Getting Security Operations Right with TTP0Ismael Valenzuela SANS Instructor, McAfee @aboutsecurity...
Getting Security Operations Right with TTP0
Ismael Valenzuela
SANS Instructor, McAfee - @aboutsecurity
Rob Gresham
Splunk> Phantom - @SOCologize
Where were you in 1986?
What is the story?
https://securingtomorrow.mcafee.com/mcafee-labs/emotet-trojan-acts-as-loader-spreads-automatically/
Google Market Summary
We keep seeing the same situation...
SOC Strategic Mission: manage & report risk
Success: interrupt adversary activity to mitigate loss, managing and communicating risk
Requires a strategic and tactical approach to security, where Cyber Threat Intelligence (CTI) is central to this mission
10,000 hours or 6 months?
So we sat down...
• And started to think about what works...
The security operations cycle:
• Monitor
• Discover
• Respond
• Measure
• Automate
• Transform
• Learn
Security Operations Story (30 / 60 / 90 days)
• Day 30: Understand the business, set initial goals & outline a realistic, high-impact plan
• Day 60: Create awareness, maintain focus and augment visibility
• Day 90: Report & celebrate success, identify points of change, increase scope in spiral motion
Security Operations Story: NSM (30 / 60 / 90 days)
Day 30: Understand the business, set initial goals & outline a realistic, high-impact plan
• DISCOVER… the business
• MONITOR… define zones, critical assets
• RESPOND… define IRP for them
• AUTOMATE… core actions (create tickets, data transfer processes)
• MEASURE… time to notify, remediate
Day 60: Create awareness, maintain focus and augment visibility
• TRANSFORM… create awareness
• DISCOVER… anomalies or gaps
• MONITOR… critical, high alerts
• RESPOND… refine IRP
• AUTOMATE… contextual data
• MEASURE… time to investigate, recovery
Day 90: Report & celebrate success, identify points of change, increase scope in spiral motion
• TRANSFORM… analytical quality
• DISCOVER… hunt retroactively
• MONITOR… new attack points (scope)
• RESPOND… apply lessons learned
• AUTOMATE… response scenarios
• MEASURE… alignment to business goals
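The MEASURE rows above name four durations (time to notify, investigate, remediate, recover) without saying how to compute them. The following is an added example, not code from the deck or the TTP0 project: it takes incident tickets with milestone timestamps and reports the median and worst case of each duration, overall or per SOC zone. The milestone names, the definition of each metric as the gap between two consecutive milestones, and the sample tickets are constructed assumptions. Open tickets contribute only to the metrics they have already reached, and out-of-order timestamps are rejected rather than producing negative durations that would flatter the numbers.

```python
"""Added example (not from this deck or the TTP0 project): compute the MEASURE
metrics of the 30/60/90 plan (time to notify, investigate, remediate, recover)
from incident tickets. Milestone names and sample tickets are constructed."""
from datetime import datetime
from statistics import median

# Milestones in the order they must occur; each metric is the gap between two
# consecutive milestones (an assumed definition, not the deck's).
MILESTONES = ["detected", "notified", "investigated", "remediated", "recovered"]
METRICS = {
    "time_to_notify": ("detected", "notified"),
    "time_to_investigate": ("notified", "investigated"),
    "time_to_remediate": ("investigated", "remediated"),
    "time_to_recover": ("remediated", "recovered"),
}

# Constructed sample tickets (UTC ISO-8601). INC-3 is still open, so its later
# milestones are absent and it only contributes to the metrics it has reached.
TICKETS = [
    {"id": "INC-1", "zone": "PCI", "detected": "2019-03-01T08:00:00",
     "notified": "2019-03-01T08:20:00", "investigated": "2019-03-01T09:30:00",
     "remediated": "2019-03-01T14:00:00", "recovered": "2019-03-02T08:00:00"},
    {"id": "INC-2", "zone": "DMZ", "detected": "2019-03-02T10:00:00",
     "notified": "2019-03-02T10:05:00", "investigated": "2019-03-02T10:15:00",
     "remediated": "2019-03-02T11:15:00", "recovered": "2019-03-02T11:45:00"},
    {"id": "INC-3", "zone": "PCI", "detected": "2019-03-03T12:00:00",
     "notified": "2019-03-03T12:30:00", "investigated": "2019-03-03T13:00:00"},
]


def durations_minutes(ticket):
    """Return {metric: minutes} for every metric whose two milestones are present.
    Out-of-order timestamps are a data-quality defect and raise instead of
    silently yielding negative durations."""
    stamps = {m: datetime.fromisoformat(ticket[m]) for m in MILESTONES if ticket.get(m)}
    present = [m for m in MILESTONES if m in stamps]
    for earlier, later in zip(present, present[1:]):
        if stamps[later] < stamps[earlier]:
            raise ValueError(f"{ticket['id']}: {later} precedes {earlier}")
    out = {}
    for metric, (start, end) in METRICS.items():
        if start in stamps and end in stamps:
            out[metric] = (stamps[end] - stamps[start]).total_seconds() / 60
    return out


def metrics(tickets, zone=None):
    """Median and worst case (minutes) per metric, optionally for one SOC zone."""
    rows = [durations_minutes(t) for t in tickets if zone is None or t["zone"] == zone]
    summary = {}
    for metric in METRICS:
        values = [r[metric] for r in rows if metric in r]
        if values:
            summary[metric] = {"n": len(values),
                               "median_min": median(values),
                               "max_min": max(values)}
    return summary


if __name__ == "__main__":
    for zone in (None, "PCI", "DMZ"):
        print(zone or "all zones", metrics(TICKETS, zone))
```

Reporting the median alongside the maximum is deliberate: a single long recovery (INC-1 above, 18 hours) would dominate a mean, while the median shows the typical case and the maximum shows the outlier worth a lessons-learned review.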
Discover
What's important, Crown Jewels, save one's SOEL
• Understand the Business Units and talk to your IT cohorts
• Understand what's critical to enterprise operations
• Review the Business Continuity Plan (if they have one)
• Start early, don't wait...
“In preparing for battle I have always found that plans are useless, but planning is indispensable.” - Dwight D. Eisenhower
Monitor
SOC Zoning
Using the concept of SOC Zones to defend your organization brings both IT and business context to bear, which simplifies building effective Use-Cases.
Set the stage to build efficient response processes around...
• Zones
• Categories
• Severity
• Sensitivity
• Resource Tiers
Monitor
Other examples:
• OT/ICS
• Manufacturing
• R&D
• PCI Zones
• Business-critical application
• Cloud critical hosting
• DMZ
Zoning should be implemented in a way that reflects business-critical capability
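As an added example (not code from the deck or the TTP0 project), the block below shows how a zone table turns the list above into a triage rule: an alert's asset address is matched to a zone by longest prefix, and zone criticality, use-case category, severity and sensitivity combine into a priority and an owning resource tier. The zone definitions, the scoring formula and thresholds, the tier numbering (1 most senior), the sensitivity labels and the sample alerts are all constructed assumptions; the point is that the business context lives in one table, and every use-case reads it instead of hard-coding its own notion of "critical".

```python
"""Added example (not from this deck or the TTP0 project): derive an alert's
initial priority and owning resource tier from SOC zone, category, severity
and sensitivity. Zone table, weights, thresholds and alerts are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Zone:
    name: str
    criticality: int   # assumed scale: 1 (commodity) .. 5 (crown jewels)
    sensitivity: str   # assumed data-handling label for the zone
    tier: int          # assumed resource tier that owns response by default


# Constructed zoning table. Overlaps are allowed; the most specific prefix
# wins, so the PCI /24 carved out of the corporate /8 is recognised as PCI.
ZONES = [
    (ipaddress.ip_network("10.10.0.0/24"), Zone("PCI", 5, "regulated", 1)),
    (ipaddress.ip_network("10.20.0.0/16"), Zone("OT/ICS", 5, "safety", 1)),
    (ipaddress.ip_network("10.30.0.0/16"), Zone("R&D", 4, "confidential", 2)),
    (ipaddress.ip_network("192.0.2.0/24"), Zone("DMZ", 3, "public", 2)),
    (ipaddress.ip_network("10.0.0.0/8"), Zone("Corporate", 2, "internal", 3)),
]
UNZONED = Zone("Unzoned", 1, "unknown", 3)   # anything not in the table

SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}
# Use-case categories that imply an adversary already operating inside get a bump.
CATEGORY_BONUS = {"malware": 1, "c2": 2, "lateral_movement": 2, "policy": 0}

# Constructed sample alerts, as a use-case engine might emit them.
ALERTS = [
    {"name": "Beacon to known C2", "asset_ip": "10.10.0.5",
     "severity": "high", "category": "c2"},
    {"name": "USB policy violation", "asset_ip": "10.50.1.2",
     "severity": "low", "category": "policy"},
    {"name": "Webshell dropped", "asset_ip": "192.0.2.10",
     "severity": "medium", "category": "malware"},
    {"name": "Pass-the-hash", "asset_ip": "172.16.0.1",
     "severity": "critical", "category": "lateral_movement"},
]


def zone_for(ip):
    """Longest-prefix match of an asset address against the zone table."""
    addr = ipaddress.ip_address(ip)
    for net, zone in sorted(ZONES, key=lambda entry: -entry[0].prefixlen):
        if addr in net:
            return zone
    return UNZONED


def triage(alert):
    """score = severity x zone criticality + category bonus (assumed formula)."""
    zone = zone_for(alert["asset_ip"])
    score = SEVERITY[alert["severity"]] * zone.criticality \
        + CATEGORY_BONUS.get(alert["category"], 0)
    priority = "P1" if score >= 15 else "P2" if score >= 6 else "P3"
    return {
        "alert": alert["name"],
        "zone": zone.name,
        "sensitivity": zone.sensitivity,
        "score": score,
        "priority": priority,
        # Assumed rule: a P1 always goes straight to the most senior tier.
        "owner_tier": 1 if priority == "P1" else zone.tier,
        # Assumed rule: regulated and safety zones constrain who may be looped in.
        "handling": "restricted" if zone.sensitivity in ("regulated", "safety") else "normal",
    }


if __name__ == "__main__":
    for alert in ALERTS:
        print(triage(alert))
```

Note the last sample alert: a critical lateral-movement finding on an unzoned host is still only a P2 here, which is exactly the kind of result to feed back into the DISCOVER step, since an unzoned asset usually means the zoning is incomplete rather than the asset unimportant.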
Monitor
Determine essential security feeds and intelligence sources
Monitor
Effective application of content (threat content engineering)
Response
Block Processes and C2 Channels
• External Contextualization
• Internal Scoping (beyond reporting)
• Root Cause Analysis
• Triage Forensics
• Contain, not remediate
• Eradicate / Recovery
• Lessons Learned
AUTOMATE: Introducing TTP0 DRONE
Automate
Configure & automate ticket creation with DRONE, by @DFIRENCE - https://github.com/TTP0/drone
Check out our WIKI
• https://github.com/TTP0/drone/wiki/OVERVIEW
TRANSFORM
Create awareness by telling a story - https://github.com/TTP0/ttp0_community_templates
[Actor Tracker template slide, marked TLP: RED: a JAN-DEC timeline with rows for Blog/Report, Victim and Weapons; example entries "FEYE - APT1", "<ActorNameHere> - <YYYY>", "SPEARPHISHING"]
0Tier Threat Response Team: Threat Mitigation and Recovery Team (12 - Team)
Incident Leader
• Hunt
  - Scan & Assess: Vulnerability Analysis, Risk Assessment
  - Find & Analyze: System Integrity, Forensics
• Monitor
  - Network (SO, Bro, Snort)
  - Host (HIPS, Raptor, ePO)
• Harden
  - Windows (AppLocker, GPO, EMET)
  - Linux/Unix (iptables, rkhunter)
  - Infrastructure (ACLs, MAC blocks)
• Intelligence - LE Liaison
Roles: Incident Response Lead, Incident Responder, SOC IR, SOC Analyst, Red Teamer, CTI Analyst, Host Forensics, Net Forensics, Host Discovery
www.ttp0.io
What is available today
- TTP0 DRONE by @DFIRENCE
  - Automates incident creation with zones, tiers, etc.
  - Requires Python 2.7 and an installed TheHive instance
  - GitHub: https://github.com/TTP0/drone
- Opbrief PPT templates by TLP
- Actor Tracker PPT templates by TLP
- 0Tier Threat Response model vs. 3-Tier Traditional SOC
- A curated list of awesome GitHub resources we use
What we are working on
- Security Operations Story templates
- Tying Use Cases to Response Playbooks
- Investigation and Response Metrics
- Security Operations Templates for Managers
- Tools matrix
- SWOT * TWOS Analysis
- Staff management & SOC scheduling configurations
- How-To Guidelines:
  - Zoning, tiers, etc.
  - Use Case prioritization
  - Standardize Automation Investigation Playbooks
Thanks! Follow us @TTP_0
TTP0 Founders:
Ask us how to contribute: [email protected]
@dfirence @carric
Carlos Diaz Carric Dooley Rob Gresham Ismael Valenzuela
@SOCologize @aboutsecurity
Thank you!