Brksec 2043

Designing for Scale to
Enhance Defense, Detection

& Response
Sean Mason
Director, Incident Response
BRKSEC-2043
Cisco Spark
Questions?
Use Cisco Spark to chat with the
speaker after the session
How
1. Find this session in the Cisco Live Mobile App
2. Click Join the Discussion
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
Cisco Spark spaces will be cs.co/ciscolivebot#BRKSEC-2043

available until July 3, 2017.
2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Agenda
Introduction
Integrated Threat Defense
Complexity
Integration, Consolidation, & Automation
IR Landscape
Threat Landscape
IR Fundamentals
Containment, Collection & Analysis
Staying Prepared
Intel Highlights
Deep Dive: Objectifying Cyber Intel Indicators
Measuring Incident Response
Closing Thoughts
Sean Mason www.SeanMason.com @SeanAMason
Florida resident
Developer for 10 years
IR for 10 years
7 certifications
ISC2 SME
BS & MBA
Career Highlight: Briefing Jeff

Immelt & The Board of GE at 30
Rock in NYC
Integrated Threat
Defense Foundation
Management
Management
Workflow
Workflow
RT IMS
HIPS
automated & manual

automated & manual
automated
ESA
External SSH
IDB Single Pane
IPS Suspect
SIEM InternalSSH
Management
Management
Knowledge
Knowledge
Wiki Repo 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Attackers Are Easily Exploiting & Bypassing Point Solutions
Antivirus
VPN
NGFW
Email
IAM IDS
Firewall
Malware
Sandbox
NGIPS
Data
Attackers Are Easily Exploiting & Bypassing Point Solutions
Antivirus
VPN
NGFW
Email
IAM IDS
Firewall
Malware
Sandbox
NGIPS Time to detection:

Data
200 Days
Only an Integrated Threat Defense Can Keep Pace
Reduce Time to :
-Detection
-Containment
-Mitigation
-Response
Systemic Response
Data
Integrated Threat Defense Architecture
Visibility Control Intelligence Context
Faster Time to Detection, Faster Time to Remediate
BRKSEC-2043 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 11
Complexity
Fragmented Security Market
Complexity Fragmentation
45+ 558
Security Vendors for Security Vendors
Some Customers 2017 RSAC
(450 : 373)
Increase in Capabilities
Over time, adding incremental
solutions has plateauing capabilities
Adding on Complexity
At the cost of additional complexity
Goal for Effective Security
Integration,
Consolidation,
& Automation
The Path to Effective IR Requires
Integration Consolidation Automation
82% realize they need an
integrated security architecture
Starting with something like this
Third Party Solutions
Telemetry Enrichment
Sources
NW DDoS Hosted WAF
Feeds
Web Tools Service
Protections
Management
NGFW
Ticketing
Monitoring Investigation
NGIPS SIEM
Log Mgmt
CMDB
Linux Open
Source Tools
Log
Collector Training
Platform
Antimalware
Web
Proxies
Cloud Services
Collab Tool
Vuln Scan
Wiki IM Virtualized
Infrastructure
Email Sec
Communications, Collaboration and other IT Systems
Evolving to this
Intelligence Platforms Intel and Enrich
Telemetry and Third Party Solutions
Threat Threat Intel
Other Data Intelligence Providers
Service
Sources Provider
Solutions Malware AV Intel
Analysis Providers
Log
Enrichment
Management
Monitoring & Response Investigation Providers*
Security
Native Security Case
Logs Management
Monitoring, Service
Analytics and Digital Management
Other Sources Response Suite Forensics
Tools
Ticketing
Breach
Knowledge
Remediation Base
Cyber Security Comm &

