Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Enterprise Security Monitoring

David J. Bianco
June 23, 2014
Technology
1
250

Enterprise Security Monitoring

Presented at FIRST 2014, Boston, MA

David J. Bianco

June 23, 2014
Tweet

More Decks by David J. Bianco

See All by David J. Bianco
Generative AI in Cybersecurity: Rise of the Machines?
davidjbianco
0
20
Trust Unearned? Evaluating CA Trustworthiness Across 5 Billion Certificates
davidjbianco
0
160
Five Lies & a Truth: Attacking the Defender's Dilemma
davidjbianco
0
37
Five Lies and a Truth: Attacking the Defender's Dilemma
davidjbianco
0
230
Developers: What Your Security Team Wishes You Knew (And It's Not Secure Coding!)
davidjbianco
0
120
Raising the Tide: Driving Improvement in Security by Being a Good Human
davidjbianco
0
38
Evolving the Hunt: A Case Study in Improving a Mature Hunt Program
davidjbianco
0
940
Quality Over Quantity: Determining Your CTI Detection Efficacy
davidjbianco
1
370
Quality over Quantity: Determining Your CTI Detection Efficacy
davidjbianco
0
260

Other Decks in Technology

See All in Technology
一生覚えておきたい「システム開発=コミュニケーション」〜初めての実務案件振り返りLT〜
maimyyym
1
170
Google Cloud Next '24でブログを10本書いた方法と勉強会を沸かせた方法
yasumuusan
0
310
GrafanaMeetup_AmazonManagedGrafanaのアクセス制御機能とマルチテナント環境下でのアクセス制御について
daitak
0
250
On Your Data を超えていく!
hirotomotaguchi
2
690
私が trocco を推す理由
__allllllllez__
1
260
いつか使うかも貯金してたらめちゃめちゃ機能が増えてた話
riyaamemiya
0
370
【NW X Security JAWS#3】L3-4:AWS環境のIPv6移行に向けて知っておきたいこと
shotashiratori
0
390
Postman v10リリース後を振り返る / Looking back at Postman v10 after release
yokawasa
1
160
どうするコスト最適化のトレードオフ
tetsuyaooooo
1
530
ワールドカフェI /チューターを改良する / World Café I and Improving the Tutors
ks91
PRO
0
120
Grafana x PagerDuty Better Together
jacopen
0
110
Building a RAG-powered AI chat app with Python and VS Code
pamelafox
0
110

Featured

See All Featured
Adopting Sorbet at Scale
ufuk
68
8.6k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
25
2.3k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
226
51k
ParisWeb 2013: Learning to Love: Crash Course in Emotional UX Design
dotmariusz
104
6.6k
Happy Clients
brianwarren
92
6.4k
Build The Right Thing And Hit Your Dates
maggiecrowley
24
2k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
9
8.3k
Being A Developer After 40
akosma
57
580k
The Art of Programming - Codeland 2020
erikaheidi
42
12k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
352
28k
Imperfection Machines: The Place of Print at Facebook
scottboms
260
12k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
14
1.5k

Transcript

  1. Copyright © 2014, FireEye, Inc. All rights reserved. | CONFIDENTIAL

    1 Enterprise Security Monitoring Comprehensive Intel-Driven Detection David J. Bianco [email protected] FIRST 2014

  2. Copyright © 2014, FireEye, Inc. All rights reserved. | CONFIDENTIAL

    2 First There Was…

  3. Copyright © 2014, FireEye, Inc. All rights reserved. | CONFIDENTIAL

    3 Then There Was…

  4. Copyright © 2014, FireEye, Inc. All rights reserved. | CONFIDENTIAL

    4 Now There Is… Enterprise Security Monitoring (ESM)

  5. Copyright © 2014, FireEye, Inc. All rights reserved. | CONFIDENTIAL

    5 Enterprise Security Monitoring ESM

  6. Copyright © 2014, FireEye, Inc. All rights reserved. | CONFIDENTIAL

    6 ESM Architecture Threat Intelligence Technical Data HTTP Server & Proxy Logs Firewalls & Network Infrastructure IDS/NSM/ Endpoints OS & Application Logs Business Data Org Charts Employee DB Travel Plans Enterprise Security Monitor

