Page 1: Cyber Threats and Security Operations Best Practices · 2016-04-27

1 © Mandiant, a FireEye Company. All rights reserved. CONFIDENTIAL

Cyber Threats and Security Operations Best Practices

Cory A. Mazzola, MScIA, CISSP, C|CISO, GPEN

Senior Manager, FireEye/Mandiant Consulting

Services

National Council of Postal Credit Unions

33rd Annual Conference

Page 2:

Agenda

Introduction

Trends in Mandiant Investigations in 2016

Threat Intelligence Update

Responding to the Threat: Advanced Cyber Defense

Q&A

Page 3:

Cyber Defense Consulting – who we are

Page 4:

Why Are Targeted Attacks Different?

IT’S A “WHO,” NOT A “WHAT”
- THERE’S A HUMAN AT A KEYBOARD
- HIGHLY TAILORED AND CUSTOMIZED ATTACKS TARGETED SPECIFICALLY AT YOU

THEY ARE PROFESSIONAL, ORGANIZED AND WELL FUNDED
- NATION-STATE SPONSORED
- ESCALATE SOPHISTICATION OF TACTICS AS NEEDED
- RELENTLESSLY FOCUSED ON THEIR OBJECTIVE

IF YOU KICK THEM OUT THEY WILL RETURN
- THEY HAVE SPECIFIC OBJECTIVES
- THEIR GOAL IS LONG-TERM OCCUPATION
- PERSISTENCE TOOLS ENSURE ONGOING ACCESS

Page 5:

Targeting Motivators

- CYBER ESPIONAGE: TARGETS THE DIB, MILITARY RESEARCH AND DEVELOPMENT ORGS, THINK TANKS, MFAs, AND GOVERNMENT AGENCIES
- COMMERCIAL ESPIONAGE: PRIVATE INDUSTRY TARGETING DUE TO TIES TO GOVERNMENT AND INTELLECTUAL PROPERTY
- DISRUPTION: DESTRUCTIVE ATTACKS THAT AIM TO DELETE INFORMATION AND/OR RENDER SYSTEMS INOPERABLE
- CYBERCRIME: MOTIVATED BY FINANCIAL GAIN - PRIMARY MISSION IS TO STEAL INFORMATION THAT CAN BE MONETIZED

Page 6:

TRENDS IN MANDIANT INVESTIGATIONS

Page 7:

Who is a Target?

Page 8:

How Compromises Are Being Detected

47% Internal 53% External

Page 9:

Days to Discovery

Page 10:

M-TRENDS: MEDIAN DAYS BEFORE DISCOVERY

Year   Median days
2011   416
2012   243
2013   229
2014   205
2015   146

Page 11:

M-TRENDS: INTERNAL DETECTION VS EXTERNAL NOTIFICATION

[Chart: share of compromises detected internally versus notified by an external party, per year 2011 through 2015; the per-year values are not recoverable from the transcript]

Page 12:

APT Phishing

Phishing Themes:
- Current Events 12%
- Delivery 15%
- Document 15%
- Invitation 3%
- IT & Security 36%
- Other 17%
- Translate 1%
- Video 1%

Days Victims Received Phishing E-mails:
[Chart: percentage of phishing e-mail by day of week the e-mail was sent, 0% to 35% scale; the per-day values are not recoverable from the transcript]

89% of Phishing Email sent on Weekdays

Majority of phishing emails were IT or security related, often attempting to impersonate the targeted company's IT Department or an anti-virus vendor

Page 13:

Defense Trends: 3 Common Challenges

- Credentials, in general
- Inability to detect targeted attacks
- Poor egress controls

Page 14:

Attacker Trends in 2016

RISE IN BUSINESS DISRUPTION ATTACKS

MASS TARGETING OF PERSONAL DATA

OUTSOURCED SERVICE PROVIDER ABUSE

ATTACKS ON ENTERPRISE NETWORKING DEVICES

Page 15:

INTEGRATED CYBER DEFENSE OPERATIONS

ENTERPRISE PROTECTION & RESPONSE

Page 16:

Cyber Defense Domains

Page 17:

Cyber Defense Framework

Page 18:

Security Operations Mantra

Our Mantra:

1. Combine traditional SOC and CIRT capabilities

2. Integrate Threat Intelligence

3. Enable live response and containment (at the endpoint)

- Access forensic data quickly for deeper analysis

- Leverage cyber threat intelligence for focused incident response and for containment strategies

- Integrate IOC hunting/sweeping capabilities

4. Implement use cases at each stage of the kill chain

5. Continuously improve analyst skills to increase utilization of technology

Our Goal: “Turn every incident into a 10min problem”

Page 19:

Functional Alignment

Page 20:

The Analyst Role(s)

The Cyber Defense Center is organized into teams that specialize in detection, response, and discovery for Use Cases mapped to the life cycle of an attack along the cyber kill chain.

Individual team members rotate among Detection, Response, and Discovery and may share responsibilities depending on the scope and intensity of threat activities. Accordingly, this approach enhances:

- Orientation and strategy
- Clarity and communications
- Shared learning and contribution
- Cross functional alignment
- Operational resilience in response to events and hostile risk environments

Page 21:

Draft Organizational Model

Cyber Defense Center
- Threat Detection: Event Analyst, Incident Analyst
- Threat Response: Incident Handler, Forensic Analyst
- Threat Intel: Intel Analyst
- Vulnerability Mgmt: Red Teaming, Vulnerability Assessment
- Security Engineering: Use Case Engineering, Technology Integration

Page 22:

CDC Workflow

Page 23:

Incident Response Process Framework

Incident Response Plan

- Roles & responsibilities, incident definitions, classification, severities, SLAs and KPIs

- Event vs. Alert vs. Incident

Communications Plan

- Internal and external

Escalation Matrix

- Who, what, where, when (time), how

Playbooks

- Repeatable triage, analysis and investigation procedures for each Use Case

Page 24:

Use Cases

• Detection / Triage (Alerting)

• Data Loss

• Malware

• Unauthorized Access

• DoS / DDoS

• Web Attack

• Ethical Hacking

• Cyber Hunting

• Tech Integration – SIEM Engineering

• Incident Response

• Incident Reporting

Page 25:

Incident Response Playbooks

• Detection / Triage (Alerting)

• Data Loss

• Malware (Targeted & Commodity)

• Unauthorized Access

• DoS / DDoS

• Web Attack

• Penetration Testing

• Data Spillage / Breach

• Insider Threat

• Database Activity Monitoring

Page 26:

Playbook Overview

Functional Roles

- Event Analyst

- Incident Analyst

- Incident Responder

- Security Team Manager

- Relevant Stakeholders

• Executives

• Network Operations

• System Owners

• Security Team Members/Stakeholders

• Security Incident Management & Response (SIMR)

Page 27:

Incident Response Plan

Executive Summary:

- Background, Mission, Scope & Goals

Assets, Threats & Severity Rating:

- Interbank Assets, Threats to Interbank, Severity Rating Guidelines

Incident Severity Ratings & Categories:

- Criteria for determining the severity of an incident and guidance for the appropriate category

Concept of Operations:

- Conceptual description of CDC mission areas, capabilities and functions

Roles & Responsibilities:

- CDC roles, duties and detailed descriptions

- Support roles and responsibilities (e.g., Service Desk)

Incident Response Process:

Appendices

Page 28:

Incident Response Process

Preparation:

- Establishing and training of CDC resources, acquiring necessary tools, and assessing risks

Identification:

- The process through which potentially adverse events are brought to the CDC’S attention, including assigning an initial severity rating, event category, incident role (lead or support), incident ID, assignments, and status updates

Triage:

- Confirming the validity of the initial alert and determining the initial response action

Investigation:

- Analyzing systems and information to determine the facts of a security incident

Remediation:

- Planning and executing activities to contain and eradicate the threat and recover from the incident

Post-Incident:

- Assessing and documenting lessons learned and improving capabilities to enhance the organization’s ability to prevent, detect, and respond to incidents
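The per-incident phases above, together with the severities, SLAs and escalation matrix that the Incident Response Process Framework slide calls for, can be enforced in a small incident record. The following Python is an added example written for this transcript, not code from the deck or from Mandiant; the severity names, the triage SLA minutes and the escalation contacts are assumed placeholders that a real incident response plan would define. Preparation is left out because it is organizational rather than per-incident state.

```python
"""Incident lifecycle record for the IR process phases on this slide.

Added example for this transcript, not code from the deck or from Mandiant.
The severity names, triage SLA minutes and escalation contacts below are
assumed placeholders; an organization's IR plan defines the real values.
"""
from datetime import datetime

# Per-incident phases, in order. Preparation is organizational and has no
# per-incident state, so it is not tracked here.
PHASES = ("Identification", "Triage", "Investigation", "Remediation", "Post-Incident")

# Assumed values: minutes allowed from identification to the end of triage.
SLA_TRIAGE_MINUTES = {"High": 15, "Medium": 60, "Low": 240}

# Assumed escalation matrix: who is told, and how / by when.
ESCALATION = {
    "High": ("Security Team Manager", "phone call, immediately"),
    "Medium": ("Incident Handler", "ticket, within the hour"),
    "Low": ("Event Analyst", "ticket, same business day"),
}


def ts(hour, minute):
    """Constructed timestamp helper for the examples (one fixed day)."""
    return datetime(2016, 4, 20, hour, minute)


class Incident:
    """One incident moving through Identification -> ... -> Post-Incident."""

    def __init__(self, incident_id, category, severity, role, opened_at):
        if severity not in SLA_TRIAGE_MINUTES:
            raise ValueError(f"unknown severity {severity!r}")
        if role not in ("lead", "support"):
            raise ValueError("incident role must be 'lead' or 'support'")
        self.id = incident_id
        self.category = category
        self.severity = severity
        self.role = role
        self.status = "open"
        # (phase, entered_at) pairs; every incident starts in Identification.
        self.history = [("Identification", opened_at)]

    @property
    def phase(self):
        return self.history[-1][0]

    def _check_open(self, when):
        if self.status != "open":
            raise ValueError(f"incident {self.id} is already {self.status}")
        if when < self.history[-1][1]:
            raise ValueError("phase timestamps must not go backwards")

    def advance(self, when):
        """Enter the next phase; advancing out of Post-Incident closes the incident."""
        self._check_open(when)
        idx = PHASES.index(self.phase)
        if idx + 1 < len(PHASES):
            self.history.append((PHASES[idx + 1], when))
        else:
            self.status = "closed"
            self.history.append(("Closed", when))
        return self.phase

    def close_false_positive(self, when):
        """Triage confirms the validity of the alert, so only Triage may discard it."""
        self._check_open(when)
        if self.phase != "Triage":
            raise ValueError("only Triage may close an alert as a false positive")
        self.status = "closed-false-positive"
        self.history.append(("Closed", when))
        return self.status

    def entered(self, phase):
        """Timestamp at which the incident entered a phase, or None."""
        for name, when in self.history:
            if name == phase:
                return when
        return None

    def triage_minutes(self):
        """KPI: minutes from identification until triage finished, None if not yet."""
        start = self.entered("Identification")
        end = self.entered("Investigation")
        if end is None and self.status == "closed-false-positive":
            end = self.entered("Closed")
        return None if end is None else (end - start).total_seconds() / 60

    def triage_sla_met(self):
        """True/False against the severity's triage SLA, None if triage is not finished."""
        minutes = self.triage_minutes()
        return None if minutes is None else minutes <= SLA_TRIAGE_MINUTES[self.severity]

    def escalation(self):
        """(who, how) from the escalation matrix for this severity."""
        return ESCALATION[self.severity]


if __name__ == "__main__":
    inc = Incident("INC-0001", "Malware", "High", "lead", ts(10, 0))
    for when in (ts(10, 5), ts(10, 12), ts(11, 0), ts(12, 0), ts(13, 0)):
        inc.advance(when)
    print(inc.status, inc.triage_minutes(), inc.triage_sla_met(), inc.escalation())
```

The record refuses phase skips, backwards timestamps and changes to a closed incident, and it only allows an alert to be discarded as a false positive during Triage, which is where the slide places validation of the alert. The triage KPI is what a team would report against the "10 minute problem" goal stated earlier in the deck.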

Page 29:

Incident Response Process Workflow

Page 30:

Threat Intelligence

Is this targeted?

Is this part of a larger campaign?

What’s the scale?

Who else is seeing this?

What are others saying?

Or is this an insider threat?

What are the TTPs?

How do you find them?

How do you remediate?

How do you share?

Page 31:

Hunting the network provides the capability to conduct proactive analysis to develop new IOCs

- Data mining historical data

- IOC Sweeps

A mature IOC capability includes:

- Dedicated individuals to design and build IOCs

- Develop and update IOCs regularly (IOC Editor)

- Processes and tools in place to actively check systems for IOCs

Post-incident, hunting assists in ensuring remediation and eradication activities were successful

Proactive Capabilities
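An IOC sweep of the kind this slide describes, as an added Python example that is not code from the deck or from Mandiant: a constructed IOC set (one file hash, one file name, one domain) is checked against a constructed endpoint file inventory and constructed historical web proxy and DNS log lines, hits are grouped per host, and a second sweep after remediation reports which hosts still match, which is the post-incident verification the last bullet mentions. Every host name, hash, domain and log format here is invented for the example.

```python
"""IOC sweep over endpoint inventory and historical proxy / DNS logs.

Added example for this transcript, not code from the deck or from Mandiant.
Every IOC value, host name and log line below is constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed IOC library: placeholder values, not real indicators.
IOCS = {
    "md5": {"0123456789abcdef0123456789abcdef"},
    "domain": {"update-check.example.net"},
    "filename": {"svchosts.exe"},
}

# Constructed endpoint file inventory: (host, path, md5).
ENDPOINT_INVENTORY = [
    ("WS-0142", r"C:\Windows\Temp\svchosts.exe", "0123456789ABCDEF0123456789ABCDEF"),
    ("WS-0142", r"C:\Windows\System32\svchost.exe", "ffffffffffffffffffffffffffffffff"),
    ("WS-0307", r"C:\Users\jdoe\AppData\Roaming\svchosts.exe", "aaaabbbbccccddddaaaabbbbccccdddd"),
]
# Constructed log lines: "<timestamp> <host> <method> <url> <status>" and
# "<timestamp> <host> <record type> <name>".
PROXY_LOG = [
    "2016-04-20T09:14:02Z WS-0142 GET http://update-check.example.net/ping 200",
    "2016-04-20T09:15:10Z WS-0501 GET http://www.example.org/ 200",
]
DNS_LOG = [
    "2016-04-20T09:13:59Z WS-0142 A update-check.example.net",
    "2016-04-20T11:02:31Z WS-0777 A update-check.example.net",
    "2016-04-20T11:03:00Z WS-0501 A www.example.org",
]

PROXY_RE = re.compile(r"^\S+ (\S+) \S+ https?://([^/\s:]+)")
DNS_RE = re.compile(r"^\S+ (\S+) \S+ (\S+)$")


def sweep_endpoints(inventory, iocs):
    """Match file hashes and file names; returns (host, ioc kind, value) hits."""
    hits = []
    for host, path, md5 in inventory:
        name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if md5.lower() in iocs["md5"]:
            hits.append((host, "md5", md5.lower()))
        if name in iocs["filename"]:
            hits.append((host, "filename", name))
    return hits


def sweep_logs(lines, pattern, iocs):
    """Match domains in historical log lines; malformed lines are skipped, not fatal."""
    hits = []
    for line in lines:
        match = pattern.match(line)
        if match is None:
            continue
        host, domain = match.groups()
        if domain.lower() in iocs["domain"]:
            hits.append((host, "domain", domain.lower()))
    return hits


def sweep_all(iocs, inventory, proxy_log, dns_log):
    """Run every sweep and group the hits per host: {host: {(kind, value), ...}}."""
    by_host = defaultdict(set)
    hits = (sweep_endpoints(inventory, iocs)
            + sweep_logs(proxy_log, PROXY_RE, iocs)
            + sweep_logs(dns_log, DNS_RE, iocs))
    for host, kind, value in hits:
        by_host[host].add((kind, value))
    return dict(by_host)


def verify_remediation(before, after):
    """Post-incident check: hosts that still match after remediation, and hosts
    that match now but did not before (possible missed scope or new activity)."""
    still = {host: after[host] for host in after if host in before}
    new = {host: after[host] for host in after if host not in before}
    return still, new


if __name__ == "__main__":
    for host, hits in sorted(sweep_all(IOCS, ENDPOINT_INVENTORY, PROXY_LOG, DNS_LOG).items()):
        print(host, sorted(hits))
```

Grouping per host matters more than the raw hit list: a host that matches on a hash, a file name and a domain together is a far stronger lead than any one of those alone, and the per-host view is also what the post-remediation comparison needs. Hashes and domains are normalized to lower case so a differently cased inventory entry does not slip past the sweep.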

Page 32:

TECHNOLOGY: INTEGRATION & OPERATIONS

Page 33:

What Challenges do we have?

Tools & Technology
- Lack endpoint detection
- No live response
- Data (event) overload
- Slow searches
- Rely on signature based detection
- Needle in a haystack

Incident Response
- No threat intel
- Lack of intel context
- No hunting
- Ability to quickly sweep & contain
- Leverage analytics and anomaly detection

Governance
- Wide mission
- Lack required skill sets
- Compliance burden
- R & R do not align with org model

Page 34:

CDC Framework – Technology & Infrastructure

Page 35:

Key Security Technologies

1. SIEM

2. Perimeter (Firewalls / Proxies)

3. IDS / IPS

4. DLP

5. Packet Capture

6. Malware Analysis

7. Forensics

8. Netflow

9. ?????

Page 36:

Top Data Sources

1. Advanced Threat Detection

2. Web Proxy

3. DNS / DHCP

4. VPN

5. Authentication

6. FW / Netflow

“The SIEM that Cried Wolf” - https://www2.fireeye.com/managing-cyber-security-alerts.html

Page 37:

STRATEGY & REPORTING

CYBER KILL CHAIN & EXECUTIVE ROADMAP

Page 38:

Use Cases

Mandiant implements use cases at each stage within the kill chain. This ensures complete visibility and allows the CDC to detect and respond to cyber threats earlier, in order to reduce exposure and loss.

Page 39:

Mapping the Technology Stack – Was it blocked at the proxy?

Page 40:

Integrated Cyber Security Roadmap

                       Phase 1     Phase 2     Phase 3
Time Frame             4 months    8 months    12 months
SIEM/Data Sources      5           10          20
People (Capacity)      50%         70%         95+%
Process                25%         75%         100%
Technology             45%         65%         80%
Detection Capability   25%         45%         95+%
Response Capability    20%         40%         90+%

Outcomes & Benefits / Deliverables (Phases 1 to 3):
- Service Catalog
- Mission Statement
- Gap Analysis – Observables
- Recommendations Report
- Proposed Organizational Model
- Draft Strategic Roadmap
- Physical SOC/CDC Requirements
- Incident Response Plan Workshop & Review
- Security Incident Classification
- Escalation & Notification Matrix
- Criticality Worksheet
- Use Case Workshops
- Map Use Cases to Cyber Kill Chain
- Develop Use Cases Library
- Incident Response Playbooks

Use Cases:
- Phase 1, 6 Operationalized Cases: Data Loss Protection; Detection (Alerting); Malware / Unauthorized Access; Ethical Hacking; Cyber Engineering - SIEM Support
- Phase 2, 12 Operationalized Cases: Detection / Triage; Incident Response; Incident Reporting; Cyber Hunting (MSSP); Ethical Hacking (P2); Web Attack / DoS
- Phase 3, 18 Operationalized Cases: Vulnerability Assessment; Threat Intelligence; E-Discovery; Forensics (Optional); Data Loss Prevention; Database Activity Monitoring; Cyber Engineering - Technologies

Page 41:

Phased Capability Approach

Page 42:

Questions?

Page 43:

THANK YOU

Contact: Cory Mazzola — [email protected]