Enterprise Security Monitoring: Comprehensive, Intel-Driven Detection


As presented at the 2014 HTCIA Atlantic Canada conference in Halifax, NS.


David J. Bianco

September 19, 2014

Transcript

  1. Enterprise Security Monitoring: Comprehensive Intel-Driven Detection
    Copyright © 2014, FireEye, Inc. All rights reserved.
    David J. Bianco, David.Bianco@FireEye.com. HTCIA Atlantic Canada, September 2014.
  2. About Me
    • Hunt Team Manager at FireEye
    • 15 years of Detection & Response experience in government, research, educational and corporate arenas
    • One of the founding members of a Fortune 5 CIRT
    • Spent 5 years helping to build an international detection & response capability
    • Been waiting years for a venue in which this picture would be appropriate!
  3. First There Was…
  4. Then There Was…
  5. Now There Is… Enterprise Security Monitoring (ESM)
  6. Enterprise Security Monitoring (ESM)
  7. ESM Architecture
    Inputs to the Enterprise Security Monitor:
    • Threat Intelligence
    • Technical Data: HTTP server & proxy logs; firewalls & network infrastructure; IDS/NSM/endpoints; OS & application logs
    • Business Data: org charts; employee DB; travel plans
  8. Benefits of Enterprise Security Monitoring
    § Increased visibility across the organization
    § Get more value out of existing systems
    § Data aggregation is hunter friendly
    § Better organization around:
      –  Detection platform coverage
      –  Detection planning
        •  General
        •  Threat-specific
      –  Prioritization of detection resources
    § Quicker, more accurate incident detection and response
    § Leverage your detection/response infra as an offensive capability
  9. Intel Lifecycle
    Direction • Collection • Analysis • Dissemination
  10. Detection Process
    Observe • Compare • Alert • Validate
  11. Response Cycle
    Contain • Investigate • Remediate
  12. The Intel-Driven Operations Cycle
    Intelligence: Direction • Collection • Analysis • Dissemination
    Detection: Observe • Compare • Alert • Validate
    Response: Contain • Investigate • Remediate
    The three cycles are linked by Validated Alerts (from Detection into Response) and Quality Feedback (back into Intelligence).
  13. Wacky Wall Walker Intelligence
    The most common approach to “threat intel” I see is… THROW ALL OUR FACTS OUT THERE AND SEE WHAT STICKS.
    Pros: quick to implement.
    Cons: too many alerts; no confidence in results; gives your adversaries a laugh.
    We can do better!
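The detection process of slide 10 (Observe, Compare, Alert, Validate), the Quality Feedback arrow of slide 12 and the "no confidence in results" complaint above can be shown in a few dozen lines. The following is an added example written for this transcript, not code from the talk or from FireEye: analyst verdicts on each alert are fed back into the confidence of the indicator that produced it, so an indicator that only ever produces false positives stops alerting without anyone having to delete it from the feed. The proxy log lines, the two domain indicators, the verdicts and the 0.3 learning rate are all constructed for the example.

```python
"""Added example, not from the talk: a minimal Observe -> Compare -> Alert -> Validate
detection loop (slide 10) in which the analyst's verdicts are fed back into indicator
confidence, the "Quality Feedback" arrow of slide 12. The proxy log lines, the two
indicators, the verdicts and the learning rate are constructed for this example."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Constructed proxy log lines: timestamp, client IP, destination host, path.
PROXY_LOG = [
    "2014-09-19T10:01:02 10.0.0.5 www.example.com /index.html",
    "2014-09-19T10:01:09 10.0.0.7 cdn.example.net /js/app.js",
    "2014-09-19T10:02:31 10.0.0.5 bad-updates.example.org /check.php",
    "2014-09-19T10:03:00 10.0.0.9 www.example.com /login",
    "2014-09-19T10:05:44 10.0.0.7 bad-updates.example.org /check.php",
    "2014-09-19T10:06:10 10.0.0.3 cdn.example.net /img/logo.png",
]

# Constructed analyst verdicts keyed by indicator value: True = real intrusion activity.
VERDICTS = {"bad-updates.example.org": True, "cdn.example.net": False}


@dataclass
class Indicator:
    value: str
    confidence: float          # 0..1, raised or lowered by validation feedback
    source: str
    hits: int = 0              # every match is counted, even ones too weak to alert


@dataclass
class Alert:
    indicator: Indicator
    event: Dict[str, str]


def fresh_feed() -> Dict[str, Indicator]:
    """A 'wall walker' feed: every indicator arrives with the same middling confidence."""
    return {
        "bad-updates.example.org": Indicator("bad-updates.example.org", 0.5, "vendor feed A"),
        "cdn.example.net": Indicator("cdn.example.net", 0.5, "vendor feed A"),
    }


def observe(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Observe: normalise raw log lines into events."""
    events = []
    for line in lines:
        ts, client, host, path = line.split(" ", 3)
        events.append({"ts": ts, "client": client, "host": host.lower(), "path": path})
    return events


def compare(events: List[Dict[str, str]], indicators: Dict[str, Indicator],
            threshold: float) -> List[Alert]:
    """Compare + Alert: match destination hosts against domain indicators; only
    indicators at or above the confidence threshold are allowed to raise an alert."""
    alerts = []
    for ev in events:
        ind = indicators.get(ev["host"])
        if ind is None:
            continue
        ind.hits += 1
        if ind.confidence >= threshold:
            alerts.append(Alert(ind, ev))
    return alerts


def validate(alerts: List[Alert], verdicts: Dict[str, bool], rate: float = 0.3) -> List[Alert]:
    """Validate: apply the analyst verdict to each alert and feed it back into the
    indicator's confidence. Returns the validated (true-positive) alerts that go on
    to the Response cycle."""
    validated = []
    for a in alerts:
        if verdicts[a.indicator.value]:
            a.indicator.confidence += rate * (1.0 - a.indicator.confidence)
            validated.append(a)
        else:
            a.indicator.confidence *= (1.0 - rate)
    return validated


def run_cycle(lines: Iterable[str], indicators: Dict[str, Indicator],
              threshold: float, verdicts: Dict[str, bool]) -> Tuple[int, int]:
    """One pass through the detection process: (alerts raised, alerts validated)."""
    alerts = compare(observe(lines), indicators, threshold)
    return len(alerts), len(validate(alerts, verdicts))


if __name__ == "__main__":
    feed = fresh_feed()
    print("pass 1:", run_cycle(PROXY_LOG, feed, 0.5, VERDICTS))
    for ind in feed.values():
        print(f"  {ind.value}: confidence={ind.confidence:.3f} hits={ind.hits}")
    print("pass 2:", run_cycle(PROXY_LOG, feed, 0.5, VERDICTS))
```

On the first pass both indicators alert (four alerts, two of them validated); after feedback the CDN indicator has fallen well below the threshold and the second pass over the same log produces only the two real alerts. The hit counter keeps running for suppressed indicators, so the feed owner can still see that the indicator matches traffic and decide whether to retire it.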
  14. Let’s Be Clear…
    Most people confuse [image omitted] with intelligence.
  15. Let’s Be Clear…
    “Captain, I do not believe that to be the correct use of the term.”
  16. What is an Indicator?
    A piece of information that points to a certain conclusion.
  17. What is it Not?
    [image omitted] ≠ [image omitted]
  18. Common Indicator Data Types
    IPv4 Address • Domain / FQDN • Hash (MD5, SHA1) • URL • Transaction Element (User-Agent, MTA) • File Name / Path • Mutex • Registry Value • User Name • Email Address
  19. Indicator Characteristics
    Extractable: Can I find this indicator in my data?
    Actionable: If I find this indicator in my data, can I do something with that information?
    Purposeful: To what use will I put this indicator?
  20. Indicator Purposes
    Attribution •  Who/what is responsible for this activity?
    Detection •  If this event happens, I want to know about it.
    Profiling •  What are the targeting parameters for this threat?
    Prediction •  Given the current state, what can I expect from this threat in the future?
  21. The Kill Chain
    Reconnaissance • Weaponization • Delivery • Exploitation • Installation • Command & Control (C2) • Actions on Objectives
    “[…] a systematic process to target and engage an adversary to create desired effects.”
    Source: “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains”, Hutchins, Cloppert, Amin, http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf (last checked August 2013)
  22. Mandiant Attack Lifecycle Diagram
  23. The Pyramid of Pain
    The Pyramid measures the potential usefulness of your intel. It also measures the difficulty of obtaining that intel.
    The higher you are, the more resources your adversaries have to expend.
    When you quickly detect, respond to and disrupt your adversaries’ activities, defense becomes offense.
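Slides 18, 19 and 23 together describe a triage an intel team does by hand: type each indicator, ask whether it is extractable from the data you actually collect, and prefer the ones higher up the Pyramid. The following is an added example written for this transcript, not code from the talk or from FireEye. It types raw indicator values by shape into the data types of slide 18, places each type on the Pyramid of Pain (the six levels, hash values through TTPs, are Bianco's published ordering), and answers the "Extractable" question of slide 19 against a map of data sources. That data-source map, the regular expressions and the sample indicators are constructed assumptions, not anything the slides state.

```python
"""Added example, not from the slides: type raw indicator values into the data types
of slide 18, place them on the Pyramid of Pain (slide 23) and answer the "Extractable"
question from slide 19 against the data sources an organisation collects. The pyramid
ordering is Bianco's original; the data-source map, the shape patterns and the sample
indicators are constructed for this example."""
import re
from typing import Dict, List, Set

# Pyramid of Pain levels, bottom to top (list index = height).
PYRAMID = ["hash", "ip address", "domain name", "network/host artifact", "tool", "ttp"]

# Indicator data types (slide 18) mapped to the pyramid level they live on.
TYPE_LEVEL = {
    "md5": "hash", "sha1": "hash",
    "ipv4": "ip address",
    "domain": "domain name",
    "url": "network/host artifact", "email": "network/host artifact",
    "registry": "network/host artifact", "file_path": "network/host artifact",
    "user_agent": "network/host artifact", "mutex": "network/host artifact",
}

# Shape patterns, ordered so the more specific forms are tried before 'domain'.
_SHAPES = [
    ("md5",       re.compile(r"^[0-9a-f]{32}$", re.I)),
    ("sha1",      re.compile(r"^[0-9a-f]{40}$", re.I)),
    ("ipv4",      re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")),
    ("url",       re.compile(r"^[a-z][a-z0-9+.-]*://\S+$", re.I)),
    ("email",     re.compile(r"^[^@\s]+@(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)),
    ("registry",  re.compile(r"^HK(?:LM|CU|CR|U|CC)\\", re.I)),
    ("file_path", re.compile(r"^(?:[a-z]:\\|/)", re.I)),
    ("domain",    re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)),
]

# Constructed (assumed) map of data source -> indicator types extractable from it.
DATA_SOURCES: Dict[str, Set[str]] = {
    "proxy logs":   {"url", "domain", "ipv4", "user_agent"},
    "dns logs":     {"domain", "ipv4"},
    "mail gateway": {"email", "url", "domain", "md5"},
    "endpoint":     {"md5", "sha1", "file_path", "registry", "mutex"},
}


def classify(value: str) -> str:
    """Return the indicator data type for a raw value, or 'unknown' if no shape fits."""
    v = value.strip()
    for itype, shape in _SHAPES:
        if shape.match(v):
            return itype
    return "unknown"


def pyramid_height(itype: str) -> int:
    """0 = hash (trivial for the adversary to change) ... 5 = TTP; -1 = unknown type."""
    level = TYPE_LEVEL.get(itype)
    return PYRAMID.index(level) if level else -1


def extractable_from(itype: str, sources: Dict[str, Set[str]] = DATA_SOURCES) -> List[str]:
    """Slide 19, 'Extractable': which collected data sources could this type be found in?"""
    return sorted(name for name, types in sources.items() if itype in types)


def triage(values: List[str], sources: Dict[str, Set[str]] = DATA_SOURCES) -> List[Dict[str, object]]:
    """Rank indicators highest-pyramid first and record where each is extractable.
    Indicators that no collected source can surface are kept, with an empty source
    list, so the collection gap is visible rather than silently dropped."""
    rows = []
    for v in values:
        t = classify(v)
        rows.append({"value": v, "type": t, "height": pyramid_height(t),
                     "sources": extractable_from(t, sources)})
    return sorted(rows, key=lambda r: (-r["height"], r["value"]))


if __name__ == "__main__":
    # Constructed sample feed entries.
    sample = ["d41d8cd98f00b204e9800998ecf8427e", "203.0.113.10", "update.example.net",
              "http://update.example.net/a.php", r"HKLM\Software\Example\Run", "ops@example.net"]
    for row in triage(sample):
        where = ", ".join(row["sources"]) or "NOT EXTRACTABLE from collected data"
        print(f"{row['height']:>2} {row['type']:<9} {row['value']:<36} {where}")
```

Mutexes and user-agent strings have no reliable shape, so they are typed by the feed rather than by `classify`; they still participate in the extractability check through `TYPE_LEVEL` and `DATA_SOURCES`. A row with an empty `sources` list is the honest answer to "Can I find this indicator in my data?" and is usually the start of a collection-planning conversation rather than a detection one.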
  24. Intel-Driven Detection Planning
    § What scenarios do we need to be able to detect?
    § What are our options for detecting them?
    § What are the strengths and weaknesses of our detection program today?
    § What is our detection stance against specific actors?
    § What is our overall plan for detection across our enterprise?
  25. The Bed of Nails
    Reconnaissance • Weaponization • Delivery • Exploitation • Installation • Command & Control (C2) • Actions on Objectives
  26. What Scenarios Do We Need to Detect? (indicator types per kill-chain phase)
    Reconnaissance: File - Name • File • URI - URL • HTTP - GET • HTTP - User Agent String • URI - Domain Name • Address - e-mail • Address - ipv4-addr
    Weaponization: Code - Binary_Code • File • File - Path • URI - URL
    Delivery: Behavior • File - Full Path • File - Name • File • URI - URL • HTTP - POST • Email Header - Subject • Email Header - X-Mailer • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - e-mail • Address - ipv4-addr
    Exploitation: Behavior • Win Registry Key • File - Name • File • URI - URL • Streetname - McAfee • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - cidr • Address - ipv4-addr
    Installation: Code - Binary_Code • Win Process • Win Registry Key • File - Full Path • File - Name • File • File - Path • URI - URL • HTTP - GET • HTTP - User Agent String • Streetname - McAfee • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Hash - SSDEEP • Address - e-mail • Address - ipv4-addr
    Command & Control (C2): Behavior • Win Process • Win Registry Key • File • URI - URL • HTTP - GET • HTTP - POST • HTTP - User Agent String • URI - Domain Name • Hash - MD5 • Address - e-mail • Address - ipv4-addr
    Actions on Objectives: Behavior • Win Registry Key • Win Service • File - Full Path • File - Name • File • File - Path • URI - URL • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - ipv4-addr
  27. Detection Options - Snort (shown over the same per-phase indicator matrix as slide 26)
  28. Detection Options - HIPS (shown over the same per-phase indicator matrix as slide 26)
  29. Detection Options – Email Gateway Logs (shown over the same per-phase indicator matrix as slide 26)
  30. Score Card: Use of Available Indicators (shown over the same per-phase indicator matrix as slide 26)
  31. Score Card: Pyramid Effectiveness of Indicators (shown over the same per-phase indicator matrix as slide 26)
  32. Score Card: Effectiveness Against APT-π (indicator types per kill-chain phase for this actor)
    Reconnaissance: URI – Domain Name • Address - ipv4-addr
    Weaponization: (none)
    Delivery: Email Header - Subject • Email Header - X-Mailer • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - e-mail • Address - ipv4-addr
    Exploitation: Win Registry Key • File - Name • File • URI - URL • Streetname - McAfee • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - cidr • Address - ipv4-addr
    Installation: Code - Binary_Code • Win Process • Win Registry Key • File - Full Path • File - Name • File • File - Path • URI - URL • HTTP - GET • HTTP - User Agent String • Streetname - McAfee • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - ipv4-addr
    Command & Control (C2): Behavior • Win Process • Win Registry Key • File • URI - URL • HTTP - GET • HTTP - POST • HTTP - User Agent String • URI - Domain Name • Hash - MD5 • Address - e-mail • Address - ipv4-addr
    Actions on Objectives: Behavior • Win Registry Key • Win Service • File - Full Path • File - Name • File • File - Path • URI - URL • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - ipv4-addr
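Slides 24 through 32 walk through one planning exercise: list the indicator types per kill-chain phase, list what each detection platform can act on, and read off the coverage per phase, first in general and then against one actor. The following is an added example written for this transcript, not code from the talk or from FireEye, that computes those score cards. The per-phase indicator sets are copied from slides 26 and 32; the set of indicator types each platform (Snort, HIPS, email gateway logs) is assumed to act on is constructed for the example and is not a claim about any real product's capabilities. The example also handles the empty Weaponization row on slide 32, which is an intelligence gap rather than perfect coverage and is reported as such.

```python
"""Added example, not from the talk: compute the detection-planning score cards of
slides 26-32. The per-phase indicator types are the ones on slides 26 and 32; which
types each detection platform can act on is an ASSUMPTION constructed for this
example, not a statement about Snort, any HIPS product or any mail gateway."""
from typing import Dict, List, Optional, Set

KILL_CHAIN = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
              "Installation", "Command & Control (C2)", "Actions on Objectives"]

# Slide 26: indicator types per kill-chain phase.
SCENARIOS: Dict[str, Set[str]] = {
    "Reconnaissance": {"File - Name", "File", "URI - URL", "HTTP - GET", "HTTP - User Agent String",
                       "URI - Domain Name", "Address - e-mail", "Address - ipv4-addr"},
    "Weaponization": {"Code - Binary_Code", "File", "File - Path", "URI - URL"},
    "Delivery": {"Behavior", "File - Full Path", "File - Name", "File", "URI - URL", "HTTP - POST",
                 "Email Header - Subject", "Email Header - X-Mailer", "URI - Domain Name",
                 "Hash - MD5", "Hash - SHA1", "Address - e-mail", "Address - ipv4-addr"},
    "Exploitation": {"Behavior", "Win Registry Key", "File - Name", "File", "URI - URL",
                     "Streetname - McAfee", "Streetname - Sophos", "URI - Domain Name",
                     "Hash - MD5", "Hash - SHA1", "Address - cidr", "Address - ipv4-addr"},
    "Installation": {"Code - Binary_Code", "Win Process", "Win Registry Key", "File - Full Path",
                     "File - Name", "File", "File - Path", "URI - URL", "HTTP - GET",
                     "HTTP - User Agent String", "Streetname - McAfee", "Streetname - Sophos",
                     "URI - Domain Name", "Hash - MD5", "Hash - SHA1", "Hash - SSDEEP",
                     "Address - e-mail", "Address - ipv4-addr"},
    "Command & Control (C2)": {"Behavior", "Win Process", "Win Registry Key", "File", "URI - URL",
                               "HTTP - GET", "HTTP - POST", "HTTP - User Agent String",
                               "URI - Domain Name", "Hash - MD5", "Address - e-mail",
                               "Address - ipv4-addr"},
    "Actions on Objectives": {"Behavior", "Win Registry Key", "Win Service", "File - Full Path",
                              "File - Name", "File", "File - Path", "URI - URL",
                              "Streetname - Sophos", "URI - Domain Name", "Hash - MD5",
                              "Hash - SHA1", "Address - ipv4-addr"},
}

# Slide 32: the subset of those types known for APT-π (Weaponization is empty there).
APT_PI: Dict[str, Set[str]] = {
    "Reconnaissance": {"URI - Domain Name", "Address - ipv4-addr"},
    "Weaponization": set(),
    "Delivery": SCENARIOS["Delivery"] - {"Behavior", "File - Full Path", "File - Name", "File",
                                         "URI - URL", "HTTP - POST"},
    "Exploitation": SCENARIOS["Exploitation"] - {"Behavior", "Streetname - Sophos"},
    "Installation": SCENARIOS["Installation"] - {"Streetname - Sophos", "Hash - SSDEEP",
                                                 "Address - e-mail"},
    "Command & Control (C2)": set(SCENARIOS["Command & Control (C2)"]),
    "Actions on Objectives": set(SCENARIOS["Actions on Objectives"]),
}

# ASSUMED platform capabilities, constructed for the example (slides 27-29 name the
# platforms but the transcript does not say which types each one covers).
PLATFORMS: Dict[str, Set[str]] = {
    "Snort": {"URI - URL", "HTTP - GET", "HTTP - POST", "HTTP - User Agent String",
              "URI - Domain Name", "Address - ipv4-addr", "Address - cidr"},
    "HIPS": {"Win Process", "Win Registry Key", "Win Service", "File - Full Path", "File - Name",
             "File - Path", "Hash - MD5", "Hash - SHA1", "Behavior"},
    "Email Gateway Logs": {"Email Header - Subject", "Email Header - X-Mailer", "Address - e-mail",
                           "URI - URL", "URI - Domain Name", "Hash - MD5", "Hash - SHA1",
                           "Address - ipv4-addr"},
}


def score_phase(required: Set[str], platforms: Dict[str, Set[str]]) -> Dict[str, object]:
    """Coverage of one phase: which required types some platform can act on, which
    cannot be detected at all, and the fraction covered (None when nothing is required,
    which is an intel gap, not full coverage)."""
    covered = {t for t in required if any(t in caps for caps in platforms.values())}
    fraction: Optional[float] = len(covered) / len(required) if required else None
    return {"covered": sorted(covered), "gaps": sorted(required - covered), "fraction": fraction}


def score_card(matrix: Dict[str, Set[str]], platforms: Dict[str, Set[str]] = PLATFORMS):
    """Slides 30 and 32: one row per kill-chain phase."""
    return {phase: score_phase(matrix.get(phase, set()), platforms) for phase in KILL_CHAIN}


def weakest_phases(card) -> List[str]:
    """Phases ordered by coverage, weakest first; phases with no known indicators are left out."""
    scored = [p for p in KILL_CHAIN if card[p]["fraction"] is not None]
    return sorted(scored, key=lambda p: card[p]["fraction"])


def platforms_for(itype: str, platforms: Dict[str, Set[str]] = PLATFORMS) -> List[str]:
    """Slides 27-29 read the other way: which platforms give us an option for this type?"""
    return sorted(name for name, caps in platforms.items() if itype in caps)


def print_card(title: str, card) -> None:
    print(title)
    for phase in KILL_CHAIN:
        row = card[phase]
        shown = "no known indicators (intel gap)" if row["fraction"] is None \
            else f"{row['fraction']:.0%}  gaps: {', '.join(row['gaps']) or 'none'}"
        print(f"  {phase:<24} {shown}")


if __name__ == "__main__":
    print_card("Score Card: Use of Available Indicators", score_card(SCENARIOS))
    print_card("Score Card: Effectiveness Against APT-π", score_card(APT_PI))
    print("Weakest phases:", weakest_phases(score_card(SCENARIOS)))
```

With the assumed capabilities the generic card shows Weaponization at 50% and names the uncovered types (`Code - Binary_Code`, `File`), which is exactly the kind of answer slide 24's "strengths and weaknesses" question wants; the actor card reports Weaponization as an intel gap rather than as 100% covered. Swapping `PLATFORMS` for your own inventory and `SCENARIOS` for your own intel turns it into the Enterprise Detection Plan of slide 33.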
  33. Enterprise Detection Plan
  34. Summary
    § NSM:IDS :: ESM:NSM
    § Collect and aggregate across your entire enterprise
      –  Increased visibility
      –  Maximum use of resources
      –  Better for hunting
    § Organize intel for better program insights
    § Big improvements in detection & response capabilities for minimal investment
    § Smart detection makes for frustrated adversaries!
  35. Questions?
    David J. Bianco, David.Bianco@FireEye.com, @DavidJBianco, detect-respond.blogspot.com
    I <3 Feedback! I’d really love to hear from you. Questions, comments, stories about how this worked for you, citations referencing my work are all appreciated!