  7. Copyright © 2014, FireEye, Inc. All rights reserved. | CONFIDENTIAL

    7 •  Increased visibility across the organization •  Get more value out of existing systems •  Data aggregation is hunter friendly •  Better organization around: –  Detection platform coverage –  Detection planning •  General •  Threat-specific –  Prioritization of detection resources •  Quicker, more accurate incident detection and response •  Leverage your detection/response infra as an offensive capability Benefits of Enterprise Security Monitoring

  8. Copyright © 2014, FireEye, Inc. All rights reserved. | CONFIDENTIAL

    8 Intel Lifecycle Direction Collection Analysis Dissemenation

  9. Copyright © 2014, FireEye, Inc. All rights reserved. | CONFIDENTIAL

    9 Detection Process Observe Compare Alert Validate

  10. Copyright © 2014, FireEye, Inc. All rights reserved. | CONFIDENTIAL

    10 Response Cycle Contain Investigate Remediate

  11. Copyright © 2014, FireEye, Inc. All rights reserved. | CONFIDENTIAL

    11 The Intel-Driven Operations Cycle Direction Collection Analysis Dissemenation Observe Compare Alert Validate Contain Investigate Remediate Intelligence Detection Response Validated Alerts Quality Feedback

  12. Copyright © 2014, FireEye, Inc. All rights reserved. | CONFIDENTIAL

    12 Wacky Wall Walker Intelligence The most common approach to “threat intel” I see is… THROW ALL OUR FACTS OUT THERE AND SEE WHAT STICKS. Pros Quick to implement Cons Too many alerts No confidence in results Gives your adversaries a laugh We can do better!

  13. Copyright © 2014, FireEye, Inc. All rights reserved. | CONFIDENTIAL

    13 Let’s Be Clear… Most people confuse with intelligence.

  14. Copyright © 2014, FireEye, Inc. All rights reserved. | CONFIDENTIAL

    14 Let’s Be Clear… Captain, I do not believe that to be the correct use of the term.

  15. Copyright © 2014, FireEye, Inc. All rights reserved. | CONFIDENTIAL

    15 What is an Indicator? A piece of information that points to a certain conclusion

  16. Copyright © 2014, FireEye, Inc. All rights reserved. | CONFIDENTIAL

    16 What is it Not? ≠

  17. Copyright © 2014, FireEye, Inc. All rights reserved. | CONFIDENTIAL

    17 Common Indicator Data Types IPv4 Address Domain / FQDN Hash (MD5, SHA1) URL Transaction Element (User- Agent, MTA) File Name / Path Mutex Registry Value User Name Email Address

  18. Copyright © 2014, FireEye, Inc. All rights reserved. | CONFIDENTIAL

    18 Indicator Characteristics Extractable Can I find this indicator in my data? Actionable If I find this indicator in my data, can I do something with that information? Purposeful To what use will I put this indicator?

  19. Copyright © 2014, FireEye, Inc. All rights reserved. | CONFIDENTIAL

    19 Attribution • Who/what is responsible for this activity? Detection • If this event happens, I want to know about it. Profiling • What are the targeting parameters for this threat? Prediction • Given the current state, what can I expect from this threat in the future? Indicator Purposes

  20. Copyright © 2014, FireEye, Inc. All rights reserved. | CONFIDENTIAL

    20 The Kill Chain Reconaissance Weaponization Delivery Exploitation Installation Command & Control (C2) Actions on Objectives “[…] a systematic process to target and engage an adversary to create desired effects.” Source: Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains”, Hutchins, Cloppert, Amin, http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White- Paper-Intel-Driven-Defense.pdf (Last checked August 2013)

