Enterprise Security Monitoring

Transcript

1. PRESENTED BY: © Mandiant Corporation. All rights reserved. Enterprise Security

   Monitoring Comprehensive Intel-Driven Detection David J. Bianco [email protected] BSIDES AUGUSTA 14 SEPTEMBER, 2013

2. © Mandiant Corporation. All rights reserved. First there was… 2

3. © Mandiant Corporation. All rights reserved. Then there was… 3

4. © Mandiant Corporation. All rights reserved. Now there is… 4

   Enterprise Security Monitoring (ESM)

5. © Mandiant Corporation. All rights reserved. Enterprise Security Monitoring 5

   ESM

6. © Mandiant Corporation. All rights reserved.   Increased visibility across

   the entire organization   Get more value out of existing systems   Data aggregation is “hunter friendly”   Better organization around:   Detection platform coverage   Detection planning   General   Threat-specific   Prioritization of detection resources   Quicker, more accurate incident detection and response   Leverage your detection/response infra as an offensive capability Benefits of Enterprise Security Monitoring 6

7. © Mandiant Corporation. All rights reserved. Intel Lifecycle 7 Research

   Analyze Conclude

8. © Mandiant Corporation. All rights reserved. Detection Process 8 Observe

   Compare Alert Validate

9. © Mandiant Corporation. All rights reserved. Response Cycle 9 Contain

   Investigate Remediate

10. © Mandiant Corporation. All rights reserved. Intel-Driven Operations Process 10

    Research Analyze Conclude Observe Compare Alert Validate Contain Investigate Remediate Indicators Alerts Intel DB Detect DB Respond DB Feedback Feedback

11. © Mandiant Corporation. All rights reserved. Intel-Driven Detection 11 Enterprise

    Security Monitor Intel NSM / IDS Detection Processing Sigs Intel Analysts Alerts & Queries Firewalls Routers Switches OS Logs App Logs Proxy Logs Web Logs Antivirus HIDS/HIPS Other Enterprise Data

12. © Mandiant Corporation. All rights reserved. What is an indicator?

    12 A piece of information that points to a certain conclusion

13. © Mandiant Corporation. All rights reserved. What it is not

    13 ≠

14. © Mandiant Corporation. All rights reserved. Common Indicator Data Types

    14 IPv4 Address Domain / FQDN Hash (MD5, SHA1) URL Transaction Element (User- Agent, MTA) File Name / Path Mutex Registry Value User Name Email Address

15. © Mandiant Corporation. All rights reserved. Indicator Characteristics 15 Extractable

    Can I find this indicator in my data? Purposeful To what use will I put this indicator? Actionable If I find this indicator in my data, can I do something with that information?

16. © Mandiant Corporation. All rights reserved. Attribution •  Who/what is

    responsible for this activity? Detection •  If this event happens, I want to know about it. Profiling •  What are the targeting parameters for this threat? Prediction •  Given the current state, what can I expect from this threat in the future? Indicator Purposes 16

17. © Mandiant Corporation. All rights reserved. The Kill Chain 17

    Reconaissance Weaponization Delivery Exploitation Installation Command & Control (C2) Actions on Objectives “a systematic process to target and engage an adversary to create desired effects.” Source: Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains”, Hutchins, Cloppert, Amin, http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf (Last checked August 2013)

18. © Mandiant Corporation. All rights reserved. Mandiant Attack Lifecycle Diagram

    18

19. © Mandiant Corporation. All rights reserved. The Pyramid of Pain

    19

20. © Mandiant Corporation. All rights reserved. I don’t have a

    cool name for this. “Bed of Nails”? 20 Reconaissance Weaponization Delivery Exploitation Installation Command & Control (C2) Actions on Objectives

21. © Mandiant Corporation. All rights reserved.   What scenarios do

    we need to be able to detect?   What are our options for detecting them?   What are the strengths and weaknesses of our detection program today?   What is our detection stance against specific actors?   What is our overall plan for detection across our enterprise? Intel-Driven Detection Planning 21

