Posted 15-Feb-2017

TRANSCRIPT

Page 1

TYING CYBER ATTACKS TO BUSINESS PROCESSES, FOR FASTER MITIGATION

Prof. Avishai Wool, CTO, AlgoSec

Page 2

AGENDA
• Introduction
• Business Driven Incident Response
• Technical Considerations in Remediation
• SIEM integration with AlgoSec

Page 3

INTRODUCTION

Page 4

BACKGROUND
The attackers are already inside the corporate network:
• Advanced Persistent Threat (APT)
• Compromised servers and desktops
• Malicious insiders

What can happen during an attack:
• Data is being exfiltrated (theft, espionage)
• A compromised server attacks other systems
• A compromised desktop is part of a DDoS attack network
• …

Page 5

ADAPTIVE SECURITY
• “… preventive, detective and response capabilities.”
• “… context-aware network, endpoint and application security protection platforms”
  • Neil MacDonald, Peter Firstbrook, Gartner 2016
• “Leverage the Security Ecosystem from within the SIEM – Avoid Context Switching”
• “Maintain context during investigations”
  • Splunk Partner Information, 2016

Page 6

AN INCIDENT STARTS WITH DETECTION
• Technological detectors, with different methodologies:
  • Signature-based, anomaly-detection, behavioral
  • Network-based, host-based
  • Dedicated sensors, alerts from standard systems
  • Internal or from threat-intelligence
  • Etc.…
• Human analysts in the “Cyber Operation Center” (COC)
  • Free-search through real-time + offline log data

Evidence of malicious activity can be observed in logs

Page 7

THE FUNNEL: LOGS > CASES > INCIDENTS
• Many systems produce logs
  • Firewalls, anti-virus, computer OS, authentication systems, …
• Logs sent to a SIEM (Security Information and Event Management)
  • Huge volume, nearly all benign
• SIEM “business logic” / “event correlation”: open Cases
  • SOC (Security Operations Center) staff handles the cases
  • Many false alarms
• Real cases become incidents
  • COC (Cyber-Operation Center) staff handles the incidents

Page 8

SECURITY INCIDENT RESPONSE
Security Analysts in the COC analyze cases and incidents.
Their job is to detect real breaches (avoid false alarms), report the incident, analyze its impact, and stop/contain the attack.

Page 9

BUSINESS DRIVEN INCIDENT RESPONSE

Page 10

INCIDENT DETECTED – NOW WHAT?
• Common (unstructured):
  • “30 people on a bridge call”
  • “24 hours just to decide whether to isolate, and when”
  • “one person walking around and documenting”
• Better: use a “case management system”
  • Within the SIEM or as an add-on
  • Collect and document evidence
• Best:
  • Business-driven, context-aware
  • Actionable

Page 11

BUSINESS-DRIVEN TRIAGE
• Identify impacted business processes
  • Which business applications rely on the impacted systems?
  • How business-critical are these applications?
  • Who are the business owners?
• Identify data sensitivity
  • Do impacted applications handle sensitive data?
  • Is the impacted system a “stepping stone” to sensitive data?
  • Can the impacted system exfiltrate data?
• Triage outcomes:
  • Urgency of mitigation (now / tonight / change-control window)
  • Aggressiveness of mitigation (filter / disconnect / shutdown / patch)

Page 12

BUSINESS-DRIVEN CONSIDERATIONS
• Weigh 2 types of risk:
  • Security risk: damage of the attack until it is mitigated
  • Operational risk: downtime during mitigation + unintended side effects
• Business criticality primarily affects the operational risk
• Data sensitivity primarily affects the security risk
  • … and also regulatory compliance and reporting requirements
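The triage of slides 11 and 12 (business criticality driving the operational risk, data sensitivity and reachability driving the security risk, and the two outputs: urgency and aggressiveness) as an added worked example in Python. This is not code from the talk or from AlgoSec. The Asset record, the scores, the thresholds and the sample inventory are assumptions made for illustration; “patch” is treated here as the fix-in-place option for a host with nothing sensitive on it and nowhere to go, and the reachability flags are taken as already computed by a firewall-policy analysis.

```python
"""Business-driven triage of an incident (added example, not from the talk
or AlgoSec's product).  Asset records, scores and thresholds are assumptions
for illustration; a real deployment would pull criticality, owners and
reachability from an application inventory / CMDB and a policy analysis."""
from dataclasses import dataclass, field


@dataclass
class Asset:
    host: str
    applications: list              # business applications that rely on this host
    criticality: int                # 1 (lab box) .. 5 (revenue-critical), set by the app owners
    handles_sensitive_data: bool    # PII / card data / secrets stored or processed here
    can_reach_internet: bool        # result of a reachability analysis through the perimeter
    can_reach_sensitive_zone: bool  # same, through the east-west filters
    owners: list = field(default_factory=list)


def security_risk(a: Asset) -> int:
    """Damage the attacker can still do while the host stays up (slide 12).
    Local data is assumed exposed once the host is 0wned; the rest depends
    on where the host can reach."""
    score = 1
    if a.handles_sensitive_data:
        score += 2        # what is on the box is already lost
    if a.can_reach_internet:
        score += 2        # exfiltration path / C&C channel
    if a.can_reach_sensitive_zone:
        score += 2        # stepping stone for lateral movement
    return score          # 1..7


def operational_risk(a: Asset) -> int:
    """Cost of taking the host away: driven by business criticality (slide 12)."""
    return a.criticality  # 1..5


ACTIONS = ["filter", "disconnect", "shutdown"]  # least to most disruptive


def triage(a: Asset) -> dict:
    s, o = security_risk(a), operational_risk(a)
    # Urgency follows the security risk: now / tonight / next change window.
    urgency = "now" if s >= 5 else "tonight" if s >= 3 else "change-control-window"
    if s == 1:
        action = "patch"  # nothing sensitive, nowhere to go: fix in place
    else:
        wanted = 2 if s >= 6 else 1 if s >= 4 else 0      # what the security risk calls for
        tolerated = 0 if o >= 5 else 1 if o >= 3 else 2   # what the business can absorb
        action = ACTIONS[min(wanted, tolerated)]          # most aggressive option still tolerated
    return {
        "host": a.host,
        "security_risk": s,
        "operational_risk": o,
        "urgency": urgency,
        "action": action,
        "notify": sorted(set(a.owners)),
        "regulatory_reporting": a.handles_sensitive_data,  # breach-notification duties
    }


# Constructed sample inventory (not real systems).
INVENTORY = {
    "web-01": Asset("web-01", ["customer portal"], 5, True, True, False, ["portal-owner@example.com"]),
    "dev-07": Asset("dev-07", ["build farm"], 2, True, True, True, ["dev-lead@example.com"]),
    "kiosk-3": Asset("kiosk-3", ["lobby display"], 1, False, False, False, ["facilities@example.com"]),
}


def triage_all(inventory=INVENTORY) -> dict:
    return {name: triage(a) for name, a in inventory.items()}


if __name__ == "__main__":
    for name, verdict in triage_all().items():
        print(name, verdict)
```

The interesting case is web-01: the security risk says “disconnect”, but a revenue-critical application only tolerates “filter”, so the host stays up with restricted flows; dev-07 has the same exposure plus a path into the sensitive zone and no business reason to stay up, so it is shut down now.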

Page 13

REACHABILITY CONSIDERATIONS
• Assume that the impacted system is “0wned”
  • All sensitive data on that system is exposed
  • … but network defenses are still in place:
    • East-West traffic filters (in a segmented datacenter)
    • North-South traffic filters (perimeter firewalls)
• Can the impacted system connect to the Internet?
  • Exfiltrate local data
• Can the impacted system connect to more sensitive systems?
  • Lateral movement
  • Stepping stone

Page 14: Tying cyber attacks to business processes, for faster mitigation

• Contain:• Remediate through automatic isolation of compromised servers from network

• Report:• Report incident to relevant teams•Maintain audit trail of actions taken

RESPONSE: TAKING ACTION

14

Page 15

BUSINESS-DRIVEN REMEDIATION: WHEN TO ISOLATE?
• Timing of isolation may be important
  • How urgent and how severe is the issue?
  • In which time-zones are the affected application’s users?
• Possible outcomes:
  • Do it now!
  • Use an unscheduled change-control window (tonight)
  • Wait for a normal change-control window (next week)

Page 16

BUSINESS-DRIVEN REMEDIATION: HOW TO ISOLATE?
• Method of isolation may be important
• Possibilities:
  • Power down
  • Disconnect from the local network
    • Physically pull the cable
    • Logically disconnect from the L2 switch
  • Block all traffic at network segment boundaries
  • Restrict traffic at network segment boundaries (allow only restricted flows)

Page 17

POLL

Page 18

POLL
How many people do you have in your Cyber-Operation Center?
• We don’t have one
• 1-5
• 6-15
• More than 15

Page 19

TECHNICAL CONSIDERATIONS IN REMEDIATION

Page 20

WHERE TO ISOLATE (NETWORK SEGMENT)?
• Find the filtering devices closest to the impacted system

(diagram: the impacted system and the candidate isolation points around it)

Page 21

L2 / HOST-BASED ISOLATION
• NAC to disconnect the Ethernet port
• Wireless hotspot to disconnect the mobile host
• Advantage: isolates the host from all others
• Challenges:
  • Going from IP address to L2 port number
  • May require additional equipment

Page 22

TRADITIONAL FIREWALL-BASED ISOLATION
• Use firewall(s) and filtering routers to block/restrict traffic to/from the device
• Advantages:
  • At arm’s length from the infected host, retains forensic evidence
  • Filtering is what firewalls do
  • No additional equipment required
• Limitation: isolation is only as good as the network segmentation

Page 23

RESTRICT RATHER THAN ISOLATE?
• Put the “other side” of the connection on a black-list
  • Web proxy (e.g. BlueCoat, Zscaler, WAF)
• Restrict the infected machine to only specific services
• Restrict to only internal addresses
  • DLP
  • Disconnect from botnet C&C
  • Prevent participation in outbound DDoS
• Restrict to only external addresses (e.g., for web-facing servers)
  • Block access to sensitive internal data
  • Prevent attacks on internal servers
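A small first-match policy evaluator that answers the two reachability questions of slide 13 (can the impacted system reach the Internet? can it reach the sensitive zone?) and then expresses the two restriction modes of this slide as rules prepended at the segment firewall of slide 22, re-checking reachability afterwards. This is an added example, not AlgoSec’s traffic simulation (which reasons over whole address sets rather than probing sample addresses); the policy, the zones, the impacted host 10.1.2.3, the probe ports and the documentation ranges 203.0.113.0/24 and 198.51.100.0/24 standing in for “the Internet” are all constructed for the example.

```python
"""Reachability check and 'restrict rather than isolate' rules against a
first-match packet-filter policy (added example; not AlgoSec code).  Zones,
addresses and rules are constructed; 203.0.113.0/24 and 198.51.100.0/24 are
RFC 5737 documentation ranges standing in for the Internet."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]   # None = any destination port
    action: str            # "allow" or "deny"


def rule(src: str, dst: str, dport: Optional[int], action: str) -> Rule:
    return Rule(ipaddress.ip_network(src), ipaddress.ip_network(dst), dport, action)


def decide(policy, src, dst, dport) -> str:
    """First matching rule wins; an implicit deny closes the list, as on most firewalls."""
    for r in policy:
        if src in r.src and dst in r.dst and r.dport in (None, dport):
            return r.action
    return "deny"


ZONES = {
    "sensitive": [ipaddress.ip_network("10.3.3.0/24")],   # e.g. the database / cardholder segment
    "internet": [ipaddress.ip_network("203.0.113.0/24"),
                 ipaddress.ip_network("198.51.100.0/24")],
}
PROBE_PORTS = (22, 53, 80, 443, 1433)   # a few ports worth asking about


def can_reach(policy, host, zone) -> bool:
    """Probe the first and last usable address of every network in the zone.
    (A real traffic simulator computes this over address sets instead.)"""
    host = ipaddress.ip_address(host)
    for n in ZONES[zone]:
        for dst in (n[1], n[-2]):
            for port in PROBE_PORTS:
                if decide(policy, host, dst, port) == "allow":
                    return True
    return False


def reachability(policy, host) -> dict:
    """Slides 13, 32, 33: can the impacted system exfiltrate, or act as a stepping stone?"""
    return {zone: can_reach(policy, host, zone) for zone in ZONES}


# Constructed current policy of the segment firewall (slide 22).
POLICY = [
    rule("10.1.0.0/16", "10.3.3.0/24", 1433, "allow"),   # app tier may talk SQL to the DB segment
    rule("10.0.0.0/8", "10.3.3.0/24", None, "deny"),     # nobody else reaches the sensitive zone
    rule("10.0.0.0/8", "0.0.0.0/0", 443, "allow"),       # HTTPS egress for the whole campus
    rule("0.0.0.0/0", "0.0.0.0/0", None, "deny"),        # explicit cleanup rule
]
HOST = "10.1.2.3"   # the impacted system (constructed)


def restrict_to_internal(host) -> list:
    """Slide 23: keep the host on the LAN but off the Internet and the sensitive zone
    (cuts C&C, exfiltration and outbound DDoS).  Prepend to the existing policy.
    Add 172.16.0.0/12 and 192.168.0.0/16 here if the site uses them internally."""
    h = f"{host}/32"
    return [rule(h, "10.3.3.0/24", None, "deny"),
            rule(h, "10.0.0.0/8", None, "allow"),
            rule(h, "0.0.0.0/0", None, "deny")]


def restrict_to_external(host) -> list:
    """Slide 23: for a web-facing server, keep serving the Internet but block every
    internal destination (no access to sensitive data, no attacks on internal servers)."""
    h = f"{host}/32"
    return [rule(h, "10.0.0.0/8", None, "deny"),
            rule(h, "0.0.0.0/0", None, "allow")]


if __name__ == "__main__":
    print("before:       ", reachability(POLICY, HOST))
    print("internal-only:", reachability(restrict_to_internal(HOST) + POLICY, HOST))
    print("external-only:", reachability(restrict_to_external(HOST) + POLICY, HOST))
```

Two things the re-check makes visible: the quarantine rules must sit in front of the existing “allow HTTPS egress” rule, otherwise first-match lets the exfiltration path stand, and because the rules are scoped to the one /32, every other host in the segment keeps exactly the reachability it had before.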

Page 24

SIEM INTEGRATION WITH ALGOSEC

Page 25

ALGOSEC SPLUNK APP FOR INCIDENT RESPONSE
• Splunk App for Incident Response based on AlgoSec capabilities
• To be used as-is or incorporated into other Splunk Apps

Page 26

(screenshot: AlgoSec Splunk App, no slide text)

Page 27

(screenshot, no slide text)

Page 28

AlgoSec App adds an action menu to all IP address fields
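How an app attaches an action to IP-address fields in Splunk, as an added illustration of the mechanism behind this slide: a stanza in the app’s workflow_actions.conf. This is not the AlgoSec app’s actual file; the stanza name, the field list and the lookup URL are assumptions.

```ini
# default/workflow_actions.conf inside the Splunk app (illustration, not the
# AlgoSec app's file; stanza name, field list and URL are assumptions)
[algosec_business_context]
type = link
display_location = field_menu
# fields accept wildcards; list the IP-bearing field names the app's searches produce
fields = src_ip, dest_ip, src, dest, *_ip
label = AlgoSec: business context for $@field_value$
link.method = get
link.target = blank
link.uri = https://algosec.example.com/BusinessFlow/lookup?ip=$@field_value$
```

The analyst clicks the field value in the event view and lands on the lookup for that IP without leaving the SIEM, which is the “avoid context switching” point of slide 5.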

Page 29

• Critical business process? (identify business impact, set priority)
• Who to report to?

Page 30

(screenshot, no slide text)

Page 31

• Custom business logic
• Machine-readable data to allow further integration

Page 32

Can reach Internet? Data exfiltration possible
• From impacted system
• To Internet

Page 33

Can reach sensitive zone? Stepping stone, regulatory impact, reporting requirements
• From impacted system
• To sensitive zone

10.3.3.3

Pages 34-36

(screenshots, no slide text)

Page 37

DISTRIBUTION AND LICENSING
• Delivered via Splunkbase (Splunk’s App Store)
  • Download directly from the Splunk administration UI, or via the Splunk website
• App is free, open source
  • Requires a licensed AlgoSec deployment
• Customers/partners are welcome to extend the App or extract parts of it and use them in other Splunk Apps
• More to come – stay tuned!

Page 38

SUMMARY
• Overview of Incident Response processes
• Business Driven Incident Response
• Technical Considerations in Remediation
• SIEM integration with AlgoSec

Page 39

EXIT POLL
Would you like to evaluate the AlgoSec/Splunk integration?
• Yes, please contact me this month
• Yes, in 3-6 months
• I don’t have Splunk
• No

Page 40

MORE RESOURCES