Sean Mason
Director, Incident Response
BRKSEC-2043
2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Agenda
Introduction
Complexity
IR Landscape
Threat Landscape
IR Fundamentals
Staying Prepared
Intel Highlights
Deep Dive: Objectifying Cyber Intel Indicators
Closing Thoughts
Sean Mason www.SeanMason.com @SeanAMason
Florida resident
Developer for 10 years
IR for 10 years
7 certifications
ISC2 SME
BS & MBA
Integrated Threat Defense Foundation
(figure: Management, Workflow and Knowledge layers spanning RT IMS, HIPS, ESA, IDB single pane, IPS, SIEM, external and internal SSH, automated suspect handling, wiki and repo)
Attackers Are Easily Exploiting & Bypassing Point Solutions
(figure: isolated point solutions surrounding the data: Antivirus, VPN, NGFW, Email, IAM, IDS, Firewall, Malware Sandbox, NGIPS)
Reduce Time to:
- Detection
- Containment
- Mitigation
- Response
Systemic Response
Integrated Threat Defense Architecture: Visibility, Control, Intelligence, Context
Complexity
Fragmented Security Market
Complexity: 45+ security vendors for some customers
Fragmentation: 558 security vendors at 2017 RSAC (450 : 373)
Increase in Capabilities
Over time, adding incremental solutions has plateauing capabilities
Adding on Complexity
At the cost of additional complexity
Goal for Effective Security
The Path to Effective IR Requires Integration, Consolidation, & Automation
82% realize they need an integrated security architecture
Starting with something like this
(figure: a loosely coupled set of tools; components shown: Third Party Solutions, Telemetry Sources, Enrichment, Feeds, NW DDoS, Hosted WAF, Web Tools Service, Protections, Management, NGFW, Ticketing, Monitoring, Investigation, NGIPS, SIEM, Log Mgmt, CMDB, Linux Open Source Tools, Log Collector, Training Platform, Antimalware, Web Proxies, Cloud Services, Collab Tool, Vuln Scan, Wiki, IM, Virtualized Infrastructure, Email Sec; all sitting on Communications, Collaboration and other IT Systems)
Evolving to this
(figure: an integrated architecture; components shown: Intelligence Platforms (Intel and Enrich), Telemetry and Third Party Solutions, Threat Intel Providers, Other Data Sources, Intelligence Service Provider, Malware Analysis Solutions, AV Intel Providers, Log Management, Enrichment, Monitoring & Response (Native Security Logs, Security Monitoring, Analytics and Response Suite, Other Sources), Investigation Providers*, Case Management, Digital Forensics Tools, Service Management, Ticketing, Breach Remediation, Knowledge Base)
Consolidation
Features?
Prevention & Detection Scenarios
(figure, created by David Bianco, GE-CIRT: a matrix of indicator types across the kill chain phases Recon, Weaponization, Deliver, Exploitation, Installation, C2 and Act on Objectives; indicator types shown include File - Name, File - Path, File, Win Registry Key, Win Process, Win Service, URI - Domain Name, URI - URL, HTTP - GET, HTTP - POST, HTTP UA String, Address e-mail, Address ipv4-addr, Address cidr, Email Header - Subject, Email Header X-Mailer, Hash MD5 and Hash SHA1)
Notes:
Security solutions are able to investigate, analyze and monitor this indicator type
Security solutions are unable to track this indicator type. These areas represent gaps
Aggregated View
(figure: the same matrix aggregated across the kill chain phases; URI - URL is the single indicator type called out)
(figure: IR coverage spanning Internet, HQ, Branch and Roaming/Off-net users, with AMP, Firepower and Lancope deployed at each point and automation across them; callouts:)
Intelligence collected & stored at the Talos level
Signatures created & pushed out globally
Maximum coverage across the environment quickly
IR Landscape
The Evolution of IR
IR Evolution & Maturity (Ad-hoc -> Maturing -> Strategic)
Maturity Level | CMM Equivalent | People | Process
As Needed | Initial | 0 individuals | Chaotic and relying on individual heroics; reactive
Part-Time | Repeatable | Part time resources | Situational run books; some consistency; Email-based
Full-Time | Defined | Handful of individuals | Requirements and Workflows documented
