber capabilities Gives analyst another tool to detect suspicious activity

Honeypot Networks They waste our time time to waste theirs!

History of this sweet stuff The idea came from a book called The Cuckoos Egg by Clifford Stoll released in 1991. First type of honeypot was released in 1997 Deceptive Toolkit The Philippine Honeypot Project was started to promote computer safety over in the Philippines in 2005.

What is a Honeypot? A honeypot is a trap set to detect, deflect, or, in some manner, counteract attempts at unauthorized use of information systems. Generally, a honeypot consists of the following: A computer or interesting device on the network Data that would appear to be of value A network site that appears to be part of a network, but is actually isolated and monitored This is similar to the police baiting a criminal and then conducting undercover surveillance.

What can you do with a Honeypot? Great question! Record actions, capture keystrokes, view their toolset, etc. Supplement IDS Detection Slow down or STOP the adversary (Defense in Depth)

How is a Honeypot used?

Bad Guys shows up

Bad Guys probs network

Bad Guys finds & Pops a box

Bad Guy get quarantined

Bad Guy get quarantined

IOC s are blocked

All is RIGHT IN THE WORLD!!

Why would you deploy a Honeypot? DETECTION Defense in Depth Slow down or STOP the adversary (technology dependent) Low rate of false positive Record actions, capture keystrokes, view their toolset, etc.

Intrusion Detection & Prevention IPS vs IDS

Who is Who?

IDS Principles Assume that the users behavior is different than that of a normal user. Expect Overlap Problems include: False Positives False Negatives

What do you want from an IDS? Impose a minimal overhead on your network Run constantly Be scalable Be easily configurable Remain fault tolerant Catch the Bad Guy!

Types of IDS Host-Based IDS Primary purpose is to detect intrusions, log suspicious events, and send alert. Can detect both external and internal intrusions Anomaly-based vs Signaturebased detection

Types of IDS (cont) Network-Based IDS Monitor traffic at selected points on a network Detect intrusions in (near) real time Ability to examine high level protocol activity directed toward systems Modes Signature-based detection Anomaly-based detection

Types of IDS (cont)

Types of IPS Host-Based IPS Identifies attacks using both: Signature detection techniques Malicious application packets Anomaly detection techniques Behavior patterns that indicate malware. Can also sandbox applets to monitor behavior

Types of IPS (cont) Network-Based IPS Inline NIDS that can discard packets or terminate TCP connections Uses signature and anomaly detection Can identify malicious packets using: pattern matching, stateful matching, protocol anomaly, traffic anomaly, statistical anomaly Disadvantage: Accidentally block all traffic if a mistake is made.

Land Your Plane

Detection Trifecta Network-Based IPS + Network-Based IDS (Internal & External Sensor) + Host-Based IPS =

Mission Complete Discovering Speed Isn t a Factor (Indicator Gathering) Navigate through Heavy Packet Traffic (Long Tail Analysis) Cloned Camera s on the Autobahn (Honeypot Networks) Blocking Traffic in the Fast Lane ( IDS vs IPS)

Connect with me

Thank You!

SOC Operations on the Autobahn Don t let the green grass fool you

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback