Cybersecurity Operations and Tales from the Trenches
Transcript of Cybersecurity Operations and Tales from the Trenches
Conflict of Interest
• Conflict of Interest Disclosure: Tom Utley, Computer Engineer – B.S., has no real or apparent conflicts of interest to report.
Agenda
• Security Reality Check
• Security Operations Basics
• War Stories
• Malware attack
• Phishing
• Unwanted Software – Bitcoin mining
• Ransomware
• Unknown Asset
• No-one is Exempt
Security Reality Check
Evolution of Security
• Basic: Passwords / AD, Patch Management, Backups
• Perimeter: Firewalls, SPAM / Web Filters, WAF/Proxy
• Defense-in-Depth: Endpoint (AV, AEP), DLP / SSL Inspection, Anti-DDoS/IPS/CASB
We’re good, right?
Ripped From The Headlines
RANSOMWARE HITS GEORGIA COURTS AS MUNICIPAL ATTACKS SPREAD
More than 12M people may be affected by latest medical data breach.
Confirmed: 2 Billion Records Exposed In Massive Smart Home Device Breach
#CriminalsAreReal
Source: Verizon Data Breach Investigations Report: https://enterprise.verizon.com/resources/reports/dbir/
Current Security Performance
• 197 Days – Mean Time to Identify (MTTI) malicious and criminal attacks
• 69 Days – Mean Time to Contain (MTTC) attacks (after detection)
Source: 2018 Ponemon Cost of Data Breach Report
Cybersecurity Spending as a % of all IT Spending
[Chart: share of IT spending devoted to cybersecurity, by industry (Healthcare, Government, Telecom & Tech, Finance, Education, Retail, Manufacturing); the reported values range from 11% to 13.2%]
Source: 2019 Cyberthreat Defense Report – CyberEdge Group
Evolution of Security
• Basic: Passwords / AD, Patch Management, Backups
• Perimeter: Firewalls, SPAM / Web Filters, WAF/Proxy
• Defense-in-Depth: Endpoint (AV, AEP), DLP / SSL Inspection, Anti-DDoS/IPS/CASB
• Secure by Design: Continuously Improve Security Posture, Speed-up Remediations, Policy Update
• Security Operations: Log Aggregation & Correlation, Human / Threat Intelligence, Incident Detection & Response, Continuous Risk Management
Security Operations Basics
Cybersecurity Management Lifecycle
1. Identify
• Asset Management
• Business Environment
• Governance
• Risk Assessment
• Risk Management Strategy
2. Protect
• Access Control
• Awareness and Training
• Data Security
• Information Protection Processes and Procedures
• Maintenance
• Protective Technology
3. Detect
• Anomalies and Events
• Security Continuous Monitoring
• Detection Process
4. Respond
• Response Planning
• Communications
• Analysis
• Mitigation
• Improvements
5. Recover
• Recovery Planning
• Improvements
• Communications
Fundamental Operational Challenges
Too Much Noise
Alert fatigue, vendor fatigue, compliance and regulation fatigue. The journey never ends.
Security Skill Shortage
Recruiting and retaining cybersecurity talent is hard, sometimes impossible.
Specific Challenge: Ransomware
1. Break In
2. Install, Spread, Persist
3. Key Exchange
4. Encrypt
5. Collect Payment
6. Restore Data?
Attack Vectors (Source: Osterman Research, Inc.)
• Email Link: 31%
• Email Attachment: 28%
• Malicious Website: 24%
• Don't Know: 9%
• Social Media: 4%
• USB Stick: 3%
• Business Application: 1%
Detecting Security Issues – What to collect?
• Network Based
– IDS
– Flow
– DNS
– HTTP/TLS
– DHCP
– Proxy
– iVA, eVA
• IAM
– AD Events
– IDaaS
• Server Based
– AV
– Applications
– Azure/AWS
– DB
• Client Based
– EDR/NGAV
– Event Logs
– hVA
• SaaS
– AWS/Azure/GCP
– IDaaS
– O365
– Salesforce
– Box/OneDrive
• Mail Services
– Exchange
– CAS
– Cloud Mail Gateways
SIM, SEM, SIEM – What’s the difference?
• SIM: Security Information Management
– Long-term storage as well as analysis and reporting of log data.
• SEM: Security Event Management
– Real-time monitoring, correlation of events, notifications and console views.
• SIEM: Combination of SIM and SEM
– Enables real-time analysis of security alerts along with storage and reporting.
» Log Management + Correlation, AI, Alerts
Strengths:
• “Big Data” Optimized for Security Purposes
• Makes Detection and Response Possible
• Enables Compliance
Shortcomings:
• Data Firehose
• High costs (licenses, infrastructure, maintenance)
• Requires at least 3-4 FTEs (bare minimum)
Security Operations Center
Source: SANS Institute - Building a World Class Security Operations Center: A Roadmap
SIEM
Strengths:
• Enables Detection and Response
• Combines Human experience with Technology
• Reduces MTTI & MTTC to hours/minutes
Shortcomings:
• High technology costs
• Very high staffing costs (8-12 FTEs)
• Time to Implement: 9-12 months
Staffing a SOC: People
• Security operators
– Help to oversee SOC operations
– Serve as focal point for managing and coordinating a response to incidents
• Security analysts
– On the front lines of the SOC
– First to review alerts and determine their relevance and urgency
– Responsible for investigating threats
– Determine appropriate steps for remediation
• Security researchers
– Study new strains of malware, take them apart, determine how they work
– Share that information with others
– Use the information to better understand cyber attackers, their attack methods and behavior profiles
• Security manager
– Supervises SOC team and handles higher-level tasks (running reports, managing escalation process, and reviewing incident reports)
– Monitors SOC’s performance and communicates with business leaders
• Incident response team
– Consists of a manager, security analysts, and security researchers
– Responsible for analyzing and responding to security breaches
• Forensics team
– Investigates breaches to determine root cause
– Preserves evidence so that it can be used in a court of law
– Practices proper planning, documentation, chain of custody, and rules of evidence
• Compliance audit team
– Performs periodic, comprehensive reviews of the IT environment to validate organization’s compliance with regulatory requirements
– Performs risk assessments, understands applicable laws and regulations, monitors compliance efforts, and educates staff on audit findings
• Development team
– Maintains log source connections, API integrations, parsers, custom workflow tools, etc.
– A SOC leverages a development lifecycle against its platform, similar to the development process used to write software
SOC-as-a-Service
Highly Scalable Multi-tenant Architecture Built on Cloud Infrastructure
• Logs and Alerts: Billions/Day
• Observations: Millions/Day
• Investigations: 1000s/Day
• Customer Escalations: 100s/Day
Strengths:
• Benefits of a SOC at a fraction of the cost
• Provides Detection and Response
• Enables Compliance
• Reduces MTTI & MTTC to minutes
• Eliminates Noise
Shortcomings:
• Replaces SIEM entirely
SOC-as-a-Service – Example Approach
[Diagram: customer data sources feed a Cloud SOC staffed by a Concierge Security Team (CST) over secure transport; the CST returns actionable results and threat intelligence to the customer.]
• Log and alert sources: FW/UTM Logs, Flow Data, IDS Alerts, DNS Logs, HTTP & TLS, AD / Other Logs, Server Logs, Email Gateway, Wireless AP, Cloud, IaaS Monitoring, SaaS Monitoring, Sec-aaS Monitoring, Network Devices, Wireless Networks, Windows Event Logs, System Vulnerabilities, Rootkit / Compromise Alerts, Process Tables, Installed Patches
• Threat intelligence: Commercial Feeds, Malware/Domain Lookup, IP Location/Reputation, Vulnerabilities, OSINT, CIS Benchmarking, Dark Web Data
• Vulnerability data: Nmap Data, Device Inventory, Configuration Benchmarks, Asset Information, Publicly Accessible Ports/Services
• Actionable results: Incident Notifications, Trouble Tickets, Standard & Custom Reports, Trusted Advice, Vulnerability Notifications, Scanner Configuration & Monitoring
War Stories
Phishing Attack - Guess who? Wait that’s not you?
• Customer: Before SOC-as-a-Service
• Business Risk: Reputation, Customer Theft
• War Story:
— Leasing manager credentials harvested/phished by a OneDrive sharing request
— Email communication between leasing manager and tenant to finalize the lease of a luxury apartment
— Communication with the leasing manager abruptly stopped
— Hacker logs in via OWA from Africa, sets up inbox rules, and starts communicating with the tenant
— Tenant sends deposit/down payment to fraud account
— A week later leasing manager calls the tenant to see if they are still interested, tenant said “umm yeah, I sent my deposit and am planning on moving in”
Malware Attack - Contained Compromised Endpoints
• Customer: Senior Living Center
• Business Risk: Protect client records, compliance
• War Story:
— Malware delivered through phishing email to create backdoor
— AWN CST observed alert generated by endpoint agent
— New malware downloaded from suspicious website
— Same pattern repeated on another endpoint. AWN CST recognized pattern of infection
— CST advised IT-staff to block malicious website, and quarantine infected endpoints
— Customer proactively stopped infection from spreading
CAUGHT
Phishing Attack – Stopped New Infections
• Customer: Small Law Firm (10 partners)
• Business Risk: Protect Firm’s IT infrastructure
• War Story:
— Partner’s credentials harvested by phishing email
— Email sent from partner’s email to staff
— Unsuspecting employee clicked on attachment in partner’s email
— Employee’s laptop infected with key logger malware from malicious website and employee credentials are harvested
— AWN CST identified pattern and alerted IT of malicious website.
— Customer blocked malicious website and warned employees.
CAUGHT
Insider Threat – Prevented Bitcoin Mining
• Customer: Cotton Distributor
• Business Risk: Concerned about protecting integrity of data
• War Story:
— IT-staff used production server to “mine” Bitcoin.
— AWN CST noticed network traffic going to known Bitcoin mining operation
— AWN CST warned IT-staff about rogue insider.
— Customer fired employee
CAUGHT
Unauthorized FTP Service - Prevented Security Breach
• Customer: 600-bed Hospital
• Business Risk: Protect patient records, compliance
• War Story:
— Unauthorized FTP service on internet facing server.
— Enabled doctors to upload client data w/o logging in!
— Hackers uploaded malware and compromised server.
— Used DNS covert channel to communicate with CnC
— Hackers attempted to steal medical data.
— AWN CSE alerted customer of outbound CnC traffic from compromised server and unauthorized FTP svc.
— IT blocked FTP service and blocked CnC traffic to block security breach.
CAUGHT
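The outbound CnC traffic in the hospital story rode a DNS covert channel. The following heuristic detector is an added example (not the deck’s or AWN’s code) that runs over constructed DNS query-log lines; the log format, the two-label registered-domain rule and the thresholds are assumptions to tune per environment.

```python
import math
from collections import Counter, defaultdict

# Constructed sample log, one query per line: "<time> <client_ip> <qtype> <qname>";
# the tunnel-example.net entries mimic encoded data carried in subdomain labels.
SAMPLE_DNS_LOG = """\
09:00:01 10.1.5.20 A www.example.com
09:00:02 10.1.5.20 TXT 3q2d7f9a8b1c.e4f5a6b7c8d9.tunnel-example.net
09:00:02 10.1.5.20 TXT 9z8y7x6w5v4u.t3s2r1q0p9o8.tunnel-example.net
09:00:03 10.1.5.20 TXT k1j2h3g4f5d6.s7a8p9o0i1u2.tunnel-example.net
09:00:03 10.1.5.20 TXT y7t6r5e4w3q2.m1n2b3v4c5x6.tunnel-example.net
09:00:04 10.1.5.20 TXT z9x8c7v6b5n4.l3k2j1h0g9f8.tunnel-example.net
09:00:05 10.1.5.31 A mail.example.com
09:00:06 10.1.5.31 A cdn.example.com
"""

def shannon_entropy(s):
    """Bits per character; encoded payload data scores high, ordinary hostnames score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def registered_domain(qname):
    # Assumption: last two labels; production code should use the public suffix list.
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])

def detect_dns_tunnels(log_text, min_queries=5, min_avg_entropy=3.0, min_avg_sub_len=20):
    """Flag (client, domain) pairs whose subdomains look like data: many queries,
    every subdomain unique, long and high-entropy labels (TXT ratio reported as context)."""
    stats = defaultdict(lambda: {"n": 0, "ent": 0.0, "len": 0, "txt": 0, "subs": set()})
    for line in log_text.splitlines():
        _, client, qtype, qname = line.split()
        dom = registered_domain(qname)
        sub = qname[: -len(dom) - 1] if len(qname) > len(dom) else ""
        s = stats[(client, dom)]
        s["n"] += 1
        s["ent"] += shannon_entropy(sub.replace(".", ""))
        s["len"] += len(sub)
        s["txt"] += qtype == "TXT"
        s["subs"].add(sub)
    findings = []
    for (client, dom), s in stats.items():
        n = s["n"]
        if (n >= min_queries and s["ent"] / n >= min_avg_entropy
                and s["len"] / n >= min_avg_sub_len and len(s["subs"]) == n):
            findings.append({"client": client, "domain": dom, "queries": n,
                             "txt_ratio": s["txt"] / n, "avg_entropy": round(s["ent"] / n, 2)})
    return findings
```

A hit is a reason to inspect the client and block the domain at the resolver, not proof by itself; CDNs and some security products also produce long unique subdomains, so an allowlist belongs in front of this check.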
Ransomware attack – Prevented endpoint encryption
• Customer: Supply Chain Management
• Business Risk: Concerned about 24/7 uptime of logistics solutions
• War Story:
— Ransomware delivered through email attachment
— Alerts generated by snort rule in AWN sensor
— Ransomware exchanged encryption key with CnC
— AWN CST observed malicious traffic from compromised laptop
— AWN CST alerted customer of ransomware being delivered via email
— Customer prevented ransomware attack from spreading to other laptops and servers
CAUGHT
Unknown Asset Triggers Incident
• Customer: Healthcare Provider
• Business Risk: Unknown asset compromises corporate network
• War Story:
— Command and Control traffic identified from an unknown asset
— Validated that the existing endpoint security solution had no record of the compromise as it wasn’t installed on that device
— Research via DHCP and WAP logs identified which WAP it was connected to
— Customer and partner tracked down the device…which was owned by a vendor sales rep (giving a presentation) that was allowed on the corporate network…the device was immediately removed from the network and was found to be infected with malware
CAUGHT
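The pivot used in the unknown-asset story (alert IP to DHCP lease to access point) as an added example, not the deck’s or AWN’s code. The alert, DHCP and wireless-controller log formats and the managed-MAC inventory are constructed assumptions; the point is to pick the lease that was active at alert time, since addresses get reused.

```python
from datetime import datetime

# Constructed sample data; log formats are an assumption, not any vendor's.
# Alert: C2 beacon from an IP the endpoint security tool has no record of.
C2_ALERT = {"ts": "2019-05-14T10:22:30", "src_ip": "10.20.7.143", "sig": "known C2 beacon"}
# DHCP server log: "<time> DHCPACK <ip> <mac> <hostname>"
DHCP_LOG = """\
2019-05-14T08:10:05 DHCPACK 10.20.7.143 00:1a:2b:33:44:55 corp-ws-017
2019-05-14T09:58:10 DHCPACK 10.20.7.143 f4:5c:89:aa:bb:cc unknown-laptop
2019-05-14T10:05:44 DHCPACK 10.20.7.150 00:1a:2b:66:77:88 corp-ws-022
"""
# Wireless controller log: "<time> ASSOC <mac> ap=<access point> ssid=<network>"
WAP_LOG = """\
2019-05-14T08:09:50 ASSOC 00:1a:2b:33:44:55 ap=AP-Floor1-East ssid=Corp
2019-05-14T09:57:55 ASSOC f4:5c:89:aa:bb:cc ap=AP-Boardroom-2 ssid=Corp
2019-05-14T10:30:00 ASSOC f4:5c:89:aa:bb:cc ap=AP-Lobby ssid=Corp
"""
# MACs of endpoints known to run the endpoint security agent (assumed inventory)
MANAGED_MACS = {"00:1a:2b:33:44:55", "00:1a:2b:66:77:88"}

def latest_before(lines, when, match, fields):
    """Most recent record at or before `when` whose columns satisfy `match`."""
    best = None
    for line in lines.splitlines():
        cols = line.split()
        t = datetime.fromisoformat(cols[0])
        if t <= when and match(cols) and (best is None or t > best[0]):
            best = (t,) + tuple(cols[i] for i in fields)
    return best

def locate_asset(alert, dhcp_log, wap_log, managed_macs):
    """Pivot alert IP -> DHCP lease (MAC, hostname) -> wireless association (AP) at alert time."""
    when = datetime.fromisoformat(alert["ts"])
    lease = latest_before(dhcp_log, when,
                          lambda c: c[1] == "DHCPACK" and c[2] == alert["src_ip"], (3, 4))
    if lease is None:
        return {"status": "no DHCP lease for alert IP at alert time"}
    _, mac, hostname = lease
    assoc = latest_before(wap_log, when, lambda c: c[1] == "ASSOC" and c[2] == mac, (3, 4))
    return {"status": "located", "ip": alert["src_ip"], "mac": mac, "hostname": hostname,
            "managed": mac in managed_macs,
            "ap": assoc[1].split("=", 1)[1] if assoc else None,
            "ssid": assoc[2].split("=", 1)[1] if assoc else None}
```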
Even trainers get phished!
• Business Risk: Reputation and account hijacking
• War Story:
— Corporate C level exec that had helped lead phishing training gets phished by their own spoofed email address
— Identified logon discrepancy from a foreign country and notified customer of compromised credential
— Contact list was potentially harvested, no additional email compromise was present (no emails originating from phished user, inbox rules for email exfil, etc.)
— Customer sent an email to contact list letting them know to ignore all emails coming from spoofed email addresses, also researching SPF, DKIM, and DMARC to “help” with spoofing capabilities
CAUGHT
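Both phishing stories (the leasing manager and the executive) were spotted from the same two signals: a mailbox logon from a country the user never signs in from, and inbox rules that hide or forward mail. This correlation is an added example, not the deck’s or AWN’s code; the audit-event schema, the per-user country baseline and the folder/action lists are constructed assumptions.

```python
import json
from datetime import datetime, timedelta

# Constructed sample mailbox audit events as JSON lines; field names are an assumption,
# not any product's schema. The leasing user shows the full pattern (foreign logon, then
# rules hiding lease mail and forwarding it out); the exec shows a foreign logon only.
SAMPLE_AUDIT = """\
{"ts":"2019-06-03T08:02:00","user":"leasing@example.com","op":"UserLoggedIn","country":"US"}
{"ts":"2019-06-03T13:41:00","user":"leasing@example.com","op":"UserLoggedIn","country":"NG"}
{"ts":"2019-06-03T13:44:00","user":"leasing@example.com","op":"New-InboxRule","country":"NG","rule":{"MoveToFolder":"RSS Feeds","SubjectContainsWords":["deposit","lease"]}}
{"ts":"2019-06-03T13:46:00","user":"leasing@example.com","op":"New-InboxRule","country":"NG","rule":{"ForwardTo":"attacker-mailbox@example.org"}}
{"ts":"2019-06-03T09:15:00","user":"exec@example.com","op":"UserLoggedIn","country":"FR"}
{"ts":"2019-06-03T09:30:00","user":"exec@example.com","op":"New-InboxRule","country":"US","rule":{"MoveToFolder":"Newsletters"}}
{"ts":"2019-06-03T10:00:00","user":"admin@example.com","op":"New-InboxRule","country":"US","rule":{"DeleteMessage":true}}
"""

# Countries each user normally signs in from (assumed baseline, e.g. learned from prior logons)
BASELINE_COUNTRIES = {"leasing@example.com": {"US"}, "exec@example.com": {"US"}, "admin@example.com": {"US"}}
# Rule actions that exfiltrate mail or hide the attacker's correspondence from the victim
EXFIL_ACTIONS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "DeleteMessage"}
HIDE_FOLDERS = {"RSS Feeds", "RSS Subscriptions", "Junk Email", "Archive", "Conversation History"}

def rule_is_suspicious(rule):
    return bool(EXFIL_ACTIONS.intersection(rule)) or rule.get("MoveToFolder") in HIDE_FOLDERS

def correlate(audit_text, window=timedelta(hours=24)):
    """Findings: unfamiliar-country logon (medium), suspicious inbox rule (medium),
    suspicious rule created within `window` after such a logon (high)."""
    events = sorted((json.loads(l) for l in audit_text.splitlines() if l.strip()), key=lambda e: e["ts"])
    odd_logons, findings = {}, []
    for e in events:
        t, user = datetime.fromisoformat(e["ts"]), e["user"]
        if e["op"] == "UserLoggedIn" and e["country"] not in BASELINE_COUNTRIES.get(user, set()):
            odd_logons.setdefault(user, []).append((t, e["country"]))
            findings.append({"user": user, "severity": "medium", "reason": f"logon from {e['country']} outside baseline"})
        elif e["op"] == "New-InboxRule" and rule_is_suspicious(e.get("rule", {})):
            recent = [c for lt, c in odd_logons.get(user, []) if timedelta(0) <= t - lt <= window]
            findings.append({"user": user, "severity": "high" if recent else "medium",
                             "reason": "suspicious inbox rule " + json.dumps(e["rule"])
                             + (f" after logon from {recent[-1]}" if recent else "")})
    return findings
```

A high finding is the cue to reset the credential, revoke sessions and delete the rules; the rule check alone is worth running on its own, because attackers also create rules from the victim’s usual country once they hold the password.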