SlideShare ist ein Scribd-Unternehmen logo

Reducing cyber risks in the era of digital transformation

Sergey Soldatov
Sergey Soldatov

The session record is available here: https://www.youtube.com/watch?v=5-CoJNjtAmY Link to all sessions from Sberbank ICC: https://icc.moscow/translyatsii.html

Technologie
1 von 41
Downloaden Sie, um offline zu lesen
Reducing cyber risks in the era of digital transformation Sergey Soldatov Head of Security Operations Center, R&D Security Services
WHO AM I ? Since 2016: Head of SOC at Kaspersky lab Internal SOC Commercial MDR* services 2012 – 2016: Chief manager at RN-Inform Rosneft security services insourcing 2002 – 2012: TNK-BP Group IT security integration into business and IT operations Security controls in IT projects Security operations 2001-2002: Software developer at RIPN BMSTU graduate CISA, CISSP Speaker, writer, participant, volunteer * Managed Detection and Response
THE ERA OF DIGITAL TRANSFORMATION Business models Processes and organization Intelligence and preparation Research Professionalism More dependent on IT Raise of IT security Higher attack complexity And COST More business risks in IT Motivation
ATTACKER PERSPECTIVE Pentest-like “Offensive certified hackers” Outsourced service Profitable business Based on cutting edge research and approaches
ATTACKER PERSPECTIVE Pentest-like “Offensive certified hackers” Outsourced service Profitable business Based on cutting edge research and approaches * Tactics, techniques and procedures Classics Anti-forensics Multi-stage Modernity spirit: File less & Malware less Living off the land Bring your own land Off-the-shelf attack simulation toolsets New mysterious TTP*
LIVING OFF THE LAND Malware-less Use of built-in OS tools In-memory only (file-less) Maximum use of context knowledge (make no anomalies): Use tools that are already used Use protocols that are already used Don’t talk when the net is quiet https://www.youtube.com/watch?v=j-r6UonEkUw
BRING YOUR OWN LAND When PowerShell is not an option All requited functionality is part of specially created PE Malicious code is run in legitimate process memory – no suspicious parent- child relationship, no artefacts on disk Available in off-the-shelf adversary emulation tools (Cobalt strike) https://www.fireeye.com/blog/threat- research/2018/06/bring-your-own-land-novel-red-teaming- technique.html
AVAILABLE TOOLSETS Commercially supported and maintained Very difficult attribution Disguise capabilities: False attribution Benign activity
ATTACKER ALWAYS ATTACKS THE WEAKEST LINK http://reply-to-all.blogspot.com/2018/04/blog-post.html
Prevention Detection  Threat hunting Response …AND CYBER WEAPON FOR ALL! The resources of the attacker are limitless! https://reply-to-all.blogspot.com/2017/03/blog-post_22.html
1% OF ATTACKS – 90% OF DAMAGE 29% 70% 1% Known threats Unknown threats Sophisticated threats Targeted attacks APT Large enterprises SMB Average loss from a single targeted attack $ 2,54M $ 84K * According to Kaspersky lab and B2B international research “Enterprise information security”. Average damage from single targeted attack, including direct losses and indirect costs of restoration after the attack.
THREAT LANDSCAPE OUTRO Layers: By approach: Prevent  Detect  Hunt By technology: Entities  Behavior  Statistics  ML  DL By Kill Chain: Pre-breach  Post-breach By decision maker: Sensor  Cloud  Human By media: Endpoint  Network Cycles: Threat intel  Detect  Practice  Threat intel Hunt  Detect  Hunt
LAYERS
Prevention systems Detection systems Threat hunting ~100% known evil <100% known evil unknown evil Prevent FindDetect If possible automatically prevent… Automatic Manual Protection Detection & response Degree of uncertainty Automatic + Check APPROACH LAYERS: PREVENT  DETECT  HUNT http://reply-to-all.blogspot.com/2017/11/epp-edr.html
THREAT HUNTING 15 https://sqrrl.com/solutions/cyber-threat-hunting/ Cyber threat hunting is the practice of searching iteratively through data to detect advanced threats that evade traditional security solutions.
PROTECTION STRATEGY – WAYS OF RETREAT
Endpoint AM-engine (AM) Sandbox (SB) Advantages • Real environment • Real user activity • Unlimited processing time • No performance limitations • Low impact from True Positive Disadvan- tages • Performance Limitations • Big impact from True Positive • Artificial environment • Emulated user activity (required actions may not be fulfilled) • Limited processing time DETECT LAYERS: ANTI-MALWARE & SANDBOX • Different technologies works with different effectiveness and efficiency against different attacks • AM and SB complement each other to better cumulative detection rate
DETECT LAYERS: DAVID BIANCO'S PYRAMID OF PAIN http://detect-respond.blogspot.ru/2013/03/the-pyramid-of-pain.html Commodity Prevention/Detection tools capabilities (can be done automatically) Human Analyst required IoC,IoA AM-signatureTTP-based detect
THE CONCEPT OF ‘HUNT’ (DETECTOR, RULE) • Run untrusted code with whitelisted tool (rundll32,regsvr32,mshta,odbcconf,etc) • Office app spawns cmd/powershell/etc • Access to paste service from non-browsers • … Techniques Example:
REAL ATTACK (SIMPLIFIED) 1-day .rtf exploit winword wecloud[.]biz/m11.xls download mshta start powershell wecloud[.]biz/d.doc AppDataRoaming22682.doc winword powershell wecloud[.]biz/p1.sqlite3 AppDataRoaming46961.txt (.dll) odbcconf AppDataRoaming6F633FD53B9B6C.txt (sct) download, execute regsvr32 cmd wecloud[.]biz/mail/changelog.txt drop AppDataRoamingrad7EF08.tmpcmd powershellCobaltstrike beacon execute .hta start start download save open start download decode,store,start start execute start execute start del dropstart execute start base-64 PS start
1-day .rtf exploit winword wecloud[.]biz/m11.xls download mshta executing_hta_via_com powershell wecloud[.]biz/d.doc AppDataRoaming22682.doc winword powershell wecloud[.]biz/p1.sqlite3 AppDataRoaming46961.txt (.dll) odbcconf AppDataRoaming6F633FD53B9B6C.txt (sct) download, execute regsvr32 cmd wecloud[.]biz/mail/changelog.txt drop AppDataRoamingrad7EF08.tmpcmd powershellCobaltstrike beacon execute .hta start start download save open start download decode,store,start start execute start execute start del dropstart execute start base-64 PSstart suspicious_powershell_cmd_or_script_spawning start suspicious_powershell_cmdline_downloading suspicious_powershell_cmdline_general_obfuscation proxying_arbitrary_code_execution_through_trusted_binaries executing_with_nonexecutable_extension application_whitelisting_bypass_via_regsvr32 AV_engine_inexact_detect TTP-BASED DETECTS
MITRE ATT&CK: ADVERSARIAL TACTICS, TECHNIQUES & COMMON KNOWLEDGE https://attack.mitre.org/wiki/Main_Page
