Getting Security Operations Right with TTP0

Post on 26-Feb-2020



Ismael Valenzuela

SANS Instructor, McAfee, @aboutsecurity

Rob Gresham

Splunk> Phantom, @SOCologize

Where were you in 1986?


What is the story?

https://securingtomorrow.mcafee.com/mcafee-labs/emotet-trojan-acts-as-loader-spreads-automatically/

Google Market Summary

We keep seeing the same situation...

SOC Strategic Mission: manage & report risk

Success: interrupt adversary activity to mitigate loss, managing and communicating risk

Requires a strategic and tactical approach to security, where Cyber Threat Intelligence (CTI) is central to this mission

10,000 hours or 6 months?

So we sat down...

• And started to think about what works...

Security operations cycle: Discover, Monitor, Respond, Automate, Measure, Transform, Learn

Security Operations Story (30 / 60 / 90 days)

30: Understand the business, set initial goals & outline a realistic, high-impact plan

60: Create awareness, maintain focus and augment visibility

90: Report & celebrate success, identify points of change, increase scope in spiral motion

Security Operations Story: NSM (30 / 60 / 90 days)

30: Understand the business, set initial goals & outline a realistic, high-impact plan

• DISCOVER… the business
• MONITOR… define zones, critical assets
• RESPOND… define IRP for them
• AUTOMATE… core actions (create tickets, data transfer processes)
• MEASURE… time to notify, remediate
• TRANSFORM… create awareness

60: Create awareness, maintain focus and augment visibility

• DISCOVER… anomalies or gaps
• MONITOR… critical, high alerts
• RESPOND… refine IRP
• AUTOMATE… contextual data
• MEASURE… time to investigate, recovery
• TRANSFORM… analytical quality

90: Report & celebrate success, identify points of change, increase scope in spiral motion

• DISCOVER… hunt retroactively
• MONITOR… new attack points (scope)
• RESPOND… apply lessons learned
• AUTOMATE… response scenarios
• MEASURE… alignment to business goals
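The MEASURE items in the 30- and 60-day plans (time to notify and remediate, then time to investigate and recover) are only comparable across months if every ticket is measured from the same timestamps. The Python below is an added example, not TTP0 or DRONE code: the Incident fields, the three constructed tickets and the 15-minute notification target are assumptions made for illustration, and the zone names reuse the zone examples from later slides.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Dict, List, Optional

METRICS = ("time_to_notify", "time_to_investigate", "time_to_remediate", "time_to_recover")


@dataclass
class Incident:
    """One ticket. Field names are assumptions for this example, not DRONE or TheHive fields."""
    ticket: str
    zone: str
    detected: datetime        # first alert fired
    notified: datetime        # asset or business owner told
    investigated: datetime    # scoping and root cause finished
    remediated: datetime      # eradication complete
    recovered: Optional[datetime] = None  # service restored; None while still open


def _minutes(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 60.0


def incident_metrics(inc: Incident) -> Dict[str, Optional[float]]:
    """Durations in minutes, all anchored on detection or notification so tickets are comparable.
    Recovery stays None until the ticket records that the business service was restored."""
    return {
        "time_to_notify": _minutes(inc.detected, inc.notified),
        "time_to_investigate": _minutes(inc.notified, inc.investigated),
        "time_to_remediate": _minutes(inc.detected, inc.remediated),
        "time_to_recover": _minutes(inc.detected, inc.recovered) if inc.recovered else None,
    }


def summarize(incidents: List[Incident], zone: Optional[str] = None) -> Dict[str, Optional[float]]:
    """Median of each metric, optionally for one SOC zone only.
    A median is used so one week-long incident does not dominate the month's number."""
    rows = [incident_metrics(i) for i in incidents if zone is None or i.zone == zone]
    out: Dict[str, Optional[float]] = {}
    for name in METRICS:
        values = [r[name] for r in rows if r[name] is not None]
        out[name] = median(values) if values else None
    return out


def over_target(incidents: List[Incident], metric: str, target_minutes: float) -> List[str]:
    """Tickets whose metric exceeded the agreed target; the row a manager wants in the report."""
    late = []
    for inc in incidents:
        value = incident_metrics(inc)[metric]
        if value is not None and value > target_minutes:
            late.append(inc.ticket)
    return late


T = datetime.fromisoformat

# Constructed sample tickets (not real incidents); INC-3 is still open, so it has no recovery time.
SAMPLE_INCIDENTS = [
    Incident("INC-1", "PCI", T("2020-02-10T09:00"), T("2020-02-10T09:10"), T("2020-02-10T11:00"),
             T("2020-02-10T15:00"), T("2020-02-10T18:00")),
    Incident("INC-2", "DMZ", T("2020-02-11T22:00"), T("2020-02-11T22:45"), T("2020-02-12T01:00"),
             T("2020-02-12T02:00"), T("2020-02-12T03:00")),
    Incident("INC-3", "CORP", T("2020-02-12T08:00"), T("2020-02-12T08:05"), T("2020-02-12T09:00"),
             T("2020-02-12T10:00")),
]

if __name__ == "__main__":
    print("all zones:", summarize(SAMPLE_INCIDENTS))
    print("PCI only:", summarize(SAMPLE_INCIDENTS, zone="PCI"))
    print("notified later than 15 min:", over_target(SAMPLE_INCIDENTS, "time_to_notify", 15))
```

Running the block prints the medians for all zones and for PCI alone, then the tickets that missed the constructed 15-minute notification target (INC-2, notified after 45 minutes). Keeping time_to_recover as None for open tickets, rather than zero, is deliberate: it keeps unfinished work from pulling the recovery median down.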

Discover

What’s important, Crown Jewels, save one’s SOEL

• Understand the Business Units and talk to your IT cohorts
• Understand what’s critical to enterprise operations
• Review the Business Continuity Plan (if they have one)
• Start early, don’t wait...

“In preparing for battle I have always found that plans are useless, but planning is indispensable.” - Dwight D. Eisenhower

Monitor

SOC Zoning

Using the concept of SOC Zones to defend your organization brings both IT and business context into the picture, which simplifies building effective Use-Cases

Set the stage to build efficient response processes around...

• Zones
• Categories
• Severity
• Sensitivity
• Resource Tiers

Monitor

Other Examples:

• OT/ICS
• Manufacturing
• R&D
• PCI Zones
• Business-critical application
• Cloud critical hosting
• DMZ

Zoning should be implemented in a way that reflects business-critical capability
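To make zones, categories, severity, sensitivity and resource tiers concrete, here is an added Python example (not TTP0 or DRONE code) that scores an alert by the zone of the affected asset and routes it to a resource tier. The zone catalogue reuses the zone names from the slides, but its criticality numbers, the host inventory, the weights and the tier thresholds are all constructed assumptions for this demo.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed zone catalogue: business criticality (1-5) and data sensitivity per zone.
# Zone names follow the slide's examples; the numbers are assumptions for this example.
ZONES: Dict[str, Dict] = {
    "PCI":            {"criticality": 5, "sensitivity": "restricted"},
    "OT-ICS":         {"criticality": 5, "sensitivity": "restricted"},
    "R&D":            {"criticality": 4, "sensitivity": "confidential"},
    "CLOUD-CRITICAL": {"criticality": 4, "sensitivity": "confidential"},
    "DMZ":            {"criticality": 3, "sensitivity": "internal"},
    "CORP":           {"criticality": 2, "sensitivity": "internal"},
}
UNZONED = {"criticality": 1, "sensitivity": "internal"}  # fallback for assets nobody has claimed

# Constructed asset inventory (hostname -> zone). In practice this is the output of the
# DISCOVER work: talking to the business units and reviewing what is critical to them.
ASSETS: Dict[str, str] = {
    "pos-01": "PCI",
    "hmi-03": "OT-ICS",
    "web-dmz-02": "DMZ",
    "laptop-117": "CORP",
}

SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}      # detection tool's severity
SENSITIVITY = {"internal": 1, "confidential": 2, "restricted": 3}  # data-sensitivity bump


@dataclass
class Alert:
    host: str
    category: str   # use-case category, e.g. "malware", "c2", "webshell"
    severity: str   # one of the SEVERITY keys


def zone_for(host: str) -> str:
    return ASSETS.get(host, "UNZONED")


def score(alert: Alert) -> int:
    """Tool severity weighted by the zone's business criticality, plus a sensitivity bump.
    Max is 4 * 5 + 3 = 23; an unzoned host with a 'high' alert scores only 3 * 1 + 1 = 4."""
    zone = ZONES.get(zone_for(alert.host), UNZONED)
    return SEVERITY[alert.severity] * zone["criticality"] + SENSITIVITY[zone["sensitivity"]]


def resource_tier(s: int) -> str:
    """Map the score to who picks the alert up first (thresholds are assumptions)."""
    if s >= 15:
        return "tier3-ir-lead"
    if s >= 9:
        return "tier2"
    return "tier1"


def triage(alert: Alert) -> Dict:
    z = zone_for(alert.host)
    s = score(alert)
    return {
        "host": alert.host, "zone": z, "category": alert.category,
        "score": s, "tier": resource_tier(s),
        # An alert on an unzoned asset is also a DISCOVER gap: the inventory is incomplete.
        "discover_gap": z == "UNZONED",
    }


def prioritize(alerts: List[Alert]) -> List[Dict]:
    """Work queue ordered by business impact rather than by the tool's severity alone."""
    return sorted((triage(a) for a in alerts), key=lambda t: t["score"], reverse=True)


# Constructed sample alerts; "printer-9" is deliberately missing from the inventory.
SAMPLE_ALERTS = [
    Alert("laptop-117", "malware", "low"),
    Alert("pos-01", "c2", "high"),
    Alert("web-dmz-02", "webshell", "critical"),
    Alert("hmi-03", "policy", "medium"),
    Alert("printer-9", "malware", "high"),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_ALERTS):
        print(row)
```

The point the ordering makes: a 'critical' webshell alert on a DMZ host and a 'medium' policy alert on an OT/ICS HMI land on the same tier, while the 'high' malware alert on the unknown printer drops to tier 1 but is flagged as an inventory gap to feed back into the next DISCOVER pass.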

Monitor

Determine essential security feeds and intelligence sources

Monitor

Effective application of content

(threat content engineering)

Response

Block Processes and C2 Channels

• External Contextualization
• Internal Scoping (beyond reporting)
• Root Cause Analysis
• Triage Forensics
• Contain, not remediate
• Eradicate / Recovery
• Lessons Learned


AUTOMATE: Introducing TTP0 DRONE

Automate

Configure & automate ticket creation with DRONE, by @DFIRENCE: https://github.com/TTP0/drone

Check out our WIKI

• https://github.com/TTP0/drone/wiki/OVERVIEW

TRANSFORM

Create awareness by telling a story: https://github.com/TTP0/ttp0_community_templates

[Actor Tracker template slide, marked TLP: RED: a JAN to DEC timeline with rows for Blog/Report, Victim and Weapons, a placeholder title of <ActorNameHere> - <YYYY>, and example entries FEYE - APT1 and SPEARPHISHING.]

0Tier Threat Response Team: Threat Mitigation and Recovery Team (12 - Team)

Incident Leader

Functions: Hunt, Scan & Assess, Vulnerability Analysis, Risk Assessment, Find & Analyze, System Integrity, Forensics, Monitor (Network: SO, Bro, Snort; Host: HIPS, Raptor, ePO), Harden (Windows: AppLocker, GPO, EMET; Linux/Unix: IPTables, rkhunter; Infrastructure: ACLs, MAC Blocks), Intelligence - LE Liaison

Roles: Incident Response Lead, Incident Responder, SOC IR, SOC Analyst, Red Teamer, CTI Analyst, Host Forensics, Net Forensics, Host Discovery

www.ttp0.io

What is available today

- TTP0 DRONE by @DFIRENCE

- Automates incident creation with zones, tiers, etc

- Requires Python 2.7 and an installed TheHive instance

- GitHub: https://github.com/TTP0/drone

- Opbrief PPT templates by TLP

- Actor Tracker PPT templates by TLP

- 0Tier Threat Response model vs 3Tier Traditional SOC

- A curated list of awesome GitHub resources we use

What we are working on

- Security Operations Story templates
- Tying Use Cases to Response Playbooks
- Investigation and Response Metrics
- Security Operations Templates for Managers
- Tools matrix
- SWOT / TOWS Analysis
- Staff management & SOC scheduling configurations
- How To Guidelines: zoning, tiers, etc.; Use Case prioritization; standardized Automation Investigation Playbooks

Thanks! Follow us @TTP_0

TTP0 Founders: Carlos Diaz (@dfirence), Carric Dooley (@carric), Rob Gresham (@SOCologize), Ismael Valenzuela (@aboutsecurity)

Ask us how to contribute: info@ttp0.io

Thank you!