David Bianco - Enterprise Security Monitoring
1. PRESENTED BY:
© Mandiant Corporation. All rights reserved.
Enterprise Security Monitoring
Comprehensive Intel-Driven Detection
David J. Bianco
David.Bianco@mandiant.com
BSIDES AUGUSTA
14 SEPTEMBER, 2013
6. Benefits of Enterprise Security Monitoring
• Increased visibility across the entire organization
• Get more value out of existing systems
• Data aggregation is “hunter friendly”
• Better organization around:
  • Detection platform coverage
  • Detection planning
    • General
    • Threat-specific
  • Prioritization of detection resources
• Quicker, more accurate incident detection and response
• Leverage your detection/response infra as an offensive capability
10. Intel-Driven Operations Process
(Diagram) Three linked cycles, each backed by its own database and joined by feedback loops:
• Intel (Intel DB): Research → Analyze → Conclude; its output is Indicators
• Detect (Detect DB): Observe → Compare → Alert; its output is Alerts
• Respond (Respond DB): Validate → Investigate → Contain → Remediate
Indicators flow from Intel into Detect, Alerts flow from Detect into Respond, and Feedback flows back between the cycles.
11. Intel-Driven Detection
(Diagram) Enterprise Security Monitor: Intel feeds Detection Processing (Sigs, Intel), which produces Alerts & Queries for Analysts.
Enterprise data sources feeding the monitor: NSM / IDS, Firewalls, Routers, Switches, OS Logs, App Logs, Proxy Logs, Web Logs, Antivirus, HIDS/HIPS, Other Enterprise Data.
12. What is an indicator?
A piece of information that points to a certain conclusion.
14. Common Indicator Data Types
• IPv4 Address
• Domain / FQDN
• Hash (MD5, SHA1)
• URL
• Transaction Element (User-Agent, MTA)
• File Name / Path
• Mutex
• Registry Value
• User Name
• Email Address
15. Indicator Characteristics
• Extractable: Can I find this indicator in my data?
• Purposeful: To what use will I put this indicator?
• Actionable: If I find this indicator in my data, can I do something with that information?
16. Indicator Purposes
• Attribution: Who/what is responsible for this activity?
• Detection: If this event happens, I want to know about it.
• Profiling: What are the targeting parameters for this threat?
• Prediction: Given the current state, what can I expect from this threat in the future?
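The three characteristics on slide 15 and the four purposes on slide 16 are easy to turn into a gate in front of the intel database: an indicator is loaded only if some data source can expose its type, a purpose is attached, and a response is defined. The following is an added example (not code from the talk or from Mandiant) that models that gate and then compares the loaded indicators with constructed proxy and mail log lines. The data-source field inventory, the two log formats, and every indicator value are assumptions made for this example.

```python
"""Indicator triage and matching against enterprise data sources.

Added example, not from the original slides: models the indicator
characteristics (extractable, purposeful, actionable) and purposes from the
talk, then compares a constructed indicator set with constructed proxy and
mail log lines. The source inventory, log formats and indicator values are
all assumptions made for this example.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Assumed inventory: which indicator data types each enterprise data source exposes.
SOURCE_FIELDS = {
    "proxy_log": {"ipv4-addr", "domain", "url", "user-agent"},
    "mail_log": {"e-mail", "subject", "x-mailer"},
    "av_log": {"md5", "file-name"},
}
PURPOSES = {"attribution", "detection", "profiling", "prediction"}


@dataclass(frozen=True)
class Indicator:
    value: str
    data_type: str
    purposes: frozenset
    action: str = ""  # what to do on a hit; empty means nobody has decided

    def extractable(self):
        """Extractable: the data sources in which this indicator type can be found."""
        return sorted(s for s, fields in SOURCE_FIELDS.items() if self.data_type in fields)

    def purposeful(self):
        """Purposeful: at least one recognised purpose is attached."""
        return bool(self.purposes) and self.purposes <= PURPOSES

    def actionable(self):
        """Actionable: a response is defined for a hit."""
        return bool(self.action)


def triage(ind):
    """Names of the characteristics an indicator fails; an empty list means load it."""
    checks = [("extractable", ind.extractable()), ("purposeful", ind.purposeful()),
              ("actionable", ind.actionable())]
    return [name for name, ok in checks if not ok]


# Constructed proxy line: <ts> <client-ip> <dest-ip> <method> <url> "<user-agent>"
PROXY_RE = re.compile(r'^(?P<ts>\S+) (?P<client>\S+) (?P<dst>\S+) (?P<method>\S+) '
                      r'(?P<url>\S+) "(?P<ua>[^"]*)"$')
# Constructed mail line: space-separated key="value" pairs
MAIL_RE = re.compile(r'([\w-]+)="([^"]*)"')


def parse_proxy(line):
    m = PROXY_RE.match(line)
    if not m:
        return None
    return {"source": "proxy_log", "ipv4-addr": m["dst"], "url": m["url"],
            "domain": (urlsplit(m["url"]).hostname or "").lower(), "user-agent": m["ua"]}


def parse_mail(line):
    kv = dict(MAIL_RE.findall(line))
    if "from" not in kv:
        return None
    return {"source": "mail_log", "e-mail": kv["from"].lower(),
            "subject": kv.get("subject", ""), "x-mailer": kv.get("x-mailer", "")}


def matches(ind, record):
    observed = record.get(ind.data_type)
    if observed is None:
        return False
    if ind.data_type == "domain":  # a domain indicator also covers its subdomains
        return observed == ind.value or observed.endswith("." + ind.value)
    return observed.lower() == ind.value.lower()


def scan(records, indicators):
    """Compare each record with each indicator its source can expose; return the hits."""
    return [(ind.value, sorted(ind.purposes), ind.action)
            for rec in records for ind in indicators
            if ind.data_type in SOURCE_FIELDS[rec["source"]] and matches(ind, rec)]


# Constructed indicators (placeholder values, not real IoCs).
INDICATORS = [
    Indicator("c2.example-bad.test", "domain", frozenset({"detection", "attribution"}),
              "block at proxy, open incident"),
    Indicator("[email protected]", "e-mail", frozenset({"detection"}),
              "quarantine message, notify recipients"),
    Indicator("Mozilla/4.0 (compatible; MSIE 6.0; Win32)", "user-agent", frozenset({"profiling"}),
              "tag session for hunt review"),
    Indicator("Global\\evil-mutex-00", "mutex", frozenset({"detection"}), "isolate host"),
    Indicator("203.0.113.77", "ipv4-addr", frozenset(), ""),
]
# Constructed log lines.
PROXY_LINES = [
    '1379160001.5 10.0.0.12 203.0.113.10 GET http://www.example.org/index.html "Mozilla/5.0"',
    '1379160002.1 10.0.0.12 203.0.113.77 GET http://beacon.c2.example-bad.test/gate.php '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Win32)"',
]
MAIL_LINES = ['from="[email protected]" subject="Invoice overdue" x-mailer="ConstructedMailer 1.0"']


def run():
    """Load only the indicators that pass triage, then scan the constructed logs."""
    loaded = [ind for ind in INDICATORS if not triage(ind)]
    records = [parse_proxy(l) for l in PROXY_LINES] + [parse_mail(l) for l in MAIL_LINES]
    return {"loaded": [ind.value for ind in loaded],
            "rejected": {ind.value: triage(ind) for ind in INDICATORS if triage(ind)},
            "hits": scan([r for r in records if r], loaded)}


if __name__ == "__main__":
    for key, val in run().items():
        print(key, val)
```

Two of the five constructed indicators never reach the matcher: the mutex is not extractable because no source in the inventory exposes mutexes, and the bare IP address carries neither a purpose nor an action, so a hit on it would tell the analyst nothing they could use. Each hit that does fire carries its purposes and action with it, which is what lets the alert be routed rather than merely logged.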
17. The Kill Chain
Reconnaissance → Weaponization → Delivery → Exploitation → Installation → Command & Control (C2) → Actions on Objectives
“a systematic process to target and engage an adversary to create desired effects.”
Source: “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains”, Hutchins, Cloppert, Amin, http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf (Last checked August 2013)
20. I don’t have a cool name for this. “Bed of Nails”?
Reconnaissance → Weaponization → Delivery → Exploitation → Installation → Command & Control (C2) → Actions on Objectives
21. Intel-Driven Detection Planning
• What scenarios do we need to be able to detect?
• What are our options for detecting them?
• What are the strengths and weaknesses of our detection program today?
• What is our detection stance against specific actors?
• What is our overall plan for detection across our enterprise?
22. What scenarios do we need to be able to detect?
Indicator types by kill-chain phase:
• Reconnaissance: File - Name; File; URI - URL; HTTP - GET; HTTP - User Agent String; URI - Domain Name; Address - e-mail; Address - ipv4-addr
• Weaponization: File; File - Path; URI - URL
• Delivery: Behavior; File - Full Path; File - Name; File; URI - URL; HTTP - POST; Email Header - Subject; Email Header - X-Mailer; URI - Domain Name; Hash - MD5; Hash - SHA1; Address - e-mail; Address - ipv4-addr
• Exploitation: Behavior; Win Registry Key; File - Name; File; URI - URL; Streetname - McAfee; Streetname - Sophos; URI - Domain Name; Hash - MD5; Hash - SHA1; Address - cidr; Address - ipv4-addr
• Installation: Code - Binary_Code; Win Process; Win Registry Key; File - Full Path; File - Name; File; File - Path; URI - URL; HTTP - GET; HTTP - User Agent String; Streetname - McAfee; Streetname - Sophos; URI - Domain Name; Hash - MD5; Hash - SHA1; Hash - SSDEEP; Address - e-mail; Address - ipv4-addr
• Command & Control (C2): Behavior; Win Process; Win Registry Key; File; URI - URL; HTTP - GET; HTTP - POST; HTTP - User Agent String; URI - Domain Name; Hash - MD5; Address - e-mail; Address - ipv4-addr
• Actions on Objectives: Behavior; Win Registry Key; Win Service; File - Full Path; File - Name; File; File - Path; URI - URL; Streetname - Sophos; URI - Domain Name; Hash - MD5; Hash - SHA1; Address - ipv4-addr
23. Detection Options - Snort (same indicator matrix as slide 22)
24. Detection Options - HIPS (same indicator matrix as slide 22)
25. Detection Options - MIR (same indicator matrix as slide 22)
26. Score Card: Use of Available Indicators (same indicator matrix as slide 22)
27. Score Card: Pyramid Effectiveness of Indicators (same indicator matrix as slide 22)
28. Score Card: Effectiveness Against APT-Ď
Indicator types observed for this actor, by kill-chain phase:
• Reconnaissance: URI - Domain Name; Address - ipv4-addr
• Weaponization: none
• Delivery: Email Header - Subject; Email Header - X-Mailer; URI - Domain Name; Hash - MD5; Hash - SHA1; Address - e-mail; Address - ipv4-addr
• Exploitation: Win Registry Key; File - Name; File; URI - URL; Streetname - McAfee; URI - Domain Name; Hash - MD5; Hash - SHA1; Address - cidr; Address - ipv4-addr
• Installation: Code - Binary_Code; Win Process; Win Registry Key; File - Full Path; File - Name; File; File - Path; URI - URL; HTTP - GET; HTTP - User Agent String; Streetname - McAfee; URI - Domain Name; Hash - MD5; Hash - SHA1; Address - ipv4-addr
• Command & Control (C2): Behavior; Win Process; Win Registry Key; File; URI - URL; HTTP - GET; HTTP - POST; HTTP - User Agent String; URI - Domain Name; Hash - MD5; Address - e-mail; Address - ipv4-addr
• Actions on Objectives: Behavior; Win Registry Key; Win Service; File - Full Path; File - Name; File; File - Path; URI - URL; Streetname - Sophos; URI - Domain Name; Hash - MD5; Hash - SHA1; Address - ipv4-addr
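Slides 22 through 28 are one matrix viewed four ways: the indicator types available per kill-chain phase, which of them each platform (Snort, HIPS, MIR) can act on, how valuable each type is, and which of them a particular actor actually exhibits. The following added example (not code from the talk or from Mandiant) computes those score cards from the matrix. The per-phase indicator types are transcribed from slide 22 and the actor's types from slide 28; the platform capability sets and the Pyramid-of-Pain style weights are assumptions made for this example, not the speaker's figures.

```python
"""Kill-chain detection score card.

Added example, not from the original slides. AVAILABLE is transcribed from
the slide 22 matrix and ACTOR from the slide 28 matrix; the platform
capability sets and the Pyramid-of-Pain style weights are assumptions made
for this example, not Mandiant's or the speaker's figures.
"""

# Indicator types per kill-chain phase (slide 22).
AVAILABLE = {
    "Reconnaissance": {"File - Name", "File", "URI - URL", "HTTP - GET", "HTTP - User Agent String",
                       "URI - Domain Name", "Address - e-mail", "Address - ipv4-addr"},
    "Weaponization": {"File", "File - Path", "URI - URL"},
    "Delivery": {"Behavior", "File - Full Path", "File - Name", "File", "URI - URL", "HTTP - POST",
                 "Email Header - Subject", "Email Header - X-Mailer", "URI - Domain Name",
                 "Hash - MD5", "Hash - SHA1", "Address - e-mail", "Address - ipv4-addr"},
    "Exploitation": {"Behavior", "Win Registry Key", "File - Name", "File", "URI - URL",
                     "Streetname - McAfee", "Streetname - Sophos", "URI - Domain Name",
                     "Hash - MD5", "Hash - SHA1", "Address - cidr", "Address - ipv4-addr"},
    "Installation": {"Code - Binary_Code", "Win Process", "Win Registry Key", "File - Full Path",
                     "File - Name", "File", "File - Path", "URI - URL", "HTTP - GET",
                     "HTTP - User Agent String", "Streetname - McAfee", "Streetname - Sophos",
                     "URI - Domain Name", "Hash - MD5", "Hash - SHA1", "Hash - SSDEEP",
                     "Address - e-mail", "Address - ipv4-addr"},
    "Command & Control": {"Behavior", "Win Process", "Win Registry Key", "File", "URI - URL",
                          "HTTP - GET", "HTTP - POST", "HTTP - User Agent String",
                          "URI - Domain Name", "Hash - MD5", "Address - e-mail", "Address - ipv4-addr"},
    "Actions on Objectives": {"Behavior", "Win Registry Key", "Win Service", "File - Full Path",
                              "File - Name", "File", "File - Path", "URI - URL", "Streetname - Sophos",
                              "URI - Domain Name", "Hash - MD5", "Hash - SHA1", "Address - ipv4-addr"},
}

# Indicator types observed for one actor, per phase (slide 28).
ACTOR = {
    "Reconnaissance": {"URI - Domain Name", "Address - ipv4-addr"},
    "Weaponization": set(),
    "Delivery": {"Email Header - Subject", "Email Header - X-Mailer", "URI - Domain Name",
                 "Hash - MD5", "Hash - SHA1", "Address - e-mail", "Address - ipv4-addr"},
    "Exploitation": {"Win Registry Key", "File - Name", "File", "URI - URL", "Streetname - McAfee",
                     "URI - Domain Name", "Hash - MD5", "Hash - SHA1", "Address - cidr", "Address - ipv4-addr"},
    "Installation": {"Code - Binary_Code", "Win Process", "Win Registry Key", "File - Full Path",
                     "File - Name", "File", "File - Path", "URI - URL", "HTTP - GET",
                     "HTTP - User Agent String", "Streetname - McAfee", "URI - Domain Name",
                     "Hash - MD5", "Hash - SHA1", "Address - ipv4-addr"},
    "Command & Control": {"Behavior", "Win Process", "Win Registry Key", "File", "URI - URL",
                          "HTTP - GET", "HTTP - POST", "HTTP - User Agent String",
                          "URI - Domain Name", "Hash - MD5", "Address - e-mail", "Address - ipv4-addr"},
    "Actions on Objectives": {"Behavior", "Win Registry Key", "Win Service", "File - Full Path",
                              "File - Name", "File", "File - Path", "URI - URL", "Streetname - Sophos",
                              "URI - Domain Name", "Hash - MD5", "Hash - SHA1", "Address - ipv4-addr"},
}

# Assumed capabilities: the indicator types each detection platform can match on.
PLATFORMS = {
    "Snort": {"Address - ipv4-addr", "Address - cidr", "URI - Domain Name", "URI - URL", "HTTP - GET",
              "HTTP - POST", "HTTP - User Agent String", "Address - e-mail",
              "Email Header - Subject", "Email Header - X-Mailer"},
    "HIPS": {"File - Name", "File - Path", "File - Full Path", "Win Registry Key", "Win Process",
             "Win Service", "Streetname - McAfee", "Streetname - Sophos"},
    "MIR": {"Hash - MD5", "Hash - SHA1", "File", "File - Name", "File - Path", "File - Full Path",
            "Win Registry Key", "Win Process", "Win Service", "Code - Binary_Code"},
}

# Assumed Pyramid-of-Pain style weights by indicator family: a hash is the cheapest thing for
# the adversary to change and behaviour the most expensive, so behaviour detections count most.
WEIGHTS = {"Hash": 1, "Address": 2, "URI": 3, "Email Header": 3, "HTTP": 4, "File": 4,
           "Win Registry Key": 4, "Win Process": 4, "Win Service": 4, "Streetname": 4,
           "Code": 5, "Behavior": 6}


def weight(indicator_type):
    return WEIGHTS.get(indicator_type.split(" - ")[0], 3)


def coverage(phase, platforms=PLATFORMS):
    """Split a phase's available indicator types into (covered, uncovered) by the platforms."""
    can_match = set().union(*platforms.values())
    covered = AVAILABLE[phase] & can_match
    return sorted(covered), sorted(AVAILABLE[phase] - covered)


def phase_score(phase, platforms=PLATFORMS):
    """Weighted share of the phase's indicator types that some platform can detect on."""
    covered, uncovered = coverage(phase, platforms)
    total = sum(weight(t) for t in covered + uncovered)
    return round(sum(weight(t) for t in covered) / total, 2) if total else 0.0


def score_card(platforms=PLATFORMS):
    return {phase: phase_score(phase, platforms) for phase in AVAILABLE}


def actor_gaps(actor=ACTOR, platforms=PLATFORMS):
    """Per phase, the actor's indicator types that no platform can match: the detection gaps."""
    can_match = set().union(*platforms.values())
    return {phase: sorted(types - can_match) for phase, types in actor.items() if types - can_match}


if __name__ == "__main__":
    for phase, score in score_card().items():
        print(f"{phase:22s} {score:.2f}  uncovered: {coverage(phase)[1]}")
    print("actor gaps:", actor_gaps())
```

Passing a subset of platforms (for example only Snort) reproduces the per-platform views of slides 23 to 25; the full set gives the "use of available indicators" view; the weights give the "pyramid effectiveness" view; and actor_gaps gives the "against a specific actor" view. With the assumed capabilities, the only uncovered types are Behavior and Hash - SSDEEP, and the actor's gaps fall in Command & Control and Actions on Objectives, the phases where the talk's own matrix relies on behavioural indicators most.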
30. Summary
• NSM:IDS :: ESM:NSM (ESM is to NSM what NSM is to IDS)
• Collect and aggregate across your entire enterprise
  • Increased visibility
  • Maximum use of resources
  • Better for “hunting”
• Organize intel for better program insights
• Big improvements in detection & response capabilities for minimal investment
• Smart detection makes for frustrated adversaries!
31. Questions?
David J. Bianco
David.Bianco@mandiant.com
detect-respond.blogspot.com