https://www.lockheedmartin.com/us/what-we- do/aerospace-defense/cyber/cyber-kill-chain.html ATTACK KILL CHAIN
ATTACK LIFECYCLE 24 Time Observable attacker activity • Reconnaissance • Weaponization • Delivery • Exploitation • Installation • Command & Control • Actions on objective Months Minutes Years Passive Stealthy Fast Pre-breach Breach Post-breach
ATTACK KILL CHAIN COVERAGE: PRE-BREACH AND POST-BREACH SCENARIOS Prevention security controls Operational security (SOC) Incident response Time Breach! Pre-breach Post-breach Previously Currently Threat hunting
POST-BREACH: MITRE ATT&CK COVERAGE Consumer: the most appropriate way to assess EDR/MDR Vendor/Provider: Self- assessment for current capabilities and improvement planning
MEDIA COVERAGE Network Endpoint Persistence Privilegeescalation Defenseevasion Credentialaccess Discovery Lateralmovement Execution Collection Exfiltration CommandandControl Initialaccess
LEVELS OF DECISION MAKING Data  Sensor detects  Process behavior  OS events Micro correlation on sensor level:  All sensor detection technologies  Reputation (cloud) Macro correlation, TTP-based detection logic:  All TTP knowledge:  Internal research  MITRE ATT&CK  Security assessment/Red teaming  Incident response practice  Monitoring practice Adjustproductdetectionlogic Human analyst work, Threat hunting:  Check behavior hypotheses about attacker  Situational awareness  Investigate borderline cases  Overall process improvement Sensors (Event sources) Cloud Products
CYCLES
30 THREAT INTELLIGENCE CYCLE FOR CONSTANT IMPROVEMENT Threat Intelligence Threat Research Products Research infrastructure Services Threat-centric Target-centric Auto-detection data, Emulation data, KSN-statistics Operational practice Threats Targets
31 SECURITY OPERATIONS CYCLE (SIMPLIFIED) Threat Intelligence Detection Investigation Remediation Lessons learned MSSP scope: Particular customer GOV/LEA scope: Country, Industry
IT Roles Tasks Problems Value of TI Tactical level Network operation center (NOC) Feed indicators to security products Bad indicators cause FP Validate and prioritize indicators Security operations center (SOC) Monitor, triage Too many alerts to investigate (+ FN) Prioritize alerts Infrastructure operations (IT) Patch vulnerable systems Difficult to prioritize patches Prioritize patches Operational level IR Team Remediate Determine details of attacks Hunt for additional breaches Time-consuming to reconstruct attack from initial indicators Provide context to reconstruct attack quickly SOC Team Difficult to identify additional breaches Provide data for threat hunting Strategic level CISO Allocate resources No clear priorities for investment Priorities based on risks and likely attacks CIO Communicate to executives Executives don’t understand tech Explain adversary in terms of impact OFF-TOPIC: WHAT IS TI AND FOR WHOM IT MATTERS Source: John Friedman, Mark Bouchard, CISSP. Definitive Guide to Cyber Threat Intelligence. CyberEdge Group, LLC, 2015
INCIDENT RESPONSE IN MDR* Begin End Threat research team Incident response team Monitoring/Threathuntingteam Initial response Investigation Remediation * Managed Detection and Response
INCIDENT RESPONSE IN MDR Begin Monitoring & threat hunting operations Live response Suspicious activity detected Automatic product detection/ remediation End Continuous remediation efficiency control Remediation can be automatically provided Threat research team Incident response team Monitoring/Threathuntingteam Initial response Investigation Remediation
INCIDENT RESPONSE IN MDR Begin Monitoring & threat hunting operations Live response Suspicious activity detected Forensics Malware analysis Automatic product detection/ remediation End Deeper investigation required Additional IoC/IoA discovered Continuous remediation efficiency control Automatic remediation possible Threat research team Incident response team Monitoring/Threathuntingteam Initial response Investigation Remediation
INCIDENT RESPONSE IN MDR Begin Monitoring & threat hunting operations Live response Suspicious activity detected Forensics Malware analysis Incident response End Lessons learned Deeper investigation required Additional IoC/IoA discovered Continuous monitoring of remediation efficiency Continuous improvement Manual remediation required Threat research team Incident response team Monitoring/Threathuntingteam Initial response Investigation Remediation
INCIDENT RESPONSE IN MDR Begin Monitoring & threat hunting operations Live response Suspicious activity detected Forensics Malware analysis Incident response Automatic product detection/ remediation End Lessons learned Deeper investigation required Additional IoC/IoA discovered Continuous monitoring of remediation efficiency Continuous remediation efficiency control Continuous improvement Manual remediation required Automatic remediation possible Remediation can be automatically provided Threat research team Incident response team Monitoring/Threathuntingteam Initial response Investigation Remediation
38 • Goal: Assessment of Blue team operational efficiency and training • Threat Intelligence driven • Leaks, spear-phishing, insiders, etc. • Report artifacts for Blue team evaluation • Detailed stage by stage attack description • With timestamps, tools • IoCs & IoAs • TTPs • Optionally followed with workshop • With KL Blue team threat hunters (temporary Purple) ADVERSARY EMULATION FOR SECURITY OPERATIONS (“RED TEAMING”)
RESEARCH AS OPERATIONS Escalation for threat detection in products Digital forensics lab Semi-automatic DF SOC 2nd tier SOC 1st tier Escalation for customer specific TTP-based detection logic MDR provider cloud Sensor data Products Detection logic adaptation, manual threat hunting Global Emergency and Response Team Threat Research Targeted Attack Research Group SOC Research Detect in product: prevention or detection TTP-based detection logic development Escalation for manual DFIR Escalation for threat detection in products Security Assessment Assess products & operational efficiency
• If somebody planned to breach your systems, it will definitely happen • If we eradicated them, they will come again - they never give up • Do not rely solely on the perimeter and automatic detection/protection • Chances to detect after the breach are much higher • Prioritization on the material risk is the basis of success • Never relax: silence is a scary sound – assume breach, search, hunt THE END: THE IDEA OF ‘CYBER-IMMUNITY’ http://reply-to-all.blogspot.com/2017/07/blog-post_28.html
THANK YOU VERY MUCH! Sergey Soldatov, CISA, CISSP Head of SOC, R&D Security Services, Kaspersky lab intelligence@kaspersky.com www.kaspersky.ru

