TX DFIR presentation - Texas · Bert Hayes, Senior Solutions Engineer: Splunk, Inc. 2013 – today...
TRANSCRIPT
Copyright © 2015 Splunk Inc.
Enterprise Security
Advanced Threat Detection & Response
Bert Hayes
Agenda
● Introduction
● Security Program Critical Path
● Collecting Data to identify breaches
● Incident Response
Bert Hayes
● Senior Solutions Engineer: Splunk, Inc. 2013 – Today
● Network Security Analyst
● Digital Forensics & Incident Response – Public Sector Focused
‣ Texas Education Agency
‣ University of Texas at Austin
‣ Texas Department of Information Resources
‣ Texas Higher Education Coordinating Board
Cyber Criminals
Malicious Insiders
Nation States
Advanced Threats Are Hard to Find
Cyber Criminals, Nation States, Insider Threats
Source: Mandiant M-Trends Report 2012/2013/2014
● 100% Valid credentials were used
● 40 Average # of systems accessed
● 229 Median # of days before detection
● 67% Of victims were notified by external entity
All Data is Security Relevant = Big Data
Servers, Storage, Desktops, Email, Web, Transaction Records, Network Flows, DHCP/DNS, Hypervisor, Custom Apps, Physical Access, Badges, Threat Intelligence, Mobile, CMDB
Traditional: Intrusion Detection, Firewall, Data Loss Prevention, Anti-Malware, Vulnerability Scans, Authentication
Security Program: The Big Picture
It's complicated…
Three Interrelated Components of Security
People, Process, Technology
But which is most important?
1. People
Then what?
2. Process
A Security Program
Security Critical Path
1. Risk & Compliance
2. Security Architecture
3. Security Engineering
4. Security Operations (Includes SOC)
Security Critical Path: Risk and Compliance
● Asset identification
● Risk
– Assets
– Threats (Actors, Actions, Modeling)
– Vulnerabilities (Vulnerability management)
● Compliance
Outcome: Prioritized list of what to protect
Security Critical Path: Threats
An extremely important topic of discussion
Threat: A person, group, or thing likely to damage or endanger
– Internal: Malicious insider, whistleblower, clueless insider
– External: Nation states, organized crime, hacktivists, script kiddies
Use Microsoft's STRIDE model to generate conversational questions:
– Spoofing (identity)
– Tampering
– Repudiation (proof)
– Information Disclosure
– Denial of Service
– Elevation of Privilege
Security Critical Path: Threat Actions and Threat Actors
Source: Verizon DBIR 2015
Security Critical Path: Threat Actions and Industries
Source: Verizon DBIR 2015
Security Critical Path: Threats and Vulnerabilities
• Can an organization completely prepare for every threat?
• No!
• Can an organization completely eliminate every vulnerability?
• No!
• So where should an organization start?
• By applying Risk Analysis
Security Critical Path: Risk
• Risk is an often misunderstood concept and term
• From a conversational perspective, think of risk like this
– Risk = Likelihood X Impact
– Risk = Threats X Vulnerabilities
• Significant Risk only exists with the potential for significant Loss
• If done properly, risk can (and should) be measured in monetary terms, literally: $ £ €
• Risk frameworks to know:
– Annualized Loss Expectancy (ALE) to be used as a counter-example (and to pass the CISSP exam!)
– Factor Analysis of Information Risk (FAIR)
Security Critical Path: Risk Treatment
• Once risk has been identified, it must be dealt with
• Avoid
• Reduce
• Transfer
• Accept
Security Critical Path: Compliance
• Compliance is often prescriptive, not driven purely by risk analysis
• Controls and activities that do not effectively lower security risk are sometimes required
• If an organization does not have an experienced security team, sometimes compliance is more prominent than risk management
• Compliance is driven by
– Region
– Industry/vertical
– Activities (Credit card processing, etc.)
Compliance can be just as important as Risk as a driver for future phases in the security critical path.
Security Critical Path: Security Architecture
Control Selection/Design
– Defense in depth
– CIS (SANS) 20 Critical Controls
– ISO/IEC 27002
Controls are also known as countermeasures
Cost of the countermeasure should be less than the risk facing the organization
Network security and monitoring architecture
Interface with other teams
Outcome: What controls will be implemented, and where
Adversary Perspective - Attack Kill Chain
● Reconnaissance
● Weaponization
● Delivery
● Exploitation
● Installation
● Command and Control (C2)
● Actions on Objectives
http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf
Gartner's Five Styles of APT Defense
Security Critical Path: Security Engineering
● Implement controls
● Maintain security systems, responsible for uptime
● Change management is important
● Operational visibility for security systems
Outcome: Stable platform for security operations
Security Critical Path: Security Operations
Operational security capability
– Prevent
– Detect (includes hunting!)
– Respond
This is where the Security Operation Center (SOC) lives!
Outcome: Consistent, repeatable, measurable security response capability
Get the how-to
The Ever-changing Threat Landscape
Source: Mandiant M-Trends Report 2012/2013/2014 (same figures as above: 100% valid credentials used, 229 median days before detection, 67% of victims notified by an external entity)
Data Sources Required (Persist, Repeat)
● Threat Intelligence: Known relay/C2 sites, infected sites, IOC, attack/campaign intent and attribution
– 3rd party Threat Intel, Open source blacklist, Internal threat intelligence
● Network: Who talked to whom, traffic, malware download/delivery, C2, exfiltration, lateral movement
– Firewall, IDS, IPS; DNS; Email; Web Proxy; NetFlow; Network
● Endpoint: Running process, services, process owner, registry mods, file system changes, patching level, network connections by process/service
– AV/IPS/FW; Malware detection; Config Management; Performance; OS logs; File System
● Access/Identity: Access level, privileged use/escalation, system ownership, user/system/service business criticality
– Directory Services; Asset Mgmt; Authentication Logs; Application Services; VPN, SSO
Examples of What's Available From the Streaming Network/Wire Data
● Performance Metrics: Round Trip Time, Client Request Time, Server Reply Time, Server Send Time, Total Time Taken, Base HTML Load Time, Page Content Load Time, Total Page Load Time
● Application Data: POST Content, AJAX Data, Section, Sub-Section, Page Title, Session Cookie, Proxied IP Address, Error Message
● Business Data: Product ID, Customer ID, Shopping Cart ID, Cart Items, Cart Values, Discounts, Order ID, Abandoned?
Capabilities - Scoping Infections and Breach
● Analytics
● Context & Intelligence
● Connecting Data and People
● Questions
Exploitation != Game Over
Best Practices – Breach Response Posture
● Bring in data from (minimum at least one from each category):
– Network – next gen firewall or web proxy, email, dns
– Endpoint – windows logs, registry changes, file changes
– Threat Intelligence – open source or subscription based
– Access and Identity – authentication events, machine-user mapping
● Employ a security intelligence platform so analysts can:
– Contextualize events, analytics and alerts
– Automate their analysis and exploration
– Share techniques and results to learn and improve
Resources
Kill Chain – Breach Example
● Delivery (MAIL): Attacker creates malware, embeds in .pdf, emails to the target
● Exploitation: Read email, open attachment
● Installation: .pdf executes & unpacks malware overwriting and running "allowed" programs (Svchost.exe, Calc.exe)
● C2 (WEB): http (web) session to command & control server
● Actions on Objectives: Remote control, Steal data, Persist in company, Rent as botnet
Data layers: Threat intelligence, Access/Identity, Endpoint, Network
Breach Example – Disruption Opportunities
Same kill chain as above; the MAIL (email delivery) and WEB (C2 session) points are where the chain can be disrupted.
Job Continues – Need to Perform Incident Investigation
● Credit card transmitted
● Admin account used
● Hacker tool found
Sources: Endpoint Security, Intrusion Detection
Use Multiple Data Sources to Link Events
● Threat intelligence: Blacklisted IP
● Network Activity/Security: Malware download; Malicious communication
● Host Activity/Security: Malware execution and installation
● Auth - User Roles, Corp Context
Advanced Threat Detection & Response
Scenario: WebPortal.pdf → .pdf opened → Svchost.exe / Calc.exe → WEB; Conduct Business, Transaction, Gain Access to system, Create additional environment
Questions to answer from the data:
● Events that contain link to file
● Proxy log C2 communication to blacklist
● How was process started?
● What created the program/process?
● Process making C2 traffic
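To show how the slide's questions can be answered by joining the four data categories the deck names (threat intelligence, network, endpoint, access/identity), here is an added Python sketch; it is not from the deck or any Splunk product. The event layout, field names, hosts, PIDs and IP addresses are constructed for the example.

```python
from collections import defaultdict

# Constructed sample events (timestamp, source category, host, fields).
# Hosts, users, PIDs and IPs are placeholders, not real indicators.
THREAT_INTEL = {"203.0.113.7"}            # blacklisted C2 address (threat intel layer)
IDENTITY = {"host42": {"user": "jdoe", "role": "finance-admin"}}   # access/identity layer
EVENTS = [
    (1, "email",    "host42", {"user": "jdoe", "attachment": "invoice.pdf"}),
    (2, "endpoint", "host42", {"process": "acrord32.exe", "pid": 3300, "ppid": 100}),
    (3, "endpoint", "host42", {"process": "calc.exe", "pid": 4400, "ppid": 3300}),
    (4, "endpoint", "host42", {"process": "svchost.exe", "pid": 4412, "ppid": 4400}),
    (5, "proxy",    "host42", {"dest_ip": "203.0.113.7", "pid": 4412}),
    (6, "proxy",    "host7",  {"dest_ip": "198.51.100.20", "pid": 900}),
]

def process_chain(host_procs, pid):
    """Walk parent links to answer 'how was the process started / what created it?'."""
    chain = []
    while pid in host_procs:
        proc = host_procs[pid]
        chain.append(proc["process"])
        pid = proc["ppid"]
    return chain

def link_events(events, intel, identity):
    """Join the four data categories per host and return the linked story."""
    procs = defaultdict(dict)                  # host -> pid -> endpoint event fields
    story = {}
    for ts, src, host, f in sorted(events, key=lambda e: e[0]):
        rec = story.setdefault(host, {"delivery": [], "c2": [], "context": {}})
        if src == "email":                     # delivery: the event that carried the file
            rec["delivery"].append((ts, f["user"], f["attachment"]))
        elif src == "endpoint":                # host layer: remember process lineage
            procs[host][f["pid"]] = f
        elif src == "proxy" and f["dest_ip"] in intel:   # network + threat intel join
            rec["c2"].append({"ts": ts, "dest": f["dest_ip"],
                              "chain": process_chain(procs[host], f["pid"])})
    for host, rec in story.items():            # identity layer adds business context
        rec["context"] = identity.get(host, {})
    return story

if __name__ == "__main__":
    for host, rec in link_events(EVENTS, THREAT_INTEL, IDENTITY).items():
        print(host, rec)
```

For host42 the result links the emailed attachment, the process lineage svchost.exe ← calc.exe ← acrord32.exe, the blacklisted C2 destination and the user's role in one record; host7 shows no C2 finding.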
Connect the "Data-Dots" to See the Whole Story
Kill chain phases across the chart:
1. Delivery (MAIL) – phishing
2. Exploitation & Installation (WEB) – Download from infected site
3. Command & Control (WEB, FW)
4. Accomplish Mission – Gain Trusted Access, Upgrade (escalate), Lateral movement, Data Gathering, Exfiltration
5. Persist, Repeat
Data layers, what each answers, and the sources that feed it:
● Threat intelligence: Attacker, known relay/C2 sites, infected sites, IOC, attack/campaign intent and attribution
– Third-party Threat Intel, Open source blacklist, Internal threat intelligence
● Network Activity/Security: Where they went to, who talked to whom, attack transmitted, abnormal traffic, malware download
– Firewall, IDS/IPS, Vulnerability scanners; Web Proxy, NetFlow, Network
● Host Activity/Security: What process is running (malicious, abnormal, etc.), process owner, registry mods, attack/malware artifacts, patching level, attack susceptibility
– Endpoint (AV/IPS/FW), Malware detection, PCLM; DHCP, OS logs, Patching
● Auth - User Roles, Corp Context: Access level, privileged users, likelihood of infection, where they might be in kill chain
– Active Directory, LDAP, CMDB; Operating System, Database, VPN, AAA, SSO
Data used at the numbered steps (1–8) of the chart: Threat Intelligence Data; Email Data or Web Data; Host or ETDR Data; Web or Firewall Data; Threat Intelligence Data; Identity Data (Identity, Roles, Privileges, Location, Behavior, Risk, Audit scope, Classification, etc.)
Start Anywhere, Analyze Up-Down-Across-Backwards-Forward
Same chart and data layers as above.
Thank You
Rapid Ascent in the Gartner SIEM Magic Quadrant*
● 2011 Niche Player
● 2012 Challenger
● 2013 Leader
● 2014 Leader
● 2015 Leader and the only vendor to improve its visionary position
*Gartner, Inc., SIEM Magic Quadrant 2011-2015. Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Industry Accolades
● Best SIEM Solution
● Best Enterprise Security Solution
● Best SIEM
Thriving Community
● Dev.splunk.com
● 40,000+ questions and answers
● 800+ apps
● Local User Groups and SplunkLive! events