Controls Internal
Collab Apps Training
Infra Cloud Platform
Infra
Other Wiki
Infrastructure
Communications and Infrastructure Under
Collaboration Systems Investigation
Consolidation
Also, Ive seen a looooooooooooong list of vendors that are a feature an

engine to match TI to logs/flows [SIEM does this, even if not yet at scale], UBA
for one particular use case, web proxy log analyzer [because, dude, proxy logs
are SO important! :-)], etc. Sorry, but these products are all destined to die, and
maybe the lucky few are to be acquired by larger vendors missing exactly that
one feature - Dr. Anton Chuvakin, Gartner
Features?
Prevention & Detection Scenarios
Act on
Recon Weaponization Deliver Exploitation Installation C2
Objectives
File File Behavior Behavior Code Binary Code Behavior Behavior

File - Name File - Path File Win Registry Key Win Process Win Registry Key
Win Process
URI Domain Name URI - URL File - Path File Win Registry Key
Win Registry Key Win Service
File - Name File - Name File
URI URL File File
URI- Domain Name URI Domain Name URI Domain Name
HTTP - GET File - Path File - Path
URI - URL
HTTP UA String URI URL File - Name URI - URL File - Name
HTTP - POST
Address e-mail Hash MD5 URI Domain Name HTTP - GET URI Domain Name
Email Header - Subject
Address ipv4-addr Hash SHA1 HTTP - POST
URI - URL URI URL
Email Header X-Mailer Address cidr HTTP UA String
HTTP - GET Hash MD5
Address ipv4-addr Hash MD5
Hash MD5 HTTP UA String Hash SHA1
Hash SHA1
Hash SHA1 Hash MD5 Address ipv4-addr
Address e-mail
Address e-mail Hash SHA1
Address ipv4-addr
Address ipv4-addr Address e-mail
Address ipv4-addr
Created by David Bianco, GE-CIRT

Platform Strengths (ex. IDS)
Act on
Objectives
File - Name File - Path File Win Registry Key Win Process Win Process Win Registry Key
URI Domain Name URI - URL File - Path File Win Registry Key Win Registry Key Win Service
URI URL File - Name File - Name File File File
HTTP - GET URI- Domain Name URI Domain Name File - Path URI Domain Name File - Path
HTTP UA String URI - URL URI URL File - Name URI - URL File - Name
Address e-mail HTTP - POST Hash MD5 URI Domain Name HTTP - GET URI Domain Name
Address ipv4-addr Email Header - Subject Hash SHA1 URI - URL HTTP - POST URI URL
Email Header X-Mailer Address cidr HTTP - GET HTTP UA String Hash MD5
Hash MD5 Address ipv4-addr HTTP UA String Hash MD5 Hash SHA1
Hash SHA1 Hash MD5 Hash SHA1 Address ipv4-addr
Address e-mail Hash SHA1 Address e-mail
Address ipv4-addr Address e-mail Address ipv4-addr
Address ipv4-addr
Notes:
Security solutions are able to investigate, analyze and monitor this indicator type
Security solutions are unable to track this indicator type. These areas represent gaps Created by David Bianco, GE-CIRT
Aggregated View
Act on
Objectives
File - Name File - Path File Win Registry Key Win Process Win Process Win Registry Key
URI Domain Name URI - URL File - Path File Win Registry Key Win Registry Key Win Service
URI URL File - Name File - Name File File File
HTTP - GET URI- Domain Name URI Domain Name File - Path URI Domain Name File - Path
HTTP UA String URI - URL URI URL File - Name URI - URL File - Name
Address e-mail HTTP - POST Hash MD5 URI Domain Name HTTP - GET URI Domain Name
Address ipv4-addr Email Header - Subject Hash SHA1 URI - URL HTTP - POST URI URL
Email Header X-Mailer Address cidr HTTP - GET HTTP UA String Hash MD5
Hash MD5 Address ipv4-addr HTTP UA String Hash MD5 Hash SHA1
Hash SHA1 Hash MD5 Hash SHA1 Address ipv4-addr
Address e-mail Hash SHA1 Address e-mail
Address ipv4-addr Address e-mail Address ipv4-addr
Notes: Address ipv4-addr

Security solutions are able to investigate, analyze and monitor this indicator type
Security solutions are unable to track this indicator type. These areas represent gaps Created by David Bianco, GE-CIRT
Coverage Gaps
Act on
Objectives
HTTP UA String File Email Header - Subject Hash MD5
File - Path Email Header X-Mailer Hash SHA1
URI - URL
Created by David Bianco, GE-CIRT