Empfohlen

Immune IT: Moving from Security to Immunity
Immune IT: Moving from Security to ImmunityImmune IT: Moving from Security to Immunity
Immune IT: Moving from Security to Immunity
amiable_indian
 
TTPs for Threat hunting In Oil Refineries
TTPs for Threat hunting In Oil RefineriesTTPs for Threat hunting In Oil Refineries
TTPs for Threat hunting In Oil Refineries
Dragos, Inc.
 
Pen Testing Explained
Pen Testing ExplainedPen Testing Explained
Pen Testing Explained
Rand W. Hirt
 
Honeypot Essentials
Honeypot EssentialsHoneypot Essentials
Honeypot Essentials
Anton Chuvakin
 
Penetration Testing Execution Phases
Penetration Testing Execution Phases Penetration Testing Execution Phases
Penetration Testing Execution Phases
Nasir Bhutta
 
Anti evasion and evader - klaus majewski
Anti evasion and evader - klaus majewskiAnti evasion and evader - klaus majewski
Anti evasion and evader - klaus majewski
Stonesoft
 
SOC Architecture - Building the NextGen SOC
SOC Architecture - Building the NextGen SOCSOC Architecture - Building the NextGen SOC
SOC Architecture - Building the NextGen SOC
Priyanka Aash
 
Threat Hunting - Moving from the ad hoc to the formal
Threat Hunting - Moving from the ad hoc to the formalThreat Hunting - Moving from the ad hoc to the formal
Threat Hunting - Moving from the ad hoc to the formal
Priyanka Aash
 

Empfohlen

Immune IT: Moving from Security to Immunity
Immune IT: Moving from Security to ImmunityImmune IT: Moving from Security to Immunity
Immune IT: Moving from Security to Immunity
amiable_indian
 
TTPs for Threat hunting In Oil Refineries
TTPs for Threat hunting In Oil RefineriesTTPs for Threat hunting In Oil Refineries
TTPs for Threat hunting In Oil Refineries
Dragos, Inc.
 
Pen Testing Explained
Pen Testing ExplainedPen Testing Explained
Pen Testing Explained
Rand W. Hirt
 
Honeypot Essentials
Honeypot EssentialsHoneypot Essentials
Honeypot Essentials
Anton Chuvakin
 
Penetration Testing Execution Phases
Penetration Testing Execution Phases Penetration Testing Execution Phases
Penetration Testing Execution Phases
Nasir Bhutta
 
Anti evasion and evader - klaus majewski
Anti evasion and evader - klaus majewskiAnti evasion and evader - klaus majewski
Anti evasion and evader - klaus majewski
Stonesoft
 
SOC Architecture - Building the NextGen SOC
SOC Architecture - Building the NextGen SOCSOC Architecture - Building the NextGen SOC
SOC Architecture - Building the NextGen SOC
Priyanka Aash
 
Threat Hunting - Moving from the ad hoc to the formal
Threat Hunting - Moving from the ad hoc to the formalThreat Hunting - Moving from the ad hoc to the formal
Threat Hunting - Moving from the ad hoc to the formal
Priyanka Aash
 
Bsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingBsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat Hunting
Dhruv Majumdar
 
Telesoft Cyber Threat Hunting Infographic
Telesoft Cyber Threat Hunting InfographicTelesoft Cyber Threat Hunting Infographic
Telesoft Cyber Threat Hunting Infographic
Sarah Chandley
 
Threat Hunting 101: Intro to Threat Detection and Incident Response
Threat Hunting 101: Intro to Threat Detection and Incident ResponseThreat Hunting 101: Intro to Threat Detection and Incident Response
Threat Hunting 101: Intro to Threat Detection and Incident Response
Infocyte
 
Malware Analysis
Malware AnalysisMalware Analysis
Malware Analysis
Ramin Farajpour Cami
 
What is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda SecurityWhat is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda Security
Panda Security
 
