Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Enterprise Security Monitoring

David J. Bianco
January 09, 2014
Technology
1
250

Enterprise Security Monitoring

As presented at RaDFIRe on 9 January 2014

David J. Bianco

January 09, 2014
Tweet

More Decks by David J. Bianco

See All by David J. Bianco
Generative AI in Cybersecurity: Rise of the Machines?
davidjbianco
0
20
Trust Unearned? Evaluating CA Trustworthiness Across 5 Billion Certificates
davidjbianco
0
160
Five Lies & a Truth: Attacking the Defender's Dilemma
davidjbianco
0
37
Five Lies and a Truth: Attacking the Defender's Dilemma
davidjbianco
0
230
Developers: What Your Security Team Wishes You Knew (And It's Not Secure Coding!)
davidjbianco
0
120
Raising the Tide: Driving Improvement in Security by Being a Good Human
davidjbianco
0
38
Evolving the Hunt: A Case Study in Improving a Mature Hunt Program
davidjbianco
0
940
Quality Over Quantity: Determining Your CTI Detection Efficacy
davidjbianco
1
370
Quality over Quantity: Determining Your CTI Detection Efficacy
davidjbianco
0
260

Other Decks in Technology

See All in Technology
TechFeed Experts Night#27 〜 フロントエンドフレームワーク最前線 (Svelte)
baseballyama
1
400
チームでロジカルシンキングに改めて向き合っている話 〜学習環境と実践⽅法〜
sansantech
PRO
2
2.1k
Delivering Millions of Messages within seconds @ Duolingo
pelelgrino
0
350
最近たまに見かけるTiDBってなんだ? - Findy
pingcap0315
2
770
[新卒向け研修資料] テスト文字列に「うんこ」と入れるな(2024年版)
infiniteloop_inc
3
12k
Reducing Cross-Zone Egress at Spotify with Custom gRPC Load Balancing Recap
koh_naga
0
200
AOAI をきっかけに​ 社内の Azure 管理を見直した話​
recruitengineers
PRO
1
260
開発生産性大幅アップ!Postman VS Code拡張機能
nagix
2
370
ServiceNow Knowledge Learning Rise up
manarobot
0
210
20240418_Google ColabにLLMが搭載されたようなのでPython x データ分析の勉強方法を考えてみる
doradora09
0
120
コンパウンドスタートアップのためのスケーラブルでセキュアなInfrastructure as Codeパイプラインを考える / Scalable and Secure Infrastructure as Code Pipeline for a Compound Startup
yuyatakeyama
4
4.7k
アクセス制御にまつわる改善 / Improving access control
itkq
0
530

Featured

See All Featured
Atom: Resistance is Futile
akmur
259
25k
Embracing the Ebb and Flow
colly
80
4.1k
The Straight Up "How To Draw Better" Workshop
denniskardys
227
130k
The Invisible Side of Design
smashingmag
294
49k
Six Lessons from altMBA
skipperchong
21
3k
Product Roadmaps are Hard
iamctodd
44
9.7k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
60
14k
Imperfection Machines: The Place of Print at Facebook
scottboms
260
12k
Web Components: a chance to create the future
zenorocha
305
41k
Become a Pro
speakerdeck
PRO
11
4.5k
Fantastic passwords and where to find them - at NoRuKo
philnash
37
2.5k
Making the Leap to Tech Lead
cromwellryan
124
8.5k

Transcript

  1. PRESENTED BY: © Mandiant Corporation. All rights reserved. Enterprise Security

    Monitoring Comprehensive Intel-Driven Detection David J. Bianco @DavidJBianco RADFIRE 09 JANUARY 2014

  2. © Mandiant Corporation. All rights reserved. First there was… 2

  3. © Mandiant Corporation. All rights reserved. Then there was… 3

  4. © Mandiant Corporation. All rights reserved. Now there is… 4

    Enterprise Security Monitoring (ESM)

  5. © Mandiant Corporation. All rights reserved. Enterprise Security Monitoring 5

    ESM

  6. © Mandiant Corporation. All rights reserved. §  Increased visibility across

    the entire organization §  Get more value out of existing systems §  Data aggregation is “hunter friendly” §  Better organization around: §  Detection platform coverage §  Detection planning §  General §  Threat-specific §  Prioritization of detection resources §  Quicker, more accurate incident detection and response §  Leverage your detection/response infra as an offensive capability Benefits of Enterprise Security Monitoring 6

  7. © Mandiant Corporation. All rights reserved. Intel Lifecycle 7 Research

    Analyze Conclude

  8. © Mandiant Corporation. All rights reserved. Detection Process 8 Observe

    Compare Alert Validate

  9. © Mandiant Corporation. All rights reserved. Response Cycle 9 Contain

    Investigate Remediate

  10. © Mandiant Corporation. All rights reserved. Intel-Driven Operations Process 10

