From Tables to Semantics

Rethinking Information Security Workflow

ag0ncharov

November 14, 2014

Transcript

1. What Do We Care About During Incident Response?
• We care if something we discover (or something reported to us) could be “bad”.
• But we don’t really care if it’s “good” or “bad”.
• We do care whether we should do something about it.
• So how do we determine if something is actionable?
2. Questions We Ask
• Have I seen this before?
• Have others seen “this” before?
• Is this a critical system or asset?
• Who owns it?
• What’s running on it?
• What do we know about this Asset/User/Executable/Vulnerability?
• …or pretty much whatever I’m looking at, at the moment.
• Is this user / system / process behaving as it should?
• Should I keep digging, close, or escalate?
3. Answering “What Do We Know About X?”
• “Zombie” workflows, tickets with no useful info in them
• Digging for information we already have
• Why can’t we automate the information gathering?
• (We can, but the problem is presentation)
• What we need is some new sort of interactive, assisted discovery.
• So what provides the richest context?
[Slide annotation: THIS SUCKS]
4. Rich, Automated Context
Historical Activity (SIEM) + Other References:
• System Activity
• User Activity
• Previous Incidents
• Identity Model (AD, IDM)
• Asset Model (asset mgmt)
• Vulnerability Model (CVE / CVSS)
We have the data, so why not use it?
5. Modern Security Operations Technology Stack
[Layered architecture diagram. Layers: Collection and Storage Layer, Processing Layer, Interaction Layer. Components: Threat Intel, Event Collection, Identity Model, Asset Model, Behavior Analytics, Event Retention and Search, Workflow, Anomaly Detection, Correlation.]
6. Modern Tools Don’t Cover Everything
[Same stack diagram, annotated “w/o Enterprise Security”. Components shown: Threat Intel, Event Collection, Asset Model, Behavior Analytics, Identity Model, Event Retention and Search, Workflow, Anomaly Detection, Correlation.]
7. Modern Security Operations Technology Stack
[Same layered diagram as slide 5 (Collection and Storage Layer, Processing Layer, Interaction Layer; Threat Intel, Event Collection, Identity Model, Asset Model, Behavior Analytics, Event Retention and Search, Workflow, Anomaly Detection, Correlation), with part of the stack annotated “Under-developed”.]
8. How Does It Help Our Problem?
At the core of every actionable ticket / case / incident is a triple:
• User Exported Sensitive Data
• Critical Vulnerability Found In Application
• Malware Infects Workstation
• IDS Alert Triggered By System Activity
9. Example
1. User receives an email with a malicious attachment
2. Code is executed and malware is installed
3. Malware attempts to exploit an internal host, which contains sensitive data
4. Sensitive data is exfiltrated
10. Tracked Tokens
1. User receives an email with a malicious attachment
   [ source email address ] [ user account ] [ file name ] [ workstation ] [ user (person) ]
2. Code is executed and malware is installed
   [ vulnerability ] [ vulnerable software release ] [ system files modified ] [ workstation ]
3. Malware accesses internal host, which contains sensitive data
   [ malware ] [ hostname (internal host) ] [ user account ] [ user (person) ]
4. Sensitive data is exfiltrated
   [ hostname (internal host) ] [ hostname (bad guys) ] [ process ]
11. Logical Layout of Our Complete Case
[Graph diagram. Nodes: host1 [ workstation ], host2 [ sensitive data ], host3 [ bad guys ], process [ FTP ], vulnerable software + version [ Adobe Acrobat 8.0 ], system files/directories [ ], User (Person) [ Joe Bob ], user_account1 [ jbob ], user_account2 [ [email protected] ], source email address [ ], file (name) [ readme.pdf ], Actor (Malware) [ Conficker ], vulnerability [ ]. Relationship labels on the edges: received email from, sent from, delivered by, belongs to, has, executes, exploits, updates, contains, located on, network access, system access, connection established, associated with, data loss, exfiltration mechanism.]
12. Querying the Graph
All tokens that belong_to person “Joe Bob”.
Live model available here: http://neo4j-console-20.herokuapp.com/?id=nuop09
13. Focus On Immediate Context
[Graph diagram. Nodes: London, Payroll, Accounts Payable, HR, jewels.family.net, Joe Bob, Billy Dean, Jim Junior, CVE-2008-4250, CVE-2008-4251, CVE-2008-4252, CVE-2008-4253; edge label “contains”. Legend: primary relationships, secondary relationships.]
14. Focus On Immediate Context
[Same graph as slide 13, with the node groups annotated: other vulnerabilities (CVE-2008-4251, CVE-2008-4252, CVE-2008-4253), typical users, business application, location, unusual location. Legend: primary relationships, secondary relationships.]
15. Mappings Offer Immediate Insight
[Graph diagram. Nodes: host1, host2, host3, host4, host5, Snort:1:654, Snort:1:4154, Conficker, Flame, CVE-2008-4250, jewels.family.net; edge label “contains”. Legend: primary relationships, secondary relationships.]
16. Mappings Offer Immediate Insight
[Same graph as slide 15, with the node groups annotated: detected by these IDS signatures; other hosts with this vulnerability; associated with malware; hosts which triggered this IDS sig before; host with this vulnerability which triggered this IDS sig before. Legend: primary relationships, secondary relationships.]
17. How Is This Approach Useful to Us?
1. It helps an analyst to validate alerts and notifications
   • “I know everything about this user (or system) without having to search through other directories or having to track down the business owners.”
   • “Even though this user has proper privileges, their area of responsibility varies from the staff who typically access this system/data.”
2. It can help the automated detection processes (scenario or anomaly based) to be more precise by integrating context references
   • “The behavioral analytics process has flagged an anomaly, but querying known relationships between the user and the host helped downgrade this alert as a false positive.”
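The queries sketched on slides 12 through 17 (every token that belongs to a person, the primary and secondary context of a node, the other hosts carrying a vulnerability and the IDS signatures mapped to it, and checking whether a flagged user/host pair is already a known relationship) need nothing more than a list of (subject, relationship, object) triples. The Python below is an added example written for this transcript; it is not the deck's Neo4j model. The triples reuse the node labels from the "Logical Layout" slide, but which node links to which, the roles of host4 and host5 and the email addresses are assumptions made for the example.

```python
from collections import defaultdict, deque

# Constructed case graph: (subject, relationship, object) triples built from the node
# labels on the "Logical Layout of Our Complete Case" slide. The specific edges,
# the host4/host5 labels and the email addresses are assumptions for this example.
CASE_TRIPLES = [
    ("account:jbob",               "belongs_to",             "person:Joe Bob"),
    ("account:jbob@corp.example",  "belongs_to",             "person:Joe Bob"),
    ("host1:workstation",          "belongs_to",             "person:Joe Bob"),
    ("account:jbob@corp.example",  "received_email_from",    "email:sender@attacker.example"),
    ("file:readme.pdf",            "sent_from",              "email:sender@attacker.example"),
    ("file:readme.pdf",            "exploits",               "software:Adobe Acrobat 8.0"),
    ("software:Adobe Acrobat 8.0", "located_on",             "host1:workstation"),
    ("malware:Conficker",          "delivered_by",           "file:readme.pdf"),
    ("malware:Conficker",          "exploits",               "vuln:CVE-2008-4250"),
    ("host1:workstation",          "network_access",         "host2:jewels.family.net"),
    ("host2:jewels.family.net",    "has",                    "vuln:CVE-2008-4250"),
    ("host2:jewels.family.net",    "contains",               "data:sensitive data"),
    ("process:FTP",                "located_on",             "host2:jewels.family.net"),
    ("process:FTP",                "connection_established", "host3:bad guys"),
    ("vuln:CVE-2008-4250",         "detected_by",            "ids:Snort:1:654"),
    ("host4:fileserver",           "has",                    "vuln:CVE-2008-4250"),
    ("host5:printserver",          "has",                    "vuln:CVE-2008-4250"),
]


def tokens_belonging_to(person, triples=CASE_TRIPLES):
    """Slide 12: every token whose belongs_to edge points at the person."""
    return sorted(s for s, p, o in triples if p == "belongs_to" and o == person)


def neighbours(triples):
    """Undirected adjacency: an analyst wants context in both edge directions."""
    adj = defaultdict(set)
    for s, _, o in triples:
        adj[s].add(o)
        adj[o].add(s)
    return adj


def context(node, depth=2, triples=CASE_TRIPLES):
    """Slides 13/14: nodes within `depth` hops of `node`, mapped to their distance
    (1 = primary relationship, 2 = secondary). The start node is excluded."""
    adj = neighbours(triples)
    seen = {node: 0}
    queue = deque([node])
    while queue:
        cur = queue.popleft()
        if seen[cur] == depth:          # do not expand beyond the requested depth
            continue
        for nxt in adj[cur]:
            if nxt not in seen:
                seen[nxt] = seen[cur] + 1
                queue.append(nxt)
    del seen[node]
    return seen


def hosts_with(cve, triples=CASE_TRIPLES):
    """Slide 16: other hosts carrying the same vulnerability."""
    return sorted(s for s, p, o in triples if p == "has" and o == cve)


def signatures_for(cve, triples=CASE_TRIPLES):
    """Slide 16: IDS signatures mapped to a vulnerability."""
    return sorted(o for s, p, o in triples if s == cve and p == "detected_by")


def known_relationship(person, host, triples=CASE_TRIPLES):
    """Slide 17: is this host already linked to the person within two hops?
    True is grounds to downgrade an anomaly on that pair; False means keep digging."""
    return host in context(person, 2, triples)


if __name__ == "__main__":
    print("belongs_to Joe Bob:", tokens_belonging_to("person:Joe Bob"))
    for n, d in sorted(context("person:Joe Bob").items(), key=lambda kv: (kv[1], kv[0])):
        print(f"  hop {d}: {n}")
    print("hosts with CVE-2008-4250:", hosts_with("vuln:CVE-2008-4250"))
    print("signatures:", signatures_for("vuln:CVE-2008-4250"))
    print("Joe Bob -> host2 known?", known_relationship("person:Joe Bob", "host2:jewels.family.net"))
    print("Joe Bob -> host4 known?", known_relationship("person:Joe Bob", "host4:fileserver"))
```

The two-hop limit in `context` is the "only show immediate and secondary relationships" rule from slide 18 applied to the query rather than to the drawing; `known_relationship` is the same query used as a detection feature, which is the second use case on slide 17.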
18. Rules To Build By
• Track all useful relationships (from SIEM events, AD/LDAP, asset db’s, etc.)
• Define the ontology
  • Which relationships matter and which ones do not?
• Only show immediate and secondary relationships
• Pay attention to clarity of presentation
  • Nobody wants to read upside-down labels
  • Great algorithm here: http://bl.ocks.org/MoritzStefaner/1377729
• Provide smooth navigation
• Automate groupings to reduce clutter
• Add critical pieces to the Case
19. Things Still Left to Figure Out
• Graph data sets are great for ‘as is’ states, but do not reflect time
  • How long ago was that connection?
  • A novel approach is needed to consider the time scale
  • Temporal subgraphs could help
• Metrics and Reporting
  • Management still needs to track ‘avg. time to resolve’, etc.
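One way to give the graph the time dimension slide 19 says it lacks is to stamp every observed edge with when it was seen, cut a temporal subgraph around the alert time, and compute the age of a specific connection instead of reading a timeless edge. This is an added example, not from the deck; the edges and timestamps are constructed, and the window size is a parameter the analyst would choose.

```python
from datetime import datetime, timedelta

# Constructed, timestamped observations: (subject, relationship, object, seen_at).
# The deck's edges carry no time; these times are invented for the example.
TIMED_EDGES = [
    ("host1:workstation", "network_access", "host2:jewels.family.net", datetime(2014, 11, 10, 9, 12)),
    ("host1:workstation", "network_access", "host2:jewels.family.net", datetime(2014, 11, 13, 22, 41)),
    ("process:FTP", "connection_established", "host3:bad guys", datetime(2014, 11, 13, 23, 5)),
    ("host4:fileserver", "network_access", "host2:jewels.family.net", datetime(2014, 10, 2, 14, 0)),
]


def temporal_subgraph(edges, at, window):
    """Edges observed in the half-open interval (at - window, at]: the 'as of this
    alert' view of the graph rather than the accumulated 'as is' view."""
    return [e for e in edges if at - window < e[3] <= at]


def age_hours(edges, subject, relationship, obj, at):
    """'How long ago was that connection?' Hours between `at` and the most recent
    observation of the edge no later than `at`; None if it was never observed."""
    times = [t for s, p, o, t in edges
             if (s, p, o) == (subject, relationship, obj) and t <= at]
    if not times:
        return None
    return (at - max(times)).total_seconds() / 3600


def last_seen_index(edges, at):
    """Collapse repeated observations to one edge each, keyed by (s, p, o) and
    annotated with its age in hours, so a drawing can label edges by recency."""
    out = {}
    for s, p, o, t in edges:
        if t <= at and (s, p, o) not in out or (t <= at and t > out.get((s, p, o), (None, t))[1]):
            out[(s, p, o)] = ((at - t).total_seconds() / 3600, t)
    return {k: v[0] for k, v in out.items()}


if __name__ == "__main__":
    alert_time = datetime(2014, 11, 14, 0, 0)
    for s, p, o, t in temporal_subgraph(TIMED_EDGES, alert_time, timedelta(hours=24)):
        print(f"{s} -{p}-> {o} seen {t:%Y-%m-%d %H:%M}")
    print("host1->host2 age (h):", age_hours(TIMED_EDGES, "host1:workstation",
                                             "network_access", "host2:jewels.family.net", alert_time))
    print(last_seen_index(TIMED_EDGES, alert_time))
```

A subgraph cut this way answers the deck's "how long ago" question directly: the host4 connection on slide 15's style of graph looks identical to the host1 one, but its age of six weeks versus an hour is exactly what decides whether it belongs in the case.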