Cyber Threat Hunting: Identify and Hunt Down Intruders
Cyber Threat Hunting: Identify and Hunt Down IntrudersCyber Threat Hunting: Identify and Hunt Down Intruders
Cyber Threat Hunting: Identify and Hunt Down Intruders
Infosec
 
Threat hunting in cyber world
Threat hunting in cyber worldThreat hunting in cyber world
Threat hunting in cyber world
Akash Sarode
 
Anton Chuvakin on Threat and Vulnerability Intelligence
Anton Chuvakin on Threat and Vulnerability IntelligenceAnton Chuvakin on Threat and Vulnerability Intelligence
Anton Chuvakin on Threat and Vulnerability Intelligence
Anton Chuvakin
 
Evading & Bypassing Anti-Malware applications using metasploit
Evading & Bypassing Anti-Malware applications using metasploitEvading & Bypassing Anti-Malware applications using metasploit
Evading & Bypassing Anti-Malware applications using metasploit
n|u - The Open Security Community
 
SIEM and Threat Hunting
SIEM and Threat HuntingSIEM and Threat Hunting
SIEM and Threat Hunting
n|u - The Open Security Community
 
Zero-Day Vulnerability and Heuristic Analysis
Zero-Day Vulnerability and Heuristic AnalysisZero-Day Vulnerability and Heuristic Analysis
Zero-Day Vulnerability and Heuristic Analysis
Ahmed Banafa
 
SACON16 - SOC Architecture
SACON16 - SOC ArchitectureSACON16 - SOC Architecture
SACON16 - SOC Architecture
Shomiron Das Gupta
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On Lab
Teymur Kheirkhabarov
 
Penetration Testing
Penetration TestingPenetration Testing
Penetration Testing
Mayank Singh
 
CTI ANT: Hunting for Chinese Threat Intelligence
CTI ANT: Hunting for Chinese Threat IntelligenceCTI ANT: Hunting for Chinese Threat Intelligence
CTI ANT: Hunting for Chinese Threat Intelligence
JacklynTsai
 
Threat Hunting Report
Threat Hunting Report Threat Hunting Report
Threat Hunting Report
Morane Decriem
 
How to assign a CVE to yourself?
How to assign a CVE to yourself?How to assign a CVE to yourself?
How to assign a CVE to yourself?
Ramin Farajpour Cami
 
Cybersecurity Incident Response Readiness: How to Find and Respond to Attacke...
Cybersecurity Incident Response Readiness: How to Find and Respond to Attacke...Cybersecurity Incident Response Readiness: How to Find and Respond to Attacke...
Cybersecurity Incident Response Readiness: How to Find and Respond to Attacke...
Infocyte
 
Anton's 2020 SIEM Best and Worst Practices - in Brief
Anton's 2020 SIEM Best and Worst Practices - in BriefAnton's 2020 SIEM Best and Worst Practices - in Brief
Anton's 2020 SIEM Best and Worst Practices - in Brief
Anton Chuvakin
 
Splunk for Security
Splunk for SecuritySplunk for Security
Splunk for Security
Gabrielle Knowles
 
Custom defense - Blake final
Custom defense - Blake finalCustom defense - Blake final
Custom defense - Blake final
Minh Le
 
CYBER SECURITY CAREER GUIDE CHEAT SHEET
CYBER SECURITY CAREER GUIDE CHEAT SHEETCYBER SECURITY CAREER GUIDE CHEAT SHEET
CYBER SECURITY CAREER GUIDE CHEAT SHEET
TravarsaPrivateLimit
 

Weitere ähnliche Inhalte

Was ist angesagt?

Cyber Threat Hunting: Identify and Hunt Down Intruders
Cyber Threat Hunting: Identify and Hunt Down IntrudersCyber Threat Hunting: Identify and Hunt Down Intruders
Cyber Threat Hunting: Identify and Hunt Down Intruders
Infosec
 
Penetration Testing
Penetration TestingPenetration Testing
Penetration Testing
Mayank Singh
 
Cybersecurity Incident Response Readiness: How to Find and Respond to Attacke...
Cybersecurity Incident Response Readiness: How to Find and Respond to Attacke...Cybersecurity Incident Response Readiness: How to Find and Respond to Attacke...
Cybersecurity Incident Response Readiness: How to Find and Respond to Attacke...
Infocyte
 

Was ist angesagt? (20)

Bsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingBsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat Hunting
 
Telesoft Cyber Threat Hunting Infographic
Telesoft Cyber Threat Hunting InfographicTelesoft Cyber Threat Hunting Infographic
Telesoft Cyber Threat Hunting Infographic
 
Threat Hunting 101: Intro to Threat Detection and Incident Response
Threat Hunting 101: Intro to Threat Detection and Incident ResponseThreat Hunting 101: Intro to Threat Detection and Incident Response
Threat Hunting 101: Intro to Threat Detection and Incident Response
 
Malware Analysis
Malware AnalysisMalware Analysis
Malware Analysis
 
What is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda SecurityWhat is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda Security
 
Cyber Threat Hunting: Identify and Hunt Down Intruders
Cyber Threat Hunting: Identify and Hunt Down IntrudersCyber Threat Hunting: Identify and Hunt Down Intruders
Cyber Threat Hunting: Identify and Hunt Down Intruders
 
Threat hunting in cyber world
Threat hunting in cyber worldThreat hunting in cyber world
Threat hunting in cyber world
 
Anton Chuvakin on Threat and Vulnerability Intelligence
Anton Chuvakin on Threat and Vulnerability IntelligenceAnton Chuvakin on Threat and Vulnerability Intelligence
Anton Chuvakin on Threat and Vulnerability Intelligence
 
Evading & Bypassing Anti-Malware applications using metasploit
Evading & Bypassing Anti-Malware applications using metasploitEvading & Bypassing Anti-Malware applications using metasploit
Evading & Bypassing Anti-Malware applications using metasploit
 
