Strictly confidential – Do not distribute
Layered Detection and Response
Day in the Life
KEYS TO SUCCESS:
1. The Right People
2. Standard Processes
3. Leveraged Technology
Threat Manager
Tier 1 – Threat Analysts (4)
• Console monitoring
• Take action
• 5-7 minutes on average per alert
Tier 2 – Advanced Analysis / Response (2)
• Deep investigation
• Tuning and mitigation
• 30 minutes on average per alert
Tier 3 – Network Hunter, Endpoint Hunter, Malware Hunter, Threat Intel
• Malware reverser
• Data pivot and trend
• Industry alert
• Threat hunting
SpiderLabs Cyber Threat Intelligence
The Real Secret Sauce
Trustwave Threat Intelligence
SL-PT: CREATE
• OSX Skype Backdoor (12/16)
• Bopup Server Remote Buffer Overflow (11/16)
• Linux Kernel Bypass Technique (3/16)
SL-RES: ANALYZE
• Malware family discoveries: Punkey, Alina, Backoff…
• Exploit Kit Tracking: RIG, Neutrino, Angler, etc.
• Global Botnet Tracking: Conficker, ZeroAccess, etc.
SL-IR: INVESTIGATE
• Deep dive breach investigations yield libraries of IoCs
• Actor tracking & attribution: Carbanak (2016-17)
• Threat briefs and community education
SL-TO: ASSIMILATE
• External and internal threat intel assimilation: Cymru, CB, Homeland Security, VirusTotal, Emerging Threats, etc.
• Telco Partnerships
• Continual hunting and triage response
Response & Hunting in Action – Case Study
Customer: 150+ luxury hotels, Next-Gen Firewalls, Threat Prevention, MDR, IRP, Endpoint protection, strong & layered security
Tier 1 Alert – Excessive login attempts lead to Admin Accounts lockout
Tier 2 Escalation – Log/MDR review identifies lateral movement and active malware
Tier 3 Escalation – Reservation agent socially engineered to open malicious Word document. Attacker escalated privileges, shut down antivirus, enabled RDP and targeted customer PII and payment card data.
Remediation – Backdoors closed & security recommendations implemented
MDR Hunting – Attack profile generated. Carbanak attribution; hunt for IoCs identified dozens of attacker backdoors
Enterprise Hunting – Intel-fueled threat hunt across MSS enterprise. Multiple attempts identified, all attacks stopped at initial stages. Threat Brief helped external victims identify compromise
Types of damage caused by cyber threats include:
• Theft of identity, credit cards, intellectual property
• Spoofing transaction processes such as wire transfers or access credentials
• Business disruption from DDoS
• Criminal extortion
• Destruction (Saudi Aramco, Sony)
• Influencing business decisions (Sony, OPM)
• Weapons proliferation (Stuxnet, Duqu, Flame)
• Criminal exploitation (Ashley Madison)
In order to effectively defend your organization, you must think about the offensive strategy as well. But before we get ahead of ourselves, let’s talk briefly about the building blocks of a good offense. First is an architecture built around a security policy that is aligned with the business risk. Risk must be understood, and a cookie-cutter approach must be avoided here because, again, every organization is different and so are its risks.
Layered on that architecture is passive defense, which is where the traditional security products reside. The key for this stage is minimal human interaction, but clearly without a set-it-and-forget-it mentality, again reinforced by the security policy.
Now we move on to being more proactive and actively defending: using a SIEM to help with data collection and presentation to a 24x7 monitoring team, augmented with an incident response team to identify the areas of compromise. This includes reverse engineering malware to identify how the passive defenses and the architecture failed to detect it.
Building on active defense, we must infuse everything with intelligence and begin to go on missions to find the threats that have circumvented all controls and defenses thus far. These are the unknown or undetected threats, not simply the “missed” threats as is often perceived. There are two facets to hunting: identifying threats against your organization and identifying threats already in your organization. Both aspects must be covered.
I’ll leave you with a good non-technical example of this. Speaking as an Atlanta Falcons fan and Atlantan: many of you probably witnessed the greatest comeback story from Tom Brady and the Patriots. As amazing as that story is, the bigger question that all the analysts were answering on Monday morning was, “How did the Falcons lose with that big of a lead?” Besides some amazing math and analysts who did calculations to determine the probability of it happening, it could be summarized best as “The Falcons forgot to play offense when they were up by 25 points.” So the question you should ask is, “Did you forget to play offense and have faith only in your defense?”
So what types of services should an organization look at to play more offense? To understand this I want to walk through the threat continuum, which highlights that as greater visibility is achieved, so is greater analytics and investigation capability. What I typically see is that companies start with compliance-focused tools and services. There is low visibility and investigation capability here, but it meets most regulatory requirements and shows the organization’s maturity in security.
As organizations mature they begin to invest in threat monitoring, which falls under the active defense category. This is the table-stakes area for threat detection; I would even consider it the minimum starting point for an enterprise threat detection program.
The area all organizations should be investing in, or have a roadmap to, is the green area, which is focused on high visibility, analytics, and investigation. This is where intelligence and offense can increase your organization’s threat detection and, most importantly, protection by leveraging security orchestration.
Breaking down a few specifics in the green area, we see two areas of threat hunting: an endpoint approach as well as a network-based approach. It’s an 80-20 mix between the two. Also part of the hunting category is identity hunting, which consists of actively looking for your adversaries via social media, forums, and specifically the dark web. You must actively seek information that allows you to better protect your organization. This is how you get proactive and don’t wait until they try to deploy that specially crafted compromise.
The key challenge to threat hunting is that our adversaries are constantly changing their behavior; however, there are patterns we can be aware of and look for. We know that an attacker is going to target systems, upload code, create a command and control channel, and ensure they can survive a reboot. This is consistent behavior we can include in our hunts.
We then must look for anomalies that deviate from normal behavior; that is where tools like UEBA can be highly effective, helping to detect unknown or previously unseen hostile activity. Last, we must look for lateral movement. And when we find infected systems, we remove them immediately.
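As an added example that is not part of the original deck, the hunt logic below encodes the consistent attacker behaviors the notes list (target systems, persist across a reboot, open a command-and-control channel, move laterally) and the case study’s opening alert (excessive failed logons on an admin account) as checks over constructed telemetry. The event names, field layout and thresholds are assumptions standing in for real SIEM/EDR fields.

```python
from collections import Counter, defaultdict
from datetime import datetime
# Constructed sample telemetry, not from the deck: (timestamp, host, event, detail); event names are assumptions.
EVENTS = [
    # six failed logons against one admin account from ws-012 (the Tier 1 lockout alert)
    *[(f"2017-02-06T02:0{i}:00", "ws-012", "auth_fail", "admin") for i in range(6)],
    ("2017-02-06T02:09:00", "ws-012", "service_created", "svc_update"),  # persistence that survives a reboot
    # outbound connections to one destination every five minutes (command-and-control beacon)
    *[(f"2017-02-06T03:{m:02d}:00", "ws-012", "net_out", "203.0.113.7:443") for m in (0, 5, 10, 15)],
    ("2017-02-06T03:20:00", "srv-01", "remote_logon", "ws-012"),  # ws-012 fans out to three servers (detail = source)
    ("2017-02-06T03:22:00", "srv-02", "remote_logon", "ws-012"),
    ("2017-02-06T03:25:00", "srv-03", "remote_logon", "ws-012"),
    ("2017-02-06T08:00:00", "ws-044", "auth_fail", "jdoe"),  # benign noise that must not fire
    ("2017-02-06T08:01:00", "ws-044", "net_out", "198.51.100.9:443"),
    ("2017-02-06T08:02:00", "srv-01", "remote_logon", "ws-044"),
]

def failed_logon_storm(events, threshold=5):
    """Hosts with at least `threshold` failed logons against a single account."""
    hits = Counter((host, acct) for _, host, ev, acct in events if ev == "auth_fail")
    return sorted({host for (host, _), n in hits.items() if n >= threshold})

def persistence(events):
    """Hosts that installed something that survives a reboot (new service or autorun entry)."""
    return sorted({host for _, host, ev, _ in events if ev in ("service_created", "autorun_added")})

def beaconing(events, min_hits=4, tolerance_s=5):
    """Hosts whose outbound connections to one destination recur at a near-constant interval."""
    times = defaultdict(list)
    for ts, host, ev, dst in events:
        if ev == "net_out":
            times[(host, dst)].append(datetime.fromisoformat(ts))
    def regular(seen):
        gaps = [(b - a).total_seconds() for a, b in zip(seen, seen[1:])]
        return len(seen) >= min_hits and max(gaps) - min(gaps) <= tolerance_s
    return sorted({host for (host, _), seen in times.items() if regular(sorted(seen))})

def lateral_movement(events, min_targets=3):
    """Source hosts that remotely logged on to `min_targets` or more distinct hosts."""
    targets = defaultdict(set)
    for _, host, ev, src in events:
        if ev == "remote_logon":
            targets[src].add(host)
    return sorted(src for src, hosts in targets.items() if len(hosts) >= min_targets)

def hunt(events, min_behaviours=2):
    """Hosts showing `min_behaviours` or more of the patterns above: contain these first."""
    finders = (failed_logon_storm, persistence, beaconing, lateral_movement)
    score = Counter(host for find in finders for host in find(events))
    return {host: n for host, n in score.items() if n >= min_behaviours}
```

Scoring hosts on how many behaviors they exhibit, rather than on any single signature, is what turns the notes’ “hostile behavior, not malware” point into a prioritized containment list.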
I included a summary checklist that we use when conducting hunts for our clients.
Key here is that this is less about spotting malware and more about identifying hostile behavior and containing that behavior as quickly as possible.
I’ve talked about active defense, offense, and now hunting, so the question that must be addressed is: how do we successfully hunt?
First, let’s break hunting down into two categories, automated and manual. So how do we get from manual to automated? Because manual is expensive as well as time consuming. Manual hunting requires a high level of skill, which we know is in short supply in the market. Manual also isn’t scalable across all threats, many of which are imminent. We want to automate the collection and presentation of the data for the hunt to the greatest extent possible.
So looking at the Hunting Maturity Model, we first begin with basic automated alerting, which again comes from that compliance-focused mentality and basic active defense. Then we incorporate threat intel indicators into our searches, which move into the data analysis procedures previously created for the hunters. Next, if we identify a new threat that wasn’t previously covered, we create new data analysis procedures. Once these four steps are complete we move on to automation, where we automate the majority of the successful data analysis so our hunters can focus on the results.
To recap, the key objectives of a successful hunt are focused goals, limited searches, constant improvement based on feedback, automation, and of course measuring your success.