SANS Blue Team Summit
Intelligence-Driven Defense: Successfully Embedding Cyber Threat Intel in Security Operations
@aboutsecurity / Ismael Valenzuela Principal Engineer at McAfee, SANS Instructor, GSE #132
© 2018 Ismael Valenzuela | All Rights Reserved
© 2018 Ismael Valenzuela - @aboutsecurity
Where were you in 1986?
Cliff Stoll - 1986
Was it the rope or the revolver?
https://www.youtube.com/watch?v=1h7rLHNXio8
“I thought all I had to do was show the data and people would
understand. It doesn’t work. You have to tell a story”
Cliff Stoll – SANS CTI Summit 2017
What makes a good “story?”
• Who is attacking us?
• What is their motivation?
• Were they here before?
• How do they operate?
• What is the impact to our business?
• …and will they come back?
Threat Intelligence and SOC (MGT 517) – The Program
Inputs
Production
• IOCs derived from internal sources
• Data from NSM sources, for hunting and data mining
Consumption
• External threat feeds (often paid for)
• External reputation feeds (often paid for)
• External news – “open source collection”
Artifacts
• Bulletins – notify other function areas
• Internal intelligence repository – posterity
• Incident attribution – to named actor
• NIDS / HIDS rules – future detection
• Posture enhancement reports – show the business how to improve
Threat Intelligence and SOC (MGT 517) – The Program
[Diagram: capability areas Open Source Data Collection, Hunting Teams, Attribution Capabilities and Adversary Tracking]
Sources shown: Open Source Resources, Internal Information Sources, Attribution Info, Threat Intelligence
Activities shown:
• Collect open source info
• Collect internal adversary info
• Retain adversary characteristics
• Internal threat actor attribution & characteristics
• Correlate events to threat actors
Threat Intelligence and SOC (MGT 517) – The Program
Suggestion to Threat Actors – Take a Selfie with Stolen Loot
[Photo caption] Elvis Rafael Rodriguez, left, and Emir Yasser Yeje, two of those charged in Brooklyn on Thursday, posed in March with approximately $40,000 in cash that the authorities say they were laundering.
https://www.nytimes.com/2013/05/10/nyregion/eight-charged-in-45-million-global-cyber-bank-thefts.html
So where do I start?
Where you DON’T want to start
• Asking for $$$$ to hire a bunch of threat intel analysts
• Going to RSA/Black Hat and buying a random TIP (or maybe two)
• “Just send me feeds!!!” (as an overloaded SIEM once said)
• Re-attempting to start the “spreadsheet of doom”
• Trying to attribute threat actors by looking at malware code, just because you’re 1337
• Adopting models just because everyone (including Gartner) says so
Successfully embedding Threat Intel in SecOps: Tips & Tricks *
* none of this replaces a well-planned and resourced threat intel program
Use MODELS that focus on BEHAVIOR, but remember none of them are perfect!
• Cyber Kill chain from Lockheed Martin
• MITRE ATT&CK Matrix
• OODA Loop
• Diamond Model
• Find, Fix, Finish, Exploit, Analyze, Disseminate (F3EAD)
• Whatever new pyramid you come up with…
Don’t forget that Threat Models aren’t just for AppSec!
• How are you going to prioritize what’s important to you?
• How do you know who’s after you?
• Learn from your incidents!
  • What were they after?
  • How did they get in?
  • What tools did they use?
  • Start building a profile
• Don’t wait for an incident. Start mining your previous ones.
It’s all about IMPACT
• And impact varies greatly based on CONTEXT:
  • Is an nmap scan high severity or low severity?
  • Is a phishing email high severity or low severity?
• It depends on:
  • What assets are involved?
  • What services do they support?
  • Where are they located in your network?
  • What defensive mechanisms are in place?
  • What other events are these alerts connected to?
  • …
Definition of insanity = focusing on external intelligence and ignoring internal intelligence
We know this… yet, when we think about intelligence the 1st thing we ask for is: 3rd party feeds for our SIEM!
The solution is not necessarily to get rid of all the low fidelity rules, but to use them strategically, leveraging “internal intelligence”
Reducing noise by using “internal” intelligence
Do not alert on IOC feeds, use them for enrichment!
Apply low fidelity indicators to tiers, strategically:
- High value assets
  - VIP users
  - Users with access to crown jewels
  - Business critical infrastructure
- High risk assets
  - Those that exhibit risky behavior (yes, like those that fail your phishing tests!)
  - Legacy software
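As an added example (not from the talk), the following Python shows the “enrich, don’t alert” pattern from this slide: every event is tagged with feed context, but an alert fires only when a low-fidelity indicator touches an asset in the high-value or high-risk tier. The feed entries, asset inventory, tier labels and events are constructed sample data, and the field names are this example’s own.

```python
"""Added example (not from the talk): enrich events with low-fidelity IOC
feed hits, and alert only when a hit lands on a high-value/high-risk asset.
Feed, asset inventory and events are constructed sample data."""
from dataclasses import dataclass, field

# Constructed low-fidelity feed: a reputation list nobody should page on directly.
IOC_FEED = {
    "203.0.113.45": {"source": "rep-feed-A", "tag": "scanner"},
    "198.51.100.7": {"source": "rep-feed-B", "tag": "c2-suspected"},
    "bad-update.example": {"source": "osint-news", "tag": "phish-kit"},
}

# Constructed asset inventory carrying the tiers described on the slide.
ASSET_TIERS = {
    "10.0.1.10": {"host": "fileserver01", "tier": "high_value", "reason": "crown-jewel file share"},
    "10.0.1.11": {"host": "cfo-laptop", "tier": "high_value", "reason": "VIP user"},
    "10.0.2.50": {"host": "wks-0050", "tier": "high_risk", "reason": "failed last 2 phishing tests"},
    "10.0.2.51": {"host": "legacy-hr-app", "tier": "high_risk", "reason": "unsupported OS"},
    "10.0.3.99": {"host": "wks-0099", "tier": "standard", "reason": ""},
}


@dataclass
class Event:
    src: str            # source IP
    dst: str            # destination IP or domain
    raw: str            # short description of the event (constructed)
    enrichment: dict = field(default_factory=dict)


def enrich(event: Event) -> Event:
    """Attach feed and asset context to every event. This is enrichment, not alerting."""
    for side in ("src", "dst"):
        value = getattr(event, side)
        if value in IOC_FEED:
            event.enrichment[f"{side}_ioc"] = IOC_FEED[value]
        if value in ASSET_TIERS:
            event.enrichment[f"{side}_asset"] = ASSET_TIERS[value]
    return event


def should_alert(event: Event) -> bool:
    """Alert only when a low-fidelity IOC touches a high_value or high_risk asset."""
    ioc_hit = any(k.endswith("_ioc") for k in event.enrichment)
    tiers = {v["tier"] for k, v in event.enrichment.items() if k.endswith("_asset")}
    return ioc_hit and bool(tiers & {"high_value", "high_risk"})


def triage(events):
    """Split events into (alerts, enriched_only); nothing is dropped, everything is enriched."""
    alerts, enriched_only = [], []
    for ev in map(enrich, events):
        (alerts if should_alert(ev) else enriched_only).append(ev)
    return alerts, enriched_only


# Constructed sample events.
SAMPLE_EVENTS = [
    Event("10.0.3.99", "203.0.113.45", "standard workstation touched by a scanner IP"),
    Event("10.0.1.11", "198.51.100.7", "VIP laptop talking to a suspected C2"),
    Event("10.0.2.50", "bad-update.example", "phish-test failer resolving a phish-kit domain"),
    Event("10.0.1.10", "10.0.2.50", "internal SMB traffic, no indicator involved"),
]

if __name__ == "__main__":
    alerts, enriched_only = triage(SAMPLE_EVENTS)
    for ev in alerts:
        print("ALERT ", ev.raw, ev.enrichment)
    for ev in enriched_only:
        print("ENRICH", ev.raw, ev.enrichment)
```

Only the VIP laptop and the phishing-test failer produce alerts; the scanner hit on a standard workstation and the internal SMB event are kept with their enrichment for hunting and correlation later.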
Automation needed
Effectively managing, curating and applying indicators to different tiers will require significant maintenance over time.
• Threat Intelligence Platforms (TIP) are the best tools for this
• Start with open source (MISP/CRITs), then move to commercial if needed, once you understand your requirements
You will also need to collect feedback, generate your own intelligence and develop metrics to track success over time.
• Case management tools are great for this!
TheHive
http://chrissanders.org/2017/03/case-management-the-hive/
TheHive
https://blog.thehive-project.org/2017/06/19/thehive-cortex-and-misp-how-they-all-fit-together/
TheHive can receive alerts from different sources via REST API, and connect to one or several MISP instances.
Cases can be created from alerts or from scratch, and are divided into tasks and observables.
Observables can be tagged, flagged as IOCs and analyzed (via Cortex).
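As an added example (not from the talk and not TheHive project’s own code), the Python below takes raw indicators produced by an internal hunt, infers the observable type for each, flags them as IOCs and posts the result to TheHive as an alert. The server URL and API key are placeholders, and the JSON field names (`title`, `source`, `sourceRef`, `artifacts` with `dataType`/`data`/`ioc`) follow the TheHive 3 `/api/alert` shape as assumed here; check them against the version you run.

```python
"""Added example (not from the talk or TheHive): build a TheHive alert with
typed observables from raw indicator strings and POST it over the REST API.
URL, key and the /api/alert JSON layout are assumptions to verify locally."""
import hashlib
import ipaddress
import json
import re
import urllib.request

THEHIVE_URL = "http://thehive.example:9000"   # assumption: placeholder
API_KEY = "REPLACE_ME"                          # assumption: placeholder

_HASH_LENGTHS = {32, 40, 64}                    # md5, sha1, sha256 hex digests
_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]+\.)+[a-z]{2,}$", re.I)


def classify(value: str) -> str:
    """Map a raw indicator string to a TheHive observable dataType."""
    v = value.strip()
    try:
        ipaddress.ip_address(v)
        return "ip"
    except ValueError:
        pass
    if v.lower().startswith(("http://", "https://")):
        return "url"
    if re.fullmatch(r"[0-9a-fA-F]+", v) and len(v) in _HASH_LENGTHS:
        return "hash"
    if "@" in v and _DOMAIN_RE.match(v.split("@", 1)[1]):
        return "mail"
    if _DOMAIN_RE.match(v):
        return "domain"
    return "other"


def build_alert(case_ref: str, title: str, indicators, tags=()) -> dict:
    """Build the alert body. sourceRef is derived from the internal reference so
    that re-sending the same hunt result does not create a duplicate alert."""
    artifacts = [
        {"dataType": classify(i), "data": i.strip(), "ioc": True, "tags": list(tags)}
        for i in indicators
    ]
    return {
        "title": title,
        "description": f"Internal intelligence from the hunting team, ref {case_ref}",
        "type": "internal-hunt",
        "source": "hunt-team",
        "sourceRef": hashlib.sha256(case_ref.encode()).hexdigest()[:16],
        "severity": 2,
        "tlp": 2,
        "tags": list(tags),
        "artifacts": artifacts,
    }


def send_alert(alert: dict, url: str = THEHIVE_URL, api_key: str = API_KEY) -> dict:
    """POST the alert; TheHive returns the created alert as JSON."""
    req = urllib.request.Request(
        f"{url}/api/alert",
        data=json.dumps(alert).encode(),
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {api_key}"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed indicators from a hypothetical hunt.
    alert = build_alert(
        "HUNT-2018-007", "Suspected C2 beacon from finance segment",
        ["198.51.100.7", "bad-update.example", "d41d8cd98f00b204e9800998ecf8427e",
         "https://bad-update.example/kit.zip", "billing@bad-update.example"],
        tags=["hunt", "c2"])
    print(json.dumps(alert, indent=2))
    # send_alert(alert)  # uncomment once THEHIVE_URL and API_KEY point at a real instance
```

Deriving `sourceRef` from the internal case reference is what makes the feedback loop idempotent: the same hunt result pushed twice updates one alert instead of spawning two cases for the analyst to merge.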
Once you have these systems in place... test them!
Don’t wait for an incident to find out these systems don’t work for you:
• Use TTX or Red Teaming exercises
• Be specific. Rehearse scenarios that are applicable to your environment. Tell a story, document & drive change!
• Don’t be adversarial. The objective is not to win, but to learn & mature.
• Consider if you’re prepared for fully unannounced exercises or if hand holding is required.
MITRE Adversary Emulation Plan Methodology
https://attack.mitre.org/wiki/Adversary_Emulation_Plans
Learn through simulation: Example
• Victim: HACME Software
• Operation Name: Skeleton in the closet
• Objectives:
  • Exfiltration of documents
  • Target IP (code) in file shares
• Threat Actor:
  • Angry Panda (Chinese group, behaves similarly to APT3)
• Initial entry point: Phishing attack
• Other tactics: persistence (scheduled task), privilege escalation (weak NTFS permissions), lateral movement (Mimikatz & PsExec) and exfiltration (HTTP over 443, not SSL)
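An emulation plan is only useful if the blue team can say, per step, whether anything would have fired. As an added example (not from the talk), the Python below encodes one detection rule for each post-entry TTP in the plan above and runs them over constructed Sysmon-style process-creation and Zeek-style connection records. The technique IDs are current ATT&CK parent techniques chosen here (the deck predates sub-techniques); the weak-NTFS-permissions step is a configuration finding rather than an event and is left out; the exfiltration volume threshold is a tunable picked for the sample.

```python
"""Added example (not from the talk): rule logic for the post-entry TTPs in
the 'Skeleton in the closet' plan, run over constructed Sysmon-style and
Zeek-style records. ATT&CK IDs are current parent techniques chosen here."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:          # shaped like Sysmon Event ID 1, fields trimmed
    host: str
    user: str
    image: str
    cmdline: str


@dataclass(frozen=True)
class ConnEvent:          # shaped like a Zeek conn record, fields trimmed
    host: str
    dst_ip: str
    dst_port: int
    service: str          # protocol identified on the wire, e.g. "ssl" or "http"
    bytes_out: int


EXFIL_BYTES = 1_000_000   # tunable: cleartext HTTP on 443 above this is suspicious


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def r_scheduled_task(ev):
    """Persistence via schtasks /create."""
    if isinstance(ev, ProcEvent) and _basename(ev.image) == "schtasks.exe" \
            and "/create" in ev.cmdline.lower():
        return ("T1053", "Scheduled Task/Job: schtasks /create")


def r_cred_dump(ev):
    """Mimikatz-style credential dumping by command line or binary name."""
    if isinstance(ev, ProcEvent):
        cl = ev.cmdline.lower()
        if "sekurlsa" in cl or "lsadump" in cl or "mimikatz" in _basename(ev.image):
            return ("T1003", "OS Credential Dumping: mimikatz-style command line")


def r_psexec(ev):
    """PsExec on the source host, or its service binary landing on the target."""
    if isinstance(ev, ProcEvent):
        name = _basename(ev.image)
        if name in ("psexec.exe", "psexec64.exe") and re.search(r"\\\\[\w.-]+", ev.cmdline):
            return ("T1021", "Remote Services: PsExec to a remote host")
        if name == "psexesvc.exe":
            return ("T1021", "Remote Services: PSEXESVC service binary on target")


def r_plain_http_443(ev):
    """The plan's exfil channel: HTTP on tcp/443 that is not TLS."""
    if isinstance(ev, ConnEvent) and ev.dst_port == 443 and ev.service == "http" \
            and ev.bytes_out > EXFIL_BYTES:
        return ("T1048", "Exfiltration Over Alternative Protocol: cleartext HTTP on tcp/443")


RULES = (r_scheduled_task, r_cred_dump, r_psexec, r_plain_http_443)


def detect(events):
    """Return [(technique_id, rule_description, event), ...] for every rule hit."""
    hits = []
    for ev in events:
        for rule in RULES:
            res = rule(ev)
            if res:
                hits.append((res[0], res[1], ev))
    return hits


# Constructed sample: benign noise plus one instance of each planned TTP.
SAMPLE = [
    ProcEvent("WKS-0050", "HACME\\jdoe", r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /sc onlogon /tn Updater /tr "C:\Users\Public\u.exe"'),
    ProcEvent("WKS-0050", "HACME\\jdoe", r"C:\Windows\System32\schtasks.exe",
              "schtasks /query /tn Updater"),
    ProcEvent("WKS-0050", "NT AUTHORITY\\SYSTEM", r"C:\Users\Public\m.exe",
              "m.exe privilege::debug sekurlsa::logonpasswords exit"),
    ProcEvent("WKS-0050", "HACME\\svc_backup", r"C:\Tools\PsExec.exe",
              r"PsExec.exe \\FILESRV01 -s cmd.exe"),
    ProcEvent("FILESRV01", "NT AUTHORITY\\SYSTEM", r"C:\Windows\PSEXESVC.exe", "PSEXESVC.exe"),
    ConnEvent("FILESRV01", "198.51.100.7", 443, "ssl", 40_000),
    ConnEvent("FILESRV01", "198.51.100.7", 443, "http", 25_000_000),
]

if __name__ == "__main__":
    for tid, desc, ev in detect(SAMPLE):
        print(tid, desc, "on", ev.host)
```

Running the emulation and then this kind of rule set side by side is the “tell a story, document & drive change” step: every planned TTP with no hit is a concrete detection gap to take back to the SOC.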
More automation!! – Uber Metta
Uber’s Metta for adversarial simulation
https://github.com/uber-common/metta
Parses YAML files with actions sorted by MITRE ATT&CK
More automation!! - APT Simulator, RTA, Caldera and more
Florian Roth’s APT Simulator, a Windows Batch script that makes a system look as if it was compromised
https://github.com/NextronSystems/APTSimulator
Other projects:
https://github.com/redcanaryco/atomic-red-team
https://www.endgame.com/blog/technical-blog/introducing-endgame-red-team-automation
https://github.com/mitre/caldera
More automation!! – Unfetter analytic
A community-driven suite of open source tools leveraging the MITRE ATT&CK framework.
It collects events with Sysmon from a client machine (Windows 7) and performs CAR analytics to detect potential adversary activity
This is not designed for production use. It’s meant to be used to experiment and learn. https://iadgov.github.io/unfetter/
More automation!! – Using EMPIRE RestFul API
https://github.com/mohlcyber/Empire-API-Automation by @mohlcyber
Don’t spend too much time collecting and little doing analysis
Intelligence is information that has been analyzed to answer a specific question.
Investigation playbook guides should be about capturing questions & hypotheses
• Not a scripted set of procedures & actions
• But they should lead to actions/procedures
• Actions/procedures are product/company independent
Related work
• How Analysts Approach Investigations by Chris Sanders
• Analysis of competing hypotheses by Dick Heuer (CIA)
[Diagram: Investigative method – Observation, Question, Hypothesis, Answer, Conclusion]
Using Markdown to write investigation guides
Markdown (MD) is a plain-text format
• It allows basic text formatting
• It can be converted to HTML & PDF
We have extended markdown for iPBs
• Question numbering, hierarchy & order
• Question linking & PB modularity
• Tagging
• Implementation & reference tracking
• Enable collaboration on Github
Capturing sections & metadata
[Screenshot: a playbook file showing the section and metadata markup]
Capturing questions
[Screenshot: a playbook question with callouts for Tagging, Implementation details, Question links and Question ID]
Check out our spec on GitHub
https://github.com/Foundstone/InvestigationPlaybookSpec
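To make the ideas on the previous slides concrete (question IDs, hierarchy and order, question links, tagging, implementation tracking), here is an added example, written for this page and not taken from the talk or from the Foundstone spec: a parser for a small Markdown convention invented here, plus a lint pass that catches dangling question links and questions with no recorded implementation. The heading and field syntax (`## Q1.1 ...`, `tags:`, `links:`, `impl:`) and the sample playbook are this example’s own.

```python
"""Added example (not from the talk, not the Foundstone spec): parse a small
Markdown investigation-playbook convention invented here and lint it."""
import re
from dataclasses import dataclass, field

# Constructed playbook. Convention (assumed, not the published spec):
#   '## Q<n>[.<m>] <text>'  question heading; dotted IDs give hierarchy and order
#   'tags: a, b'            comma-separated tags
#   'links: Q1, Q2.1'       questions this one depends on or hands off to
#   'impl: <text>'          how the question is answered in THIS environment
PLAYBOOK = """\
# Phishing investigation playbook

## Q1 Did the recipient open the attachment?
tags: phishing, execution
impl: EDR process tree for WINWORD.EXE children on the recipient host

## Q1.1 Did the attachment spawn a child process?
tags: execution
links: Q1
impl: Sysmon EID 1 where ParentImage ends with WINWORD.EXE

## Q2 Did the host talk to the sender's infrastructure afterwards?
tags: c2, network
links: Q1.1, Q3
impl: proxy logs for the recipient host, 1h window after the Q1.1 hit
"""


@dataclass
class Question:
    qid: str
    text: str
    tags: list = field(default_factory=list)
    links: list = field(default_factory=list)
    impl: str = ""

    @property
    def depth(self) -> int:
        return self.qid.count(".")

    @property
    def parent(self):
        return self.qid.rsplit(".", 1)[0] if "." in self.qid else None


_HEADING = re.compile(r"^##\s+(Q\d+(?:\.\d+)*)\s+(.+)$")
_FIELD = re.compile(r"^(tags|links|impl):\s*(.*)$")


def parse_playbook(text: str) -> dict:
    """Return {qid: Question} in document order; hierarchy comes from the dotted ID."""
    questions, current = {}, None
    for line in text.splitlines():
        m = _HEADING.match(line)
        if m:
            current = Question(m.group(1), m.group(2).strip())
            questions[current.qid] = current
            continue
        m = _FIELD.match(line)
        if m and current is not None:
            key, val = m.groups()
            if key == "impl":
                current.impl = val.strip()
            else:
                setattr(current, key, [v.strip() for v in val.split(",") if v.strip()])
    return questions


def lint(questions: dict) -> list:
    """Report dangling links, orphaned child questions and missing implementations."""
    problems = []
    for q in questions.values():
        for target in q.links:
            if target not in questions:
                problems.append(f"{q.qid}: link to unknown question {target}")
        if q.parent and q.parent not in questions:
            problems.append(f"{q.qid}: parent {q.parent} missing")
        if not q.impl:
            problems.append(f"{q.qid}: no implementation recorded")
    return problems


def sort_key(qid: str):
    """Numeric ordering for dotted IDs, so Q10 sorts after Q2."""
    return tuple(int(p) for p in qid[1:].split("."))


if __name__ == "__main__":
    qs = parse_playbook(PLAYBOOK)
    for q in sorted(qs.values(), key=lambda q: sort_key(q.qid)):
        print("  " * q.depth + f"{q.qid} {q.text}  tags={q.tags} links={q.links}")
    for p in lint(qs):
        print("LINT:", p)
```

Keeping the `impl:` line separate from the question is what makes the playbook portable: the questions travel between organizations, while the implementation line is the only part that names a specific product or log source.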
Good metrics tell a good story
• What is success for your program?
• That definition will change depending on your stakeholder’s goals. Identify them and choose metrics that report how the program is moving towards meeting those goals.
• Tactical: alerting, rules and signature development, triage, situational awareness, indicator and feed management in TIP
• Operational: campaign tracking, identification of tools & tactics, IR support
• Strategic: architecture support, improving network defenses, risk management
Conclusions
• Don't get lost in the models, marketing or sales speak
• Put the focus on behavior-based methodologies vs indicators
• Divide and conquer: create threat models for zones and tiers
• Don't forget the context. It's ALL about context
• Consume and PRODUCE intelligence
• Automate all the things, but don’t forget the analyst-in-the-loop
• Focus on good quality analysis, asking the right questions
• Choose good metrics that measure success and that “tell a story” that stakeholders care about. Drive continuous improvement!
Send your feedback! - @aboutsecurity // Thank you!
Check out our public playbook spec on GitHub:
https://github.com/Foundstone/InvestigationPlaybookSpec
References
The need for investigation playbooks at the SOC (SOC Summit 2017), by Ismael Valenzuela and Matias Cuenca-Acuna, McAfee.
https://www.sans.org/summit-archives/file/summit-archive-1496695240.pdf
Using Intelligence to Heighten your Defense - CTI SUMMIT 2017
https://www.youtube.com/watch?v=NRY5fKZDGVU&t=691s
Intelligence-Driven Incident Response: Outwitting the Adversary, by Scott J. Roberts & Rebekah Brown, O’Reilly, 2017. https://www.amazon.com/Intelligence-Driven-Incident-Response-Outwitting-Adversary/dp/1491934948
BlackHills Webcast, John Strand, How to Use Threat Intelligence - https://www.blackhillsinfosec.com/webcast-how-to-use-threat-intelligence/