22. © Mandiant Corporation. All rights reserved. What scenarios do we

    need to be able to detect? 22 Reconaissance • File - Name • File • URI - URL • HTTP - GET • HTTP - User Agent String • URI - Domain Name • Address - e-mail • Address - ipv4-addr Weaponization • File • File - Path • URI - URL Delivery • Behavior • File - Full Path • File - Name • File • URI - URL • HTTP - POST • Email Header - Subject • Email Header - X- Mailer • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - e-mail • Address - ipv4-addr Exploitation • Behavior • Win Registry Key • File - Name • File • URI - URL • Streetname - McAfee • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - cidr • Address - ipv4-addr Installation • Code - Binary_Code • Win Process • Win Registry Key • File - Full Path • File - Name • File • File - Path • URI - URL • HTTP - GET • HTTP - User Agent String • Streetname - McAfee • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Hash - SSDEEP • Address - e-mail • Address - ipv4-addr Command & Control (C2) • Behavior • Win Process • Win Registry Key • File • URI - URL • HTTP - GET • HTTP - POST • HTTP - User Agent String • URI - Domain Name • Hash - MD5 • Address - e-mail • Address - ipv4-addr Actions on Objectives • Behavior • Win Registry Key • Win Service • File - Full Path • File - Name • File • File - Path • URI - URL • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - ipv4-addr

23. © Mandiant Corporation. All rights reserved. Detection Options - Snort

    23 Reconaissance • File - Name • File • URI - URL • HTTP - GET • HTTP - User Agent String • URI - Domain Name • Address - e-mail • Address - ipv4-addr Weaponization • File • File - Path • URI - URL Delivery • Behavior • File - Full Path • File - Name • File • URI - URL • HTTP - POST • Email Header - Subject • Email Header - X- Mailer • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - e-mail • Address - ipv4-addr Exploitation • Behavior • Win Registry Key • File - Name • File • URI - URL • Streetname - McAfee • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - cidr • Address - ipv4-addr Installation • Code - Binary_Code • Win Process • Win Registry Key • File - Full Path • File - Name • File • File - Path • URI - URL • HTTP - GET • HTTP - User Agent String • Streetname - McAfee • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Hash - SSDEEP • Address - e-mail • Address - ipv4-addr Command & Control (C2) • Behavior • Win Process • Win Registry Key • File • URI - URL • HTTP - GET • HTTP - POST • HTTP - User Agent String • URI - Domain Name • Hash - MD5 • Address - e-mail • Address - ipv4-addr Actions on Objectives • Behavior • Win Registry Key • Win Service • File - Full Path • File - Name • File • File - Path • URI - URL • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - ipv4-addr

24. © Mandiant Corporation. All rights reserved. Detection Options - HIPS

    24 Reconaissance • File - Name • File • URI - URL • HTTP - GET • HTTP - User Agent String • URI - Domain Name • Address - e-mail • Address - ipv4-addr Weaponization • File • File - Path • URI - URL Delivery • Behavior • File - Full Path • File - Name • File • URI - URL • HTTP - POST • Email Header - Subject • Email Header - X- Mailer • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - e-mail • Address - ipv4-addr Exploitation • Behavior • Win Registry Key • File - Name • File • URI - URL • Streetname - McAfee • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - cidr • Address - ipv4-addr Installation • Code - Binary_Code • Win Process • Win Registry Key • File - Full Path • File - Name • File • File - Path • URI - URL • HTTP - GET • HTTP - User Agent String • Streetname - McAfee • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Hash - SSDEEP • Address - e-mail • Address - ipv4-addr Command & Control (C2) • Behavior • Win Process • Win Registry Key • File • URI - URL • HTTP - GET • HTTP - POST • HTTP - User Agent String • URI - Domain Name • Hash - MD5 • Address - e-mail • Address - ipv4-addr Actions on Objectives • Behavior • Win Registry Key • Win Service • File - Full Path • File - Name • File • File - Path • URI - URL • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - ipv4-addr

25. © Mandiant Corporation. All rights reserved. Detection Options - MIR

    25 Reconaissance • File - Name • File • URI - URL • HTTP - GET • HTTP - User Agent String • URI - Domain Name • Address - e-mail • Address - ipv4-addr Weaponization • File • File - Path • URI - URL Delivery • Behavior • File - Full Path • File - Name • File • URI - URL • HTTP - POST • Email Header - Subject • Email Header - X- Mailer • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - e-mail • Address - ipv4-addr Exploitation • Behavior • Win Registry Key • File - Name • File • URI - URL • Streetname - McAfee • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - cidr • Address - ipv4-addr Installation • Code - Binary_Code • Win Process • Win Registry Key • File - Full Path • File - Name • File • File - Path • URI - URL • HTTP - GET • HTTP - User Agent String • Streetname - McAfee • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Hash - SSDEEP • Address - e-mail • Address - ipv4-addr Command & Control (C2) • Behavior • Win Process • Win Registry Key • File • URI - URL • HTTP - GET • HTTP - POST • HTTP - User Agent String • URI - Domain Name • Hash - MD5 • Address - e-mail • Address - ipv4-addr Actions on Objectives • Behavior • Win Registry Key • Win Service • File - Full Path • File - Name • File • File - Path • URI - URL • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - ipv4-addr