    Research Analyze Conclude Observe Compare Alert Validate Contain Investigate Remediate Indicators Alerts Intel DB Detect DB Respond DB Feedback Feedback

  11. © Mandiant Corporation. All rights reserved. The ESM Model 11

    Enterprise Security Monitor Intel Intel Analysts Alerts & Queries Other Enterprise Data Corporate Data (Employee DB, Travel, etc) Antivirus HIDS/HIPS Proxy Logs Web Logs OS Logs App Logs Firewalls Routers Switches NSM / IDS Detection Processing Sigs Detection Rules

  12. © Mandiant Corporation. All rights reserved. What is an indicator?

    12 A piece of information that points to a certain conclusion

  13. © Mandiant Corporation. All rights reserved. What it is not

    13 ≠

  14. © Mandiant Corporation. All rights reserved. Common Indicator Data Types

    14 IPv4 Address Domain / FQDN Hash (MD5, SHA1) URL Transaction Element (User- Agent, MTA) File Name / Path Mutex Registry Value User Name Email Address

  15. © Mandiant Corporation. All rights reserved. Indicator Characteristics 15 Extractable

    Can I find this indicator in my data? Actionable If I find this indicator in my data, can I do something with that information? Purposeful To what use will I put this indicator?

  16. © Mandiant Corporation. All rights reserved. Attribution •  Who/what is

    responsible for this activity? Detection •  If this event happens, I want to know about it. Profiling •  What are the targeting parameters for this threat? Prediction •  Given the current state, what can I expect from this threat in the future? Indicator Purposes 16

  17. © Mandiant Corporation. All rights reserved. The Kill Chain 17

    Reconaissance Weaponization Delivery Exploitation Installation Command & Control (C2) Actions on Objectives “a systematic process to target and engage an adversary to create desired effects.” Source: Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains”, Hutchins, Cloppert, Amin, http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf (Last checked August 2013)

  18. © Mandiant Corporation. All rights reserved. Mandiant Attack Lifecycle Diagram

    18

  19. © Mandiant Corporation. All rights reserved. The Pyramid of Pain

    19

  20. © Mandiant Corporation. All rights reserved. I don’t have a

    cool name for this. “Bed of Nails”? 20 Reconaissance Weaponization Delivery Exploitation Installation Command & Control (C2) Actions on Objectives

  21. © Mandiant Corporation. All rights reserved. §  What scenarios do

    we need to be able to detect? §  What are our options for detecting them? §  What are the strengths and weaknesses of our detection program today? §  What is our detection stance against specific actors? §  What is our overall plan for detection across our enterprise? Intel-Driven Detection Planning 21

  22. © Mandiant Corporation. All rights reserved. What scenarios do we

    need to be able to detect? 22 Reconaissance • File - Name • File • URI - URL • HTTP - GET • HTTP - User Agent String • URI - Domain Name • Address - e-mail • Address - ipv4-addr Weaponization • Code - Binary_Code • File • File - Path • URI - URL Delivery • Behavior • File - Full Path • File - Name • File • URI - URL • HTTP - POST • Email Header - Subject • Email Header - X- Mailer • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - e-mail • Address - ipv4-addr Exploitation • Behavior • Win Registry Key • File - Name • File • URI - URL • Streetname - McAfee • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - cidr • Address - ipv4-addr Installation • Code - Binary_Code • Win Process • Win Registry Key • File - Full Path • File - Name • File • File - Path • URI - URL • HTTP - GET • HTTP - User Agent String • Streetname - McAfee • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Hash - SSDEEP • Address - e-mail • Address - ipv4-addr Command & Control (C2) • Behavior • Win Process • Win Registry Key • File • URI - URL • HTTP - GET • HTTP - POST • HTTP - User Agent String • URI - Domain Name • Hash - MD5 • Address - e-mail • Address - ipv4-addr Actions on Objectives • Behavior • Win Registry Key • Win Service • File - Full Path • File - Name • File • File - Path • URI - URL • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - ipv4-addr