SIEM and Threat Hunting
SIEM and Threat HuntingSIEM and Threat Hunting
SIEM and Threat Hunting
 
Zero-Day Vulnerability and Heuristic Analysis
Zero-Day Vulnerability and Heuristic AnalysisZero-Day Vulnerability and Heuristic Analysis
Zero-Day Vulnerability and Heuristic Analysis
 
SACON16 - SOC Architecture
SACON16 - SOC ArchitectureSACON16 - SOC Architecture
SACON16 - SOC Architecture
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On Lab
 
Penetration Testing
Penetration TestingPenetration Testing
Penetration Testing
 
CTI ANT: Hunting for Chinese Threat Intelligence
CTI ANT: Hunting for Chinese Threat IntelligenceCTI ANT: Hunting for Chinese Threat Intelligence
CTI ANT: Hunting for Chinese Threat Intelligence
 
Threat Hunting Report
Threat Hunting Report Threat Hunting Report
Threat Hunting Report
 
How to assign a CVE to yourself?
How to assign a CVE to yourself?How to assign a CVE to yourself?
How to assign a CVE to yourself?
 
Cybersecurity Incident Response Readiness: How to Find and Respond to Attacke...
Cybersecurity Incident Response Readiness: How to Find and Respond to Attacke...Cybersecurity Incident Response Readiness: How to Find and Respond to Attacke...
Cybersecurity Incident Response Readiness: How to Find and Respond to Attacke...
 
Anton's 2020 SIEM Best and Worst Practices - in Brief
Anton's 2020 SIEM Best and Worst Practices - in BriefAnton's 2020 SIEM Best and Worst Practices - in Brief
Anton's 2020 SIEM Best and Worst Practices - in Brief
 
Splunk for Security
Splunk for SecuritySplunk for Security
Splunk for Security
 

Ähnlich wie Reducing cyber risks in the era of digital transformation

CYBER SECURITY CAREER GUIDE CHEAT SHEET
CYBER SECURITY CAREER GUIDE CHEAT SHEETCYBER SECURITY CAREER GUIDE CHEAT SHEET
CYBER SECURITY CAREER GUIDE CHEAT SHEET
TravarsaPrivateLimit
 
Revolutionizing Advanced Threat Protection
Revolutionizing Advanced Threat ProtectionRevolutionizing Advanced Threat Protection
Revolutionizing Advanced Threat Protection
Blue Coat
 
NTXISSACSC2 - The Role of Threat Intelligence and Layered Security for Intrus...
NTXISSACSC2 - The Role of Threat Intelligence and Layered Security for Intrus...NTXISSACSC2 - The Role of Threat Intelligence and Layered Security for Intrus...
NTXISSACSC2 - The Role of Threat Intelligence and Layered Security for Intrus...
North Texas Chapter of the ISSA
 
Cyber Defense Automation
Cyber Defense AutomationCyber Defense Automation
Cyber Defense Automation
♟Sergej Epp
 

Ähnlich wie Reducing cyber risks in the era of digital transformation (20)

Custom defense - Blake final
Custom defense - Blake finalCustom defense - Blake final
Custom defense - Blake final
 
CYBER SECURITY CAREER GUIDE CHEAT SHEET
CYBER SECURITY CAREER GUIDE CHEAT SHEETCYBER SECURITY CAREER GUIDE CHEAT SHEET
CYBER SECURITY CAREER GUIDE CHEAT SHEET
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
 
Revolutionizing Advanced Threat Protection
Revolutionizing Advanced Threat ProtectionRevolutionizing Advanced Threat Protection
Revolutionizing Advanced Threat Protection
 
Security Breakout Session
Security Breakout Session Security Breakout Session
Security Breakout Session
 
CSF18 - Incident Response in the Cloud - Yuri Diogenes
CSF18 - Incident Response in the Cloud - Yuri DiogenesCSF18 - Incident Response in the Cloud - Yuri Diogenes
CSF18 - Incident Response in the Cloud - Yuri Diogenes
 
Be the Hunter
Be the Hunter Be the Hunter
Be the Hunter
 
Prezentare_RSA.pptx
Prezentare_RSA.pptxPrezentare_RSA.pptx
Prezentare_RSA.pptx
 
Security Operations and Response
Security Operations and ResponseSecurity Operations and Response
Security Operations and Response
 
Cognitive automation with machine learning in cyber security
Cognitive automation with machine learning in cyber securityCognitive automation with machine learning in cyber security
Cognitive automation with machine learning in cyber security
 
Elastic Security: Your one-stop OODA loop shop
Elastic Security: Your one-stop OODA loop shopElastic Security: Your one-stop OODA loop shop
Elastic Security: Your one-stop OODA loop shop
 
Security operation center (SOC)
Security operation center (SOC)Security operation center (SOC)
Security operation center (SOC)
 
NTXISSACSC2 - The Role of Threat Intelligence and Layered Security for Intrus...
NTXISSACSC2 - The Role of Threat Intelligence and Layered Security for Intrus...NTXISSACSC2 - The Role of Threat Intelligence and Layered Security for Intrus...
NTXISSACSC2 - The Role of Threat Intelligence and Layered Security for Intrus...
 