IR
INTERNET IR
AMP
HERE AMP
HERE
FIREPOWER HERE
AMP 4 FP
AMP
LANCOPE & HERE
AMP AMP Off-net
AMP
AMP AMP
AUTOMATION
HQ Roaming
Intelligence collected &
HERE
HERE stored at the Talos level
HERE
Signatures created &
pushed out globally
FIREPOWER
FIREPOWER
AMP AMP
Maximum coverage across
AMP AMP the environment quickly
Branch
Branch BRKSEC-2043 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 31
IR Landscape
The Evolution of IR
IR
IR Evolution & Maturity
Ad-hoc Maturing Strategic
Maturity
Dedicated
Level As Needed Part-Time Full-Time SOC/IR+ Fusion
CMM Equivalent Initial Repeatable Defined Managed Optimized
0 individuals Part time resources Handful of individuals Larger teams 15-100+
People
Specialization Formal roles May include MSS Dedicated Intel, SOC,

Shifts (possible 24x7) and IR Teams
Chaotic and relying on Situational run books; Requirements and Process is Processes are
individual heroics; some consistency Workflows measured via constantly improved,
reactive Email-based documented as metrics automated, and
Process
General purpose run- processes standard business Some automation optimized

book process Minimal Threat Broad Threat sharing
Existing IR Tribal knowledge Some improvement Sharing Hunt teams
Capabilities over time Shift turnover
SLAs
AV SIEM Continuous Monitoring Malware Analysis Intel+IR Drives

Firewalls Sandboxing Endpoint Forensics Additional Security Program
Technology
IDS/IPS Tactical Intelligence Intelligence Focus on Integrations

Some Integration Multiple Intelligence
Types
Coordination with
Physical Security
Threat Management Maturity, Sean Mason

bit.ly/IRMaturity
Ad-hoc: IR
Maturing: IR Process View
Contain &
Detect
Collect
Remediate Analyze
Strategic: Integrated Intel-driven risk mitigation
Prevention
Tactical Intel
Sources
Detection
Intel Analysis
Triage Response Lessons

Strategic Intel Hunting Learned
Analysis
Other Containment
Functions
Collection
IR Process Today, Sean Mason bit.ly/IRProcessImg
Upfront Reality
You will get breached
Prevention is not a panacea
Detection is an absolute must
Speed to discovery and containment are critical
Intel isnt just for spies
Threat Landscape
Mental Anchors
Dynamic Threats
Cyber State
Nuisance Hacktivism Insiders
Crime Sponsored/APT
Access & Defamation, Revenge, Destruction, Economic, Political

Financial
Objective Propagation Destruction, Press & Monetary Gain Gain Advantage, Destruction
Policy
Botnets & Spam Website Destruction, Credit Card Theft Intellectual Property
Example Defacements, DDOS Theft Theft, DDOS
Skill Low Low - Med Med High Very High
Sensitive Access to the Network, Intellectual Credit Card Data, Intellectual Property,
Potential Information,
Vulnerable Data
Compromising
Information
Property, Personal Negotiation,
Compromising Identifiable National Intelligence
Data Information Information, Health
Targets Records
General Malware Syrian Electronic Army, Jimmy, Suzy, Sally, Russian Business APT1, Energetic
Named LizardSquad,
Anonymous
Johnny Network (RBN) Bear
Actors
IR Fundamentals
Leadership
Credibility
Trust
Rapport
Consistency
IR Basics
Who is needed for wing-to-wing IR? Name Role Phone #
(think outside security) Ray Incident Coordinator 555-2368
Danny Incident Coordinator 555-0840
Who is on-call and when? (consider Kate Network Team 606-0842
Holidays) Jenny AD Team 867-5309