26. © Mandiant Corporation. All rights reserved. Score Card: Use of

    Available Indicators 26 Reconaissance • File - Name • File • URI - URL • HTTP - GET • HTTP - User Agent String • URI - Domain Name • Address - e-mail • Address - ipv4-addr Weaponization • File • File - Path • URI - URL Delivery • Behavior • File - Full Path • File - Name • File • URI - URL • HTTP - POST • Email Header - Subject • Email Header - X- Mailer • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - e-mail • Address - ipv4-addr Exploitation • Behavior • Win Registry Key • File - Name • File • URI - URL • Streetname - McAfee • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - cidr • Address - ipv4-addr Installation • Code - Binary_Code • Win Process • Win Registry Key • File - Full Path • File - Name • File • File - Path • URI - URL • HTTP - GET • HTTP - User Agent String • Streetname - McAfee • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Hash - SSDEEP • Address - e-mail • Address - ipv4-addr Command & Control (C2) • Behavior • Win Process • Win Registry Key • File • URI - URL • HTTP - GET • HTTP - POST • HTTP - User Agent String • URI - Domain Name • Hash - MD5 • Address - e-mail • Address - ipv4-addr Actions on Objectives • Behavior • Win Registry Key • Win Service • File - Full Path • File - Name • File • File - Path • URI - URL • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - ipv4-addr

27. © Mandiant Corporation. All rights reserved. Score Card: Pyramid Effectiveness

    of Indicators 27 Reconaissance • File - Name • File • URI - URL • HTTP - GET • HTTP - User Agent String • URI - Domain Name • Address - e-mail • Address - ipv4-addr Weaponization • File • File - Path • URI - URL Delivery • Behavior • File - Full Path • File - Name • File • URI - URL • HTTP - POST • Email Header - Subject • Email Header - X- Mailer • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - e-mail • Address - ipv4-addr Exploitation • Behavior • Win Registry Key • File - Name • File • URI - URL • Streetname - McAfee • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - cidr • Address - ipv4-addr Installation • Code - Binary_Code • Win Process • Win Registry Key • File - Full Path • File - Name • File • File - Path • URI - URL • HTTP - GET • HTTP - User Agent String • Streetname - McAfee • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Hash - SSDEEP • Address - e-mail • Address - ipv4-addr Command & Control (C2) • Behavior • Win Process • Win Registry Key • File • URI - URL • HTTP - GET • HTTP - POST • HTTP - User Agent String • URI - Domain Name • Hash - MD5 • Address - e-mail • Address - ipv4-addr Actions on Objectives • Behavior • Win Registry Key • Win Service • File - Full Path • File - Name • File • File - Path • URI - URL • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - ipv4-addr

28. © Mandiant Corporation. All rights reserved. Score Card: Effectiveness Against

    APT-π 28 Reconaissance • URI – Domain Name • Address - ipv4-addr Weaponization Delivery • Email Header - Subject • Email Header - X- Mailer • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - e-mail • Address - ipv4-addr Exploitation • Win Registry Key • File - Name • File • URI - URL • Streetname - McAfee • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - cidr • Address - ipv4-addr Installation • Code - Binary_Code • Win Process • Win Registry Key • File - Full Path • File - Name • File • File - Path • URI - URL • HTTP - GET • HTTP - User Agent String • Streetname - McAfee • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - ipv4-addr Command & Control (C2) • Behavior • Win Process • Win Registry Key • File • URI - URL • HTTP - GET • HTTP - POST • HTTP - User Agent String • URI - Domain Name • Hash - MD5 • Address - e-mail • Address - ipv4-addr Actions on Objectives • Behavior • Win Registry Key • Win Service • File - Full Path • File - Name • File • File - Path • URI - URL • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - ipv4-addr

29. © Mandiant Corporation. All rights reserved. Enterprise Detection Plan 29

30. © Mandiant Corporation. All rights reserved.   NSM:IDS :: ESM:NSM

      Collect and aggregate across your entire enterprise   Increased visibility   Maximum use of resources   Better for “hunting”   Organize intel for for better program insights   Big improvements in detection & response capabilities for minimal investment   Smart detection makes for frustrated adversaries! Summary 30

31. © Mandiant Corporation. All rights reserved. Questions? 31 David J.

    Bianco [email protected] detect-respond.blogspot.com