  23. © Mandiant Corporation. All rights reserved. Detection Options - Snort

    23 Reconaissance • File - Name • File • URI - URL • HTTP - GET • HTTP - User Agent String • URI - Domain Name • Address - e-mail • Address - ipv4-addr Weaponization • Code - Binary_Code • File • File - Path • URI - URL Delivery • Behavior • File - Full Path • File - Name • File • URI - URL • HTTP - POST • Email Header - Subject • Email Header - X- Mailer • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - e-mail • Address - ipv4-addr Exploitation • Behavior • Win Registry Key • File - Name • File • URI - URL • Streetname - McAfee • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - cidr • Address - ipv4-addr Installation • Code - Binary_Code • Win Process • Win Registry Key • File - Full Path • File - Name • File • File - Path • URI - URL • HTTP - GET • HTTP - User Agent String • Streetname - McAfee • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Hash - SSDEEP • Address - e-mail • Address - ipv4-addr Command & Control (C2) • Behavior • Win Process • Win Registry Key • File • URI - URL • HTTP - GET • HTTP - POST • HTTP - User Agent String • URI - Domain Name • Hash - MD5 • Address - e-mail • Address - ipv4-addr Actions on Objectives • Behavior • Win Registry Key • Win Service • File - Full Path • File - Name • File • File - Path • URI - URL • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - ipv4-addr

  24. © Mandiant Corporation. All rights reserved. Detection Options - HIPS

    24 Reconaissance • File - Name • File • URI - URL • HTTP - GET • HTTP - User Agent String • URI - Domain Name • Address - e-mail • Address - ipv4-addr Weaponization • Code - Binary_Code • File • File - Path • URI - URL Delivery • Behavior • File - Full Path • File - Name • File • URI - URL • HTTP - POST • Email Header - Subject • Email Header - X- Mailer • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - e-mail • Address - ipv4-addr Exploitation • Behavior • Win Registry Key • File - Name • File • URI - URL • Streetname - McAfee • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - cidr • Address - ipv4-addr Installation • Code - Binary_Code • Win Process • Win Registry Key • File - Full Path • File - Name • File • File - Path • URI - URL • HTTP - GET • HTTP - User Agent String • Streetname - McAfee • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Hash - SSDEEP • Address - e-mail • Address - ipv4-addr Command & Control (C2) • Behavior • Win Process • Win Registry Key • File • URI - URL • HTTP - GET • HTTP - POST • HTTP - User Agent String • URI - Domain Name • Hash - MD5 • Address - e-mail • Address - ipv4-addr Actions on Objectives • Behavior • Win Registry Key • Win Service • File - Full Path • File - Name • File • File - Path • URI - URL • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - ipv4-addr

  25. © Mandiant Corporation. All rights reserved. Detection Options - MIR

    25 Reconaissance • File - Name • File • URI - URL • HTTP - GET • HTTP - User Agent String • URI - Domain Name • Address - e-mail • Address - ipv4-addr Weaponization • Code - Binary_Code • File • File - Path • URI - URL Delivery • Behavior • File - Full Path • File - Name • File • URI - URL • HTTP - POST • Email Header - Subject • Email Header - X- Mailer • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - e-mail • Address - ipv4-addr Exploitation • Behavior • Win Registry Key • File - Name • File • URI - URL • Streetname - McAfee • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - cidr • Address - ipv4-addr Installation • Code - Binary_Code • Win Process • Win Registry Key • File - Full Path • File - Name • File • File - Path • URI - URL • HTTP - GET • HTTP - User Agent String • Streetname - McAfee • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Hash - SSDEEP • Address - e-mail • Address - ipv4-addr Command & Control (C2) • Behavior • Win Process • Win Registry Key • File • URI - URL • HTTP - GET • HTTP - POST • HTTP - User Agent String • URI - Domain Name • Hash - MD5 • Address - e-mail • Address - ipv4-addr Actions on Objectives • Behavior • Win Registry Key • Win Service • File - Full Path • File - Name • File • File - Path • URI - URL • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - ipv4-addr

  26. © Mandiant Corporation. All rights reserved. Detection Options – Email

    Gateway Logs 26 Reconaissance • File - Name • File • URI - URL • HTTP - GET • HTTP - User Agent String • URI - Domain Name • Address - e-mail • Address - ipv4-addr Weaponization • Code - Binary_Code • File • File - Path • URI - URL Delivery • Behavior • File - Full Path • File - Name • File • URI - URL • HTTP - POST • Email Header - Subject • Email Header - X- Mailer • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - e-mail • Address - ipv4-addr Exploitation • Behavior • Win Registry Key • File - Name • File • URI - URL • Streetname - McAfee • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - cidr • Address - ipv4-addr Installation • Code - Binary_Code • Win Process • Win Registry Key • File - Full Path • File - Name • File • File - Path • URI - URL • HTTP - GET • HTTP - User Agent String • Streetname - McAfee • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Hash - SSDEEP • Address - e-mail • Address - ipv4-addr Command & Control (C2) • Behavior • Win Process • Win Registry Key • File • URI - URL • HTTP - GET • HTTP - POST • HTTP - User Agent String • URI - Domain Name • Hash - MD5 • Address - e-mail • Address - ipv4-addr Actions on Objectives • Behavior • Win Registry Key • Win Service • File - Full Path • File - Name • File • File - Path • URI - URL • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - ipv4-addr