Cyber Defense Automation
Cyber Defense AutomationCyber Defense Automation
Cyber Defense Automation
 
SplunkLive Auckland 2015 - Splunk for Security
SplunkLive Auckland 2015 - Splunk for SecuritySplunkLive Auckland 2015 - Splunk for Security
SplunkLive Auckland 2015 - Splunk for Security
 
SplunkLive Wellington 2015 - Splunk for Security
SplunkLive Wellington 2015 - Splunk for SecuritySplunkLive Wellington 2015 - Splunk for Security
SplunkLive Wellington 2015 - Splunk for Security
 
Lessons Learned Fighting Modern Cyberthreats in Critical ICS Networks
Lessons Learned Fighting Modern Cyberthreats in Critical ICS NetworksLessons Learned Fighting Modern Cyberthreats in Critical ICS Networks
Lessons Learned Fighting Modern Cyberthreats in Critical ICS Networks
 
LIFT OFF 2017: Transforming Security
LIFT OFF 2017: Transforming SecurityLIFT OFF 2017: Transforming Security
LIFT OFF 2017: Transforming Security
 
Integrating Physical And Logical Security
Integrating Physical And Logical SecurityIntegrating Physical And Logical Security
Integrating Physical And Logical Security
 
IBM Security Strategy
IBM Security StrategyIBM Security Strategy
IBM Security Strategy
 

Mehr von Sergey Soldatov

От мониторинга к форенсике и обратно
От мониторинга к форенсике и обратноОт мониторинга к форенсике и обратно
От мониторинга к форенсике и обратно
Sergey Soldatov
 
модульный под к документир V5
модульный под к документир V5модульный под к документир V5
модульный под к документир V5
Sergey Soldatov
 
Opensource vs. Non-opensource
Opensource vs. Non-opensourceOpensource vs. Non-opensource
Opensource vs. Non-opensource
Sergey Soldatov
 
Примерные критерии оценки IDM
Примерные критерии оценки IDMПримерные критерии оценки IDM
Примерные критерии оценки IDM
Sergey Soldatov
 

Mehr von Sergey Soldatov (20)

Metrics in Security Operations
Metrics in Security OperationsMetrics in Security Operations
Metrics in Security Operations
 
Сколько надо SOC?
Сколько надо SOC?Сколько надо SOC?
Сколько надо SOC?
 
От мониторинга к форенсике и обратно
От мониторинга к форенсике и обратноОт мониторинга к форенсике и обратно
От мониторинга к форенсике и обратно
 
Роботы среди нас!
Роботы среди нас!Роботы среди нас!
Роботы среди нас!
 
How MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsHow MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operations
 
Практика обнаружения атак, использующих легальные инструменты
Практика обнаружения атак, использующих легальные инструментыПрактика обнаружения атак, использующих легальные инструменты
Практика обнаружения атак, использующих легальные инструменты
 
Kaspersky managed protection
Kaspersky managed protectionKaspersky managed protection
Kaspersky managed protection
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows Infrastructure
 
Трудовые будни охотника на угрозы
Трудовые будни охотника на угрозыТрудовые будни охотника на угрозы
Трудовые будни охотника на угрозы
 
Охота на угрозы на BIS summit 2016
Охота на угрозы на BIS summit 2016Охота на угрозы на BIS summit 2016
Охота на угрозы на BIS summit 2016
 
Threat hunting as SOC process
Threat hunting as SOC processThreat hunting as SOC process
Threat hunting as SOC process
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
 
Мониторинг своими руками
Мониторинг своими рукамиМониторинг своими руками
Мониторинг своими руками
 
Вопросы к DLP
Вопросы к DLPВопросы к DLP
Вопросы к DLP
 
модульный под к документир V5
модульный под к документир V5модульный под к документир V5
модульный под к документир V5
 
IDM - это непросто!
IDM - это непросто!IDM - это непросто!
IDM - это непросто!
 
Некриптографическое исследование носителей православной криптографии
Некриптографическое исследование носителей православной криптографииНекриптографическое исследование носителей православной криптографии
Некриптографическое исследование носителей православной криптографии
 
Opensource vs. Non-opensource
Opensource vs. Non-opensourceOpensource vs. Non-opensource
Opensource vs. Non-opensource
 
Примерные критерии оценки IDM
Примерные критерии оценки IDMПримерные критерии оценки IDM
Примерные критерии оценки IDM
 
PHDays '14 Cracking java pseudo random sequences by egorov & soldatov
PHDays '14 Cracking java pseudo random sequences by egorov & soldatovPHDays '14 Cracking java pseudo random sequences by egorov & soldatov
PHDays '14 Cracking java pseudo random sequences by egorov & soldatov
 

Kürzlich hochgeladen

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 

Kürzlich hochgeladen (20)

