1 © Mandiant, a FireEye Company. All rights reserved. CONFIDENTIAL
Cyber Threats and Security Operations Best Practices
Cory A. Mazzola, MScIA, CISSP, C|CISO, GPEN
Senior Manager, FireEye/Mandiant Consulting Services
National Council of Postal Credit Unions
33rd Annual Conference
Agenda
Introduction
Trends in Mandiant Investigations in 2016
Threat Intelligence Update
Responding to the Threat:
Advanced Cyber Defense
Q&A
Cyber Defense Consulting – who we are
Why Are Targeted Attacks Different?
- IT’S A “WHO,” NOT A “WHAT”: THERE’S A HUMAN AT A KEYBOARD; HIGHLY TAILORED AND CUSTOMIZED ATTACKS TARGETED SPECIFICALLY AT YOU
- THEY ARE PROFESSIONAL, ORGANIZED AND WELL FUNDED: NATION-STATE SPONSORED; ESCALATE SOPHISTICATION OF TACTICS AS NEEDED; RELENTLESSLY FOCUSED ON THEIR OBJECTIVE
- IF YOU KICK THEM OUT THEY WILL RETURN: THEY HAVE SPECIFIC OBJECTIVES; THEIR GOAL IS LONG-TERM OCCUPATION; PERSISTENCE TOOLS ENSURE ONGOING ACCESS
Targeting Motivators
- CYBER ESPIONAGE: TARGETS THE DIB, MILITARY RESEARCH AND DEVELOPMENT ORGS, THINK TANKS, MFAs, AND GOVERNMENT AGENCIES
- COMMERCIAL ESPIONAGE: PRIVATE INDUSTRY TARGETED DUE TO TIES TO GOVERNMENT AND INTELLECTUAL PROPERTY
- DISRUPTION: DESTRUCTIVE ATTACKS THAT AIM TO DELETE INFORMATION AND/OR RENDER SYSTEMS INOPERABLE
- CYBERCRIME: MOTIVATED BY FINANCIAL GAIN - PRIMARY MISSION IS TO STEAL INFORMATION THAT CAN BE MONETIZED
TRENDS IN MANDIANT INVESTIGATIONS
Who is a Target?
How Compromises Are Being Detected
47% Internal 53% External
Days to Discovery
M-TRENDS: MEDIAN DAYS BEFORE DISCOVERY
- 2011: 416
- 2012: 243
- 2013: 229
- 2014: 205
- 2015: 146
M-TRENDS: INTERNAL DETECTION VS EXTERNAL NOTIFICATION
[Chart: share of compromises detected internally vs. notified externally, by year: 2011, 2012, 2013, 2014, 2015]
APT Phishing
[Charts: Phishing Themes; Days Victims Received Phishing E-mails (x-axis: Day of Week Email was Sent; y-axis: 0% to 35%)]
Phishing Themes:
- Current Events 12%
- Delivery 15%
- Document 15%
- Invitation 3%
- IT & Security 36%
- Other 17%
- Translate 1%
- Video 1%
89% of phishing e-mail was sent on weekdays
The majority of phishing e-mails were IT or security related, often attempting to impersonate the targeted company’s IT department or an anti-virus vendor
Defense Trends: 3 Common Challenges
Credentials, in general
Inability to detect targeted attacks
Poor egress controls
Attacker Trends in 2016
RISE IN BUSINESS DISRUPTION ATTACKS
MASS TARGETING OF PERSONAL DATA
OUTSOURCED SERVICE PROVIDER ABUSE
ATTACKS ON ENTERPRISE NETWORKING DEVICES
INTEGRATED CYBER DEFENSE OPERATIONS
ENTERPRISE PROTECTION & RESPONSE
Cyber Defense Domains
Cyber Defense Framework
Security Operations Mantra
Our Mantra:
1. Combine traditional SOC and CIRT capabilities
2. Integrate Threat Intelligence
3. Enable live response and containment (at the endpoint)
- Access forensic data quickly for deeper analysis
- Leverage cyber threat intelligence for focused incident response and for containment strategies
- Integrate IOC hunting/sweeping capabilities
4. Implement use cases at each stage of the kill chain
5. Continuously improve analyst skills to increase utilization of technology
Our Goal: “Turn every incident into a 10min problem”
Functional Alignment
The Analyst Role(s)
The Cyber Defense Center is organized into teams that specialize in the detection, response, and discovery for Use Cases mapped to the life cycle of an attack along the cyber kill chain.
Individual team members rotate among the Detection, Response, and Discovery roles and may share responsibilities depending on the scope and intensity of threat activity. This approach enhances:
Orientation and strategy
Clarity and communications
Shared learning and contribution
Cross functional alignment
Operational resilience in response to events and hostile risk environments
Draft Organizational Model
Cyber Defense Center
Threat Detection
Event Analyst
Incident Analyst
Threat Response
Incident Handler
Forensic Analyst
Threat Intel
Intel Analyst
Vulnerability Mgmt
Red Teaming
Vulnerability Assessment
Security Engineering
Use Case Engineering
Technology Integration
CDC Workflow
Incident Response Process Framework
Incident Response Plan
- Roles & responsibilities, incident definitions, classification, severities, SLAs and KPIs
- Event vs. Alert vs. Incident
Communications Plan
- Internal and external
Escalation Matrix
- Who, what, where, when (time), how
Playbooks
- Repeatable triage, analysis and investigation procedures for each Use Case
Use Cases
• Detection / Triage (Alerting)
• Data Loss
• Malware
• Unauthorized Access
• DoS / DDoS
• Web Attack
• Ethical Hacking
• Cyber Hunting
• Tech Integration – SIEM Engineering
• Incident Response
• Incident Reporting
Incident Response Playbooks
• Detection / Triage (Alerting)
• Data Loss
• Malware (Targeted & Commodity)
• Unauthorized Access
• DoS / DDoS
• Web Attack
• Penetration Testing
• Data Spillage / Breach
• Insider Threat
• Database Activity Monitoring
Playbook Overview
Functional Roles
- Event Analyst
- Incident Analyst
- Incident Responder
- Security Team Manager
- Relevant Stakeholders
• Executives
• Network Operations
• System Owners
• Security Team Members/Stakeholders
• Security Incident Management & Response (SIMR)
Incident Response Plan
Executive Summary:
- Background, Mission, Scope & Goals
Assets, Threats & Severity Rating:
- Interbank Assets, Threats to Interbank, Severity Rating Guidelines
Incident Severity Ratings & Categories:
- Criteria for determining the severity of an incident and guidance for the appropriate category
Concept of Operations:
- Conceptual description of CDC mission areas, capabilities and functions
Roles & Responsibilities:
- CDC roles, duties and detailed descriptions
- Support roles and responsibilities (e.g., Service Desk)
Incident Response Process:
Appendices
Incident Response Process
Preparation:
- Establishing and training of CDC resources, acquiring necessary tools, and assessing risks
Identification:
- The process through which potentially adverse events are brought to the CDC’s attention, including assigning an initial severity rating, event category, incident role (lead or support), incident ID, assignments, and status updates
Triage:
- Confirming the validity of the initial alert and determining the initial response action
Investigation:
- Analyzing systems and information to determine the facts of a security incident
Remediation:
- Planning and executing activities to contain and eradicate the threat and recover from the incident
Post-Incident:
- Assessing and documenting lessons learned and improving capabilities to enhance the organization’s ability to prevent, detect, and respond to incidents
Incident Response Process Workflow
Threat Intelligence
Is this targeted?
Is this part of a larger campaign?
What’s the scale?
Who else is seeing this?
What are others saying?
Or is this an insider threat?
What are the TTPs?
How do you find them?
How do you remediate?
How do you share?
Proactive Capabilities
Hunting the network provides the capability to conduct proactive analysis to develop new IOCs
- Data mining historical data
- IOC sweeps
A mature IOC capability includes:
- Dedicated individuals to design and build IOCs
- Regular development and updating of IOCs (IOC Editor)
- Processes and tools in place to actively check systems for IOCs
Post-incident, hunting assists in confirming that remediation and eradication activities were successful
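As an added example, not part of the original deck and not Mandiant's IOC Editor or any FireEye tool: a minimal IOC sweep that checks constructed per-host artifact snapshots (filenames, hashes, DNS queries, autorun registry keys) against an indicator set, then re-sweeps after remediation to confirm eradication, the post-incident use described above. Every indicator value, host name and snapshot is a constructed assumption.

```python
"""IOC sweep over host artifact snapshots with a post-remediation re-sweep. Added
illustration (not Mandiant's IOC Editor or any FireEye tool); all values are constructed."""
from dataclasses import dataclass, field

@dataclass
class HostSnapshot:  # artifacts collected from one endpoint
    name: str
    files: list = field(default_factory=list)        # (filename, md5) pairs
    dns_queries: list = field(default_factory=list)  # queried domain names
    run_keys: list = field(default_factory=list)     # autorun registry keys

# Indicator set keyed by artifact type; hash, domain and key are placeholders.
IOCS = {
    "filename": {"svchosts.exe"},
    "md5": {"0123456789abcdef0123456789abcdef"},
    "domain": {"update-check.invalid"},
    "run_key": {r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
}

def _norm(value):
    # Paths, registry keys and DNS names are case-insensitive; a trailing dot only marks a FQDN.
    return value.lower().rstrip(".")

def sweep(hosts, iocs=IOCS):
    """Return {host name: sorted [(ioc_type, value), ...]} for hosts with hits."""
    wanted = {t: {_norm(v) for v in vals} for t, vals in iocs.items()}
    hits = {}
    for host in hosts:
        found = set()
        for fname, md5 in host.files:
            for kind, value in (("filename", fname), ("md5", md5)):
                if _norm(value) in wanted[kind]:
                    found.add((kind, _norm(value)))
        found |= {("domain", _norm(d)) for d in host.dns_queries if _norm(d) in wanted["domain"]}
        found |= {("run_key", _norm(k)) for k in host.run_keys if _norm(k) in wanted["run_key"]}
        if found:
            hits[host.name] = sorted(found)
    return hits

def remediation_gaps(before_hits, after_hits):
    """Hosts still matching after remediation: eradication was not complete."""
    return sorted(set(before_hits) & set(after_hits))

# Constructed fleet views before and after remediation (ws02's autorun key survived).
BEFORE = [
    HostSnapshot("ws01", files=[("SVCHOSTS.EXE", "0123456789ABCDEF0123456789ABCDEF")], dns_queries=["update-check.invalid."]),
    HostSnapshot("ws02", run_keys=[r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"]),
    HostSnapshot("ws03", files=[("notepad.exe", "ffffffffffffffffffffffffffffffff")]),
]
AFTER = [HostSnapshot("ws01"), HostSnapshot("ws02", run_keys=BEFORE[1].run_keys), HostSnapshot("ws03")]
```

Running `remediation_gaps(sweep(BEFORE), sweep(AFTER))` reports ws02, which still carries the indicator after cleanup and needs another remediation pass.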
TECHNOLOGY:
INTEGRATION & OPERATIONS
What Challenges do we have?
Tools & Technology
- Lack endpoint detection
- No live response
- Data (event) overload
- Slow searches
- Rely on signature-based detection
- Needle in a haystack
Incident Response
- No threat intel
- Lack of intel context
- No hunting
- Ability to quickly sweep & contain
- Leverage analytics and anomaly detection
Governance
- Wide mission
- Lack required skill sets
- Compliance burden
- Roles & responsibilities (R&R) do not align with org model
CDC Framework – Technology & Infrastructure
Key Security Technologies
1. SIEM
2. Perimeter (Firewalls / Proxies)
3. IDS / IPS
4. DLP
5. Packet Capture
6. Malware Analysis
7. Forensics
8. Netflow
9. ?????
Top Data Sources
1. Advanced Threat Detection
2. Web Proxy
3. DNS / DHCP
4. VPN
5. Authentication
6. FW / Netflow
“The SIEM that Cried Wolf” - https://www2.fireeye.com/managing-cyber-security-alerts.html
STRATEGY & REPORTING
CYBER KILL CHAIN & EXECUTIVE ROADMAP
Use Cases
Mandiant implements use cases at each stage within the kill chain.
This ensures complete visibility and allows the CDC to detect and respond to
cyber threats earlier, in order to reduce exposure and loss.
Mapping the Technology Stack – Was it blocked at the proxy?
Integrated Cyber Security Roadmap
Phase 1 / Phase 2 / Phase 3
Time Frame: 4 months / 8 months / 12 months
Outcomes & Benefits / Deliverables (in roadmap order, Phase 1 through Phase 3):
- Service Catalog
- Mission Statement
- Gap Analysis – Observables
- Recommendations Report
- Proposed Organizational Model
- Draft Strategic Roadmap
- Physical SOC/CDC Requirements
- Incident Response Plan Workshop & Review
- Security Incident Classification
- Escalation & Notification Matrix
- Criticality Worksheet
- Use Case Workshops
- Map Use Cases to Cyber Kill Chain
- Develop Use Cases Library
- Incident Response Playbooks
Use Cases:
- Phase 1, 6 Operationalized Cases: Data Loss Protection; Detection (Alerting); Malware / Unauthorized Access; Ethical Hacking; Cyber Engineering - SIEM Support
- Phase 2, 12 Operationalized Cases: Detection / Triage; Incident Response; Incident Reporting; Cyber Hunting (MSSP); Ethical Hacking (P2); Web Attack / DoS
- Phase 3, 18 Operationalized Cases: Vulnerability Assessment; Threat Intelligence; E-Discovery; Forensics (Optional); Data Loss Prevention; Database Activity Monitoring; Cyber Engineering - Technologies
SIEM/Data Sources: 5 / 10 / 20
People (Capacity): 50% / 70% / 95+%
Process: 25% / 75% / 100%
Technology: 45% / 65% / 80%
Detection Capability: 25% / 45% / 95+%
Response Capability: 20% / 40% / 90+%
Phased Capability Approach
Questions?
THANK YOU
Contact: Cory Mazzola — [email protected]