Dedicated SOC/IR+ | Managed | Larger teams | Process is measured via metrics
Fusion | Optimized | 15-100+ | Processes are constantly improved, automated, and
Ad-hoc: IR
Maturing: IR Process View
(figure: a cycle of Detect -> Collect -> Analyze -> Contain & Remediate)
Strategic: Integrated Intel-driven risk mitigation
(figure: Prevention, Detection, Analysis, Containment and Collection form the IR loop, fed by Intel Analysis, Tactical Intel Sources and Other Functions)
IR Process Today, Sean Mason bit.ly/IRProcessImg
Upfront Reality
Threat Landscape
Mental Anchors
Dynamic Threats
Nuisance | Example: Botnets & Spam | Potential Targets: Access to the Network, Vulnerable Data | Named Actors: General Malware
Hacktivism | Example: Website Defacements, DDOS | Potential Targets: Sensitive Information, Compromising Information | Named Actors: Syrian Electronic Army, LizardSquad, Anonymous
Insiders | Example: Destruction, Theft | Potential Targets: Intellectual Property, Compromising Data | Named Actors: Jimmy, Suzy, Sally, Johnny
Cyber Crime | Example: Credit Card Theft | Potential Targets: Credit Card Data, Personal Identifiable Information, Health Records | Named Actors: Russian Business Network (RBN)
State Sponsored/APT | Example: Intellectual Property Theft, DDOS | Potential Targets: Intellectual Property, Negotiation, National Intelligence Information | Named Actors: APT1, Energetic Bear
IR Fundamentals
Leadership
Credibility
Trust
Rapport
Consistency
IR Basics
Who is needed for wing-to-wing IR? (think outside security)
Who is on-call and when? (consider
Name | Role | Phone #
Ray | Incident Coordinator | 555-2368
Danny | Incident Coordinator | 555-0840
Kate | Network Team | 606-0842
Documentation
Combination of platforms
Wiki
Process platforms
Collaboration (e.g. Box, Dropbox)
Flexibility is key
Track details on incidents
Allow for dynamic process updates
Runbooks
RACI
Incident Severities
Define a common lexicon for incidents
Rating Impact Description
Breach 1 1 Intruder has exfiltrated sensitive data or is suspected of exfiltrating sensitive data based on volume, etc.
Breach 2 2 Intruder has exfiltrated non-sensitive data or data that will facilitate access to sensitive data
Breach 3 3 Intruder has established command and control channel from asset with ready access to sensitive data
Cat 1 4 Intruder has compromised asset with ready access to sensitive data
Cat 2 5 Intruder has compromised asset with access to sensitive data but requires privilege escalation
Cat 3 6 Intruder is attempting to exploit asset with access to sensitive data
Cat 6 7 Intruder is conducting reconnaissance against asset with access to sensitive data
Vuln 1 8 Intruder must apply little effort to compromise asset and exfiltrate sensitive data
Vuln 2 9 Intruder must apply moderate effort to compromise asset and exfiltrate sensitive data
Vuln 3 10 Intruder must apply substantial effort to compromise asset and exfiltrate sensitive data
Communication
Communicate broadly, engage others
Communication template, rhythm and formats
Mobile technology and speed of information
Incident Severity | Communications Rhythm | Audience
Grave (KC7) | Within 1hr Conf. Call; 2x Daily Conf. Call; COB Daily E-mail | COO, CSO, CIO, General Counsel, Director of PR, CISO, Director of IR, Chief Security Architect
Significant (KC6) | Within 1hr E-mail; COB Daily E-mail | CISO, Director of IR, Chief Security Architect
Benign (KC1-5) | As needed or upon escalation | Director of IR, Security Manager
Internal Communications
Containment,
Collection &
Analysis
Containment & Collection
Volatility
Analysis Infrastructure
Storage (TB/PBs)
Responder Laptops: MBP & Custom Gaming
Staying
Prepared
Lessons Learned
Kill Chain | Actor Action | Failure Mode | Mitigation Action
Delivery, Exploitation | SQLI on vulnerable ASP page to gain admin access | Could not detect SSL traffic; vulnerable to SQLI | Explore Secure Development & Application Security Assessments
Recurring Testing
Threat Hunting
The practice of proactively reviewing data to search for signs of an attacker which may have evaded previous detection.