Alicia CISO 489-4608
Pre-built DLs for e-mails and info Mike Incident Response 330-281-8004
Emily CIO 212-664-7665
Thinkthrough basics: Philip Legal Counsel 818-775-3993
Ramona Public Relations 212-664-7665
Phones, chat rooms, conference lines
Business Leaders?
(2+), and remote access Law Enforcement?
Documentation
Combination of platforms
Wiki
Process platforms
Collaboration (e.g. Box,
Dropbox)
Flexibility is key
Track details on incidents
Allow for dynamic process
updates
Runbooks
RACI
Who does what? (think outside security)

Set expectations
Helps define process
Incident Severities
Define a common lexicon for incidents
Rating Impact Description
Breach 1 1 Intruder has exfiltrated sensitive data or is suspected of exfiltrating sensitive data based on volume, etc.
Breach 2 2 Intruder has exfiltrated non-sensitive data or data that will facilitate access to sensitive data
Breach 3 3 Intruder has established command and control channel from asset with ready access to sensitive data
Cat 1 4 Intruder has compromised asset with ready access to sensitive data
Cat 2 5 Intruder has compromised asset with access to sensitive data but requires privilege escalation
Cat 3 6 Intruder is attempting to exploit asset with access to sensitive data
Cat 6 7 Intruder is conducting reconnaissance against asset with access to sensitive data
Vuln 1 8 Intruder must apply little effort to compromise asset and exfiltrate sensitive data
Vuln 2 9 Intruder must apply moderate effort to compromise asset and exfiltrate sensitive data
Vuln 3 10 Intruder must apply substantial effort to compromise asset and exfiltrate sensitive data
Simplified & Flexible

Focus more on capability
Rating Description Response/Containment
Severity 0 Intruder has exfiltrated sensitive data or is currently inside network. DDOS that has impacted availability. 1 hour
Malware outbreak.
Severity 1 Indicators show that an intruder is attempting to gain a foothold or has attained an initial foothold on the 4 hours
network. DDOS that has the potential to impact availability. Malware causing disruption.
Severity 2 Compromised machine (General Malware) 72 hours
Communication
Communicate broadly, engage others
Communication template, rhythm and formats
Mobile technology and speed of information
Incident Severity Communications Rhythm Audience
Grave (KC7) Within 1hr Conf. Call COO
2x Daily Conf. Call CSO
COB Daily E-mail CIO
General Counsel
Director of PR
CISO
Director of IR
Chief Security Architect
Significant (KC6) Within 1hr E-mail CISO
COB Daily E-mail Director of IR
Chief Security Architect
Benign (KC1-5) As needed or upon escalation Director of IR
Security Manager
Internal Communications
Containment,
Collection &
Analysis
Containment & Collection
Who can access compromised

devices?
How will you track down the
devices?
When do you contain?
Who makes the containment call?
What method(s) will you use?
How will you collect data?
Focus on IR Fundamentals: Containment, Sean Mason

BRKSEC-2043 bit.ly/IRContainment
2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 52
Analysis
Where are logs? Do you aggregate logs?
Does the team have access to the compromised logs & devices?
Preserve forensic evidence
Who is properly trained to do the forensics? Do they have tools?
Volatility
Analysis Infrastructure
Analysis Servers (CPU + RAM)

Cisco UCS-C240
2.3GHz, 18 cores
200GB RAM
Storage (TB/PBs)
ResponderLaptops
MBP & Custom Gaming
Whats in Your IR Go-Bag?, Shelly Giesbrecht

bit.ly/IRGoBag
Staying
Prepared
Lessons Learned
Kill Chain Actor Action Failure Mode Mitigation Action
Reconnaissance Potential gaps in threat tool &

Used commercial web scanner Establish detection capability
scanning capability
Weaponization
Delivery SQLI on vulnerable ASP page to Could not detect SSL traffic; Explore Secure Development &
gain admin access vulnerable to SQLI Application Security Assessments
Exploitation
Installation Failure to restrict file upload types

