PRACTICAL THREAT AUTOMATION
Session 223 · 2018. 6. 11.
PANEL
• Jaquar Harris – Intelligence Manager, Global Resilience Federation
• Kevin Moore – Chief Security Officer, Fenwick & West LLP
• Richard Timbol – ISSM, Davis Polk & Wardwell LLP
• Michele Gossmeyer (moderator) – Global Director, Information Governance, Risk & Compliance, Dentons
INTRO
• Threat automation overview
– Purpose
– Goals
– Current info
• Architecture overview of the speakers' implementations
– Value of the setup
– Pitfalls encountered
OBVIOUS BUT IMPORTANT…
• Have a clear strategy before trying to implement
– What types of Indicators of Compromise (IoC) can your security products pivot on?
– What formats can they ingest the intelligence in?
– What are their limitations? e.g. Next-Gen Firewalls are limited to the tens of thousands of IPs they can hold on a block list
– How do you develop a workflow around those limitations?
– How do you intend your products and staff to use the intelligence?
THE KEY COMPONENTS
• Timely & Relevant Threat Intelligence Feeds
– You can’t ingest them all without drowning!
– Should contain the types of IoCs you can use.
• A Simple to Use & Maintain Threat Intelligence Platform (TIP)
– Should import/export in the formats your security tools use.
– Once set up, should be able to leverage scripts or rules to function in a 99% automated mode.
THE FLOW & ARCHITECTURE OF A THREAT INTELLIGENCE ECOSYSTEM
[Diagram: attacks that happen on the Internet → Indicators of Compromise (IOCs) are identified → intelligence sources feed the Threat Intelligence Platform (TIP) → the TIP distributes to the security tools.]
• Sources into the TIP: LS-ISAO Feed (membership), Open Source Threat Intelligence (free), Threat Intelligence Service (paid), Internally Derived (free)
• Tools fed by the TIP: Firewall, EDR Solution, IDS/IPS, SIEM
THE EVERYTHING LINK FOR THREAT INTELLIGENCE
An “Awesome” curated list of Threat Intelligence Feeds, Platforms & Tools
https://github.com/hslatman/awesome-threat-intelligence
INSIGHTS FROM KEVIN
• Automation: automatic handling of a task in an information or cyber security system
– Works well within a single product or system, but…
• Orchestration: required to automate many tasks or processes between other products, tools or systems
– Get more value out of your people, processes and tools
– Streamline detection, response, and remediation.
CURRENT CHALLENGES
• Managing multiple tools and processes manually
• “Best of breed” security systems do not integrate well
• Feeds – Prevention is great if the feed is high fidelity and quality
– Relevance/Context: How does the intel relate directly to your organization? Is the intel related to internal network activity or alerts?
– Enrichment
– Speed
• Rotation of IOCs
• Staffing requirements/challenges
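As an added example written for this transcript (not code from the slides, the panel or any of the products they name), the Python pipeline below applies the constraints raised on the strategy, key-components and challenges slides in one pass: keep only the IoC type the target product can pivot on (IPv4 here), drop internal addresses, apply a confidence floor, rotate out indicators older than a window, dedupe across feeds keeping the highest confidence, rank, cap at the device's block-list limit, and export in the column layout the firewall ingests. The feed schema, the internal ranges, the export columns and the 30-day window are assumptions; the feed contents are constructed.

```python
import csv
import io
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed sample feed (schema assumed: type,value,confidence,last_seen,source).
# Documentation addresses (198.51.100.0/24, 203.0.113.0/24, 192.0.2.0/24) stand in
# for attacker infrastructure; a real pipeline would normally exclude them too.
SAMPLE_FEED = """\
type,value,confidence,last_seen,source
ipv4,198.51.100.7,90,2018-06-10,partner-isac
ipv4,203.0.113.250,40,2018-06-09,open-source
ipv4,198.51.100.7,70,2018-06-08,open-source
ipv4,10.0.0.5,95,2018-06-10,open-source
domain,bad.example,85,2018-06-10,paid-service
ipv4,192.0.2.33,80,2018-01-01,open-source
ipv4,not-an-ip,99,2018-06-10,open-source
ipv4,203.0.113.9,75,2018-06-11,internal
"""

# Ranges that must never reach a perimeter block list (assumed local policy).
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                    "127.0.0.0/8", "169.254.0.0/16")]

# The talk's date serves as "now" so the age window is reproducible.
REFERENCE_TIME = datetime(2018, 6, 11, tzinfo=timezone.utc)


def parse_feed(text):
    """Parse the CSV feed; rows with a bad confidence or date are skipped, not fatal."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            row["confidence"] = int(row["confidence"])
            row["last_seen"] = datetime.strptime(
                row["last_seen"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
        except (KeyError, TypeError, ValueError):
            continue
        rows.append(row)
    return rows


def usable_ipv4(value):
    """True for a syntactically valid IPv4 address outside the internal ranges."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False
    return addr.version == 4 and not any(addr in net for net in INTERNAL_RANGES)


def build_blocklist(rows, now, max_age_days=30, min_confidence=50, limit=10):
    """Keep usable IPv4 IoCs, rotate out stale ones, dedupe keeping the highest
    confidence, rank by confidence then recency, and cap at the device limit."""
    cutoff = now - timedelta(days=max_age_days)
    best = {}
    for r in rows:
        if r["type"] != "ipv4" or not usable_ipv4(r["value"]):
            continue
        if r["last_seen"] < cutoff or r["confidence"] < min_confidence:
            continue
        cur = best.get(r["value"])
        if cur is None or r["confidence"] > cur["confidence"]:
            best[r["value"]] = r
    ranked = sorted(best.values(),
                    key=lambda r: (-r["confidence"], -r["last_seen"].timestamp(), r["value"]))
    return ranked[:limit]


def export_csv(entries):
    """Emit the list in the shape the firewall ingests (assumed: value,confidence,source)."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for e in entries:
        writer.writerow([e["value"], e["confidence"], e["source"]])
    return out.getvalue()


def demo_blocklist(limit=10):
    """Run the pipeline over the constructed feed at the reference time."""
    return build_blocklist(parse_feed(SAMPLE_FEED), REFERENCE_TIME, limit=limit)


if __name__ == "__main__":
    print(export_csv(demo_blocklist(limit=2)), end="")
```

Of the eight constructed rows only two survive: the duplicate C2 address collapses to its higher-confidence copy, the private address, the domain, the stale entry, the low-confidence entry and the malformed value are all dropped before the cap is applied. In a real deployment `limit` is whatever the vendor documents for the block list, and `max_age_days` and `min_confidence` are tuned per feed, since a paid or ISAC feed usually earns a lower confidence floor than an open-source list.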
SAMPLE – WHAT ARE WE DOING
• Perch Security
– TIP + IDS/IPS + MSP of TI
– Ingests feeds, compares them to network traffic and alerts on a hit of an IOC
• Phantom – Orchestration and Automation
• Cisco
– pxGrid ISE infrastructure via ACLs
– Threat Intelligence Director (TID)
MALWARE PLAYBOOK - EXAMPLE
RANSOMWARE PLAYBOOK – EXAMPLE
CISCO THREAT INTELLIGENCE DIRECTOR – OPERATIONALIZE THREAT INTELLIGENCE
[Diagram: CSV threat intelligence is ingested by the Threat Intelligence Director in the Firepower Management Center and pushed to the Cisco Security Sensors; observations flow back from the sensors.]
• Cisco Security Sensors: Firepower NGFW, FirePOWER NGIPS, AMP
INTELLIGENCE DATA FLOW
[Diagram: Threat Intelligence (STIX) → Observables (IOCs) → Threat Intelligence Director (FMC) → Cisco Security Sensors → Sightings → Incidents.]
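The data flow on this slide in miniature, as an added example written for this transcript rather than code from Cisco or the panel: indicators in a constructed STIX 2.1 bundle are reduced to observables, constructed sensor log lines are matched against those observables to produce sightings, and the sightings are rolled up per indicator into incidents. The pattern parser understands only simple equality comparisons (a small subset of STIX patterning); the key=value log format, the field-to-object-path mapping and the indicator ids are assumptions.

```python
import json
import re
from collections import defaultdict

# Placeholder STIX ids (constructed; not real intel).
IND_C2_ADDR = "indicator--00000000-0000-4000-8000-00000000000a"
IND_DOMAINS = "indicator--00000000-0000-4000-8000-00000000000b"
IND_FILEHASH = "indicator--00000000-0000-4000-8000-00000000000c"


def _indicator(obj_id, name, pattern):
    """Build a minimal STIX 2.1 indicator object (required fields only)."""
    return {
        "type": "indicator", "spec_version": "2.1", "id": obj_id,
        "created": "2018-06-01T00:00:00.000Z", "modified": "2018-06-01T00:00:00.000Z",
        "name": name, "indicator_types": ["malicious-activity"],
        "pattern": pattern, "pattern_type": "stix", "valid_from": "2018-06-01T00:00:00Z",
    }


# Constructed bundle: two indicators the sensors can observe, one (a file hash) they cannot.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        _indicator(IND_C2_ADDR, "C2 address", "[ipv4-addr:value = '198.51.100.7']"),
        _indicator(IND_DOMAINS, "Phishing domains",
                   "[domain-name:value = 'bad.example' OR domain-name:value = 'worse.example']"),
        _indicator(IND_FILEHASH, "Dropper", "[file:hashes.'SHA-256' = '" + "00" * 32 + "']"),
    ],
})

# Constructed sensor events in an assumed key=value format (not Firepower's own).
SAMPLE_LOGS = """\
2018-06-11T09:00:01Z sensor=ngfw-1 src=192.168.1.20 dst=198.51.100.7 dport=443 action=allow
2018-06-11T09:00:05Z sensor=ngfw-1 src=192.168.1.21 dst=203.0.113.9 dport=80 action=allow
2018-06-11T09:01:10Z sensor=ngips-1 src=192.168.1.20 query=bad.example action=dns
2018-06-11T09:02:00Z sensor=ngfw-1 src=192.168.1.22 dst=198.51.100.7 dport=8443 action=allow
"""

# One equality comparison inside a STIX pattern: object_path = 'value'.
COMPARISON = re.compile(r"([a-z0-9-]+:[\w.'-]+)\s*=\s*'([^']*)'")

# Which log fields correspond to which STIX object paths (assumed mapping).
LOG_FIELD_TO_PATH = {"src": "ipv4-addr:value", "dst": "ipv4-addr:value",
                     "query": "domain-name:value"}


def extract_observables(bundle_json):
    """Index (object_path, value) -> indicator ids. Only equality comparisons are
    understood; the rest of STIX patterning (AND, FOLLOWEDBY, qualifiers) is not."""
    index = defaultdict(set)
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        for path, value in COMPARISON.findall(obj["pattern"]):
            index[(path, value)].add(obj["id"])
    return index


def log_observables(line):
    """Split a key=value line into its fields and the observables it carries."""
    fields = dict(kv.split("=", 1) for kv in line.split()[1:] if "=" in kv)
    obs = [(LOG_FIELD_TO_PATH[k], v) for k, v in fields.items() if k in LOG_FIELD_TO_PATH]
    return fields, obs


def find_sightings(index, log_text):
    """A sighting is one log event whose observable matches an indexed observable."""
    sightings = []
    for line in log_text.splitlines():
        timestamp = line.split()[0]
        fields, obs = log_observables(line)
        for path, value in obs:
            for ind_id in sorted(index.get((path, value), ())):
                sightings.append({"indicator": ind_id, "observed": value,
                                  "sensor": fields.get("sensor"), "ts": timestamp})
    return sightings


def summarize_incidents(sightings):
    """Roll sightings up per indicator, as a TIP does when it opens an incident."""
    grouped = defaultdict(list)
    for s in sightings:
        grouped[s["indicator"]].append(s)
    return {ind: {"count": len(v), "first_seen": min(s["ts"] for s in v),
                  "sensors": sorted({s["sensor"] for s in v})}
            for ind, v in grouped.items()}


def demo():
    """Run the whole flow over the constructed bundle and logs."""
    sightings = find_sightings(extract_observables(SAMPLE_BUNDLE), SAMPLE_LOGS)
    return sightings, summarize_incidents(sightings)


if __name__ == "__main__":
    _, incidents = demo()
    print(json.dumps(incidents, indent=2))
```

The file-hash indicator is indexed but never produces a sighting, because network sensors do not emit that observable type; that is the practical side of the "which IoC types can your products pivot on" question, and it is why the sighting count per indicator, not the raw indicator count, is what tells you whether a feed is doing anything for you.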
OTHER OPTIONS
• LS-ISAO – Subscription to Anomali included
• Anomali STAXX (free)
• MineMeld (open source) from Palo Alto Networks
• GOSINT – Open source intel gathering and processing framework from Cisco
• MISP (Malware Information Sharing Platform)
LS-ISAO AUTOMATED THREAT INTELLIGENCE
[Diagram: the source categories below all feed the LS-ISAO Sharing Platform.]
• Peer Organizations – Law firms, bar associations, clients
• Government Partners – DHS, CISCP, US-CERT, ICS-CERT
• Sharing Organizations – EASE, FS-ISAC, ONG-ISAC, MS-ISAC, NH-ISAC, R-CISC
• Vendors
• Curated Products – Intelligence products, member incident submissions
• Open Source – Dynamically filtered, vetted source streams for trusted confidence and fidelity
LS-ISAO AUTOMATED THREAT INTELLIGENCE
• Intelligence Source Integrations
– AIS
– Curated sources
– Intelligence Partners
• Peer ISACs and Cross Sector Sharing
– Feeds from NH-ISAC, ONG-ISAC, FS-ISAC, MS-ISAC, EASE
• Volume vs Fidelity
– Ingestion of 3.5 million Indicators
• Leveraging Resources
• Sharing Value
– Community sharing
– Enrichment
– Analysis
Questions????