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 

Reducing cyber risks in the era of digital transformation

  • 1. Reducing cyber risks in the era of digital transformation Sergey Soldatov Head of Security Operations Center, R&D Security Services
  • 2. WHO AM I ? Since 2016: Head of SOC at Kaspersky lab Internal SOC Commercial MDR* services 2012 – 2016: Chief manager at RN-Inform Rosneft security services insourcing 2002 – 2012: TNK-BP Group IT security integration into business and IT operations Security controls in IT projects Security operations 2001-2002: Software developer at RIPN BMSTU graduate CISA, CISSP Speaker, writer, participant, volunteer * Managed Detection and Response
  • 3. THE ERA OF DIGITAL TRANSFORMATION Business models Processes and organization Intelligence and preparation Research Professionalism More dependent on IT Raise of IT security Higher attack complexity And COST More business risks in IT Motivation
  • 4. ATTACKER PERSPECTIVE Pentest-like “Offensive certified hackers” Outsourced service Profitable business Based on cutting edge research and approaches
  • 5. ATTACKER PERSPECTIVE Pentest-like “Offensive certified hackers” Outsourced service Profitable business Based on cutting edge research and approaches * Tactics, techniques and procedures Classics Anti-forensics Multi-stage Modernity spirit: File less & Malware less Living off the land Bring your own land Off-the-shelf attack simulation toolsets New mysterious TTP*
  • 6. LIVING OFF THE LAND Malware-less Use of built-in OS tools In-memory only (file-less) Maximum use of context knowledge (make no anomalies): Use tools that are already used Use protocols that are already used Don’t talk when the net is quiet https://www.youtube.com/watch?v=j-r6UonEkUw
  • 7. BRING YOUR OWN LAND When PowerShell is not an option All requited functionality is part of specially created PE Malicious code is run in legitimate process memory – no suspicious parent- child relationship, no artefacts on disk Available in off-the-shelf adversary emulation tools (Cobalt strike) https://www.fireeye.com/blog/threat- research/2018/06/bring-your-own-land-novel-red-teaming- technique.html
  • 8. AVAILABLE TOOLSETS Commercially supported and maintained Very difficult attribution Disguise capabilities: False attribution Benign activity
  • 9. ATTACKER ALWAYS ATTACKS THE WEAKEST LINK http://reply-to-all.blogspot.com/2018/04/blog-post.html
  • 10. Prevention Detection  Threat hunting Response …AND CYBER WEAPON FOR ALL! The resources of the attacker are limitless! https://reply-to-all.blogspot.com/2017/03/blog-post_22.html
  • 11. 1% OF ATTACKS – 90% OF DAMAGE 29% 70% 1% Known threats Unknown threats Sophisticated threats Targeted attacks APT Large enterprises SMB Average loss from a single targeted attack $ 2,54M $ 84K * According to Kaspersky lab and B2B international research “Enterprise information security”. Average damage from single targeted attack, including direct losses and indirect costs of restoration after the attack.
  • 12. THREAT LANDSCAPE OUTRO Layers: By approach: Prevent  Detect  Hunt By technology: Entities  Behavior  Statistics  ML  DL By Kill Chain: Pre-breach  Post-breach By decision maker: Sensor  Cloud  Human By media: Endpoint  Network Cycles: Threat intel  Detect  Practice  Threat intel Hunt  Detect  Hunt
  • 14. Prevention systems Detection systems Threat hunting ~100% known evil <100% known evil unknown evil Prevent FindDetect If possible automatically prevent… Automatic Manual Protection Detection & response Degree of uncertainty Automatic + Check APPROACH LAYERS: PREVENT  DETECT  HUNT http://reply-to-all.blogspot.com/2017/11/epp-edr.html
  • 15. THREAT HUNTING 15 https://sqrrl.com/solutions/cyber-threat-hunting/ Cyber threat hunting is the practice of searching iteratively through data to detect advanced threats that evade traditional security solutions.
  • 16. PROTECTION STRATEGY – WAYS OF RETREAT
  • 17. Endpoint AM-engine (AM) Sandbox (SB) Advantages • Real environment • Real user activity • Unlimited processing time • No performance limitations • Low impact from True Positive Disadvan- tages • Performance Limitations • Big impact from True Positive • Artificial environment • Emulated user activity (required actions may not be fulfilled) • Limited processing time DETECT LAYERS: ANTI-MALWARE & SANDBOX • Different technologies works with different effectiveness and efficiency against different attacks • AM and SB complement each other to better cumulative detection rate
  • 18. DETECT LAYERS: DAVID BIANCO'S PYRAMID OF PAIN http://detect-respond.blogspot.ru/2013/03/the-pyramid-of-pain.html Commodity Prevention/Detection tools capabilities (can be done automatically) Human Analyst required IoC,IoA AM-signatureTTP-based detect
  • 19. THE CONCEPT OF ‘HUNT’ (DETECTOR, RULE) • Run untrusted code with whitelisted tool (rundll32,regsvr32,mshta,odbcconf,etc) • Office app spawns cmd/powershell/etc • Access to paste service from non-browsers • … Techniques Example:
  • 20. REAL ATTACK (SIMPLIFIED) 1-day .rtf exploit winword wecloud[.]biz/m11.xls download mshta start powershell wecloud[.]biz/d.doc AppDataRoaming22682.doc winword powershell wecloud[.]biz/p1.sqlite3 AppDataRoaming46961.txt (.dll) odbcconf AppDataRoaming6F633FD53B9B6C.txt (sct) download, execute regsvr32 cmd wecloud[.]biz/mail/changelog.txt drop AppDataRoamingrad7EF08.tmpcmd powershellCobaltstrike beacon execute .hta start start download save open start download decode,store,start start execute start execute start del dropstart execute start base-64 PS start
  • 21. 1-day .rtf exploit winword wecloud[.]biz/m11.xls download mshta executing_hta_via_com powershell wecloud[.]biz/d.doc AppDataRoaming22682.doc winword powershell wecloud[.]biz/p1.sqlite3 AppDataRoaming46961.txt (.dll) odbcconf AppDataRoaming6F633FD53B9B6C.txt (sct) download, execute regsvr32 cmd wecloud[.]biz/mail/changelog.txt drop AppDataRoamingrad7EF08.tmpcmd powershellCobaltstrike beacon execute .hta start start download save open start download decode,store,start start execute start execute start del dropstart execute start base-64 PSstart suspicious_powershell_cmd_or_script_spawning start suspicious_powershell_cmdline_downloading suspicious_powershell_cmdline_general_obfuscation proxying_arbitrary_code_execution_through_trusted_binaries executing_with_nonexecutable_extension application_whitelisting_bypass_via_regsvr32 AV_engine_inexact_detect TTP-BASED DETECTS
  • 22. MITRE ATT&CK: ADVERSARIAL TACTICS, TECHNIQUES & COMMON KNOWLEDGE https://attack.mitre.org/wiki/Main_Page