IIS web service used to upload Explore Secure Development &
or configure web server to not
web shell Application Security Assessments
execute uploaded files
C2 Used web shell on initially
Could not detect SSL traffic
compromised host
Actions on Intent Accessed info.txt which held Management scripts failed to Scripts retired and environment
admin account information delete info.txt after running scanned
Intelligence-Driven Computer Network Defense Informed by Analysis of

Adversary Campaigns and Intrusion Kill Chains, Lockheed Martin
bit.ly/KillChain
Recurring Testing
Paper Test Ensure all documentation,

templates, etc are properly updated.
Table Top Exercise Verbally walking
through a number of different IR
scenarios.
Simulated Incident A more invasive
test that leverages a Red Team to
simulate an attack (or utilize existing
malware samples). Allows for a more
comprehensive test of IR.
Table Top Exercises for IR, Sean Mason

bit.ly/IRExercises
Threat Hunting
The practice of proactively reviewing data to search for
signs of an attacker which may have evaded previous
detection.
1. Am I compromised?
2. Identifies exploitation of control gaps
3. Reduces attack surface
4. Reduces dwell/exposure time
5. New detection methods to find internal and external attackers
Great resource for more reading: http://www.threathunting.net/
A Hunting We Will Go, Sean Mason

bit.ly/IRHuntingSM
Intel
Highlights
Kill Chain (KC)
KC1- Reconnaissance:
Recon Collecting information about the
target organization
Weapon- KC2- Weaponization: Packaging

the threat for delivery
ization
KC3- Delivery: Transmission of the

Delivery weaponized payload
KC4- Exploitation: Exploiting

Exploitation vulnerabilities on a system
KC5- Installation: Installing

Installation malware on a target
KC6- Command & Control:

C2 Providing hands on the keyboard
access to the target system
Actions on KC7- Actions on Intent: The

attacker achieves their objective
Intent (e.g. stealing information)

bit.ly/killchain
Structured Intel Storage & Analysis
Deep Dive:
Objectifying Cyber
Intel Indicators
Indicator Reality
Indicators
Time
Current State
Confidence & Impact
Confidence Impact Weighting
High High High/High
High Medium High/Medium
High Low High/Low
Medium High Medium/High Confidence The quality and quantity of the information
Medium Medium Medium/Medium Impact - What level of impact this Indicator will have on
your organization if it is detected
Medium Low Medium/Low
Low High Low/High
Low Medium Low/Medium
Low Low Low/Low
Areas to Objectify
1. Threat Actors
Threat Actor Target Incidents Identified Objective Weighting
Unicorn Spider Medical Device IP 42 10
Mutant Turtles Medical Device IP 18 10
Soccer Ball PHI Data 2 6
Xfit One Credit Card Data 0 1
Roger Rabbit Hacktivism 0 1
2. Source
Source Incidents Identified False Positive Alert % Objective Weighting
Internal 42 24% 10
Vendor A 18 67% 8
Government 2 89% 4
Vendor B 0 88% 2
Your best source of intel should be the ones you earned on the battlefield.
3. Kill Chain Phase
Kill Chain Phase Objective KC1- Reconnaissance:
Recon Collecting information about the
Weighting target organization
KC7 Action on Intent 10 Weapon- KC2- Weaponization: Packaging

the threat for delivery
ization
KC6 C2 10
KC3- Delivery: Transmission of the
Delivery weaponized payload
KC5 - Installation 8
KC4- Exploitation: Exploiting
Exploitation vulnerabilities on a system
KC4 - Exploitation 7
KC5- Installation: Installing

KC3 - Delivery 6 Installation malware on a target
KC2 - Weaponization 1 KC6- Command & Control:

