Enterprise Security Monitoring

David J. Bianco
September 14, 2013

Talk for the Blue Team track at the inaugural BSidesAugusta

Transcript

  1. Enterprise Security Monitoring: Comprehensive Intel-Driven Detection. Presented by David J. Bianco, David.Bianco@mandiant.com. BSides Augusta, 14 September 2013. © Mandiant Corporation. All rights reserved.
  2. First there was…
  3. Then there was…
  4. Now there is… Enterprise Security Monitoring (ESM)
  5. Enterprise Security Monitoring (ESM)
  6. Benefits of Enterprise Security Monitoring
     - Increased visibility across the entire organization
     - Get more value out of existing systems
     - Data aggregation is “hunter friendly”
     - Better organization around: detection platform coverage; detection planning (general and threat-specific); prioritization of detection resources
     - Quicker, more accurate incident detection and response
     - Leverage your detection/response infra as an offensive capability
  7. Intel Lifecycle: Research → Analyze → Conclude
  8. Detection Process: Observe → Compare → Alert → Validate
  9. Response Cycle: Contain → Investigate → Remediate
  10. Intel-Driven Operations Process (diagram): the intel lifecycle (Research, Analyze, Conclude), the detection process (Observe, Compare, Alert, Validate) and the response cycle (Contain, Investigate, Remediate) chained together; diagram labels: Indicators, Alerts, Intel DB, Detect DB, Respond DB, Feedback, Feedback.
  11. Intel-Driven Detection (diagram labels): Enterprise Security Monitor; Intel; NSM / IDS; Detection Processing; Sigs; Intel Analysts; Alerts & Queries; data sources: Firewalls, Routers, Switches, OS Logs, App Logs, Proxy Logs, Web Logs, Antivirus, HIDS/HIPS, Other Enterprise Data.
  12. What is an indicator? A piece of information that points to a certain conclusion.
  13. What it is not (diagram: ≠)
  14. Common Indicator Data Types: IPv4 Address; Domain / FQDN; Hash (MD5, SHA1); URL; Transaction Element (User-Agent, MTA); File Name / Path; Mutex; Registry Value; User Name; Email Address
  15. Indicator Characteristics
     - Extractable: Can I find this indicator in my data?
     - Purposeful: To what use will I put this indicator?
     - Actionable: If I find this indicator in my data, can I do something with that information?
  16. Indicator Purposes
     - Attribution: Who/what is responsible for this activity?
     - Detection: If this event happens, I want to know about it.
     - Profiling: What are the targeting parameters for this threat?
     - Prediction: Given the current state, what can I expect from this threat in the future?
  17. The Kill Chain: Reconnaissance → Weaponization → Delivery → Exploitation → Installation → Command & Control (C2) → Actions on Objectives. “A systematic process to target and engage an adversary to create desired effects.” Source: “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains”, Hutchins, Cloppert, Amin, http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf (last checked August 2013)
  18. Mandiant Attack Lifecycle Diagram (diagram)
  19. The Pyramid of Pain (diagram)
  20. I don’t have a cool name for this. “Bed of Nails”? (diagram labelled with the kill chain phases: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command & Control (C2), Actions on Objectives)
  21. Intel-Driven Detection Planning
     - What scenarios do we need to be able to detect?
     - What are our options for detecting them?
     - What are the strengths and weaknesses of our detection program today?
     - What is our detection stance against specific actors?
     - What is our overall plan for detection across our enterprise?
  22. What scenarios do we need to be able to detect? (indicator types by kill chain phase)
     - Reconnaissance: File - Name; File; URI - URL; HTTP - GET; HTTP - User Agent String; URI - Domain Name; Address - e-mail; Address - ipv4-addr
     - Weaponization: File; File - Path; URI - URL
     - Delivery: Behavior; File - Full Path; File - Name; File; URI - URL; HTTP - POST; Email Header - Subject; Email Header - X-Mailer; URI - Domain Name; Hash - MD5; Hash - SHA1; Address - e-mail; Address - ipv4-addr
     - Exploitation: Behavior; Win Registry Key; File - Name; File; URI - URL; Streetname - McAfee; Streetname - Sophos; URI - Domain Name; Hash - MD5; Hash - SHA1; Address - cidr; Address - ipv4-addr
     - Installation: Code - Binary_Code; Win Process; Win Registry Key; File - Full Path; File - Name; File; File - Path; URI - URL; HTTP - GET; HTTP - User Agent String; Streetname - McAfee; Streetname - Sophos; URI - Domain Name; Hash - MD5; Hash - SHA1; Hash - SSDEEP; Address - e-mail; Address - ipv4-addr
     - Command & Control (C2): Behavior; Win Process; Win Registry Key; File; URI - URL; HTTP - GET; HTTP - POST; HTTP - User Agent String; URI - Domain Name; Hash - MD5; Address - e-mail; Address - ipv4-addr
     - Actions on Objectives: Behavior; Win Registry Key; Win Service; File - Full Path; File - Name; File; File - Path; URI - URL; Streetname - Sophos; URI - Domain Name; Hash - MD5; Hash - SHA1; Address - ipv4-addr
  23. Detection Options - Snort (same indicator matrix as slide 22)
  24. Detection Options - HIPS (same indicator matrix as slide 22)
  25. Detection Options - MIR (same indicator matrix as slide 22)
  26. Score Card: Use of Available Indicators (same indicator matrix as slide 22)
  27. Score Card: Pyramid Effectiveness of Indicators (same indicator matrix as slide 22)
  28. Score Card: Effectiveness Against APT-π (indicator types by kill chain phase)
     - Reconnaissance: URI - Domain Name; Address - ipv4-addr
     - Weaponization: (none)
     - Delivery: Email Header - Subject; Email Header - X-Mailer; URI - Domain Name; Hash - MD5; Hash - SHA1; Address - e-mail; Address - ipv4-addr
     - Exploitation: Win Registry Key; File - Name; File; URI - URL; Streetname - McAfee; URI - Domain Name; Hash - MD5; Hash - SHA1; Address - cidr; Address - ipv4-addr
     - Installation: Code - Binary_Code; Win Process; Win Registry Key; File - Full Path; File - Name; File; File - Path; URI - URL; HTTP - GET; HTTP - User Agent String; Streetname - McAfee; URI - Domain Name; Hash - MD5; Hash - SHA1; Address - ipv4-addr
     - Command & Control (C2): Behavior; Win Process; Win Registry Key; File; URI - URL; HTTP - GET; HTTP - POST; HTTP - User Agent String; URI - Domain Name; Hash - MD5; Address - e-mail; Address - ipv4-addr
     - Actions on Objectives: Behavior; Win Registry Key; Win Service; File - Full Path; File - Name; File; File - Path; URI - URL; Streetname - Sophos; URI - Domain Name; Hash - MD5; Hash - SHA1; Address - ipv4-addr
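The score cards on slides 23 to 28 are set arithmetic over the slide 22 matrix: which needed indicator types a platform can extract (slide 15's "extractable"), what fraction that covers per phase, the same fraction weighted by the Pyramid of Pain, and the gap against one actor. The Python below is an added example, not code from the talk; its platform capabilities, Pyramid of Pain ranks and the APT-π profile are constructed assumptions.

```python
"""Detection score card by kill-chain phase (added example, not the talk's code).
Platform capabilities, Pyramid-of-Pain ranks and the APT-pi profile are constructed."""

# Indicator types needed per phase, abridged from slide 22.
NEEDED = {
    "Delivery": {"Email Header - Subject", "URI - Domain Name", "Hash - MD5",
                 "Address - e-mail", "Address - ipv4-addr", "Behavior"},
    "Exploitation": {"Win Registry Key", "File - Name", "Hash - MD5",
                     "URI - Domain Name", "Address - ipv4-addr"},
    "Command & Control (C2)": {"HTTP - User Agent String", "URI - Domain Name", "Hash - MD5",
                               "Address - ipv4-addr", "Behavior", "HTTP - POST"},
}

# Which types each platform can extract from its own data (assumed, not the talk's assessment).
PLATFORMS = {
    "Snort": {"URI - Domain Name", "Address - ipv4-addr", "HTTP - User Agent String"},
    "HIPS": {"Win Registry Key", "File - Name", "Hash - MD5", "Behavior"},
}

# Pyramid of Pain rank (assumed): higher means costlier for the adversary to change.
PAIN = {"Hash - MD5": 1, "Address - ipv4-addr": 2, "URI - Domain Name": 3, "Address - e-mail": 3,
        "HTTP - User Agent String": 4, "HTTP - POST": 4, "Win Registry Key": 4, "File - Name": 4,
        "Email Header - Subject": 4, "Behavior": 6}

# Constructed actor profile standing in for slide 28's "APT-pi".
APT_PI = {"Email Header - Subject", "Hash - MD5", "Address - ipv4-addr",
          "HTTP - POST", "Win Registry Key"}

def covered(phase, platforms=PLATFORMS):
    """Needed types in `phase` that at least one of the given platforms can extract."""
    return NEEDED[phase] & set().union(*platforms.values())

def coverage_ratio(phase, platforms=PLATFORMS):
    """Slide 26 style: fraction of needed indicator types we can actually use."""
    return len(covered(phase, platforms)) / len(NEEDED[phase])

def pain_weighted_ratio(phase, platforms=PLATFORMS):
    """Slide 27 style: same ratio, weighted so covering a behaviour outweighs a hash."""
    total = sum(PAIN[t] for t in NEEDED[phase])
    return sum(PAIN[t] for t in covered(phase, platforms)) / total

def gaps_against_actor(actor_types, platforms=PLATFORMS):
    """Slide 28 style: per phase, the types this actor uses that nothing extracts."""
    return {p: sorted((NEEDED[p] & actor_types) - covered(p, platforms)) for p in NEEDED}

if __name__ == "__main__":
    for phase in NEEDED:
        print(phase, round(coverage_ratio(phase), 2), round(pain_weighted_ratio(phase), 2))
    print("APT-pi gaps:", gaps_against_actor(APT_PI))
```

Passing a single platform (for example only `PLATFORMS["Snort"]`) reproduces the per-platform "Detection Options" view of slides 23 to 25.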
  29. Enterprise Detection Plan (diagram)
  30. Summary
     - NSM:IDS :: ESM:NSM
     - Collect and aggregate across your entire enterprise: increased visibility; maximum use of resources; better for “hunting”
     - Organize intel for better program insights
     - Big improvements in detection & response capabilities for minimal investment
     - Smart detection makes for frustrated adversaries!
  31. Questions? David J. Bianco, David.Bianco@mandiant.com, detect-respond.blogspot.com