  • 24. ATTACK LIFECYCLE 24 Time Observable attacker activity • Reconnaissance • Weaponization • Delivery • Exploitation • Installation • Command & Control • Actions on objective Months Minutes Years Passive Stealthy Fast Pre-breach Breach Post-breach
  • 25. ATTACK KILL CHAIN COVERAGE: PRE-BREACH AND POST-BREACH SCENARIOS Prevention security controls Operational security (SOC) Incident response Time Breach! Pre-breach Post-breach Previously Currently Threat hunting
  • 26. POST-BREACH: MITRE ATT&CK COVERAGE Consumer: the most appropriate way to assess EDR/MDR Vendor/Provider: Self- assessment for current capabilities and improvement planning
  • 28. LEVELS OF DECISION MAKING Data  Sensor detects  Process behavior  OS events Micro correlation on sensor level:  All sensor detection technologies  Reputation (cloud) Macro correlation, TTP-based detection logic:  All TTP knowledge:  Internal research  MITRE ATT&CK  Security assessment/Red teaming  Incident response practice  Monitoring practice Adjustproductdetectionlogic Human analyst work, Threat hunting:  Check behavior hypotheses about attacker  Situational awareness  Investigate borderline cases  Overall process improvement Sensors (Event sources) Cloud Products
  • 30. 30 THREAT INTELLIGENCE CYCLE FOR CONSTANT IMPROVEMENT Threat Intelligence Threat Research Products Research infrastructure Services Threat-centric Target-centric Auto-detection data, Emulation data, KSN-statistics Operational practice Threats Targets
  • 31. 31 SECURITY OPERATIONS CYCLE (SIMPLIFIED) Threat Intelligence Detection Investigation Remediation Lessons learned MSSP scope: Particular customer GOV/LEA scope: Country, Industry
  • 32. IT Roles Tasks Problems Value of TI Tactical level Network operation center (NOC) Feed indicators to security products Bad indicators cause FP Validate and prioritize indicators Security operations center (SOC) Monitor, triage Too many alerts to investigate (+ FN) Prioritize alerts Infrastructure operations (IT) Patch vulnerable systems Difficult to prioritize patches Prioritize patches Operational level IR Team Remediate Determine details of attacks Hunt for additional breaches Time-consuming to reconstruct attack from initial indicators Provide context to reconstruct attack quickly SOC Team Difficult to identify additional breaches Provide data for threat hunting Strategic level CISO Allocate resources No clear priorities for investment Priorities based on risks and likely attacks CIO Communicate to executives Executives don’t understand tech Explain adversary in terms of impact OFF-TOPIC: WHAT IS TI AND FOR WHOM IT MATTERS Source: John Friedman, Mark Bouchard, CISSP. Definitive Guide to Cyber Threat Intelligence. CyberEdge Group, LLC, 2015
  • 33. INCIDENT RESPONSE IN MDR* Begin End Threat research team Incident response team Monitoring/Threathuntingteam Initial response Investigation Remediation * Managed Detection and Response
  • 34. INCIDENT RESPONSE IN MDR Begin Monitoring & threat hunting operations Live response Suspicious activity detected Automatic product detection/ remediation End Continuous remediation efficiency control Remediation can be automatically provided Threat research team Incident response team Monitoring/Threathuntingteam Initial response Investigation Remediation
  • 35. INCIDENT RESPONSE IN MDR Begin Monitoring & threat hunting operations Live response Suspicious activity detected Forensics Malware analysis Automatic product detection/ remediation End Deeper investigation required Additional IoC/IoA discovered Continuous remediation efficiency control Automatic remediation possible Threat research team Incident response team Monitoring/Threathuntingteam Initial response Investigation Remediation
  • 36. INCIDENT RESPONSE IN MDR Begin Monitoring & threat hunting operations Live response Suspicious activity detected Forensics Malware analysis Incident response End Lessons learned Deeper investigation required Additional IoC/IoA discovered Continuous monitoring of remediation efficiency Continuous improvement Manual remediation required Threat research team Incident response team Monitoring/Threathuntingteam Initial response Investigation Remediation
  • 37. INCIDENT RESPONSE IN MDR Begin Monitoring & threat hunting operations Live response Suspicious activity detected Forensics Malware analysis Incident response Automatic product detection/ remediation End Lessons learned Deeper investigation required Additional IoC/IoA discovered Continuous monitoring of remediation efficiency Continuous remediation efficiency control Continuous improvement Manual remediation required Automatic remediation possible Remediation can be automatically provided Threat research team Incident response team Monitoring/Threathuntingteam Initial response Investigation Remediation
  • 38. 38 • Goal: Assessment of Blue team operational efficiency and training • Threat Intelligence driven • Leaks, spear-phishing, insiders, etc. • Report artifacts for Blue team evaluation • Detailed stage by stage attack description • With timestamps, tools • IoCs & IoAs • TTPs • Optionally followed with workshop • With KL Blue team threat hunters (temporary Purple) ADVERSARY EMULATION FOR SECURITY OPERATIONS (“RED TEAMING”)
  • 39. RESEARCH AS OPERATIONS Escalation for threat detection in products Digital forensics lab Semi-automatic DF SOC 2nd tier SOC 1st tier Escalation for customer specific TTP-based detection logic MDR provider cloud Sensor data Products Detection logic adaptation, manual threat hunting Global Emergency and Response Team Threat Research Targeted Attack Research Group SOC Research Detect in product: prevention or detection TTP-based detection logic development Escalation for manual DFIR Escalation for threat detection in products Security Assessment Assess products & operational efficiency
  • 40. • If somebody planned to breach your systems, it will definitely happen • If we eradicated them, they will come again - they never give up • Do not rely solely on the perimeter and automatic detection/protection • Chances to detect after the breach are much higher • Prioritization on the material risk is the basis of success • Never relax: silence is a scary sound – assume breach, search, hunt THE END: THE IDEA OF ‘CYBER-IMMUNITY’ http://reply-to-all.blogspot.com/2017/07/blog-post_28.html
  • 41. THANK YOU VERY MUCH! Sergey Soldatov, CISA, CISSP Head of SOC, R&D Security Services, Kaspersky lab intelligence@kaspersky.com www.kaspersky.ru