  27. © Mandiant Corporation. All rights reserved. Score Card: Use of

    Available Indicators 27 Reconaissance • File - Name • File • URI - URL • HTTP - GET • HTTP - User Agent String • URI - Domain Name • Address - e-mail • Address - ipv4-addr Weaponization • Code - Binary_Code • File • File - Path • URI - URL Delivery • Behavior • File - Full Path • File - Name • File • URI - URL • HTTP - POST • Email Header - Subject • Email Header - X- Mailer • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - e-mail • Address - ipv4-addr Exploitation • Behavior • Win Registry Key • File - Name • File • URI - URL • Streetname - McAfee • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - cidr • Address - ipv4-addr Installation • Code - Binary_Code • Win Process • Win Registry Key • File - Full Path • File - Name • File • File - Path • URI - URL • HTTP - GET • HTTP - User Agent String • Streetname - McAfee • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Hash - SSDEEP • Address - e-mail • Address - ipv4-addr Command & Control (C2) • Behavior • Win Process • Win Registry Key • File • URI - URL • HTTP - GET • HTTP - POST • HTTP - User Agent String • URI - Domain Name • Hash - MD5 • Address - e-mail • Address - ipv4-addr Actions on Objectives • Behavior • Win Registry Key • Win Service • File - Full Path • File - Name • File • File - Path • URI - URL • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - ipv4-addr

  28. © Mandiant Corporation. All rights reserved. Score Card: Pyramid Effectiveness

    of Indicators 28 Reconaissance • File - Name • File • URI - URL • HTTP - GET • HTTP - User Agent String • URI - Domain Name • Address - e-mail • Address - ipv4-addr Weaponization • Code - Binary Code • File • File - Path • URI - URL Delivery • Behavior • File - Full Path • File - Name • File • URI - URL • HTTP - POST • Email Header - Subject • Email Header - X- Mailer • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - e-mail • Address - ipv4-addr Exploitation • Behavior • Win Registry Key • File - Name • File • URI - URL • Streetname - McAfee • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - cidr • Address - ipv4-addr Installation • Code - Binary_Code • Win Process • Win Registry Key • File - Full Path • File - Name • File • File - Path • URI - URL • HTTP - GET • HTTP - User Agent String • Streetname - McAfee • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Hash - SSDEEP • Address - e-mail • Address - ipv4-addr Command & Control (C2) • Behavior • Win Process • Win Registry Key • File • URI - URL • HTTP - GET • HTTP - POST • HTTP - User Agent String • URI - Domain Name • Hash - MD5 • Address - e-mail • Address - ipv4-addr Actions on Objectives • Behavior • Win Registry Key • Win Service • File - Full Path • File - Name • File • File - Path • URI - URL • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - ipv4-addr

  29. © Mandiant Corporation. All rights reserved. Score Card: Effectiveness Against

    APT-π 29 Reconaissance • URI – Domain Name • Address - ipv4-addr Weaponization Delivery • Email Header - Subject • Email Header - X- Mailer • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - e-mail • Address - ipv4-addr Exploitation • Win Registry Key • File - Name • File • URI - URL • Streetname - McAfee • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - cidr • Address - ipv4-addr Installation • Code - Binary_Code • Win Process • Win Registry Key • File - Full Path • File - Name • File • File - Path • URI - URL • HTTP - GET • HTTP - User Agent String • Streetname - McAfee • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - ipv4-addr Command & Control (C2) • Behavior • Win Process • Win Registry Key • File • URI - URL • HTTP - GET • HTTP - POST • HTTP - User Agent String • URI - Domain Name • Hash - MD5 • Address - e-mail • Address - ipv4-addr Actions on Objectives • Behavior • Win Registry Key • Win Service • File - Full Path • File - Name • File • File - Path • URI - URL • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - ipv4-addr

  30. © Mandiant Corporation. All rights reserved. Enterprise Detection Plan 30

  31. © Mandiant Corporation. All rights reserved. §  NSM:IDS :: ESM:NSM

    §  Collect and aggregate across your entire enterprise §  Increased visibility §  Maximum use of resources §  Better for “hunting” §  Organize intel for for better program insights §  Big improvements in detection & response capabilities for minimal investment §  Smart detection makes for frustrated adversaries! Summary 31

  32. © Mandiant Corporation. All rights reserved. Questions? 32 David J.

    Bianco [email protected] @DavidJBianco detect-respond.blogspot.com I <3 Feedback! I’d really love to hear from you. Questions, comments, stories about how this worked for you, citations referencing my work are all appreciated!