1. Am I compromised?
2. Identifies exploitation of control gaps
3. Reduces attack surface
4. Reduces dwell/exposure time
5. New detection methods to find internal and external attackers
Structured Intel Storage & Analysis
Deep Dive:
Objectifying Cyber
Intel Indicators
Indicator Reality
(figure: Indicators plotted against Time)
Current State
Confidence & Impact
Confidence | Impact | Weighting
Medium | High | Medium/High
Medium | Medium | Medium/Medium
Medium | Low | Medium/Low
Confidence: the quality and quantity of the information
Impact: what level of impact this Indicator will have on your organization if it is detected
Areas to Objectify
1. Threat Actors
2. Source
Internal: 42, 24%, weighting 10
Vendor A: 18, 67%, weighting 8
Government: 2, 89%, weighting 4
Vendor B: 0, 88%, weighting 2
Your best source of intel should be the ones you earned on the battlefield.
3. Kill Chain Phase
Kill Chain Phase | Objective | Weighting
KC1 - Reconnaissance (Recon) | Collecting information about the target organization |
4. Indicator Date
0-3 months | 10
3-6 months | 8
6-12 months | 6
12-24 months | 4
24+ months | 2
5. Past Performance
Incidents | False Positives | Weighting
2+ | - | 10
1 | - | 9
0 | - | 5
0 | 10-50%+ | 7
0 | 90%+ | 2
6. Pyramid of Pain
Pyramid Level | Objective Weighting
Network/Host Artifacts | 8
Domain Names | 5
IP Addresses | 4
Hash Values | 1
Scoring
Formula
Objective Ratings
Indicator | Threat Actor | Source | Kill Chain | Indicator Date | Performance | Pyramid of Pain | Formula | Objective Rating
Badguy.com | Unicorn Spider | Internal | KC7 - AOI | 12-24 months | 2+ Incidents | Domain Name | ObjRat = .25x10+.25x10+.2x10+.05x10+.15x10+.1x5 | 9.5
6b4475ce9f9c5c4b9d2e7edc8bdbf849 | Mutant Turtles | Vendor A | KC4 - Exploitation | 12-24 months | 0 incidents | Hash | ObjRat = .25x10+.25x8+.2x7+.05x4+.15x5+.1x1 | 6.95
1.2.3.4 | Xfit One | Government | KC6 - C2 | 6-12 months | 2+ incidents | IP Address | ObjRat = .25x1+.25x4+.2x9+.05x6+.15x10+.1x4 | 5.25
sdra64.exe | Soccer Ball | Vendor B | KC5 - Installation | 24+ months | 90% FP | Host Artifact | ObjRat = .25x6+.25x2+.2x8+.05x2+.15x2+.1x8 | 4.8
Extra Credit
Don't stop applying the math at indicators
Final Thoughts
Objectify your indicators!
Take the math further; know what you can actually handle
Dwell & Contain
(figure: two charts, Dwell Time in days (0-400) and Avg Time to Contain in hours (0-40))
Intel & Detection
(figure: Detection Success by source (SIEM, IDS, DLP, Users, AV, MIR) and Intel Source Success by provider (In-House, Talos, Vendor1, Vendor2), each plotting False Positives, Incidents and Success Rate)
(figure: Incident Detection by source (SIEM, IDS, DLP, Users, AV, MIR), plotting Incidents and % of Incidents)
Incident Response Metrics, Sean Mason bit.ly/IRMetrics
Closing
Thoughts
Organizational Sustainability & Elasticity
There simply isn't enough talent
Don't hire all Senior talent
Quit complaining; go do something!
Outsource
Develop a pipeline of students & interns
Don't be a school snob
Help schools design their InfoSec programs!
https://www.iad.gov/nietp/reports/current_cae_designated_institutions.cfm
Provide opportunities both ways
Give your mid-level folks opportunities
Bring in talent outside of Incident Response
Final Thoughts
1. Prevention Will Fail. Invest in Intel & IR; it can be measured, evolved, and simplified.
2. Intel is more than a nice-to-have; it is a requirement. It also scales.
3. Think beyond IT; Partnerships are critical to success. Educate and form alliances in the business and externally (e.g. local FBI office, competitors, colleges)
4. Communicate findings back into other functions; Defense is a team sport
5. Reward your teams!
Resources
Cisco Security
Services: https://cisco.com/go/securityservices
Blogs: https://blogs.cisco.com
Sean Mason
@SeanAMason
https://SeanMason.com
Thank you