  21. Copyright © 2014, FireEye, Inc. All rights reserved. | CONFIDENTIAL

    21 Mandiant Attack Lifecycle Diagram

  22. Copyright © 2014, FireEye, Inc. All rights reserved. | CONFIDENTIAL

    22 The Pyramid of Pain The Pyramid measures potential usefulness of your intel It also measures difficulty of obtaining that intel The higher you are, the more resources your adversaries have to expend. When you quickly detect, respond to and disrupt your adversaries’ activities, defense becomes offense.

  23. Copyright © 2014, FireEye, Inc. All rights reserved. | CONFIDENTIAL

    23 The Bed of Nails Reconaissance Weaponization Delivery Exploitation Installation Command & Control (C2) Actions on Objectives

  24. Copyright © 2014, FireEye, Inc. All rights reserved. | CONFIDENTIAL

    24 •  What scenarios do we need to be able to detect? •  What are our options for detecting them? •  What are the strengths and weaknesses of our detection program today? •  What is our detection stance against specific actors? •  What is our overall plan for detection across our enterprise? Intel-Driven Detection Planning

  25. Copyright © 2014, FireEye, Inc. All rights reserved. | CONFIDENTIAL

    25 What Scenarios Do We Need to Detect? Reconaissance • File - Name • File • URI - URL • HTTP - GET • HTTP - User Agent String • URI - Domain Name • Address - e-mail • Address - ipv4- addr Weaponization • Code - Binary_Code • File • File - Path • URI - URL Delivery • Behavior • File - Full Path • File - Name • File • URI - URL • HTTP - POST • Email Header - Subject • Email Header - X- Mailer • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - e-mail • Address - ipv4- addr Exploitation • Behavior • Win Registry Key • File - Name • File • URI - URL • Streetname - McAfee • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - cidr • Address - ipv4- addr Installation • Code - Binary_Code • Win Process • Win Registry Key • File - Full Path • File - Name • File • File - Path • URI - URL • HTTP - GET • HTTP - User Agent String • Streetname - McAfee • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Hash - SSDEEP • Address - e-mail • Address - ipv4- addr Command & Control (C2) • Behavior • Win Process • Win Registry Key • File • URI - URL • HTTP - GET • HTTP - POST • HTTP - User Agent String • URI - Domain Name • Hash - MD5 • Address - e-mail • Address - ipv4- addr Actions on Objectives • Behavior • Win Registry Key • Win Service • File - Full Path • File - Name • File • File - Path • URI - URL • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - ipv4- addr

  26. Copyright © 2014, FireEye, Inc. All rights reserved. | CONFIDENTIAL

    26 Detection Options - Snort Reconaissance • File - Name • File • URI - URL • HTTP - GET • HTTP - User Agent String • URI - Domain Name • Address - e-mail • Address - ipv4- addr Weaponization • Code - Binary_Code • File • File - Path • URI - URL Delivery • Behavior • File - Full Path • File - Name • File • URI - URL • HTTP - POST • Email Header - Subject • Email Header - X- Mailer • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - e-mail • Address - ipv4- addr Exploitation • Behavior • Win Registry Key • File - Name • File • URI - URL • Streetname - McAfee • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - cidr • Address - ipv4- addr Installation • Code - Binary_Code • Win Process • Win Registry Key • File - Full Path • File - Name • File • File - Path • URI - URL • HTTP - GET • HTTP - User Agent String • Streetname - McAfee • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Hash - SSDEEP • Address - e-mail • Address - ipv4- addr Command & Control (C2) • Behavior • Win Process • Win Registry Key • File • URI - URL • HTTP - GET • HTTP - POST • HTTP - User Agent String • URI - Domain Name • Hash - MD5 • Address - e-mail • Address - ipv4- addr Actions on Objectives • Behavior • Win Registry Key • Win Service • File - Full Path • File - Name • File • File - Path • URI - URL • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - ipv4- addr

