Prepare Your SOC For the Convergence of Advanced Threat Management & SIEM (Peter Stephenson, Cyber Criminologist; Michael Leland, SIEM CTO & Evangelist)

Upload: mcafee

Post on 10-Apr-2017

TRANSCRIPT

Page 1: Prepare Your SOC

Prepare Your SOC For the Convergence of Advanced Threat Management & SIEM

Peter Stephenson, Cyber Criminologist

Michael Leland, SIEM CTO & Evangelist

Page 2: Prepare Your SOC

Did You Know About This? If Not, How Could You Prepare? (31 Aug 2016 – ad on exploit.in)

Universal System Cryptolocker Ransomware

Dear gentlemen!

We present you a new Universal System Cryptolocker Ransomware – the latest generation of this type of

ransomware, which can operate under the whole range of Windows OSes.

• Multithread encryption
• MBR/UEFI – MFT level (ring 0)
• Files are encrypted at the sector level, not just relocated; this guarantees that no recovery is possible
• Strict binding to a [target] PC hardware; this ensures that decryption of files from another PC is impossible
• File mask may be based either on file extensions or on file names
• Constantly bugging a user until he/she clicks “Yes”
• Automorphing of a file at each reboot or not
• With or without rebooting of Windows
• Size with a maximum feature set is ~37KB
• The file comes with self-obfuscation

A new universal cryptolocker

Page 3: Prepare Your SOC

Hits on my 4-Host Honeynet Over a 10-Day Period

Imagine on an Enterprise of Any Size

Page 4: Prepare Your SOC

But How do You Prepare?

1. Automated Threat Hunting (threat intelligence and analysis – or STIX/TAXII)

a. Observables

b. Indicators

c. TTPs (Tactics, Techniques, Procedures)

2. Automated construction of an open standard threat intelligence/analysis file (STIX)

3. Feed the file to your security stack

4. Rinse and repeat

But if you don’t have automated systems, you need to do this manually…

YOU CAN’T (at least, not efficiently)
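The four-step loop above, carried out in code. This is an added example written for this transcript, not code from the deck or from McAfee: it builds a STIX bundle from honeynet-style observations (steps 1 and 2) and then consumes that bundle into per-type blocklists that a firewall, DNS resolver or EDR watchlist could ingest (step 3). The deck shows STIX 1.x XML (2016); the example uses the current STIX 2.1 JSON serialisation instead, produced by hand with only the Python standard library rather than with the stix2 library or a TAXII client. The hits, campaign name and attack-pattern name are constructed for the example (RFC 5737 test addresses, .example domains, dummy hashes).

```python
import json
import re
import uuid
from datetime import datetime, timezone

# Step 1: observations collected from the sensor. Constructed sample data,
# not real IOCs. The second entry is a deliberate repeat of the first.
HONEYNET_HITS = [
    {"src_ip": "203.0.113.45", "sha256": "a" * 64, "domain": "payload.example"},
    {"src_ip": "203.0.113.45", "sha256": "a" * 64, "domain": "payload.example"},
    {"src_ip": "198.51.100.7", "sha256": "b" * 64, "domain": "c2.example"},
]

# Observable field -> STIX 2.1 pattern template (steps 1a/1b: observable -> indicator).
PATTERNS = {
    "src_ip": "[ipv4-addr:value = '{v}']",
    "domain": "[domain-name:value = '{v}']",
    "sha256": "[file:hashes.'SHA-256' = '{v}']",
}


def stix_id(obj_type: str, key: str) -> str:
    """Deterministic STIX id (uuid5 of the object's own key): the same observable
    always maps to the same id, so 'rinse and repeat' merges with earlier runs
    instead of piling up duplicates in the SIEM."""
    name = f"{obj_type}:{key}"
    return f"{obj_type}--{uuid.uuid5(uuid.NAMESPACE_URL, name)}"


def now_ts() -> str:
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def sdo(obj_type: str, key: str, ts: str, **props) -> dict:
    """Common STIX Domain Object skeleton (type, spec_version, id, timestamps)."""
    return {"type": obj_type, "spec_version": "2.1", "id": stix_id(obj_type, key),
            "created": ts, "modified": ts, **props}


def make_indicator(kind: str, value: str, ts: str) -> dict:
    return sdo("indicator", f"{kind}:{value}", ts,
               name=f"{kind} observed on honeynet",
               indicator_types=["malicious-activity"],
               pattern=PATTERNS[kind].format(v=value),
               pattern_type="stix", valid_from=ts)


def make_relationship(src: str, rel: str, dst: str, ts: str) -> dict:
    return sdo("relationship", f"{src}|{rel}|{dst}", ts,
               relationship_type=rel, source_ref=src, target_ref=dst)


def build_bundle(hits, campaign_name: str, ttp_name: str) -> dict:
    """Step 2: one STIX bundle tying indicators (1b) and a TTP (1c) to a campaign."""
    ts = now_ts()
    campaign = sdo("campaign", campaign_name, ts, name=campaign_name)
    ttp = sdo("attack-pattern", ttp_name, ts, name=ttp_name)   # name is an assumption
    objects = {campaign["id"]: campaign, ttp["id"]: ttp}
    for hit in hits:
        for kind, value in hit.items():
            ind = make_indicator(kind, value, ts)
            objects.setdefault(ind["id"], ind)          # de-duplicates repeat hits
            rel = make_relationship(ind["id"], "indicates", campaign["id"], ts)
            objects.setdefault(rel["id"], rel)
    uses = make_relationship(campaign["id"], "uses", ttp["id"], ts)
    objects[uses["id"]] = uses
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": list(objects.values())}


# Step 3, consumer side. Only single comparison expressions are handled; anything
# else (AND/OR, unknown object paths) is skipped rather than guessed at.
PATTERN_RE = re.compile(r"\[([^\s=]+)\s*=\s*'([^']+)'\]")
OBJECT_PATHS = {"ipv4-addr:value": "ip", "domain-name:value": "domain",
                "file:hashes.'SHA-256'": "sha256"}


def bundle_to_blocklists(bundle: dict) -> dict:
    lists = {name: set() for name in OBJECT_PATHS.values()}
    for obj in bundle["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        m = PATTERN_RE.fullmatch(obj["pattern"])
        if m and m.group(1) in OBJECT_PATHS:
            lists[OBJECT_PATHS[m.group(1)]].add(m.group(2))
    return {name: sorted(values) for name, values in lists.items()}


if __name__ == "__main__":
    bundle = build_bundle(HONEYNET_HITS, "Honeynet cryptolocker campaign",
                          "MBR/MFT-level encryption (as advertised on exploit.in)")
    print(json.dumps(bundle, indent=2))          # step 2 output, ready for TAXII
    print(bundle_to_blocklists(bundle))          # step 3: what the stack ingests
```

The deterministic ids are the design choice worth copying: with random ids every repeat of the loop creates new objects that look like new intelligence, so the SIEM fills with duplicates of the same indicator. Keying the id on the observable itself makes a re-run idempotent and lets the consumer detect when a feed is re-sending what it already has.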

Page 5: Prepare Your SOC

A Simple Cyber Threat Campaign In “Prettified” STIX XML

Page 6: Prepare Your SOC

A Simple Cyber Threat Campaign In “Prettified” STIX XML

Page 7: Prepare Your SOC

Same Campaign In StixViz (free)

Page 8: Prepare Your SOC

Threat Intelligence Lifecycle

1. Collection: Consume TI Content (Lists, IOCs, Signatures)

2. Dissemination: Parse, De-duplicate, Store

3. Investigation: Real-time/Historical Search, Watchlist, Sensor

4. Triage: Prioritize, Enrich (Business Context)

5. Remediation: Countermeasure, Orchestration, Action

Cycle diagram: Collect → Disseminate → Investigate → Triage → Remediate

Page 9: Prepare Your SOC

Methods of Consuming Threat Intelligence

RESTful API provides programmatic ingestion from TI sources

HTTP/HTTPS supports scheduled ingestion/parsing of TTP artifacts

Manual collection and dissemination of TI content

Page 10: Prepare Your SOC

Characteristics of Various Threat Intelligence (the Pyramid of Pain: how much it costs the attacker when you detect on each indicator type, top to bottom)

TTPs: Tough!

Tools: Challenging

Network / Host Artifacts: Annoying

Domain Names: Simple

IP Addresses: Easy

Hash Values: Trivial

Source: David Bianco, detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html

Slide annotations alongside the pyramid:

• Highly Effective

• Disruptive to Attacker

• AV Signatures, Yara Rules

• Fuzzy Hashes

• Registry Keys, Services

• Sensor-driven

• Static/Dynamic

• Binary Down-select
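The five steps of the "Threat Intelligence Lifecycle" slide, with the triage step weighted by the Pyramid of Pain from this slide, run end to end over sample data. This is an added example written for this transcript, not code from the deck or from McAfee's SIEM; it uses only the Python standard library. The two feeds, the log lines, the asset criticalities, the isolation threshold and the countermeasure table are all constructed and assumed for the example (RFC 5737 addresses, .example domains, a dummy hash, a made-up registry key).

```python
import ipaddress
import re

# Pyramid of Pain level per indicator type, bottom (1, trivial for the
# attacker to change) to top (6, tough). Used as the triage weight.
PAIN = {"hash": 1, "ip": 2, "domain": 3, "artifact": 4, "tool": 5, "ttp": 6}

# Step 1, Collection: two constructed feeds in two common shapes.
FEED_CSV = r"""
# type,value,source
ip,203.0.113.45,feed-a
domain,payload.example,feed-a
hash,{h},feed-a
artifact,HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost32,feed-a
ip,203.0.113.45,feed-b
""".format(h="a" * 64)
FEED_TXT = "203.0.113.45\n198.51.100.7\nc2.example\n"   # bare list, type inferred

# Step 3 input: constructed proxy/DNS/EDR log lines in key=value form.
LOGS = [
    "2017-04-10T12:00:01Z proxy host=ws-042 dst=203.0.113.45 domain=payload.example",
    "2017-04-10T12:00:05Z dns host=ws-042 query=c2.example",
    r"2017-04-10T12:01:09Z edr host=db-prod-01 event=registry_set key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost32",
    "2017-04-10T12:02:00Z proxy host=ws-017 dst=192.0.2.10 domain=intranet.example",
]

# Step 4 business context (assumed): asset criticality 1 (low) to 5 (crown jewels).
ASSET_CRITICALITY = {"db-prod-01": 5, "ws-042": 1}
ISOLATE_THRESHOLD = 10   # assumed score at which the host is isolated, not just blocked

# Step 5: countermeasure per indicator type (assumed mapping).
COUNTERMEASURE = {"ip": "block at perimeter", "domain": "sinkhole in DNS",
                  "hash": "quarantine via AV/EDR", "artifact": "remove persistence, hunt for siblings",
                  "tool": "deploy Yara/AV signature", "ttp": "build behavioural detection"}

HEX_HASH = re.compile(r"[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64}")
FIELD = re.compile(r"(\w+)=(\S+)")


def infer_kind(value):
    """Classify a bare-list entry as ip, hash (MD5/SHA-1/SHA-256 length) or domain."""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        return "hash" if HEX_HASH.fullmatch(value) else "domain"


def parse_csv_feed(text):
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            kind, value, source = line.split(",", 2)
            yield kind, value, source


def parse_bare_feed(text, source):
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield infer_kind(line), line, source


def build_watchlist(*feeds):
    """Step 2, Dissemination: parse, de-duplicate, store. Values are case-normalised
    so the same hash, domain or registry key from several feeds is one entry."""
    watchlist = {}
    for feed in feeds:
        for kind, value, source in feed:
            watchlist.setdefault((kind, value.lower()), set()).add(source)
    return watchlist


def search_logs(logs, watchlist):
    """Step 3, Investigation: exact field-value matching against the watchlist
    (no substring matching, so c2.example does not fire on abc2.example)."""
    hits = []
    for line in logs:
        fields = dict(FIELD.findall(line))
        host = fields.get("host", "unknown")
        for name, raw in fields.items():
            if name == "host":
                continue
            for kind in PAIN:
                key = (kind, raw.lower())
                if key in watchlist:
                    hits.append({"host": host, "kind": kind, "value": raw,
                                 "sources": sorted(watchlist[key]), "line": line})
    return hits


def triage(hits, criticality=ASSET_CRITICALITY):
    """Step 4, Triage: score = pyramid level x asset criticality, highest first."""
    for hit in hits:
        hit["criticality"] = criticality.get(hit["host"], 2)   # unknown asset: medium
        hit["score"] = PAIN[hit["kind"]] * hit["criticality"]
    return sorted(hits, key=lambda h: h["score"], reverse=True)


def remediate(triaged):
    """Step 5, Remediation: one action per hit, plus host isolation above threshold."""
    actions, isolated = [], set()
    for hit in triaged:
        actions.append((hit["host"], hit["value"], COUNTERMEASURE[hit["kind"]]))
        if hit["score"] >= ISOLATE_THRESHOLD and hit["host"] not in isolated:
            isolated.add(hit["host"])
            actions.append((hit["host"], "*", "isolate host"))
    return actions


def run_lifecycle(logs=LOGS):
    watchlist = build_watchlist(parse_csv_feed(FEED_CSV), parse_bare_feed(FEED_TXT, "feed-c"))
    return remediate(triage(search_logs(logs, watchlist)))
```

On the sample data the single registry-key artifact on the production database host outranks the three IP and domain hits on a workstation, which is the point of weighting by pyramid level and business context rather than by feed volume: a noisy IP feed produces many cheap hits, while one host artifact on a critical asset is the hit worth an analyst's time.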

Page 11: Prepare Your SOC

Sources/Types of Relevant Threat Intelligence

Categories: Commercial, Open Source, Crowd Source, Vendor / Product

Examples named on the slide: ZeuS Tracker, Malc0de, Threatcrowd

Page 12: Prepare Your SOC

Methods of Visualizing Threat Intelligence

Page 13: Prepare Your SOC

Methods of Visualizing Threat Intelligence

Page 14: Prepare Your SOC

Conclusions

1. Not all Threat Intelligence is created equal: Consider Challenge vs. Reward; Reduce Noise, improve Signal

2. Effective use of Threat Intelligence is a Process: Collect, Disseminate, Investigate, Triage, Remediate

3. Visualization aids Comprehension: Observables, Campaigns, Graph Analytics

4. Don’t stop at Find – evolve to Fix: Detect, Protect, Correct

5. Effective processes must be Automated: Improve efficiency, efficacy and repeatability


Page 15: Prepare Your SOC

Questions

For additional information: www.mcafee.com/SIEM