Managing the Space-Time Continuum of Cyberdefense · 2019-10-24


Managing the Space-Time Continuum of Cyberdefense

Tony Sager
Center for Internet Security (CIS)
Cyber Next Summit / Borderless Cyber / IACD, October 2019

A few lessons

• Knowing about flaws doesn’t get them fixed
• In Cyberspace, we all have more in common than different
• The Bad Guy doesn’t perform magic
  o and most attacks are repeats of a pattern
• There’s a large but limited number of defensive choices
  o and the 80/20 rule applies (the Pareto Principle)
• Cyber Defense is really Information Management
  o and when you see “share”, replace it with “translate” and “execute”
• Cybersecurity is not an event, a tool, or training – it’s a machine

“Every computer in the DoD is configured as securely as possible, all of the time, and the right people know that this is so (or not so).”

Lt Gen Harry Raduege (retired), former Director, Defense Information Systems Agency

An IT Operator’s View: Cybersecurity Plumbing

Vulnerability “Plumbing”

“PLUMBING” (the shared identifiers and languages that let tools and reports interoperate)
• CVE (Common Vulnerabilities and Exposures)
• OVAL (Open Vulnerability and Assessment Language)
• CCE (Common Configuration Enumeration)
• CPE (Common Platform Enumeration)
• CVSS (Common Vulnerability Scoring System)
• XCCDF (Extensible Configuration Checklist Description Format)

“FIXTURES” (what gets built on top of the plumbing)
• Net management tools
• Integrated reports
• Integrated tools
• Policy compliance
• Rapid sharing, assessment, remediation

“CONTENT” (what flows through it)
• New IT vulns
• Security Guides & benchmarks
• Red and Blue Team Reports
• Product tests
• Security events
• Incident reports

Security Automation (2002; 2010-2011)

A Cyberdefense OODA Loop (“Patch Tuesday”)

• OBSERVE: track security bulletins, advisories
• ORIENT: assess applicability, operational issues, risk
• DECIDE: prioritize remediation
• ACT: rollout, monitor, manage “breakage”

“Dueling OODAs” (and the role of Threat Intelligence, Analytics)

• There are many loops, often connected
• “farther in space, earlier in time”
• The Bad Guy’s loop is also an opportunity

(Diagram: several linked OODA loops, each cycling Observe, Orient, Decide, Act.)

Lockheed-Martin Kill Chain “Courses of Action”

Enterprise 1: Model based on LM Kill Chain

A notional use of the Lockheed Kill Chain: mapping Controls to the Kill Chain; then mapping specific tool choices to the Kill Chain.

Kill Chain phases (columns): Recon & Prep, Delivery, Exploitation, C2, Internal Recon, Lateral Movement, Persistence, Stage & Action

CONTROLS (several placed under more than one phase): IDS/IPS, Firewall, Proxy, AV, Mail Gateway, Patching, DEP, Standard Config, EMET, Sinkhole, AD, Wrong Path, DLP, OCC, Exchange, Akamai, Logs

PRODUCTS (several placed under more than one phase): FireEye, Netwitness, Splunk, MIR, Vontu

Enterprise 2: Kill Chain, Mandiant APT1 and JP 3-13

A notional use of the Mandiant APT1 model: mapping Controls to the Adversary model; then mapping specific tool choices.

SOURCE: http://www.appliednsm.com/making-mandiant-apt1-report-actionable/

Kill Chain phases (columns): Recon, Delivery, Exploitation, Installation, C2, Actions on Objectives

Courses of action (rows, from Joint Pub JP 3-13, 2006): Detect, Deny, Disrupt, Degrade, Deceive, (Destroy)

Controls in the matrix, by course of action, across the six phases:
• DETECT: NIDS, HIDS, router logs, web logs, application logs, vigilant user, AV
• DENY: firewall ACL, mail filter, web filter, HIPS, AV, app whitelisting, block execution, hardened systems, sinkhole, egress filter, network segmentation
• DISRUPT: active defenses, web filter, mail filter, HIPS, AV, DEP, hardened systems, sinkhole, network segmentation
• DEGRADE: honeypot, redirect loops, active defenses, sinkhole, restrict user accounts, combination of Deny/Disrupt, network segmentation
• DECEIVE: honeypot (in every phase), redirect loops, active defenses, sinkhole
• (DESTROY): N/A in every phase
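An added example (not code from the talk, from CIS, or from the appliednsm source above) of what a defender does with a courses-of-action matrix like the two above once it is held as data rather than as a picture: find the empty cells, the controls that cover the most ground (the 80/20 candidates), and the cells held by a single control. The cell assignments below are a constructed illustration that reuses control names from the slides; they are not a transcription of either slide’s cells, whose positions this transcript does not preserve.

```python
"""Courses-of-action matrix (kill chain phases x JP 3-13 actions) held as data,
with gap, breadth and what-if analysis.  Added illustration: the cell
assignments are constructed, not the slide's own."""
from collections import defaultdict

PHASES = ["Recon", "Delivery", "Exploitation", "Installation", "C2", "Actions on Objectives"]
ACTIONS = ["Detect", "Deny", "Disrupt", "Degrade", "Deceive"]   # Destroy omitted: N/A on the slide

# MATRIX[(phase, action)] -> set of controls covering that cell.  Constructed example
# using control names from the slides; empty cells are simply absent.
MATRIX = {
    ("Recon", "Detect"): {"Web logs", "Router logs"},
    ("Recon", "Deny"): {"Firewall ACL"},
    ("Recon", "Deceive"): {"Honeypot"},
    ("Delivery", "Detect"): {"NIDS", "Vigilant user"},
    ("Delivery", "Deny"): {"Mail filter", "Web filter"},
    ("Delivery", "Disrupt"): {"AV"},
    ("Exploitation", "Detect"): {"HIDS"},
    ("Exploitation", "Deny"): {"Patching", "HIPS"},
    ("Exploitation", "Disrupt"): {"DEP"},
    ("Installation", "Detect"): {"HIDS", "AV"},
    ("Installation", "Deny"): {"App whitelisting"},
    ("Installation", "Disrupt"): {"AV"},
    ("C2", "Detect"): {"NIDS"},
    ("C2", "Deny"): {"Egress filter", "Firewall ACL"},
    ("C2", "Degrade"): {"Sinkhole"},
    ("C2", "Deceive"): {"Sinkhole"},
    ("Actions on Objectives", "Detect"): {"Application logs"},
    ("Actions on Objectives", "Deny"): {"Network segmentation"},
    ("Actions on Objectives", "Degrade"): {"Restrict user accounts"},
}


def gaps(matrix):
    """Per phase, the courses of action with no control at all:
    where the adversary currently moves unopposed."""
    return {ph: [ac for ac in ACTIONS if not matrix.get((ph, ac))] for ph in PHASES}


def phases_without(matrix, action):
    """Phases where one course of action (e.g. Detect) is entirely absent."""
    return [ph for ph in PHASES if not matrix.get((ph, action))]


def breadth(matrix):
    """Controls ranked by how many cells they cover: the 80/20 candidates."""
    counts = defaultdict(int)
    for controls in matrix.values():
        for c in controls:
            counts[c] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def single_points(matrix):
    """Cells held by exactly one control: retiring it opens a gap."""
    return {cell: next(iter(cs)) for cell, cs in matrix.items() if len(cs) == 1}


def remove_control(matrix, control):
    """What-if: the cells that become empty if this control is dropped."""
    return sorted(cell for cell, cs in matrix.items() if cs == {control})


def add_control(matrix, cells):
    """What-if: a candidate control placed in the given cells; returns only
    the cells that are currently gaps, i.e. the coverage it actually adds."""
    return sorted(c for c in cells if not matrix.get(c))


if __name__ == "__main__":
    for phase, missing in gaps(MATRIX).items():
        print("%-22s missing: %s" % (phase, ", ".join(missing) or "nothing"))
    print("broadest controls:", breadth(MATRIX)[:3])
    print("if Sinkhole is retired, these cells empty:", remove_control(MATRIX, "Sinkhole"))
```

The two what-if functions are the part worth keeping: when a tool is up for renewal, `remove_control` shows which cells it is the only occupant of, and when a new one is proposed, `add_control` shows whether it fills a gap or merely duplicates a cell that is already covered.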

CIS Community Attack Model – choosing controls

MITRE ATT&CK https://attack.mitre.org/

The “Multi-Framework Era”

• Enterprises need to “report to” more than one, and often MANY parties

o Regulators, the legal system, auditors, partners, formal requirements

o Supply chain is now a driver

• Best Case = “Do Once, Report to Many”

• Cross-Mappings become a necessity

• Framework creators need to cooperate

Cross-mapping to the NIST CSF
https://www.nist.gov/cyberframework/informative-references/informative-reference-catalog

A Two-Level Game

(Diagram: ATTACKER and DEFENDER, each laid out on a Tactical to Strategic axis, Intentions against Capabilities.)

ATTACKER: recon of targets; develop exploit; weaponize vulnerabilities; intelligence gathering; create “toolboxes”; attack supply chain; build attack infrastructure; establish “beachhead”; command & control; clean up traces

DEFENDER: manage devices; manage software; manage privileges; use secure configs; train people; control ports, services, protocols; control execution; scan for malware; continuous measurement; threat intelligence; analytics, correlation; security engineering; software engineering

• Website: www.cisecurity.org

• Email: Controlsinfo@cisecurity.org

• Twitter: @CISecurity

• Facebook: Center for Internet Security

• LinkedIn Groups: Center for Internet Security; 20 Critical Security Controls