C2 Providing hands on the keyboard
access to the target system
KC1 - Reconnaissance 2
Actions on KC7- Actions on Intent: The
attacker achieves their objective
Intent (e.g. stealing information)

bit.ly/killchain
4. Indicator Age
Indicator Age Objective Weighting
0-3 months 10
3-6 months 8
6-12 months 6
12-24 months 4
24+ months 2
5. Past Performance
Incidents Identified False Positive Ratio Objective Weighting
2+ - 10
1 - 9
0 - 5
0 10-50%+ 7
0 90%+ 2
6. Pyramid of Pain
Pyramid Level Objective Weighting
Network/Host Artifacts 8
Domain Names 5
IP Addresses 4
Hash Values 1
The Pyramid of Pain, David Bianco

http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
Scoring
Formula
1. Decide weighting for each category
2. Model multiple weights
3. There is no perfect solution
Objective Rating = .25TA + .25S + .2KC + .05Age + .15P + .1PoP
Objective Ratings
Indicator Threat Source Kill Chain Indicator Performance Pyramid Formula Objective
Actor Date of Pain Rating
Badguy.com Unicorn Internal KC7 - AOI 12-24 2+ Incidents Domain ObjRat = 9.5
Spider months Name .25x10+.25x
10+.2x10+.0
5x10+.15x1
0+.1x5
6b4475ce9f Mutant Vendor A KC4 - 12-24 0 incidents Hash ObjRat = 6.95
9c5c4b9d2e Turtles Exploitation months .25x10+.25x
7edc8bdbf8 8+.2x7+.05x
49 4+.15x5+.1x
1
1.2.3.4 Xfit One Government KC6 C2 6-12 months 2+ incidents IP Address ObjRat = 5.25
.25x1+.25x4
+.2x9+.05x6
+.15x10+.1x
4
sdra64.exe Soccer Ball Vendor B KC5 - 24+ months 90% FP Host ObjRat = 4.8
Installation Artifact .25x6+.25x2
+.2x8+.05x2
+.15x2+.1x8
Extra Credit
Dont just stop using math with indicators
How much does it cost to run my SOC per minute?

$3M cost 526,000 minutes = $5.71/minute
What does the average alert cost me to resolve?

$5.71 cost X 8 minutes = $45.68/alert
How many alerts can I handle a year?

$3M cost $45.68/alert = 65,674 alerts per year
Final Thoughts
Objectify your indicators!
Focus on what is important to your organization
Take the math further; know what you can actually handle
Leverage data for resourcing conversations
Be creative! For example, rotate your indicators

Measuring
Incident
Response
IR Measured Cycle Times
Event (Event Time)
Event
Triage (Detect Time)

Dwell Time Event
How fast did we
Analysis find it?
Report (Report Time)

Report
IR Actions (Contain Time) How fast did we

Contain Time
Contain respond to it?
Business Impact Time
Remediation (Remediation Time)
Remediate
How fast did we
fix it?
Incident Response Metrics, Sean Mason

bit.ly/IRMetrics
Dwell & Contain
Dwell Time Avg Time to Contain
400 40
350 35
300 30
250 25
200 20
150 Days 15 Hours
100 10
50 5
0 0
Monthly Contain Time

20 Outliers!
15
10
5 Incidents
0

Hours bit.ly/IRMetrics
Intel & Detection
Detection Success Intel Source Success
120 100% 120 100%
100 80% 100 80%
80 80
60% False Positives 60% False Positives
60 60
40% Incidents 40% Incidents
40 40
Success Rate 20% Success Rate
20 20% 20
0 0%
0 0%
SIEM IDS DLP Users AV MIR In-House Talos Vendor1 Vendor2
Incident Detection
20 100%
80%
15
60%
10 Incidents
40% % of Incidents
5
20%
0 0%
SIEM IDS DLP Users AV MIR
bit.ly/IRMetrics
Closing
Thoughts
Organizational Sustainability & Elasticity
There simply isnt enough talent
Dont hire all Senior talent
Quit complaining- go do something!
Outsource
Develop a pipeline of students & interns
Dont be a school snob
Help schools design their InfoSec programs!
https://www.iad.gov/nietp/reports/current_cae_designated_institutions.cfm
Provide opportunities both ways
Give your mid-level folks opportunities
Bring in talent outside of Incident Response
Final Thoughts
1. Prevention Will Fail. Invest in Intel & IR; it can be measured, evolved,
and simplified.
2. Intel is more than a nice to have- it is a requirement. It also scales.
3. Think beyond IT; Partnerships are critical to success. Educate and
form alliances in the business and externally (e.g. local FBI office,
competitors, colleges)
4. Communicate findings back into other functions; Defense is a team
sport
5. Reward your teams!
Resources
Cisco Security
Services: https://cisco.com/go/securityservices
Blogs: https://blogs.cisco.com
Cisco Incident Response Team

