Post on 12-Apr-2017
Blue Team Reboot
Haydn Johnson
● Security Consultant - Researcher
● Twitter: @haydnjohnson
● Talks: BsidesTO, Circle City Con, BsidesLV, SecTor
● Offsec, Purple Team, Gym??
● Big 4 experience
● http://www.slideshare.net/HaydnJohnson
Cheryl Biswas
● Security researcher/analyst Threat Intel
● APTs, Mainframes, ICS SCADA, Shadow IT, StarTrek
● BSidesLV, Circle City, BSidesTO, SecTor, Hackfest, TiaraCon
● https://whitehatcheryl.wordpress.com
● Twitter: @3ncr1pt3d
DISCLAIMER: The views represented here are solely our own and not those of our employers, past, present, or future.
Blue Team Reboot
Props to DarkReading
This started with a webinar for DarkReading on Threat Intel and how to use it effectively. We received some great feedback, a lot of interest, and built upon it for HackFest.
Our Webinar: https://webinar.darkreading.com/2492?keycode=SBX&cid=smartbox_techweb_upcoming_webinars_8.500000620
What We Will Cover
All. That. DATA
● Logging towards Alerts
● Threat Intel
● Visibility
● Context
● Pinpointing an Attack
● Kill Chains & OODA Loops
Terminology
● IOC - Indicator of Compromise - Domain, IP address, URL, file hash
● IOA - Indicator of Attack - Attacker behaviour observed while the attack is in progress, rather than an artefact left behind
● COA - Course of Action - What can we do to prevent, mitigate, detect; e.g. implement a block on an email address
● TTP - Tactics, Techniques, and Procedures
Your Take-Away Lootbag
● What it is
● Relevance
● Example cases
● Tools & software applicable
LOGGING
LOGS: First Line of Defence
Logs
CIA
Confidentiality | Integrity | Availability
WHO’S IN YOUR NETWORK?
Web Application Logs
Knock Knock
Who was there?
The first place to detect:
● scanners
● recon
● data scraping
Firewall Logs
Ingress | Egress
Websites | Email | FTP
End Point
Host Logs
● Whitelisting applications - KNOWN GOOD
● Execution of Macros
● Terminal Commands executed
● Time of logins
● Average use
Network Logs
● Internal traffic
● Domain connections
● Internal Scanning
https://www.sans.org/reading-room/whitepapers/logging/importance-logging-traffic-monitoring-information-security-1379 (2003)
A Little Talk About ... Big Data
So. Much. Data
Crown Jewels
Relevance
Asset Management
Create A Baseline
● Have a starting place
● Known traffic
● Known good
● Regular review
Know Your Normal
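As an added example (not code from the talk), here is what "create a baseline, know your normal" looks like over host logs: learn the parent-to-child process pairs each host normally produces, then report anything outside that set. The records below are constructed; the field names (host, user, parent, image) are an assumption loosely modelled on Sysmon process-creation events.

```python
"""Build a 'known good' baseline from host process logs and flag what falls outside it.

Added example, not from the talk. Records are constructed; the field layout
(host, user, parent, image) is an assumption.
"""
from collections import defaultdict

# Constructed sample of process-creation records from the baseline window.
BASELINE_LOGS = [
    {"host": "WS01", "user": "alice", "parent": "explorer.exe", "image": "outlook.exe"},
    {"host": "WS01", "user": "alice", "parent": "explorer.exe", "image": "chrome.exe"},
    {"host": "WS01", "user": "alice", "parent": "outlook.exe", "image": "winword.exe"},
    {"host": "WS02", "user": "bob", "parent": "explorer.exe", "image": "excel.exe"},
    {"host": "WS02", "user": "bob", "parent": "services.exe", "image": "svchost.exe"},
]

# Constructed sample of new records to review against the baseline.
NEW_LOGS = [
    {"host": "WS01", "user": "alice", "parent": "explorer.exe", "image": "chrome.exe"},
    # Office spawning PowerShell: macro execution, never seen in the baseline
    {"host": "WS01", "user": "alice", "parent": "winword.exe", "image": "powershell.exe"},
    # svchost itself is normal, but not as a child of a user's explorer.exe
    {"host": "WS02", "user": "bob", "parent": "explorer.exe", "image": "svchost.exe"},
]


def build_baseline(records):
    """Map each host to the set of (parent, image) pairs observed during the baseline window."""
    baseline = defaultdict(set)
    for r in records:
        baseline[r["host"]].add((r["parent"].lower(), r["image"].lower()))
    return baseline


def fleet_known_good(baseline, min_hosts=2):
    """Pairs seen on at least min_hosts hosts: cheap 'known good' across the estate."""
    counts = defaultdict(int)
    for pairs in baseline.values():
        for p in pairs:
            counts[p] += 1
    return {p for p, n in counts.items() if n >= min_hosts}


def find_anomalies(baseline, records, global_known=None):
    """Return records whose parent->child pair was not seen for that host.

    A pair that is common across the fleet (global_known) is treated as known good
    even on a host where the baseline window happened not to see it."""
    global_known = global_known or set()
    hits = []
    for r in records:
        pair = (r["parent"].lower(), r["image"].lower())
        if pair not in baseline.get(r["host"], set()) and pair not in global_known:
            hits.append({**r, "reason": f"{pair[0]} -> {pair[1]} not in baseline"})
    return hits


if __name__ == "__main__":
    base = build_baseline(BASELINE_LOGS)
    for a in find_anomalies(base, NEW_LOGS, fleet_known_good(base)):
        print(a["host"], a["user"], a["reason"])
```

The baseline window is the "starting place"; the regular review is re-running build_baseline on a fresh window and diffing the two sets, so that drift (new software, new admins) is a conscious decision rather than silent noise.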
Just Say NO!!!
● Macros: Disable
● Adobe Anything: I can’t even
● PowerShell: Are you worthy?
● Admin for all - ORLY?
Deny on open Macros!
@InvokeThreatGuy https://github.com/invokethreatguy/DC416October?files=1
Wait! Who’s the all-powerful admin here?
Tools / Software
● Carbon Black / Bit9
● SysMon
● Log-MD
● WireShark
https://www.wireshark.org/
https://msdn.microsoft.com/en-us/library/windows/desktop/dd408124(v=vs.85).aspx
http://www.darkoperator.com/blog/2014/8/8/sysinternals-sysmon
http://log-md.com/
http://brakeingsecurity.blogspot.ca/2015/10/2015-042-logmd-more-malware-archaeology.html
Logs to Alerts!
VISIBILITY
Visibility:What’s in your sights
CONTEXT
Context
I haz meaning?
Bad Alerts
Help! Too Many!
Good Alerts
Timely
Relevant
Context
Actionable
Good Alerts
Give enough information to correlate
● Understand all you can from the one log
● Actionable
Standard procedures for each for IR team
Time is NOT on your side
Example Time
Workstation 2 Workstation
A: Lateral Movement
@raffertylaura | @haydnjohnson https://www.youtube.com/watch?v=KO68mbk9-OU&list=PL02T0JOKYEq52plvmxiJ1cSbwUgHHvP7H&index=8
Windows Event Log
Runs PowerShell
Connects to Web Server
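The three events on this slide are each unremarkable on their own; the alert comes from correlating them. As an added example (not code from the talk or the linked video), the following joins a network logon, a PowerShell launch and an outbound connection on the same host and user within a short window into one alert that carries the context an IR team needs. The events are constructed and their layout is an assumption loosely modelled on Windows Security event 4624 and Sysmon events 1 and 3; the asset inventory and playbook steps are assumptions too.

```python
"""Correlate three low-value events into one actionable 'workstation to workstation' alert.

Added example, not from the talk. Event layout is an assumption modelled on
Windows Security 4624 (logon) and Sysmon 1 (process create) / 3 (network connect).
All sample data is constructed.
"""
from datetime import datetime, timedelta

EVENTS = [  # constructed; timestamps in UTC
    {"ts": "2017-04-12T10:00:00", "host": "WS02", "source": "Security", "id": 4624,
     "logon_type": 3, "user": "alice", "src_ip": "10.0.0.11"},
    {"ts": "2017-04-12T10:00:40", "host": "WS02", "source": "Sysmon", "id": 1,
     "user": "alice", "image": "powershell.exe",
     "cmdline": "powershell -nop -w hidden -enc SQBFAFgA..."},
    {"ts": "2017-04-12T10:01:30", "host": "WS02", "source": "Sysmon", "id": 3,
     "user": "alice", "image": "powershell.exe", "dst_ip": "203.0.113.10", "dst_port": 443},
    # noise: an ordinary interactive logon elsewhere
    {"ts": "2017-04-12T10:05:00", "host": "WS03", "source": "Security", "id": 4624,
     "logon_type": 2, "user": "bob", "src_ip": "-"},
]

ASSETS = {"10.0.0.11": "WS01 (alice's workstation)"}  # constructed asset inventory
WINDOW = timedelta(minutes=5)


def _t(e):
    return datetime.fromisoformat(e["ts"])


def correlate_lateral_movement(events, window=WINDOW):
    """Network logon -> PowerShell -> outbound connection by the same user on the
    same host within `window`. Each step alone is routine; together they are worth a page."""
    by_host = {}
    for e in sorted(events, key=_t):
        by_host.setdefault(e["host"], []).append(e)

    alerts = []
    for host, evs in by_host.items():
        logons = [e for e in evs
                  if e["source"] == "Security" and e["id"] == 4624 and e["logon_type"] == 3]
        for lg in logons:
            later = [e for e in evs
                     if _t(lg) <= _t(e) <= _t(lg) + window and e["user"] == lg["user"]]
            ps = [e for e in later if e["source"] == "Sysmon" and e["id"] == 1
                  and e["image"].lower() == "powershell.exe"]
            net = [e for e in later if e["source"] == "Sysmon" and e["id"] == 3
                   and e["image"].lower() == "powershell.exe"]
            if ps and net:
                alerts.append({
                    "rule": "lateral_movement_ws2ws",
                    "host": host, "user": lg["user"],
                    "from": ASSETS.get(lg["src_ip"], lg["src_ip"]),      # context: who was there
                    "first_seen": lg["ts"], "last_seen": net[-1]["ts"],  # timely
                    "cmdline": ps[0]["cmdline"],
                    "c2_candidate": f'{net[-1]["dst_ip"]}:{net[-1]["dst_port"]}',
                    # actionable: the standard procedure for this alert (assumed playbook)
                    "playbook": ["isolate host", "reset user credentials",
                                 "block destination at egress firewall",
                                 "pull full Sysmon timeline for the host"],
                })
    return alerts


if __name__ == "__main__":
    for a in correlate_lateral_movement(EVENTS):
        print(a["rule"], a["host"], a["user"], "from", a["from"], "->", a["c2_candidate"])
```

Every field in the alert answers one of the "good alert" criteria from the previous slides: the source asset and command line are context, first/last seen is timeliness, the playbook is the action. Raising an alert on 4624 type 3 alone would be a "bad alert" in a domain where file shares are in constant use.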
Threat Intel
Threat Intel: What it Ain’t
● Threat actor information
● Campaigns
● Indicators of Compromise (IOCs)
● Identify known threats
● Exploitation in the wild
Threat intel: What it is
A product of the collection, processing, exploitation, analysis, dissemination and feedback of information.
Reducing False Positives
● IOC Validation
● Alert Tuning from IOCs
https://quadrantsec.com/about/blog/the_false_positives_of_threat_intelligence/
Threat Reports
● Is it relevant to business?
● Could it have an impact?
● Are there IOCs?
● COA for prevention, detection, mitigation
KEY CRITERIA
Threat Report - Example
● Landing Page
● Downloader URL
● C2 traffic
Threat Report - Example 2
http://blog.trendmicro.com/trendlabs-security-intelligence/blackgear-espionage-campaign-evolves-adds-japan-target-list/
Threat Report - Example 2
● C2 via blogs
● Hard coded tags
Threat Report - Example 2
Downloader
C2
Threat Report - Example 2
IOCs - MD5 hashes
Not strong (the attacker changes the hash with a rebuild) but can be put in place fast!
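Before hashes, IPs and domains pulled from a report like this are turned into alerts, they should be validated (the "IOC validation" and "reducing false positives" points above): a feed entry that is malformed, non-routable, or a domain everyone talks to will only produce noise. As an added example, not code from the talk or from the Trend Micro report, the following validates a small constructed feed and then matches what survives against constructed process and proxy logs. The indicator values use documentation ranges and example domains; the allowlist of "too common to alert on" domains is an assumption to be replaced with your own.

```python
"""Validate IOCs from a threat report before they become alerts, then match them.

Added example, not from the talk or the report. Feed entries and log lines are
constructed (RFC 5737 addresses, example.* names); BENIGN_DOMAINS is an assumption.
"""
import ipaddress
import re

MD5_RE = re.compile(r"^[0-9a-f]{32}$")
DOMAIN_RE = re.compile(r"^([a-z0-9-]{1,63}\.)+[a-z]{2,}$")
# Domains a feed sometimes carries that will only generate noise (assumption).
BENIGN_DOMAINS = {"google.com", "microsoft.com", "windowsupdate.com", "akamai.net"}
# Explicit list rather than ipaddress' is_private, which also classes the
# RFC 5737 documentation ranges used in this sample as private.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
                 "169.254.0.0/16", "0.0.0.0/8", "224.0.0.0/4")]


def validate_ioc(kind, value):
    """Return (ok, normalised value) or (False, reason the entry was rejected)."""
    v = value.strip().lower()
    if kind == "md5":
        return (True, v) if MD5_RE.match(v) else (False, "not a 32-char hex MD5")
    if kind == "ip":
        try:
            ip = ipaddress.ip_address(v)
        except ValueError:
            return False, "not an IP address"
        if any(ip in net for net in NON_ROUTABLE):
            return False, "non-routable address, would only match internal hosts"
        return True, str(ip)
    if kind == "domain":
        v = v.rstrip(".")
        if not DOMAIN_RE.match(v):
            return False, "not a hostname"
        if any(v == d or v.endswith("." + d) for d in BENIGN_DOMAINS):
            return False, "allowlisted: too common to alert on"
        return True, v
    return False, f"unknown indicator type {kind}"


def load_iocs(raw):
    """Split a raw feed into usable indicators by type and a list of rejects with reasons."""
    good = {"md5": set(), "ip": set(), "domain": set()}
    rejected = []
    for kind, value in raw:
        ok, out = validate_ioc(kind, value)
        if ok:
            good[kind].add(out)
        else:
            rejected.append((kind, value, out))
    return good, rejected


def match_logs(iocs, proc_logs, proxy_logs):
    """Hash match against process creation, domain/IP match against the proxy log."""
    hits = []
    for r in proc_logs:
        if r["md5"].lower() in iocs["md5"]:
            hits.append(("md5", r["host"], r["image"], r["md5"].lower()))
    for r in proxy_logs:
        host = r["dst_host"].lower().rstrip(".")
        if host in iocs["domain"] or r["dst_ip"] in iocs["ip"]:
            hits.append(("net", r["src"], host, r["dst_ip"]))
    return hits


# Constructed feed: a mix of usable and unusable entries.
RAW_FEED = [
    ("md5", "0123456789ABCDEF0123456789ABCDEF"),
    ("md5", "not-a-hash"),
    ("ip", "203.0.113.45"),
    ("ip", "127.0.0.1"),
    ("domain", "update.example.net."),
    ("domain", "www.google.com"),
]
PROC_LOGS = [  # constructed
    {"host": "WS01", "image": "svchost.exe", "md5": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"},
    {"host": "WS07", "image": "tmp.exe", "md5": "0123456789abcdef0123456789abcdef"},
]
PROXY_LOGS = [  # constructed
    {"src": "WS07", "dst_host": "update.example.net", "dst_ip": "203.0.113.45"},
    {"src": "WS02", "dst_host": "www.google.com", "dst_ip": "198.51.100.9"},
]

if __name__ == "__main__":
    iocs, rejects = load_iocs(RAW_FEED)
    for kind, value, why in rejects:
        print("rejected", kind, value, "-", why)
    for hit in match_logs(iocs, PROC_LOGS, PROXY_LOGS):
        print("hit", *hit)
```

The rejected list is as useful as the hits: it is the feedback step of the intel cycle, telling you which feed entries are not worth the alerting budget.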
THREAT CORRELATION
Combining Data and Threat intel
The 4 C’s
Collect
Consolidate
Control
Communicate
Visibility
Take a big picture view
Know what’s going on from end to end
Cuz you don’t know what you don’t know
Context
Look for the patterns
So you can find the anomalies
How to Play With Data
Not what you got but how you use it
Ask the right questions - get the right answers
What have we been missing?
Security Analytics - Example
The Game Changers
Machine Learning
Analytics
IAM
BIG DATA - TOOLS
OpenSoc - Cisco
RITA - Real Intelligence Threat Analysis
BreakoutDetection R package - Twitter
http://opensoc.github.io/
RITA - http://www.blackhillsinfosec.com/?page_id=4417
https://github.com/twitter/BreakoutDetection
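RITA's beacon analysis and BreakoutDetection both work on the idea that machine-driven traffic has timing that human traffic does not. As an added example (not RITA's or Twitter's code), the following scores each source/destination pair in a connection log by the regularity of its inter-connection intervals: many connections with a low coefficient of variation is beacon-like. The connection log is constructed with a fixed random seed so the run is reproducible; the thresholds are assumptions to tune against your own baseline.

```python
"""RITA-style beacon detection: interval regularity per (src, dst, port).

Added example, not RITA's own code. The connection log is constructed; the
thresholds (max_cv, min_conns) are assumptions to be tuned per environment.
"""
import statistics
from collections import defaultdict
from random import Random


def make_sample_log():
    """Constructed connection records (src, dst, dport, ts_seconds).

    10.0.0.11 beacons to 203.0.113.10 every ~60 s with a few seconds of jitter;
    10.0.0.12 browses 198.51.100.7 at irregular, human-looking intervals."""
    rng = Random(1)  # fixed seed: the sample is the same on every run
    rows, t = [], 0.0
    for _ in range(30):
        t += 60 + rng.uniform(-3, 3)
        rows.append(("10.0.0.11", "203.0.113.10", 443, t))
    t = 0.0
    for gap in [5, 300, 12, 900, 45, 2, 1500, 8, 60, 400, 3, 700]:
        t += gap
        rows.append(("10.0.0.12", "198.51.100.7", 443, t))
    return rows


def beacon_scores(rows, min_conns=10):
    """Per (src, dst, dport): connection count, mean interval and coefficient of
    variation of the intervals. Low cv with many connections = machine-like timing."""
    times = defaultdict(list)
    for src, dst, dport, ts in rows:
        times[(src, dst, dport)].append(ts)
    scores = {}
    for key, ts in times.items():
        if len(ts) < min_conns:
            continue  # too few samples to say anything about regularity
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        scores[key] = {"connections": len(ts), "mean_interval": mean, "cv": cv}
    return scores


def find_beacons(rows, max_cv=0.2, min_conns=10):
    """Pairs whose interval jitter is below max_cv, most regular first."""
    hits = [(k, v) for k, v in beacon_scores(rows, min_conns).items() if v["cv"] <= max_cv]
    return sorted(hits, key=lambda kv: kv[1]["cv"])


if __name__ == "__main__":
    for key, s in find_beacons(make_sample_log()):
        print(f"{key[0]} -> {key[1]}:{key[2]}  n={s['connections']}  "
              f"every {s['mean_interval']:.1f}s  cv={s['cv']:.3f}")
```

Two caveats a practitioner will hit immediately: legitimate software (update checks, mail clients polling) beacons too, so the output is a hunting lead to be checked against known good, not an alert by itself; and a C2 with large random sleep jitter will push cv above the threshold, which is why RITA also scores on data size regularity and connection counts rather than timing alone.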
Pinpointing an Attack Identification of malicious-ness
Detecting an attack - Visibility & Patterns
Known Good
Alerts
Investigation
Lessons learned
http://www.scmagazine.com/five-tips-to-detect-contain-and-control-cyber-threats/article/467856/
Detecting an attack
Preparation | Identification | Containment | Eradication | Recovery | Lessons Learned
SANS IR Steps!
Cyber Kill Chain + Extended Version
Lockheed Martin Cyber Kill Chain
“The seven steps of the Lockheed Martin Cyber Kill Chain® enhance visibility into an attack and enrich an analyst’s understanding of an adversary’s tactics, techniques and procedures.”
http://cyber.lockheedmartin.com/solutions/cyber-kill-chain
Cyber Kill Chain
1. Reconnaissance
2. Weaponization
3. Delivery
4. Exploitation
5. Installation
6. Command & Control
7. Action on Objectives
Cyber Kill Chain Extended
7 - Actions on Objectives -> Internal Kill Chain -> Target Manipulation Kill Chain
http://www.seantmalone.com/docs/us-16-Malone-Using-an-Expanded-Cyber-Kill-Chain-Model-to-Increase-Attack-Resiliency.pdf
Cyber Kill Chain Extended
● Map & understand specific systems
● Subvert target systems & business processes
Raise Attackers Cost
OODA LOOP
Attackers
Observe Orient Decide Act
Your Blue Team Fighter Pilots
Goose Maverick
OODA Loop - for the defender
Practice
Be ready to change direction
Take Action
Relevance
Use to actively identify security controls
People Process Procedures
Identify Gaps
Confirm assumptions
Tune
Visibility on Blind Spots
Looking at each step allows a methodical approach to defense.
Reduces Bias and Blind spots.
Can lead to Threat Hunting
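"Looking at each step" can be done literally: put every control you have against the phase it covers and see which phases have nothing, and which are covered only by controls nobody has ever exercised. As an added example (not code from the talk or from Sean Malone's paper), the following does that for a constructed control inventory drawn from the earlier slides; the internal-chain phase names are a simplified subset of the expanded model and are an assumption.

```python
"""Map existing controls onto the kill chain and find the blind spots.

Added example, not from the talk or the expanded kill chain paper. The control
inventory is constructed; INTERNAL_CHAIN is a simplified subset (assumption).
"""
EXTERNAL_CHAIN = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
                  "Installation", "Command & Control", "Actions on Objectives"]
INTERNAL_CHAIN = ["Internal Reconnaissance", "Lateral Movement", "Target Manipulation"]
PHASES = EXTERNAL_CHAIN + INTERNAL_CHAIN

# Constructed inventory: which phases each control covers, whether it prevents
# or detects, and whether the blue team has actually exercised it.
CONTROLS = [
    {"name": "web app logs -> scanner alert", "phases": ["Reconnaissance"],
     "kind": "detect", "tested": True},
    {"name": "mail gateway attachment filter", "phases": ["Delivery"],
     "kind": "prevent", "tested": False},
    {"name": "macros disabled by GPO", "phases": ["Exploitation"],
     "kind": "prevent", "tested": True},
    {"name": "Sysmon: Office spawns PowerShell", "phases": ["Exploitation", "Installation"],
     "kind": "detect", "tested": True},
    {"name": "egress firewall + beacon analysis", "phases": ["Command & Control"],
     "kind": "detect", "tested": False},
    {"name": "4624 type 3 + PowerShell correlation", "phases": ["Lateral Movement"],
     "kind": "detect", "tested": True},
]


def coverage(controls, phases=PHASES):
    """Per phase: tested prevent controls, tested detect controls, and untested ones."""
    cov = {p: {"prevent": [], "detect": [], "untested": []} for p in phases}
    for c in controls:
        for p in c["phases"]:
            bucket = cov.setdefault(p, {"prevent": [], "detect": [], "untested": []})
            (bucket[c["kind"]] if c["tested"] else bucket["untested"]).append(c["name"])
    return cov


def blind_spots(controls, phases=PHASES):
    """Phases with no tested detection. An untested control is an assumption, not visibility."""
    cov = coverage(controls, phases)
    return [p for p in phases if not cov[p]["detect"]]


def next_to_test(controls, phases=PHASES):
    """Untested controls, most valuable first: those on a phase that otherwise has
    nothing tested. This is the 'confirm assumptions, tune' step of the loop."""
    cov = coverage(controls, phases)
    untested = [c for c in controls if not c["tested"]]
    untested.sort(key=lambda c: min(len(cov[p]["detect"]) + len(cov[p]["prevent"])
                                    for p in c["phases"]))
    return [c["name"] for c in untested]


if __name__ == "__main__":
    cov = coverage(CONTROLS)
    for p in PHASES:
        print(f"{p:24} detect={len(cov[p]['detect'])} prevent={len(cov[p]['prevent'])} "
              f"untested={len(cov[p]['untested'])}")
    print("blind spots:", blind_spots(CONTROLS))
    print("test next:", next_to_test(CONTROLS))
```

The phases that come back as blind spots are the hunting targets: no alert will fire there, so the only way to find an attacker at that stage is to go looking.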
Example Time
Attachments
Malicious Attachments
https://github.com/carnal0wnage/malicious_file_maker
Malicious Attachments
Malicious Attachments
Test your email filters
Understand which attachments come through
Build | refine | controls
Malicious Attachments
Send various types of malicious attachments via multiple sources
How many emails does it take to block a sender?
What types of attachments generate alerts?
Go hunting
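The procedure on these slides (send a range of attachment types from several senders, note which ones arrive and which raise alerts) can be scripted so it is repeatable every time the filter is tuned. As an added example, not the malicious_file_maker project's code, the following builds one test message per attachment type, rotating through several sender addresses, and can deliver them over SMTP. The attachment bodies are benign placeholder bytes (an assumption: for a real test, swap in the files that tool generates, or the EICAR test string); addresses and hosts are constructed.

```python
"""Build a matrix of test attachments to see what the mail filter lets through.

Added example, not the malicious_file_maker project's code. Attachment payloads
are benign placeholders (assumption); addresses and SMTP host are constructed.
"""
import io
import smtplib
import zipfile
from email.message import EmailMessage

PLACEHOLDER = b"TEST ATTACHMENT - not a real program\r\n"  # swap for real test files


def _zip_of(name, data):
    """Return zip bytes containing a single member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(name, data)
    return buf.getvalue()


def zip_members(data):
    """Member names inside zip bytes (used to confirm the archive is built as intended)."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return z.namelist()


# label -> (filename, maintype, subtype, bytes). Each row is one decision a filter
# has to make: raw executable, macro-enabled Office doc, script, archive wrapping an
# executable, HTML application, double extension.
ATTACHMENT_MATRIX = {
    "exe":        ("update.exe", "application", "octet-stream", PLACEHOLDER),
    "docm":       ("invoice.docm", "application", "vnd.ms-word.document.macroEnabled.12", PLACEHOLDER),
    "js":         ("scan.js", "application", "javascript", b"// placeholder\r\n"),
    "zip_exe":    ("invoice.zip", "application", "zip", _zip_of("invoice.exe", PLACEHOLDER)),
    "hta":        ("open.hta", "application", "hta", b"<html></html>"),
    "double_ext": ("report.pdf.exe", "application", "octet-stream", PLACEHOLDER),
}

SENDERS = ["tester1@example.org", "tester2@example.org", "tester3@example.org"]  # constructed


def build_test_messages(senders=SENDERS, recipient="filter-test@example.com"):
    """One message per matrix row, senders rotated so sender-reputation blocking is
    visible separately from attachment blocking. Subject tags make scoring easy."""
    msgs = []
    for i, (label, (fname, mtype, stype, data)) in enumerate(ATTACHMENT_MATRIX.items()):
        msg = EmailMessage()
        msg["From"] = senders[i % len(senders)]
        msg["To"] = recipient
        msg["Subject"] = f"[filter-test] {label}"
        msg.set_content("Attachment filter test. Safe to delete.")
        msg.add_attachment(data, maintype=mtype, subtype=stype, filename=fname)
        msgs.append((label, msg))
    return msgs


def send_all(msgs, smtp_host, smtp_port=25, dry_run=True):
    """Deliver via SMTP. dry_run keeps this runnable offline; turn it off for a real test."""
    if not dry_run:
        with smtplib.SMTP(smtp_host, smtp_port) as s:
            for _, msg in msgs:
                s.send_message(msg)
    return [label for label, _ in msgs]


def got_through(delivered):
    """delivered: {label: True if it reached the inbox}. Rows that need a new control."""
    return sorted(label for label, arrived in delivered.items() if arrived)


if __name__ == "__main__":
    messages = build_test_messages()
    print("sent:", send_all(messages, "mail.example.com", dry_run=True))
    # After checking the test mailbox, record what arrived (constructed result):
    print("needs a control:", got_through({"exe": False, "docm": True, "js": True,
                                            "zip_exe": True, "hta": False, "double_ext": False}))
```

Run it once before a filter change and once after, and the diff of got_through is the measurable effect of the tuning; repeating the send from the same sender several times answers the "how many emails to block a sender" question on the slide.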
In summary
LOGS + ALERTS + THREAT INTEL + CORRELATION + CYBER KILL CHAIN
= PROACTIVE
Take aways
AKA - what you should remember
Total success!
❖ Be proactive
❖ Back2Basics
❖ Visibility
❖ Context
❖ Test it
❖ Look for it
❖ Patterns
❖ Anomalies
Thank You!
Any questions?
Feel free to reach out to us later!
@haydnjohnson @3ncr1pt3d