  27. Copyright © 2014, FireEye, Inc. All rights reserved. | CONFIDENTIAL

    27 Detection Options - HIPS Reconaissance • File - Name • File • URI - URL • HTTP - GET • HTTP - User Agent String • URI - Domain Name • Address - e-mail • Address - ipv4- addr Weaponization • Code - Binary_Code • File • File - Path • URI - URL Delivery • Behavior • File - Full Path • File - Name • File • URI - URL • HTTP - POST • Email Header - Subject • Email Header - X- Mailer • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - e-mail • Address - ipv4- addr Exploitation • Behavior • Win Registry Key • File - Name • File • URI - URL • Streetname - McAfee • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - cidr • Address - ipv4- addr Installation • Code - Binary_Code • Win Process • Win Registry Key • File - Full Path • File - Name • File • File - Path • URI - URL • HTTP - GET • HTTP - User Agent String • Streetname - McAfee • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Hash - SSDEEP • Address - e-mail • Address - ipv4- addr Command & Control (C2) • Behavior • Win Process • Win Registry Key • File • URI - URL • HTTP - GET • HTTP - POST • HTTP - User Agent String • URI - Domain Name • Hash - MD5 • Address - e-mail • Address - ipv4- addr Actions on Objectives • Behavior • Win Registry Key • Win Service • File - Full Path • File - Name • File • File - Path • URI - URL • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - ipv4- addr

  28. Copyright © 2014, FireEye, Inc. All rights reserved. | CONFIDENTIAL

    28 Detection Options – Email Gateway Logs Reconaissance • File - Name • File • URI - URL • HTTP - GET • HTTP - User Agent String • URI - Domain Name • Address - e-mail • Address - ipv4- addr Weaponization • Code - Binary_Code • File • File - Path • URI - URL Delivery • Behavior • File - Full Path • File - Name • File • URI - URL • HTTP - POST • Email Header - Subject • Email Header - X- Mailer • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - e-mail • Address - ipv4- addr Exploitation • Behavior • Win Registry Key • File - Name • File • URI - URL • Streetname - McAfee • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - cidr • Address - ipv4- addr Installation • Code - Binary_Code • Win Process • Win Registry Key • File - Full Path • File - Name • File • File - Path • URI - URL • HTTP - GET • HTTP - User Agent String • Streetname - McAfee • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Hash - SSDEEP • Address - e-mail • Address - ipv4- addr Command & Control (C2) • Behavior • Win Process • Win Registry Key • File • URI - URL • HTTP - GET • HTTP - POST • HTTP - User Agent String • URI - Domain Name • Hash - MD5 • Address - e-mail • Address - ipv4- addr Actions on Objectives • Behavior • Win Registry Key • Win Service • File - Full Path • File - Name • File • File - Path • URI - URL • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - ipv4- addr

  29. Copyright © 2014, FireEye, Inc. All rights reserved. | CONFIDENTIAL

    29 Score Card: Use of Available Indicators Reconaissance • File - Name • File • URI - URL • HTTP - GET • HTTP - User Agent String • URI - Domain Name • Address - e-mail • Address - ipv4- addr Weaponization • Code - Binary_Code • File • File - Path • URI - URL Delivery • Behavior • File - Full Path • File - Name • File • URI - URL • HTTP - POST • Email Header - Subject • Email Header - X- Mailer • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - e-mail • Address - ipv4- addr Exploitation • Behavior • Win Registry Key • File - Name • File • URI - URL • Streetname - McAfee • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - cidr • Address - ipv4- addr Installation • Code - Binary_Code • Win Process • Win Registry Key • File - Full Path • File - Name • File • File - Path • URI - URL • HTTP - GET • HTTP - User Agent String • Streetname - McAfee • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Hash - SSDEEP • Address - e-mail • Address - ipv4- addr Command & Control (C2) • Behavior • Win Process • Win Registry Key • File • URI - URL • HTTP - GET • HTTP - POST • HTTP - User Agent String • URI - Domain Name • Hash - MD5 • Address - e-mail • Address - ipv4- addr Actions on Objectives • Behavior • Win Registry Key • Win Service • File - Full Path • File - Name • File • File - Path • URI - URL • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - ipv4- addr

