Protecting Your Data - Eric Browning - Part II


Transcript: Protecting Your Data - Eric Browning - Part II

Incident Response Management Processes
• Preparation
• Identification
• Notification
• Analysis
• Containment
• Eradication
• Restoration
• Follow-Up

Observe: What do we know?
• System analysis
• Log analysis
• Malware analysis
• Network traffic

Orient: What do we need to know? How will we know that?
• What are the business goals?
• What are the investigative capabilities?

Decide: Develop Courses of Action (COAs). Select COAs.
• COAs will likely involve multiple teams within the organization, IT and non-IT.

Act: Assign tasks. Execute tasks. Supervise.
• Break down the COAs and assign and execute tasks.
• Reap the benefits of the Preparation Phase (or not).

Incident Response Management Processes (expanded)
• Preparation
• Identification and Triage
• Escalation and Notification
• Initial Containment
• Analysis
• Containment
• Eradication
• Restoration
• Follow-Up
Top 10 Logs to Collect in Support of IR
• External/Internal DNS Requests
• VPN Logs
• Web Proxy Logs
• Firewall Logs
• Endpoint Activity
• IPS/IDS Logs
• Application Whitelisting Logs
• Mail Servers (OWA, SMTP)
• Administrative Protocols (SSH, RDP)
• Antivirus
Both “allowed” and “denied” activity should be logged.
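To show why both sides of that rule matter, here is an added example (not from the talk) that runs two simple detections over constructed firewall log lines: beaconing, which is visible only in allowed connections, and internal scanning, which is visible in denied ones. The log format, the field names and the thresholds are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
# Constructed firewall log lines (not from the talk): 10.1.2.50 is "allowed" out to one
# address about every 300 s; 10.1.2.77 is "denied" SMB to five internal hosts.
SAMPLE_LOG = """\
2016-01-20T10:00:01 action=allowed src=10.1.2.50 dst=203.0.113.7 dport=443
2016-01-20T10:03:12 action=denied src=10.1.2.77 dst=10.1.3.1 dport=445
2016-01-20T10:03:12 action=denied src=10.1.2.77 dst=10.1.3.2 dport=445
2016-01-20T10:03:13 action=denied src=10.1.2.77 dst=10.1.3.3 dport=445
2016-01-20T10:03:13 action=denied src=10.1.2.77 dst=10.1.3.4 dport=445
2016-01-20T10:03:14 action=denied src=10.1.2.77 dst=10.1.3.5 dport=445
2016-01-20T10:05:00 action=allowed src=10.1.2.50 dst=203.0.113.7 dport=443
2016-01-20T10:10:02 action=allowed src=10.1.2.50 dst=203.0.113.7 dport=443
2016-01-20T10:14:59 action=allowed src=10.1.2.50 dst=203.0.113.7 dport=443
"""
LINE = re.compile(r"(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) "
                  r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

def parse(log):
    # One dict per well-formed line; malformed lines are skipped rather than crashing.
    for line in log.splitlines():
        if m := LINE.match(line):
            rec = m.groupdict()
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            yield rec

def find_beacons(events, min_hits=4, max_jitter=0.1):
    # Beaconing shows only in ALLOWED traffic: same src->dst:port at a near-constant interval.
    by_flow = defaultdict(list)
    for e in events:
        if e["action"] == "allowed":
            by_flow[(e["src"], e["dst"], e["dport"])].append(e["ts"])
    beacons = []
    for flow, stamps in by_flow.items():
        if len(stamps) >= min_hits:
            stamps.sort()
            gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
            if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
                beacons.append({"flow": flow, "period_s": round(mean(gaps))})
    return beacons

def find_scans(events, min_targets=5):
    # Scanning shows in DENIED traffic: one source fanning out to many destinations.
    targets = defaultdict(set)
    for e in events:
        if e["action"] == "denied":
            targets[e["src"]].add(e["dst"])
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}
```

Drop the allowed records from retention and find_beacons has nothing to work with; drop the denied ones and find_scans goes blind, which is the point of the slide's last line.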
What Good Looks Like – SOC Analysis Tiers
Team | Duties | Operations
Level 0 | Monitoring platform with automated filters and use cases to filter out false positives automatically | Platform
Level 1 | 24x7 SLA-driven security analysis. Filter out additional false positives and carry out basic security analysis on true incidents. | 24x7
Level 2 | Second level of analysis by senior team with access to threat intelligence and business tools and systems for further business context enrichment. | 8x5
Level 3 | Advanced investigation of incidents escalated from Level 2. Communications with the business unit stakeholders and Legal. | 8x5
Level 4 | Access to team of specialist incident responders providing malware reverse engineering, targeted threat hunting and forensic investigations | Retainer
Threat Intelligence | Access to threat intelligence from research carried out by specialist team. The TI will support operational, strategic, tactical and technical security analysis. | Subscription
Classification: //SecureWorks/Confidential - Limited External Distribution:
Agenda
• Strategy
• Common Entry Methods
• Incident Response
• Baking in Threat Intelligence
• Lessons Learned
Baking in Threat Intelligence
Endpoint: Blacklists | Hashes | Behavior | Forensic Response
IDS/IPS: Blacklists | Signatures | Response
AdvMalware: Blacklists | Signatures | Sandbox | Response
AttackerDB: Bad Domains/IPs | Context | Lifespan | Daily Updates
Monitoring: Blacklists | Correlation Rules | Response
TI Service: Indicator Feeds | Malware Analysis | Threat Groups
Evolution of Threat Indicators
From Low Impact through Medium to High Impact: Hashes → IP Addresses → Domains → Network Artifacts → Host Artifacts → Tools & TTPs
Detection Pyramid
Indicator tiers, bottom to top (rising cost to the threat actor to retool, rising impact to the adversary):
• Hash Values
• IP Address
• Domain Name
• Network Signature
• Host Signature
• Tools
• TTPs
Detection technology at each level, bottom to top: Anti-Virus (hash values), Blacklists (IP addresses), IPS Device (domain names and network signatures), Endpoint (host signatures), Threat Intelligence (tools and TTPs).
Join The Dots
Each column lists examples; the slide's exercise is to join an observed behavior to an event, a tactic, a known actor and a response.
Behavior: RAR Password, Username, Filenames, Directories, Tool Arguments, Preferred Tools, Unique Toolset, Ping 127.0.0.1, Data Dumps
Event: PowerShell command, Clear Event Logs, UAC Bypass, Scheduled Task, Network Recon, Network Scanning, Batch File Use, Execute Script, Data Collection
Tactic: RAT Malware, Command & Control, Exploit & Escalation, Data Destruction, Credential Theft, Defensive Evasion, DDoS, Lateral Movement, Data Exfiltration
Actor: TG-0110, TG-0416, TG-0919, TG-6529, TG-4192, TG-4127, TG-8288, TG-2460, TG-2768
Response: Initiate IR, Reset Credentials, Re-Image Host, Collect Memory Image, Collect Disk Image, Isolate Host, Disconnect from Internet, Review Windows Event Logs, Threat Hunting

Join The Dots (items highlighted on the follow-up slide)
Behavior: RAR Password, Filenames, Tool Arguments, Preferred Tools
Event: PowerShell command, Scheduled Task, Execute Script
Tactic: RAT Malware, Command & Control, Lateral Movement, Data Exfiltration
Actor: TG-4127
Response: Collect Memory Image, Collect Disk Image, Disconnect from Internet, Review Windows Event Logs, Threat Hunting
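As an added example, not from the deck, the following script joins the dots the way the slide suggests: it looks up observed indicators in a constructed attacker database, weights each match by its Detection Pyramid tier, and ranks candidate threat groups together with the responses to run. The TG-xxxx labels and the tactic and response names come from the slides; the indicator values, their association with a group, and the tactic-to-response pairing are assumptions made for the example.

```python
from collections import defaultdict

# Detection Pyramid tiers from the deck, bottom to top: the higher the tier, the more
# it costs the adversary to retool, so a match there is more durable evidence.
TIER = {"hash": 1, "ip": 2, "domain": 3, "net_artifact": 4,
        "host_artifact": 5, "tool": 6, "ttp": 7}

# Constructed AttackerDB for this example: (indicator type, value) -> (threat group,
# tactic). Group labels reuse the deck's TG-xxxx names; the associations and the
# indicator values are invented for illustration.
ATTACKER_DB = {
    ("hash", "ab12cd34-constructed-sha256"): ("TG-0110", "RAT Malware"),
    ("ip", "203.0.113.7"): ("TG-0416", "Command & Control"),
    ("tool", "PowerShell command"): ("TG-4127", "Command & Control"),
    ("ttp", "RAR Password"): ("TG-4127", "Data Exfiltration"),
}

# Our own pairing of the deck's Tactic column with its Response column (an assumption).
RESPONSE_FOR_TACTIC = {"RAT Malware": "Initiate IR", "Command & Control": "Isolate Host",
                       "Lateral Movement": "Review Windows Event Logs",
                       "Data Exfiltration": "Threat Hunting"}

def join_the_dots(sightings, db=ATTACKER_DB):
    """Rank candidate actors from (type, value) sightings, weighting by pyramid tier."""
    actors = defaultdict(lambda: {"score": 0, "top": 0, "matched": [], "tactics": set()})
    for kind, value in sightings:
        hit = db.get((kind, value))
        if hit is None:
            continue
        actor, tactic = hit
        a = actors[actor]
        a["score"] += TIER[kind]
        a["top"] = max(a["top"], TIER[kind])
        a["matched"].append(f"{kind}:{value}")
        a["tactics"].add(tactic)
    ranked = []
    for actor, a in sorted(actors.items(), key=lambda kv: -kv[1]["score"]):
        ranked.append({
            "actor": actor, "score": a["score"], "matched": a["matched"],
            # hashes and IPs are cheap to change; evidence built only on them is brittle
            "durable": a["top"] >= TIER["net_artifact"],
            "tactics": sorted(a["tactics"]),
            "responses": sorted({RESPONSE_FOR_TACTIC.get(t, "Initiate IR") for t in a["tactics"]}),
        })
    return ranked

# Constructed sightings from one host: two cheap indicators plus two behaviours.
SIGHTINGS = [("hash", "ab12cd34-constructed-sha256"), ("ip", "203.0.113.7"),
             ("tool", "PowerShell command"), ("ttp", "RAR Password")]
```

Running join_the_dots(SIGHTINGS) ranks TG-4127 first on the strength of the tool and TTP matches, while the hash-only and IP-only matches are reported but flagged as non-durable.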
Agenda
• Strategy
• Common Entry Methods
• Incident Response
• Baking in Threat Intelligence
• Lessons Learned
People and Process Are Critical
Hackers anticipate process and policy breakdowns due to understaffing, lack of training or lack of accountability.
Predict, Defend, Detect, Respond

Expertise and Staffing
– manpower must be properly deployed against today’s threats:
• variety of technical skills, expertise, credentials
• 24/7, 365 monitoring: outsource to expand capability
• ability to apply threat intelligence
• business skills: risk management, process development, advocacy

Leadership and Accountability
– a tone at the top fosters accountability for security policy
– checks and balances ensure that policy and procedure are followed
– business leaders engage in Incident Response planning

Security Awareness and Training
– all employees appreciate the risks, know the tolerance
– hackers prey on our tendency to be trusting and helpful
– insiders, even board members, can fall victim to email and phone phishing scams
– an informed, vigilant workforce is the best defense
– effective employee training and awareness programs should emulate the threats
Top Controls to Mitigate Top Threats
• Security Skills and Expertise
• Two Factor Authentication
• Incident Response Plan
• Network Design & Segregation
• Controlled Use of Privileged Accounts
• Continuous Vulnerability Assessment & Remediation
• Advanced Malware Protection
• Advanced Endpoint Monitoring
How the NSA does it
• http://www.wired.com/2016/01/nsa-hacker-chief-explains-how-to-keep-him-out-of-your-system/
• Network admin credentials are king
• Once inside, they are good at finding hard-coded passwords or passwords transmitted in clear text
• No vulnerability is insignificant – even temporary ones
• Personal devices employees bring into the office, on which they’ve allowed their kids to load Steam games, and which the workers then connect to the network
• Partner connections such as HVAC
Advice from the NSA
• Limit access privileges for important systems to those who really need them
• Segment networks and important data to make it harder for hackers to reach your jewels
• Patch systems and implement application whitelisting
• Remove hardcoded passwords and legacy protocols that transmit passwords in the clear
• Monitor network activity and produce logs that can record anomalous activity—plus a smart system administrator who actually reads the logs and pays attention to what they say
Who has the first question?
Eric Browning
[email protected]