Cybersecurity Operations and Tales from the Trenches

Transcript of Cybersecurity Operations and Tales from the Trenches

Page 1

Page 2

Conflict of Interest

• Conflict of Interest Disclosure: Tom Utley, Computer Engineer – B.S., has no real or apparent conflicts of interest to report.

Page 3

Agenda

• Security Reality Check

• Security Operations Basics

• War Stories

— Malware attack

— Phishing

— Unwanted Software – Bitcoin mining

— Ransomware

— Unknown Asset

— No-one is Exempt

Page 4

Security Reality Check

Page 5

Evolution of Security (diagram)

Basic: Passwords / AD, Patch Management, Backups

Page 6

Evolution of Security (diagram)

Basic: Passwords / AD, Patch Management, Backups

Perimeter: Firewalls, SPAM / Web Filters, WAF/Proxy

Defense-in-Depth: Endpoint (AV, AEP), DLP / SSL Inspection, Anti-DDoS/IPS/CASB

We’re good, right?

Page 7

Ripped From The Headlines

RANSOMWARE HITS GEORGIA COURTS AS MUNICIPAL ATTACKS SPREAD

More than 12M people may be affected by latest medical data breach.

Confirmed: 2 Billion Records Exposed In Massive Smart Home Device Breach

Page 8

#CriminalsAreReal

Source: Verizon Data Breach Investigations Report: https://enterprise.verizon.com/resources/reports/dbir/

Page 9

Current Security Performance

197 Days – Mean Time to Identify (MTTI) Malicious and Criminal Attacks

69 Days – Mean Time to Contain (MTTC) Attacks (After Detection)

Source: 2018 Ponemon Cost of Data Breach Report

Page 10

Cybersecurity Spending as a % of all IT Spending (bar chart by industry)

Industries shown: Healthcare, Government, Telecom & Tech, Finance, Education, Retail, Manufacturing

Bar values as extracted: 13.2, 13.2, 12.9, 12.3, 11.8, 11.6, 11

Source: 2019 Cyberthreat Defense Report – CyberEdge Group

Page 11

Evolution of Security (diagram)

Basic: Passwords / AD, Patch Management, Backups

Perimeter: Firewalls, SPAM / Web Filters, WAF/Proxy

Defense-in-Depth: Endpoint (AV, AEP), DLP / SSL Inspection, Anti-DDoS/IPS/CASB

Secure by Design: Continuously Improve Security Posture, Speed-up Remediations, Policy Update

Security Operations: Log Aggregation & Correlation, Human / Threat Intelligence, Incident Detection & Response, Continuous Risk Management

Page 12

Security Operations Basics

Page 13

Cybersecurity Management Lifecycle

1. Identify
• Asset Management
• Business Environment
• Governance
• Risk Assessment
• Risk Management Strategy

2. Protect
• Access Control
• Awareness and Training
• Data Security
• Information Protection Processes and Procedures
• Maintenance
• Protective Technology

3. Detect
• Anomalies and Events
• Security Continuous Monitoring
• Detection Process

4. Respond
• Response Planning
• Communications
• Analysis
• Mitigation
• Improvements

5. Recover
• Recovery Planning
• Improvements
• Communications

Page 14

Fundamental Operational Challenges

Too Much Noise

Alert fatigue, vendor fatigue, compliance and regulation fatigue. The journey never ends.

Security Skill Shortage

Recruiting and retaining cybersecurity talent is hard, sometimes impossible.

Page 15

Specific Challenge: Ransomware

1. Break In

2. Install, Spread, Persist

3. Key Exchange

4. Encrypt

5. Collect Payment

6. Restore Data?

Attack Vectors (Source: Osterman Research, Inc.)

• Email Link – 31%
• Email Attachment – 28%
• Malicious Website – 24%
• Don't Know – 9%
• Social Media – 4%
• USB Stick – 3%
• Business Application – 1%

Page 16

Detecting Security Issues – What to collect?

• Network Based: IDS, Flow, DNS, HTTP/TLS, DHCP, Proxy, iVA, eVA

• IAM: AD Events, IDaaS

• Server Based: AV, Applications, Azure/AWS, DB

• Client Based: EDR/NGAV, Event Logs, hVA

• SaaS: AWS/Azure/GCP, IDaaS, O365, Salesforce, Box/OneDrive

• Mail Services: Exchange, CAS, Cloud Mail Gateways

Page 17

SIM, SEM, SIEM

What’s the difference?

• SIM: Security Information Management

– Long-term storage as well as analysis and reporting of log data.

• SEM: Security Event Management

– Real-time monitoring, correlation of events, notifications and console views.

• SIEM: Combination of SIM and SEM

– Enables real-time analysis of security alerts along with storage and reporting.

» Log Management + Correlation, AI, Alerts

Strengths:

• “Big Data” Optimized for Security Purposes

• Makes Detection and Response Possible

• Enables Compliance

Shortcomings:

• Data Firehose

• High costs (licenses, infrastructure, maintenance)

• Requires at least 3-4 FTEs (bare minimum)
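As an added illustration of the event correlation a SIEM performs (example code written for this transcript, not from the deck or from any vendor product), the Python below flags the pattern behind the deck's phishing war stories: an OWA logon from a country outside the user's baseline, followed within an hour by a new inbox rule. The events, user names, country codes and baseline are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events, as a SIEM would hold them after parsing OWA and
# Exchange audit logs (not taken from the original deck).
EVENTS = [
    {"ts": "2019-06-03T08:02:00", "user": "lmanager", "type": "owa_logon", "country": "US"},
    {"ts": "2019-06-03T22:14:00", "user": "lmanager", "type": "owa_logon", "country": "NG"},
    {"ts": "2019-06-03T22:20:00", "user": "lmanager", "type": "inbox_rule_created",
     "rule": "forward to external address, then delete"},
    {"ts": "2019-06-04T09:00:00", "user": "cfo", "type": "owa_logon", "country": "US"},
    {"ts": "2019-06-04T09:05:00", "user": "cfo", "type": "inbox_rule_created",
     "rule": "move newsletters to folder"},
]

# Assumed per-user baseline: countries seen in that user's normal logons.
BASELINE = {"lmanager": {"US"}, "cfo": {"US"}}


def correlate(events, baseline, window=timedelta(hours=1)):
    """Return one alert per inbox rule that was created within `window` after a
    successful OWA logon from a country outside the user's baseline.  Either
    signal alone is noisy; the pair is the mailbox-takeover pattern."""
    alerts = []
    for rule in events:
        if rule["type"] != "inbox_rule_created":
            continue
        rule_ts = datetime.fromisoformat(rule["ts"])
        for logon in events:
            if logon["type"] != "owa_logon" or logon["user"] != rule["user"]:
                continue
            logon_ts = datetime.fromisoformat(logon["ts"])
            in_window = rule_ts - window <= logon_ts <= rule_ts
            foreign = logon["country"] not in baseline.get(rule["user"], set())
            if in_window and foreign:
                alerts.append({"user": rule["user"], "logon_country": logon["country"],
                               "logon_ts": logon["ts"], "rule_ts": rule["ts"],
                               "rule": rule["rule"]})
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS, BASELINE):
        print(alert)
```

The second user's rule is ignored because the preceding logon came from a baseline country; widening the baseline is what turns the first alert off, which is the tuning knob an analyst actually has.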

Page 18

Security Operations Center

Source: SANS Institute - Building a World Class Security Operations Center: A Roadmap

SIEM

Strengths:

• Enables Detection and Response

• Combines Human experience with Technology

• Reduces MTTI & MTTC to hours/minutes

Shortcomings:

• High technology costs

• Very high staffing costs (8-12 FTEs)

• Time to Implement: 9-12 months

Page 19

Staffing a SOC: People

Security operators
• Helps to oversee SOC operations
• Serve as focal point for managing and coordinating a response to incidents.

Security analysts
• On front lines of the SOC
• First to review alerts and determine their relevance and urgency
• Responsible for investigating threats
• Determines appropriate steps for remediation

Security researchers
• Studies new strains of malware, takes them apart, determines how they work
• Share that information with others
• Uses the information to better understand cyber attackers, their attack methods and behavior profiles

Security manager
• Supervises SOC team and handles higher-level tasks (running reports, managing escalation process, and reviewing incident reports)
• Monitors SOC’s performance and communicates with business leaders

Incident response team
• Consists of a manager, security analysts, and security researchers
• Responsible for analyzing and responding to security breaches

Forensics team
• Investigates breaches to determine root cause
• Preserves evidence so that it can be used in a court of law
• Practices proper planning, documentation, chain of custody, and rules of evidence

Compliance audit team
• Performs periodic, comprehensive reviews of the IT environment to validate organization’s compliance with regulatory requirements
• Performs risk assessments, understands applicable laws and regulations, monitors compliance efforts, and educates staff on audit findings

Development team
• Maintains log source connections, API integrations, parsers, custom workflow tools, etc.
• A SOC leverages a development lifecycle against its platform, similar to the development process used to write software

Page 20

SOC-as-a-Service

Highly Scalable Multi-tenant Architecture Built on Cloud Infrastructure

Triage funnel (diagram):
• Logs and Alerts: Billions/Day
• Observations: Millions/Day
• Investigations: 1000s/Day
• Customer Escalations: 100s/Day

Strengths:

• Benefits of a SOC at a fraction of the cost

• Provides Detection and Response

• Enables Compliance

• Reduces MTTI & MTTC to minutes

• Eliminates Noise

Shortcomings:

• Replaces SIEM entirely

Page 21

SOC-as-a-Service – Example Approach (architecture diagram; elements as extracted)

Customer log and network sources: FW/UTM Logs, Flow Data, IDS Alerts, DNS Logs, HTTP & TLS, AD / Other Logs, Server Logs, Email Gateway, Wireless AP, Cloud, IaaS Monitoring, Network Devices, Wireless Networks

Host data: Windows Event Logs, System Vulnerabilities, Rootkit / Compromise Alerts, Process Tables, Installed Patches

Threat Intelligence: Commercial Feeds, Malware/Domain Lookup, IP Location/Reputation, Vulnerabilities, OSINT, CIS Benchmarking

Scanner and asset data (over Secure Transport): Vulnerability Data, Nmap Data, Device Inventory, Configuration Benchmarks, Asset Information, Dark Web Data, Publicly Accessible Ports/Services, SaaS Monitoring, Sec-aaS Monitoring

Cloud SOC with Concierge Security Team (CST)

Actionable Results: Incident Notifications, Trouble Tickets, Standard & Custom Reports, Trusted Advice, Vulnerability Notifications, Scanner Configuration & Monitoring

Page 22

War Stories

Page 23

Phishing Attack - Guess who? Wait that’s not you?

• Customer: Before SOC-as-a-Service

• Business Risk: Reputation, Customer Theft

• War Story:

— Leasing manager credentials harvested/phished by a OneDrive sharing request

— Email communication between leasing manager and tenant to finalize the lease of a luxury apartment

— Communication with the leasing manager abruptly stopped

— Hacker logs in via OWA from Africa, sets up inbox rules, and starts communicating with the tenant

— Tenant sends deposit/down payment to fraud account

— A week later the leasing manager calls the tenant to see if they are still interested; the tenant said “umm yeah, I sent my deposit and am planning on moving in”

Page 24

Malware Attack - Contained Compromised Endpoints

• Customer: Senior Living Center

• Business Risk: Protect client records, compliance

• War Story:

— Malware delivered through phishing email to create backdoor

— AWN CST observed alert generated by endpoint agent

— New malware downloaded from suspicious website

— Same pattern repeated on another endpoint. AWN CST recognized pattern of infection

— CST advised IT-staff to block malicious website, and quarantine infected endpoints

— Customer proactively stopped infection from spreading

CAUGHT

Page 25

Phishing Attack – Stopped New Infections

• Customer: Small Law Firm (10 partners)

• Business Risk: Protect Firm’s IT infrastructure

• War Story:

— Partner’s credentials harvested by phishing email

— Email sent from partner’s email to staff

— Unsuspecting employee clicked on attachment in partner’s email

— Employee’s laptop infected with key logger malware from malicious website and employee credentials are harvested

— AWN CST identified pattern and alerted IT of malicious website.

— Customer blocked malicious website and warned employees.

CAUGHT

Page 26

Insider Threat – Prevented Bitcoin Mining

• Customer: Cotton Distributor

• Business Risk: Concerned about protecting integrity of data

• War Story:

— IT-staff used production server to “mine” Bitcoin.

— AWN CST noticed network traffic going to known Bitcoin mining operation

— AWN CST warned IT-staff about rogue insider.

— Customer fired employee

CAUGHT

Page 27

Unauthorized FTP Service - Prevented Security Breach

• Customer: 600-bed Hospital

• Business Risk: Protect patient records, compliance

• War Story:

— Unauthorized FTP service on internet facing server.

— Enabled doctors to upload client data w/o logging in!

— Hackers uploaded malware and compromised server.

— Used DNS covert channel to communicate with CnC

— Hackers attempted to steal medical data.

— AWN CSE alerted customer of outbound CnC traffic from compromised server and unauthorized FTP svc.

— IT blocked FTP service and blocked CnC traffic to block security breach.

CAUGHT
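A defender's view of the DNS covert channel in this story, as added example code (not from the deck or from the vendor): it groups a constructed DNS query log by source host and parent domain and flags hosts issuing many long, high-entropy labels under one domain, the shape of beaconing or data transfer tunnelled over DNS. The log format, thresholds and sample hosts are assumptions.

```python
import math
from collections import defaultdict

# Constructed DNS query log (not from the deck): "timestamp source qtype qname".
# Host 10.0.8.15 sends a burst of long hex labels under one parent domain.
DNS_LOG = """\
2019-04-11T02:10:01 10.0.8.15 A www.example.org
2019-04-11T02:10:02 10.0.8.15 TXT 7a9f3c1e5b2d8e4f6a0c1b3d.example.net
2019-04-11T02:10:03 10.0.8.15 TXT 9e2d4c6b8a0f1e3d5c7b9a1f.example.net
2019-04-11T02:10:04 10.0.8.15 TXT 4b6d8f0a2c4e6a8c0e2a4c6e.example.net
2019-04-11T02:10:05 10.0.8.15 TXT 1c3e5a7b9d0f2a4c6e8b0d2f.example.net
2019-04-11T02:10:06 10.0.8.30 A mail.example.org
2019-04-11T02:10:07 10.0.8.30 A cdn.example.org
"""


def entropy(s):
    """Shannon entropy in bits per character; random-looking encodings score high."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def parent_domain(qname):
    return ".".join(qname.rstrip(".").split(".")[-2:])


def find_suspect_tunnels(log, min_queries=4, min_label_len=20, min_entropy=3.0,
                         rare_types=("TXT", "NULL", "CNAME")):
    """Group queries by (source host, parent domain) and flag groups where at
    least `min_queries` queries carry a long, high-entropy leftmost label.
    The share of record types rarely used by ordinary clients is reported
    alongside as a second indicator for the analyst."""
    groups = defaultdict(list)
    for line in log.splitlines():
        _ts, src, qtype, qname = line.split()
        groups[(src, parent_domain(qname))].append((qtype, qname.split(".")[0]))
    findings = []
    for (src, domain), queries in groups.items():
        random_labels = [lbl for _t, lbl in queries
                         if len(lbl) >= min_label_len and entropy(lbl) >= min_entropy]
        if len(random_labels) >= min_queries:
            rare = sum(qt in rare_types for qt, _l in queries)
            findings.append({"src": src, "domain": domain, "queries": len(queries),
                             "rare_type_ratio": rare / len(queries)})
    return findings
```

Thresholds need tuning per environment (CDNs and anti-spam lookups also produce long labels), so the output is a lead for an analyst rather than a block decision.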

Page 28

Ransomware attack – Prevented endpoint encryption

• Customer: Supply Chain Management

• Business Risk: Concerned about 24/7 uptime of logistics solutions

• War Story:

— Ransomware delivered through email attachment

— Alerts generated by snort rule in AWN sensor

— Ransomware exchanged encryption key with CnC

— AWN CST observed malicious traffic from compromised laptop

— AWN CST alerted customer of ransomware being delivered via email

— Customer prevented ransomware attack from spreading to other laptops and servers

CAUGHT

Page 29

Unknown Asset Triggers Incident

• Customer: Healthcare Provider

• Business Risk: Unknown asset compromises corporate network

• War Story:

— Command and Control traffic identified from an unknown asset

— Validated that the existing endpoint security solution had no record of the compromise as it wasn’t installed on that device

— Research via DHCP and WAP logs identified which WAP it was connected to

— Customer and partner tracked down the device…which was owned by a vendor sales rep (giving a presentation) that was allowed on the corporate network…the device was immediately removed from the network and was found to be infected with malware

CAUGHT
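The pivot described in this story (C2 alert → DHCP lease → wireless association), as added Python that is not part of the deck: given a constructed alert plus constructed DHCP and WAP log lines, it resolves the alert's source IP to the MAC and hostname holding the lease at alert time, then to the access point that MAC was associated with. Both log formats are assumptions.

```python
import re
from datetime import datetime

# Constructed alert and log lines (not from the original deck); formats are assumed.
C2_ALERT = {"ts": "2019-05-20T14:31:07", "src_ip": "10.20.5.77", "sig": "C2 beacon"}

DHCP_LOG = """\
2019-05-20T13:58:12 DHCPACK on 10.20.5.77 to 3c:a9:f4:11:22:33 (LAPTOP-VND01) via 10.20.5.1
2019-05-20T14:02:03 DHCPACK on 10.20.5.80 to 3c:a9:f4:99:88:77 (NURSE-TAB3) via 10.20.5.1
2019-05-20T14:45:40 DHCPACK on 10.20.5.77 to 00:1a:2b:44:55:66 (RECEPTION-PC) via 10.20.5.1
"""

WAP_LOG = """\
2019-05-20T13:57:50 ap=AP-CONF-ROOM-2 event=assoc client=3c:a9:f4:11:22:33 ssid=CORP
2019-05-20T14:40:11 ap=AP-CONF-ROOM-2 event=disassoc client=3c:a9:f4:11:22:33 ssid=CORP
2019-05-20T14:41:00 ap=AP-LOBBY-1 event=assoc client=00:1a:2b:44:55:66 ssid=CORP
"""

DHCP_RE = re.compile(r"^(\S+) DHCPACK on (\S+) to (\S+) \((\S*)\)")
WAP_RE = re.compile(r"^(\S+) ap=(\S+) event=(\S+) client=(\S+)")


def mac_for_ip(dhcp_log, ip, at):
    """(MAC, hostname) holding the lease for `ip` at time `at`: the latest DHCPACK
    issued no later than `at`. Later leases are ignored: the IP may be reassigned."""
    best = None
    for line in sorted(dhcp_log.splitlines()):  # ISO timestamps sort as text
        m = DHCP_RE.match(line)
        if m and m.group(2) == ip and datetime.fromisoformat(m.group(1)) <= at:
            best = (m.group(3), m.group(4))
    return best


def ap_for_mac(wap_log, mac, at):
    """AP that `mac` was associated with at `at`, or None if last seen disassociating."""
    current = None
    for line in sorted(wap_log.splitlines()):
        m = WAP_RE.match(line)
        if m and m.group(4) == mac and datetime.fromisoformat(m.group(1)) <= at:
            current = m.group(2) if m.group(3) == "assoc" else None
    return current


def locate(alert, dhcp_log, wap_log):
    """Pivot alert source IP -> DHCP lease -> wireless AP; None if no lease matches."""
    at = datetime.fromisoformat(alert["ts"])
    lease = mac_for_ip(dhcp_log, alert["src_ip"], at)
    if lease is None:
        return None
    mac, host = lease
    return {"mac": mac, "hostname": host, "ap": ap_for_mac(wap_log, mac, at)}
```

Matching on the lease that was current at alert time matters: in the constructed log the same IP is re-issued to a different machine fourteen minutes after the alert, and a naive "latest lease" lookup would point the responder at the wrong device.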

Page 30

Even trainers get phished!

• Business Risk: Reputation and account hijacking

• War Story:

— Corporate C level exec that had helped lead phishing training gets phished by their own spoofed email address

— Identified logon discrepancy from a foreign country and notified customer of compromised credential

— Contact list was potentially harvested, no additional email compromise was present (no emails originating from phished user, inbox rules for email exfil, etc.)

— Customer sent an email to contact list letting them know to ignore all emails coming from spoofed email addresses, also researching SPF, DKIM, and DMARC to “help” with spoofing capabilities

CAUGHT

Page 31

Thank You!

[email protected]

www.arcticwolf.com