
Page 1

SANS Blue Team Summit

Intelligence-Driven Defense: Successfully Embedding Cyber Threat Intel in Security Operations

@aboutsecurity / Ismael Valenzuela Principal Engineer at McAfee, SANS Instructor, GSE #132

© 2018 Ismael Valenzuela | All Rights Reserved

Page 2

Where were you in 1986?

Page 3

Where were you in 1986?

Page 4

Page 5

Cliff Stoll - 1986

Page 6

Was it the rope or the revolver?

https://www.youtube.com/watch?v=1h7rLHNXio8

“I thought all I had to do was show the data and people would understand. It doesn’t work. You have to tell a story”

Cliff Stoll – SANS CTI Summit 2017

Page 7

What makes a good “story”?

• Who is attacking us?

• What is their motivation?

• Were they here before?

• How do they operate?

• What is the impact to our business?

• …and will they come back?

Page 8

Threat Intelligence and SOC (MGT 517) – The Program

Inputs

Production:

• IOCs derived from internal sources

• Data from NSM sources, for hunting and data mining

Consumption:

• External threat feeds (often paid for)

• External reputation feeds (often paid for)

• External news – “open source collection”

Artifacts

• Bulletins – notify other function areas

• Internal intelligence repository – posterity

• Incident attribution – to a named actor

• NIDS/HIDS rules – future detection

• Posture enhancement reports – show the business how to improve

Page 9

Threat Intelligence and SOC (MGT 517) – The Program

(Program diagram; the three columns as extracted:)

Sources: Open Source Resources · Internal Information Sources · Attribution Info · Threat Intelligence

Activities: Collect open source info · Collect internal adversary info · Retain adversary characteristics · Internal threat actor attribution & characteristics · Correlate events to threat actors

Functions: Open Source Data Collection · Hunting Teams · Attribution Capabilities · Adversary Tracking

Page 10

Page 11

Threat Intelligence and SOC (MGT 517) – The Program

Suggestion to Threat Actors – Take a Selfie with Stolen Loot

(Photo caption from The New York Times:) Elvis Rafael Rodriguez, left, and Emir Yasser Yeje, two of those charged in Brooklyn on Thursday, posed in March with approximately $40,000 in cash that the authorities say they were laundering.

https://www.nytimes.com/2013/05/10/nyregion/eight-charged-in-45-million-global-cyber-bank-thefts.html

Page 12

So where do I start?

Page 13

Where you DON’T want to start

• Asking for $$$$ to hire a bunch of threat intel analysts

• Going to RSA/BlackHat and buying a random TIP (or maybe two)

• “Just send me feeds!!!” (an overloaded SIEM once said)

• Re-attempting to start the “spreadsheet of doom”

• Trying to attribute threat actors by looking at malware code, just because you’re 1337

• Adopting models just because everyone (including Gartner) says so

Page 14

Successfully embedding Threat Intel in SecOps: Tips & Tricks *

* none of this replaces a well-planned and resourced threat intel program

Page 15

Use MODELS that focus on BEHAVIOR, but remember none of them are perfect!

• Cyber Kill Chain from Lockheed Martin

• MITRE ATT&CK Matrix

• OODA Loop

• Diamond Model

• Find, Fix, Finish, Exploit, Analyze, Disseminate (F3EAD)

• Whatever new pyramid you come up with…

Page 16

Don’t forget that Threat Models aren’t just for AppSec!

• How are you going to prioritize what’s important to you?

• How do you know who’s after you?

• Learn from your incidents!

  • What were they after?

  • How did they get in?

  • What tools did they use?

  • Start building a profile

• Don’t wait for an incident. Start mining your previous ones.

Page 17

It’s all about IMPACT

• And impact varies greatly based on CONTEXT:

  • Is an nmap scan high severity or low severity?

  • Is a phishing email high severity or low severity?

• It depends on:

  • What assets are involved?

  • What services do they support?

  • Where are they located in your network?

  • What defensive mechanisms are in place?

  • What other events are these alerts connected to?

  • …

Page 18

Definition of insanity = focusing on external intelligence and ignoring the internal kind

We know this… yet, when we think about intelligence, the first thing we ask for is third-party feeds for our SIEM!

The solution is not necessarily to get rid of all the low-fidelity rules, but to use them strategically, leveraging “internal intelligence”.

Page 19

Reducing noise by using “internal” intelligence

Do not alert on IOC feeds, use them for enrichment!

Apply low-fidelity indicators to tiers, strategically:

- High value assets

  - VIP users

  - Users with access to crown jewels

  - Business critical infrastructure

- High risk assets

  - Those that exhibit risky behavior (yes, like those that fail your phishing tests!)

  - Legacy software
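As an added example (not code from the talk), here is the enrich-don’t-alert rule from this slide combined with the context questions from slide 17, in Python: every feed hit is attached to the event, but an analyst is paged only when the source asset sits in a high value or high risk tier, lives in a restricted zone, or is connected to other hits in the same batch. The feed, the asset inventory, the tier weights, the threshold and the log events are all constructed for illustration.

```python
"""Enrich events with IOC-feed hits; alert only where asset context justifies it.

Added example, not code from the talk. Feed, asset inventory, tier weights
and events are all constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Constructed low-fidelity feed, the kind of bulk list a TIP exports.
IOC_FEED = {
    "ip": {"203.0.113.50", "198.51.100.7"},
    "domain": {"update-check.example.net"},
}

# Constructed asset inventory. Tiers mirror the slide: high value (VIPs,
# crown-jewel access, business-critical infra) and high risk (legacy
# software, users who keep failing phishing tests). No tier = standard.
ASSETS = {
    "10.0.1.15": {"owner": "cfo-laptop",    "tiers": {"high_value"}, "zone": "corp"},
    "10.0.2.40": {"owner": "dev-legacy-01", "tiers": {"high_risk"},  "zone": "corp"},
    "10.0.3.9":  {"owner": "kiosk-lobby",   "tiers": set(),          "zone": "guest"},
    "10.0.3.20": {"owner": "reception-pc",  "tiers": set(),          "zone": "corp"},
    "10.0.5.2":  {"owner": "sql-erp-prod",  "tiers": {"high_value"}, "zone": "dc"},
}
TIER_WEIGHT = {"high_value": 2, "high_risk": 1}
ALERT_THRESHOLD = 1


@dataclass
class Enriched:
    event: dict
    ioc_hits: list = field(default_factory=list)   # [(field, value), ...]
    asset: Optional[dict] = None
    score: int = 0
    action: str = "log"                            # "log" = enrich only, "alert" = page someone


def enrich(event: dict) -> Enriched:
    """Attach feed matches and asset context; never decides anything by itself."""
    e = Enriched(event=event)
    for fld, feed in (("dst_ip", IOC_FEED["ip"]), ("domain", IOC_FEED["domain"])):
        if event.get(fld) in feed:
            e.ioc_hits.append((fld, event[fld]))
    e.asset = ASSETS.get(event.get("src_ip", ""))
    return e


def score_event(e: Enriched, related_hits: int) -> int:
    """Context score: tier weights, +1 for a restricted zone, +1 if the same
    source has other feed hits in this batch ("what other events is this
    alert connected to?")."""
    tiers = e.asset["tiers"] if e.asset else set()
    s = sum(TIER_WEIGHT[t] for t in tiers)
    if e.asset and e.asset["zone"] == "dc":
        s += 1
    if related_hits >= 2:
        s += 1
    return s


def triage(events: list) -> list:
    """Enrich a batch, then alert only on hits whose context score reaches the threshold."""
    enriched = [enrich(ev) for ev in events]
    hits_by_src = Counter(e.event["src_ip"] for e in enriched if e.ioc_hits)
    for e in enriched:
        if e.ioc_hits:
            e.score = score_event(e, hits_by_src[e.event["src_ip"]])
            e.action = "alert" if e.score >= ALERT_THRESHOLD else "log"
    return enriched


# Constructed proxy/DNS-style events (not real traffic).
SAMPLE_EVENTS = [
    {"src_ip": "10.0.3.9",  "dst_ip": "203.0.113.50", "domain": None},                       # kiosk: hit, enrich only
    {"src_ip": "10.0.1.15", "dst_ip": "203.0.113.50", "domain": None},                       # CFO: hit on high-value asset
    {"src_ip": "10.0.2.40", "dst_ip": "192.0.2.9",    "domain": "update-check.example.net"}, # legacy box: high-risk tier
    {"src_ip": "10.0.5.2",  "dst_ip": "192.0.2.10",   "domain": "example.org"},              # crown jewel, but no hit
    {"src_ip": "10.0.3.20", "dst_ip": "198.51.100.7", "domain": None},                       # standard asset, 1st hit
    {"src_ip": "10.0.3.20", "dst_ip": "192.0.2.11",   "domain": "update-check.example.net"}, # same asset, 2nd hit: alert
    {"src_ip": "10.9.9.9",  "dst_ip": "203.0.113.50", "domain": None},                       # unknown asset: enrich only
]

if __name__ == "__main__":
    for r in triage(SAMPLE_EVENTS):
        print(f"{r.action:5} score={r.score} src={r.event['src_ip']:10} hits={r.ioc_hits}")
```

The kiosk and the unknown host keep their feed hit as enrichment (it is still there for hunting and correlation later), while the CFO laptop, the legacy box and the reception PC with two separate hits are the only ones that reach an analyst. In a real deployment the inventory and feed would come from the CMDB and the TIP, and `triage` would run per SIEM batch.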

Page 20

Automation needed

Effectively managing, curating and applying indicators to different tiers will require significant maintenance over time.

• Threat Intelligence Platforms (TIPs) are the best tools for this

• Start with open source (MISP/CRITs), then move to commercial if needed, once you understand your requirements

You will also need to collect feedback, generate your own intelligence and develop metrics to track success over time.

• Case management tools are great for this!

Page 21

TheHive

http://chrissanders.org/2017/03/case-management-the-hive/

Page 22

TheHive

https://blog.thehive-project.org/2017/06/19/thehive-cortex-and-misp-how-they-all-fit-together/

TheHive can receive alerts from different sources via its REST API, and connect to one or several MISP instances.

Cases can be created from alerts or from scratch, and are divided into tasks and observables.

Observables can be tagged, flagged as IOCs and analyzed (via Cortex).
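An added example (not from the talk, and not TheHive project code) of pushing an enrichment result, meaning an event, its feed hits and a context score, into TheHive over that REST API: the matched indicators become observables flagged as IOCs, the internal source host becomes a plain observable, and `sourceRef` deduplicates repeats. The field names follow the TheHive 3 alert API as I know it (`title`, `description`, `type`, `source`, `sourceRef`, `severity`, `tlp`, `tags`, `artifacts` with `dataType`/`data`/`ioc`); verify them against your instance’s documentation. The URL and API key are placeholders and the input event is constructed.

```python
"""Turn an enriched feed hit into a TheHive alert with IOC-flagged observables.

Added example; not part of the talk or of TheHive. Field names follow the
TheHive 3 alert API (POST /api/alert) as I recall it; check your version.
THEHIVE_URL and API_KEY are placeholders. Input event is constructed.
"""
import hashlib
import json
import urllib.request

THEHIVE_URL = "http://thehive.example.internal:9000"   # placeholder
API_KEY = "REPLACE_ME"                                  # placeholder

DATATYPE = {"dst_ip": "ip", "domain": "domain", "sha256": "hash", "url": "url"}


def source_ref(source: str, event: dict) -> str:
    """Stable dedup key: TheHive refuses a second alert with the same (type, source, sourceRef)."""
    canon = json.dumps(event, sort_keys=True).encode()
    return hashlib.sha256(canon).hexdigest()[:16]


def build_alert(event: dict, ioc_hits: list, score: int, source: str = "siem-enrichment") -> dict:
    """Map an enrichment result to TheHive's alert schema.

    severity: 1 low, 2 medium, 3 high; the tiering score (0..4) is clamped
    into that range.  Every indicator that matched the feed becomes an
    artifact with ioc=True so it stays tracked as an IOC once the alert is
    promoted to a case; the internal source host is an observable, not an IOC.
    """
    severity = max(1, min(3, score))
    artifacts = [
        {"dataType": DATATYPE[kind], "data": value, "ioc": True,
         "message": f"matched IOC feed ({kind})", "tags": ["feed:low-fidelity"]}
        for kind, value in ioc_hits
    ]
    artifacts.append({"dataType": "ip", "data": event["src_ip"], "ioc": False,
                      "message": "internal source asset"})
    return {
        "title": f"IOC hit from {event['src_ip']} (score {score})",
        "description": "Low-fidelity indicator matched on a tiered asset; see observables.",
        "type": "ioc-feed-hit",
        "source": source,
        "sourceRef": source_ref(source, event),
        "severity": severity,
        "tlp": 2,                      # TLP:AMBER
        "tags": ["ti-enrichment", f"score:{score}"],
        "artifacts": artifacts,
    }


def post_alert(alert: dict) -> dict:
    """Send the alert and return TheHive's JSON response (needs network and a real key)."""
    req = urllib.request.Request(
        f"{THEHIVE_URL}/api/alert",
        data=json.dumps(alert).encode(),
        headers={"Authorization": f"Bearer {API_KEY}", "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed input mirroring what an enrichment step would hand over.
    ev = {"src_ip": "10.0.1.15", "dst_ip": "203.0.113.50", "domain": None}
    print(json.dumps(build_alert(ev, [("dst_ip", "203.0.113.50")], score=2), indent=2))
```

Keeping `sourceRef` a function of the event rather than of the time it was seen is what lets the SIEM re-emit the same hit on every batch without flooding TheHive with duplicate alerts.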

Page 23

Once you have these systems in place... test them!

Don’t wait for an incident to find out these systems don’t work for you:

• Use TTX (tabletop) or red team exercises

• Be specific. Rehearse scenarios that are applicable to your environment. Tell a story, document & drive change!

• Don’t be adversarial. The objective is not to win, but to learn & mature.

• Consider whether you’re prepared for fully unannounced exercises or whether hand-holding is required.

Page 24

MITRE Adversary Emulation Plan Methodology

https://attack.mitre.org/wiki/Adversary_Emulation_Plans

Page 25

Learn through simulation: Example

• Victim: HACME Software

• Operation name: Skeleton in the closet

• Objectives:

  • Exfiltration of documents

  • Target intellectual property (source code) in file shares

• Threat actor:

  • Angry Panda (Chinese group, behaves similarly to APT3)

• Initial entry point: phishing attack

• Other tactics: persistence (scheduled task), privilege escalation (weak NTFS permissions), lateral movement (Mimikatz & PsExec) and exfiltration (plain HTTP over port 443, not TLS)
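To make “test them” concrete, an added example (not from the talk, MITRE or any of the tools on the following slides) in Python: the emulation plan above is written down as steps, each with an ATT&CK ID and a predicate over telemetry, and the script reports which steps the collected telemetry evidences and which are coverage gaps. The same harness works for any plan, for instance the output of an Atomic Red Team run. The ATT&CK sub-technique IDs are my mapping of each step and should be checked against attack.mitre.org; the Sysmon-style and Zeek-style records are constructed, not captured.

```python
"""Check which steps of an adversary-emulation plan your telemetry actually detects.

Added example, not from the talk, MITRE or any listed tool. The plan mirrors
the "Skeleton in the closet" scenario; the ATT&CK sub-technique IDs are my
assumed mapping (verify on attack.mitre.org). Telemetry records are
constructed to look like Sysmon process/access events and Zeek connections.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed telemetry (not captured): Sysmon-like dicts ("id" = Sysmon event ID)
# and Zeek-like connection summaries.
TELEMETRY = [
    {"src": "sysmon", "id": 1, "host": "WS01", "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r"schtasks /create /sc minute /mo 5 /tn Updater /tr C:\Users\Public\u.exe",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"src": "sysmon", "id": 1, "host": "WS01", "image": r"C:\Users\Public\u.exe",
     "cmd": "u.exe", "parent": r"C:\Program Files\LegacyApp\svc.exe"},
    {"src": "sysmon", "id": 10, "host": "WS01", "target": r"C:\Windows\System32\lsass.exe",
     "granted": "0x1010", "source_image": r"C:\Users\Public\m.exe"},
    {"src": "sysmon", "id": 1, "host": "FS01", "image": r"C:\Windows\PSEXESVC.exe",
     "cmd": "PSEXESVC.exe", "parent": r"C:\Windows\System32\services.exe"},
    {"src": "zeek", "host": "FS01", "dst": "203.0.113.77", "port": 443,
     "service": "http", "bytes_out": 48_000_000},
]


@dataclass
class Step:
    name: str
    technique: str                        # ATT&CK ID (assumed mapping)
    evidenced_by: Callable[[dict], bool]  # True if the record evidences this step


def sysmon(ev: dict, eid: int) -> bool:
    return ev["src"] == "sysmon" and ev.get("id") == eid


def office_parent(ev):        # phishing: payload spawned by a mail/Office client
    return sysmon(ev, 1) and re.search(r"(WINWORD|EXCEL|OUTLOOK)\.EXE$", ev.get("parent", ""), re.I) is not None

def schtask_create(ev):
    return sysmon(ev, 1) and ev["image"].lower().endswith("schtasks.exe") and "/create" in ev["cmd"].lower()

def weak_perms_service(ev):   # service binary replaced by something in a world-writable path
    return sysmon(ev, 1) and ev.get("parent", "").lower().endswith("svc.exe") and "\\users\\public\\" in ev["image"].lower()

def lsass_access(ev):         # Mimikatz-style read of LSASS memory
    return sysmon(ev, 10) and ev["target"].lower().endswith("lsass.exe") and ev["granted"] == "0x1010"

def psexec_service(ev):
    return sysmon(ev, 1) and ev["image"].lower().endswith("psexesvc.exe")

def plain_http_on_443(ev):    # bulk plaintext HTTP where TLS is expected
    return ev["src"] == "zeek" and ev["port"] == 443 and ev["service"] == "http" and ev["bytes_out"] > 10_000_000


PLAN: List[Step] = [
    Step("phishing attachment",           "T1566.001", office_parent),
    Step("scheduled task persistence",    "T1053.005", schtask_create),
    Step("privesc via weak NTFS perms",   "T1574.010", weak_perms_service),
    Step("credential dumping (Mimikatz)", "T1003.001", lsass_access),
    Step("lateral movement (PsExec)",     "T1021.002", psexec_service),
    Step("exfil: plain HTTP over 443",    "T1048.003", plain_http_on_443),
]


def coverage(plan: List[Step], telemetry: List[dict]) -> Dict[str, List[str]]:
    """{technique: sorted hosts on which some record evidences the step} for every step."""
    return {s.technique: sorted({ev["host"] for ev in telemetry if s.evidenced_by(ev)}) for s in plan}


def gaps(plan: List[Step], telemetry: List[dict]) -> List[str]:
    """Plan steps with no detection: the backlog for the next purple-team iteration."""
    cov = coverage(plan, telemetry)
    return [s.name for s in plan if not cov[s.technique]]


if __name__ == "__main__":
    cov = coverage(PLAN, TELEMETRY)
    for step in PLAN:
        hosts = cov[step.technique]
        print(f"{step.technique:10} {'DETECTED' if hosts else 'MISSED  '} {step.name} {hosts}")
    print("gaps:", gaps(PLAN, TELEMETRY))
```

With the constructed telemetry the phishing step is the only gap (no process event shows a payload spawned by a mail or Office client), which is exactly the finding you would take back to the exercise report: either the endpoint did not log it, or the detection logic needs work.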

Page 26

More automation!! – Uber Metta

Uber’s Metta for adversarial simulation: https://github.com/uber-common/metta

Parses YAML files with actions organized by MITRE ATT&CK

Page 27

More automation!! – APT Simulator, RTA, Caldera and more

Florian Roth’s APT Simulator, a Windows batch script that makes a system look as if it was compromised: https://github.com/NextronSystems/APTSimulator

Other projects:

https://github.com/redcanaryco/atomic-red-team

https://www.endgame.com/blog/technical-blog/introducing-endgame-red-team-automation

https://github.com/mitre/caldera

Page 28

More automation!! – Unfetter Analytic

A community-driven suite of open source tools leveraging the MITRE ATT&CK framework.

It collects events with Sysmon from a client machine (Windows 7) and runs MITRE CAR (Cyber Analytics Repository) analytics against them to detect potential adversary activity.

This is not designed for production use. It’s meant to be used to experiment and learn.

https://iadgov.github.io/unfetter/

Page 29

More automation!! – Using the Empire RESTful API

https://github.com/mohlcyber/Empire-API-Automation by @mohlcyber

Page 30

Don’t spend too much time collecting and too little doing analysis

Intelligence is information that has been analyzed to answer a specific question.

Investigation playbook guides should be about capturing questions & hypotheses:

• Not a scripted set of procedures & actions

• But they should lead to actions/procedures

• Actions/procedures are product/company independent

Related work

• How Analysts Approach Investigations, by Chris Sanders

• Analysis of Competing Hypotheses, by Dick Heuer (CIA)

(Diagram of the investigative method: Observation → Hypothesis → Question → Answer → Conclusion)

Page 31

Using Markdown to write investigation guides

Markdown (MD) is a plain-text format

• It allows basic text formatting

• It can be converted to HTML & PDF

We have extended Markdown for iPBs (investigation playbooks)

• Question numbering, hierarchy & order

• Question linking & playbook modularity

• Tagging

• Implementation & reference tracking

• Enables collaboration on GitHub

Page 32

Capturing sections & metadata

Page 33

Capturing questions

(Screenshot annotations: Tagging · Implementation details · Question links · Question ID)

Page 34

Check out our spec on GitHub

https://github.com/Foundstone/InvestigationPlaybookSpec
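An added example, my own and not the Foundstone InvestigationPlaybookSpec (use that spec’s grammar for real playbooks), of what the features listed on slides 30 to 33 look like once a parser has to enforce them in Python: question IDs give hierarchy and order, `link:` lines cross-reference questions and must resolve, `tags:` lines make questions indexable, and `impl:` lines record which questions already have an implementation so the rest become the detection-engineering backlog. The heading and metadata syntax and the sample playbook are constructed for illustration.

```python
"""Parse a question-driven investigation playbook written in extended Markdown.

Added example. The syntax below is an illustrative one I made up to show the
ideas on the slides (question IDs, hierarchy, links, tags, implementation
references). It is NOT the Foundstone InvestigationPlaybookSpec grammar.
The sample playbook is constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE_PLAYBOOK = """\
# Playbook: Suspicious scheduled task

## Q1 Who created the task, and from what parent process?
tags: triage
impl: siem:sysmon-eid1-schtasks

### Q1.1 Is the parent an Office or mail client?
tags: phishing
link: Q3

## Q2 Does the task action point to a user-writable path?
impl: edr:query-task-actions
link: Q1.1

## Q3 Has this user or host been phished before?
tags: context, internal-intel
impl: tip:search-prior-cases
"""

HEADING = re.compile(r"^(#{2,})\s+(Q\d+(?:\.\d+)*)\s+(.+?)\s*$")   # "## Q1.2 text"
META = re.compile(r"^(tags|impl|link):\s*(.+?)\s*$")              # "tags: a, b"
ATTR = {"tags": "tags", "impl": "impl", "link": "links"}


@dataclass
class Question:
    qid: str
    text: str
    depth: int                      # "##" is depth 1, "###" depth 2, ...
    tags: List[str] = field(default_factory=list)
    impl: List[str] = field(default_factory=list)
    links: List[str] = field(default_factory=list)

    @property
    def parent(self) -> Optional[str]:
        return self.qid.rsplit(".", 1)[0] if "." in self.qid else None


def parse(md: str) -> Dict[str, Question]:
    """Return {qid: Question} in document order; raise ValueError on structural errors."""
    questions: Dict[str, Question] = {}
    current: Optional[Question] = None
    for line in md.splitlines():
        h = HEADING.match(line)
        if h:
            hashes, qid, text = h.groups()
            if qid in questions:
                raise ValueError(f"duplicate question id {qid}")
            current = Question(qid, text, len(hashes) - 1)
            questions[qid] = current
            continue
        m = META.match(line)
        if m and current is not None:
            key, val = m.groups()
            getattr(current, ATTR[key]).extend(v.strip() for v in val.split(","))
    validate(questions)
    return questions


def validate(questions: Dict[str, Question]) -> None:
    """Heading depth must match id nesting, and every link must resolve."""
    for q in questions.values():
        if q.parent is not None:
            if q.parent not in questions:
                raise ValueError(f"{q.qid}: parent {q.parent} missing")
            if questions[q.parent].depth != q.depth - 1:
                raise ValueError(f"{q.qid}: heading depth does not match id nesting")
        elif q.depth != 1:
            raise ValueError(f"{q.qid}: top-level question must use '##'")
        for target in q.links:
            if target not in questions:
                raise ValueError(f"{q.qid}: link to unknown question {target}")


def by_tag(questions: Dict[str, Question], tag: str) -> List[str]:
    """Question ids carrying a tag, in document order."""
    return [q.qid for q in questions.values() if tag in q.tags]


def unimplemented(questions: Dict[str, Question]) -> List[str]:
    """Questions with no implementation reference: the detection-engineering backlog."""
    return [q.qid for q in questions.values() if not q.impl]


if __name__ == "__main__":
    qs = parse(SAMPLE_PLAYBOOK)
    for q in qs.values():
        print("  " * (q.depth - 1) + f"{q.qid} {q.text}  tags={q.tags} impl={q.impl} links={q.links}")
    print("phishing:", by_tag(qs, "phishing"), "unimplemented:", unimplemented(qs))
```

Because the playbook is plain text, this validation is what you would run in CI on the GitHub repository the slide mentions: a pull request that renames a question or breaks a link fails before it reaches the analysts.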

Page 35

Good metrics tell a good story

• What is success for your program?

• That definition will change depending on your stakeholders’ goals. Identify them and choose metrics that report how the program is moving towards meeting those goals.

• Tactical: alerting, rule and signature development, triage, situational awareness, indicator and feed management in the TIP

• Operational: campaign tracking, identification of tools & tactics, IR support

• Strategic: architecture support, improving network defenses, risk management

Page 36

Conclusions

• Don’t get lost in the models, marketing or sales speech

• Put the focus on behavior-based methodologies vs. indicators

• Divide and conquer: create threat models for zones and tiers

• Don’t forget the context. It’s ALL about context

• Consume and PRODUCE intelligence

• Automate all the things, but don’t forget the analyst-in-the-loop

• Focus on good quality analysis, asking the right questions

• Choose good metrics that measure success and that “tell a story” that stakeholders care about. Drive continuous improvement!

Page 37

Send your feedback! - @aboutsecurity // Thank you!

Check out our public playbook spec on GitHub:

https://github.com/Foundstone/InvestigationPlaybookSpec

References

Ismael Valenzuela and Matias Cuenca-Acuna (McAfee), “The Need for Investigation Playbooks at the SOC”, SANS SOC Summit 2017. https://www.sans.org/summit-archives/file/summit-archive-1496695240.pdf

“Using Intelligence to Heighten Your Defense”, SANS CTI Summit 2017. https://www.youtube.com/watch?v=NRY5fKZDGVU&t=691s

Scott J. Roberts and Rebekah Brown, “Intelligence-Driven Incident Response: Outwitting the Adversary”, O’Reilly, 2017. https://www.amazon.com/Intelligence-Driven-Incident-Response-Outwitting-Adversary/dp/1491934948

John Strand, “How to Use Threat Intelligence”, Black Hills Information Security webcast. https://www.blackhillsinfosec.com/webcast-how-to-use-threat-intelligence/