TYING CYBER ATTACKS TO BUSINESS PROCESSES, FOR FASTER MITIGATION
Anner Kushnir, VP Technology, AlgoSec
AGENDA
• Introduction
• Business Driven Incident Response
• Technical Considerations in Remediation
• Automation and Quick Access to Information
• Summary
INTRODUCTION
BACKGROUND
The attackers are already inside the network:
• Advanced Persistent Threat (APT)
• Compromised servers and desktops
• Malicious insiders

What can happen during an attack:
• Data is being exfiltrated (theft, espionage)
• Critical services go down
• A compromised machine is part of a DDoS attack network
• …
CYBER ATTACK STATISTICS
• “Data Breaches Increase 40 Percent in 2016” - Identity Theft Resource Center (ITRC) and CyberScout
• “Of the 1,000 IT leaders polled for Invincea’s 2016 Cyberthreat Defense Report, three-quarters reported that their networks had been breached in the last year, and 62 percent said they expect to suffer a successful cyberattack at some point this year”
• “More than 4,000 ransomware attacks have occurred every day since the beginning of 2016 (300% increase compared to 2015)” - Computer Crime and Intellectual Property Section (CCIPS)
ADAPTIVE SECURITY
• “… preventive, detective and response capabilities.”
• “… context-aware network, endpoint and application security protection platforms”
  - Neil MacDonald, Peter Firstbrook, Gartner 2016
• “Leverage the Security Ecosystem from within the SIEM – Avoid Context Switching”
• “Maintain context during investigations”
  - Splunk Partner Information, 2016
AN INCIDENT STARTS WITH DETECTION
• Technological detectors, with different methodologies:
  • Signature-based, anomaly detection, behavioral analytics
  • Network-based, host-based
  • Dedicated sensors, alerts from standard systems
  • Internal or from threat intelligence
  • Etc. …
• Human analysts in the “Cyber Operation Center” (COC)
  • Free search through real-time + offline log data

Evidence of malicious activity can be observed in logs
THE FUNNEL: LOGS > CASES > INCIDENTS
• Many systems produce logs and alerts
  • Firewalls, anti-virus, computer OS, authentication systems, …
• Logs are sent to a SIEM (Security Information and Event Management)
  • Huge volume, nearly all benign
• SIEM “business logic” / “event correlation”: open Cases
  • SOC (Security Operations Center) staff handles the cases
  • Many false alarms
• Real cases become incidents
  • COC (Cyber-Operation Center) staff handles the incidents

SECURITY INCIDENT RESPONSE
Security Analysts in the COC analyze cases and incidents.
Their job is to detect real breaches (avoid false alarms), report the incident, analyze its impact, and stop/contain the attack.
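The logs-to-cases step of the funnel, as an added example that is not part of the original deck and not AlgoSec's or any SIEM vendor's correlation logic. The log lines are constructed; the rule (open a case only when at least two independent detectors fire on the same host within 15 minutes) is one simple way a SIEM turns a flood of mostly benign alerts into a handful of cases:

```python
"""Logs -> cases: a minimal SIEM-style correlation over constructed log lines.
Added example, not AlgoSec's or any SIEM vendor's logic.  A single alert is
treated as noise; a case is opened only when independent detectors fire on the
same host inside a time window, one common way correlation thins the funnel."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines: timestamp, source system, then key=value fields.
LOGS = """\
2016-11-03T09:00:01 av       host=ws-017 event=malware_quarantined sig=Trojan.Generic
2016-11-03T09:00:40 firewall host=ws-017 event=outbound_denied dst=203.0.113.9:4444
2016-11-03T09:02:15 auth     host=ws-017 event=login_failed user=svc-backup
2016-11-03T09:02:16 auth     host=ws-017 event=login_failed user=svc-backup
2016-11-03T09:03:00 firewall host=ws-021 event=outbound_denied dst=198.51.100.7:443
2016-11-03T09:05:10 ids      host=ws-017 event=c2_beacon dst=203.0.113.9
2016-11-03T11:40:00 av       host=ws-021 event=malware_quarantined sig=Adware.Generic
""".splitlines()


def parse(line):
    """One line -> dict with a datetime 'ts', the detector 'source' and its fields."""
    ts, source, rest = line.split(None, 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"ts": datetime.fromisoformat(ts), "source": source, **fields}


def correlate(lines, window=timedelta(minutes=15), min_sources=2):
    """Group events per host and open one case for the first burst in which at
    least `min_sources` distinct detectors fire within `window`.  Hosts with a
    lone alert (ws-021 here: two alerts hours apart) never become a case."""
    by_host = defaultdict(list)
    for event in map(parse, lines):
        by_host[event["host"]].append(event)
    cases = {}
    for host, events in by_host.items():
        events.sort(key=lambda e: e["ts"])
        for i, first in enumerate(events):
            burst = [e for e in events[i:] if e["ts"] - first["ts"] <= window]
            sources = {e["source"] for e in burst}
            if len(sources) >= min_sources:
                cases[host] = {
                    "opened": first["ts"],
                    "detectors": sorted(sources),
                    # network indicators for the analyst, port stripped
                    "indicators": sorted({e["dst"].split(":")[0] for e in burst if "dst" in e}),
                    "events": burst,
                }
                break
    return cases


if __name__ == "__main__":
    for host, case in correlate(LOGS).items():
        print(host, case["detectors"], case["indicators"])
```

Seven alerts go in, one case (ws-017, four detectors, one C&C address) comes out; ws-021's two unrelated alerts stay in the log store. The window and detector threshold are the "business logic" knobs the slide refers to, and tuning them is where most of the false-alarm rate is decided.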
SHOW OF HANDS
• How many people do you have in your Cyber-Operation Center?
  • We don’t have one
  • 1-10
  • More than 10
BUSINESS DRIVEN INCIDENT RESPONSE
INCIDENT DETECTED – NOW WHAT?
• Common: (unstructured)
  • “30 people on a bridge call”
  • “24 hours just to decide whether to isolate, and when”
  • “one person walking around and documenting”
• Better: use a “case management system”
  • Within the SIEM or as an add-on
  • Collect and document evidence
• Best:
  • Business-driven, context-aware
  • Actionable
BUSINESS-DRIVEN TRIAGE
• Identify impacted business processes
  • Which business applications rely on the impacted systems?
  • How business-critical are these applications?
  • Who are the business owners?
• Identify data sensitivity
  • Do the impacted applications handle sensitive data?
  • Is the impacted system a “stepping stone” to sensitive data?
  • Can the impacted system exfiltrate data?

Triage outcomes:
• Urgency of mitigation (now / tonight / change-control window)
• Aggressiveness of mitigation (filter / disconnect / shutdown / patch)
BUSINESS-DRIVEN CONSIDERATIONS
• Weigh 2 types of risk:
  • Security risk: damage of the attack until it is mitigated
  • Operational risk: downtime during mitigation + unintended side effects
• Business criticality primarily affects the operational risk
• Data sensitivity primarily affects the security risk
• … also regulatory compliance and reporting requirements
REACHABILITY CONSIDERATIONS
• Assume that the impacted system is “0wned”
  • All sensitive data on that system is exposed
  • … but network defenses are still in place:
    • East-West traffic filters (in a segmented datacenter)
    • North-South traffic filters (perimeter firewalls)
• Can the impacted system connect to the Internet?
  • Exfiltrate local data
  • Command and control
• Can the impacted system connect to more sensitive systems?
  • Lateral movement
  • Stepping stone
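Business-driven triage and the reachability questions above, carried through in code as an added example (not part of the deck and not AlgoSec's code). The application inventory, the zone definitions, the three-rule firewall policy and the scoring thresholds are all constructed assumptions; what the example shows is how criticality, data sensitivity and "can it still reach the Internet / the sensitive zone" combine into the urgency and aggressiveness outcomes of the triage slide, plus who has to be told:

```python
"""Business-driven triage of an impacted host: which applications depend on it,
how sensitive their data is, and whether the host can still reach the Internet
(exfiltration, C&C) or a sensitive zone (stepping stone) through the current
firewall policy.  Added example, not AlgoSec's code; the inventory, zones, policy
and scoring thresholds are constructed assumptions."""
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "src dst action")   # action "allow" | "deny"; first match wins

# Constructed CMDB-style inventory: application -> criticality, data class, owner, hosts.
APPS = {
    "billing":  {"criticality": "high", "data": "pci", "owner": "finance-apps@example.com",
                 "hosts": ["10.3.3.3"]},
    "intranet": {"criticality": "medium", "data": "internal", "owner": "it-web@example.com",
                 "hosts": ["10.3.3.3", "10.3.3.4"]},
}
CRIT = {"low": 1, "medium": 2, "high": 3}
DATA = {"internal": 1, "pii": 2, "pci": 3}
REGULATED = {"pii", "pci"}          # data classes that carry reporting duties (assumed)

def _public_space():
    """0.0.0.0/0 minus RFC1918, so 'can reach the Internet' never means 'can reach 10.x'."""
    nets = [ipaddress.ip_network("0.0.0.0/0")]
    for private in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"):
        p = ipaddress.ip_network(private)
        nets = [x for n in nets for x in (n.address_exclude(p) if p.subnet_of(n) else [n])]
    return nets

ZONES = {
    "app":      [ipaddress.ip_network("10.3.3.0/24")],
    "pci-db":   [ipaddress.ip_network("10.9.0.0/24")],
    "internet": _public_space(),
}
SENSITIVE_ZONES = {"pci-db"}

# Constructed first-match policy: east-west and perimeter rules, merged in order.
POLICY = [
    Rule("10.3.3.3/32", "10.9.0.0/24", "allow"),   # billing may talk to the PCI database
    Rule("10.3.3.0/24", "10.9.0.0/24", "deny"),    # nothing else in the app zone may
    Rule("10.3.3.0/24", "0.0.0.0/0",   "allow"),   # the app zone may reach the Internet
]

def can_reach(policy, src_ip, dst_zone):
    """True if src_ip may reach at least one address of dst_zone.  Each matching
    rule consumes the part of the zone its destination covers (CIDR blocks either
    nest or are disjoint, so address_exclude is enough); what is left falls
    through to later rules and finally to the implicit deny."""
    src = ipaddress.ip_address(src_ip)
    remaining = list(ZONES[dst_zone])
    for r in policy:
        rule_src, rule_dst = ipaddress.ip_network(r.src), ipaddress.ip_network(r.dst)
        if src not in rule_src:
            continue
        unmatched = []
        for net in remaining:
            if net.subnet_of(rule_dst):             # rule covers this whole piece
                if r.action == "allow":
                    return True
            elif rule_dst.subnet_of(net):           # rule covers part of this piece
                if r.action == "allow":
                    return True
                unmatched.extend(net.address_exclude(rule_dst))
            else:                                   # disjoint, untouched by this rule
                unmatched.append(net)
        remaining = unmatched
        if not remaining:
            break
    return False

def triage(host, policy=POLICY):
    apps = {name: a for name, a in APPS.items() if host in a["hosts"]}
    criticality = max((CRIT[a["criticality"]] for a in apps.values()), default=0)
    sensitivity = max((DATA[a["data"]] for a in apps.values()), default=0)
    exfil = can_reach(policy, host, "internet")
    stepping = sorted(z for z in SENSITIVE_ZONES if can_reach(policy, host, z))
    # Security risk: damage while the attack runs, driven by data sensitivity and reachability.
    security = sensitivity + (2 if exfil else 0) + (2 if stepping else 0)
    # Operational risk: downtime and side effects of the fix, driven by business criticality.
    operational = criticality
    urgency = "now" if security >= 5 else "tonight" if security >= 3 else "change-control window"
    if stepping:
        aggressiveness = "disconnect"  # a lateral path into sensitive data outweighs downtime
    elif exfil:
        # keep a critical application running and cut only its egress; cheap hosts just go offline
        aggressiveness = "filter" if operational >= 2 else "disconnect"
    else:
        aggressiveness = "patch"       # nothing reachable to lose: fix in the next window
    report_to = sorted({a["owner"] for a in apps.values()})
    if any(a["data"] in REGULATED for a in apps.values()):
        report_to.append("compliance")  # regulatory reporting duties attach to PCI/PII data
    return {"host": host, "applications": sorted(apps), "security_risk": security,
            "operational_risk": operational, "exfiltration_possible": exfil,
            "stepping_stone_to": stepping, "urgency": urgency,
            "aggressiveness": aggressiveness, "report_to": report_to}

if __name__ == "__main__":
    for h in ("10.3.3.3", "10.3.3.4"):
        print(triage(h))
```

Running it, 10.3.3.3 (billing, PCI data, an allowed path into the PCI database and to the Internet) comes out as "now / disconnect" with finance, IT and compliance on the report list, while 10.3.3.4 (intranet only, Internet egress but no path to the sensitive zone) comes out as "tonight / filter". The reachability check deliberately evaluates the policy as first-match with CIDR subtraction rather than testing one representative address, because a zone can be partly denied and partly allowed by overlapping rules and only the leftover decides.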
RESPONSE: TAKING ACTION
• Contain:
  • Remediate through automatic isolation of compromised servers from the network
• Report:
  • Report the incident to the relevant teams
  • Maintain an audit trail of the actions taken
BUSINESS-DRIVEN REMEDIATION: WHEN TO ISOLATE?
• Timing of isolation may be important
  • How urgent and how severe is the issue?
  • In which time zones are the affected application’s users?
• Possible outcomes:
  • Do it now!
  • Use an unscheduled change-control window (tonight)
  • Wait for a normal change-control window? (next week)
TECHNICAL CONSIDERATIONS IN REMEDIATION
WHERE TO ISOLATE (NETWORK SEGMENT)?
• Find the filtering devices closest to the impacted system
[Diagram: impacted system and the candidate isolation points around it]
L2 / HOST-BASED ISOLATION
• NAC to disconnect the Ethernet port
• Wireless hotspot to disconnect the mobile host
• Virtual / SDN to quarantine the host
• Advantage: isolates the host from all others
• Challenges:
  • Finding the port to disconnect (IP address -> L2 port number)
  • Blocks access from the management network for patching and forensics
FIREWALL-BASED ISOLATION
• Use firewall(s) and filtering routers to block/restrict traffic to/from the device
• Advantages:
  • At arm’s length from the infected host, retains forensic evidence
  • Filtering is what firewalls do
  • No additional equipment required
• Challenges:
  • Isolation is only as good as the network segmentation
  • Multiple filtering technologies and platforms: on-prem, SDN, cloud
RESTRICT RATHER THAN ISOLATE?
• Put the “other side” of the connection on a black-list
  • Web proxy (e.g. BlueCoat, zScaler, WAF)
• Restrict the infected machine to only specific services
• Restrict to only internal addresses
  • DLP
  • Disconnect from botnet C&C
  • Prevent participation in outbound DDoS
• Restrict to only external addresses (e.g., for web-facing servers)
  • Block access to sensitive internal data
  • Prevent attacks on internal servers
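The last three slides (where to isolate, firewall-based isolation, restrict rather than isolate), as one added example that is not part of the deck and not AlgoSec's code. The topology (two devices and the subnets on their interfaces), the management subnet and the vendor-neutral rule format are constructed assumptions. It picks the filtering device closest to the host, generates the rule set for full isolation, internal-only or external-only restriction, and keeps the management network allowed ahead of the denies so forensics and patching keep working (the gap the L2 slide points out):

```python
"""Pick the isolation point closest to a compromised host and generate the
filtering rules for it, in the three shapes the slides discuss: full isolation,
internal-only (stop exfiltration / C&C / outbound DDoS) and external-only (protect
internal servers and data).  Added example, not AlgoSec's code; the topology,
management subnet and rule format are constructed assumptions."""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MGMT = ipaddress.ip_network("10.200.0.0/24")    # jump hosts for forensics and patching (assumed)

# Constructed topology: each filtering device and the subnets on its interfaces.
DEVICES = {
    "fw-dc-east-west": ["10.3.3.0/24", "10.3.4.0/24", "10.9.0.0/24"],
    "fw-perimeter":    ["10.0.0.0/8", "0.0.0.0/0"],
}

def isolation_points(host):
    """Devices whose interfaces cover the host, most specific subnet first.
    The perimeter (default route) always qualifies, as the outermost ring."""
    ip = ipaddress.ip_address(host)
    candidates = []
    for name, subnets in DEVICES.items():
        match = [ipaddress.ip_network(s).prefixlen for s in subnets if ip in ipaddress.ip_network(s)]
        if match:
            candidates.append((max(match), name))
    return [name for _, name in sorted(candidates, reverse=True)]

def rules_for(host, mode):
    """Rules are (action, src, dst); first match wins and they are prepended to the
    existing policy, which keeps deciding anything they do not match.  The
    management allows come first so forensics and patching keep working."""
    h = f"{host}/32"
    rules = [("allow", str(MGMT), h), ("allow", h, str(MGMT))]
    if mode == "isolate":
        rules += [("deny", h, "0.0.0.0/0"), ("deny", "0.0.0.0/0", h)]
    elif mode == "internal-only":       # cuts exfiltration, C&C and outbound DDoS
        rules += [("allow", h, str(n)) for n in RFC1918] + [("deny", h, "0.0.0.0/0")]
    elif mode == "external-only":       # web-facing server: no path to internal data/servers
        rules += [("deny", h, str(n)) for n in RFC1918]
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return rules

def permits(rules, src, dst, fallthrough=True):
    """First-match check of one src->dst pair; `fallthrough` stands in for the
    verdict of the pre-existing policy when no generated rule matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rsrc, rdst in rules:
        if s in ipaddress.ip_network(rsrc) and d in ipaddress.ip_network(rdst):
            return action == "allow"
    return fallthrough

def plan(host, mode):
    """Where to apply (closest device first, the rest as fallback) and what to push;
    a real deployment renders the tuples into each platform's own syntax."""
    devices = isolation_points(host)
    if not devices:
        raise LookupError(f"no filtering device covers {host}")
    return {"apply_on": devices[0], "fallback": devices[1:], "rules": rules_for(host, mode)}

def render(p):
    """Vendor-neutral text form of a plan, one rule per line."""
    return [f"{p['apply_on']}: {action} {src} -> {dst}" for action, src, dst in p["rules"]]

if __name__ == "__main__":
    print("\n".join(render(plan("10.3.3.3", "internal-only"))))
```

For 10.3.3.3 the closest device is the east-west firewall, with the perimeter as the fallback ring; `permits` is the pre-change check an analyst would want before pushing: management to host still allowed, host to 8.8.8.8 denied under internal-only, host to the database subnet denied under external-only. The ordering matters: the same rules with the management allows after the denies would reproduce the L2 problem of locking out the forensics team.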
AUTOMATION AND QUICK ACCESS TO INFORMATION
NUMBER OF INCIDENTS CONSTANTLY INCREASING
• Shortage of security talent
• Automate as much as possible
• Make information easily accessible, stay in context
  • Saves time
  • Less product-specific knowledge required to collect all incident information
[Screenshots: SIEM integration, recoverable captions only]
• AlgoSec App adds an action menu to all IP address fields
• Critical business process? (identify business impact, set priority)
• Who to report to?
• Custom business logic; machine-readable data to allow further integration
• Can reach Internet? Data exfiltration possible (from impacted system to Internet)
• Can reach sensitive zone? Stepping stone, regulatory impact, reporting requirements (from impacted system to sensitive zone)
• Quick Access – Chat “bots”
SUMMARY
• Overview of Incident Response processes
• Business Driven Incident Response
• Technical Considerations in Remediation
• Automation and Quick Access to Information
MORE RESOURCES
THANK YOU!
Questions: [email protected]