  30. Copyright © 2014, FireEye, Inc. All rights reserved. | CONFIDENTIAL

    30 Score Card: Pyramid Effectiveness of Indicators Reconaissance • File - Name • File • URI - URL • HTTP - GET • HTTP - User Agent String • URI - Domain Name • Address - e-mail • Address - ipv4- addr Weaponization • Code - Binary Code • File • File - Path • URI - URL Delivery • Behavior • File - Full Path • File - Name • File • URI - URL • HTTP - POST • Email Header - Subject • Email Header - X- Mailer • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - e-mail • Address - ipv4- addr Exploitation • Behavior • Win Registry Key • File - Name • File • URI - URL • Streetname - McAfee • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - cidr • Address - ipv4- addr Installation • Code - Binary_Code • Win Process • Win Registry Key • File - Full Path • File - Name • File • File - Path • URI - URL • HTTP - GET • HTTP - User Agent String • Streetname - McAfee • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Hash - SSDEEP • Address - e-mail • Address - ipv4- addr Command & Control (C2) • Behavior • Win Process • Win Registry Key • File • URI - URL • HTTP - GET • HTTP - POST • HTTP - User Agent String • URI - Domain Name • Hash - MD5 • Address - e-mail • Address - ipv4- addr Actions on Objectives • Behavior • Win Registry Key • Win Service • File - Full Path • File - Name • File • File - Path • URI - URL • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - ipv4- addr

  31. Copyright © 2014, FireEye, Inc. All rights reserved. | CONFIDENTIAL

    31 Score Card: Effectiveness Against APT-π Reconaissance • URI – Domain Name • Address - ipv4- addr Weaponization Delivery • Email Header - Subject • Email Header - X- Mailer • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - e-mail • Address - ipv4- addr Exploitation • Win Registry Key • File - Name • File • URI - URL • Streetname - McAfee • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - cidr • Address - ipv4- addr Installation • Code - Binary_Code • Win Process • Win Registry Key • File - Full Path • File - Name • File • File - Path • URI - URL • HTTP - GET • HTTP - User Agent String • Streetname - McAfee • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - ipv4- addr Command & Control (C2) • Behavior • Win Process • Win Registry Key • File • URI - URL • HTTP - GET • HTTP - POST • HTTP - User Agent String • URI - Domain Name • Hash - MD5 • Address - e-mail • Address - ipv4- addr Actions on Objectives • Behavior • Win Registry Key • Win Service • File - Full Path • File - Name • File • File - Path • URI - URL • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - ipv4- addr

  32. Copyright © 2014, FireEye, Inc. All rights reserved. | CONFIDENTIAL

    32 Enterprise Detection Plan

  33. Copyright © 2014, FireEye, Inc. All rights reserved. | CONFIDENTIAL

    33 •  NSM:IDS :: ESM:NSM •  Collect and aggregate across your entire enterprise –  Increased visibility –  Maximum use of resources –  Better for hunting •  Organize intel for for better program insights •  Big improvements in detection & response capabilities for minimal investment •  Smart detection makes for frustrated adversaries! Summary

  34. Copyright © 2014, FireEye, Inc. All rights reserved. | CONFIDENTIAL

    34 Questions? David J. Bianco [email protected] @DavidJBianco detect-respond.blogspot.com I <3 Feedback! I’d really love to hear from you. Questions, comments, stories about how this worked for you, citations referencing my work are all appreciated!