If you are currently experiencing an incident, please
contact us at: 1-844-831-7715
Or email IncidentResponse@cisco.com
Sean Mason
@SeanAMason
https://SeanMason.com
Complete Your Online
Session Evaluation
Give us your feedback to be
entered into a Daily Survey
Drawing. A daily winner will
receive a $750 gift card.
Complete your session surveys
through the Cisco Live mobile
app or on www.CiscoLive.com/us.
Dont forget: Cisco Live sessions will be

available for viewing on demand after the
event at www.CiscoLive.com/Online.
Continue Your Education
Demos in the Cisco campus
Walk-in Self-Paced Labs
Lunch & Learn
Meet the Engineer 1:1 meetings
Related sessions
Thank you

Brksec 2043

Încărcat de

Informații document

Titlu original

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

Brksec 2043

Încărcat de

Drepturi de autor:

Formate disponibile

Designing for Scale to

Enhance Defense, Detection

Cisco Spark spaces will be cs.co/ciscolivebot#BRKSEC-2043

Integrated Threat Defense

Integration, Consolidation, & Automation

Containment, Collection & Analysis

Measuring Incident Response

Career Highlight: Briefing Jeff

automated & manual

NGIPS Time to detection:

Faster Time to Detection, Faster Time to Remediate

Integration Consolidation Automation

Integration Consolidation Automation

Cyber Security Comm &

Integration Consolidation Automation

Also, Ive seen a looooooooooooong list of vendors that are a feature an

File File Behavior Behavior Code Binary Code Behavior Behavior

Created by David Bianco, GE-CIRT

File File Behavior Behavior Code Binary Code Behavior Behavior

URI URL File - Name File - Name File File File

Hash SHA1 Hash MD5 Hash SHA1 Address ipv4-addr

Address e-mail Hash SHA1 Address e-mail

Address ipv4-addr Address e-mail Address ipv4-addr

File File Behavior Behavior Code Binary Code Behavior Behavior

URI URL File - Name File - Name File File File

Address ipv4-addr Address e-mail Address ipv4-addr

Notes: Address ipv4-addr

HTTP UA String File Email Header - Subject Hash MD5

File - Path Email Header X-Mailer Hash SHA1

Created by David Bianco, GE-CIRT

Integration Consolidation Automation

Specialization Formal roles May include MSS Dedicated Intel, SOC,

General purpose run- processes standard business Some automation optimized

AV SIEM Continuous Monitoring Malware Analysis Intel+IR Drives

IDS/IPS Tactical Intelligence Intelligence Focus on Integrations

Threat Management Maturity, Sean Mason

Triage Response Lessons

You will get breached

Prevention is not a panacea

Detection is an absolute must

Speed to discovery and containment are critical

Intel isnt just for spies

Access & Defamation, Revenge, Destruction, Economic, Political

Skill Low Low - Med Med High Very High

Holidays) Jenny AD Team 867-5309

Who does what? (think outside security)

Simplified & Flexible

Who can access compromised

Focus on IR Fundamentals: Containment, Sean Mason

Analysis Servers (CPU + RAM)

Whats in Your IR Go-Bag?, Shelly Giesbrecht

Reconnaissance Potential gaps in threat tool &

Installation Failure to restrict file upload types

Intelligence-Driven Computer Network Defense Informed by Analysis of

Paper Test Ensure all documentation,

Table Top Exercises for IR, Sean Mason

Great resource for more reading: http://www.threathunting.net/

A Hunting We Will Go, Sean Mason

Weapon- KC2- Weaponization: Packaging

KC3- Delivery: Transmission of the

KC4- Exploitation: Exploiting

KC5- Installation: Installing

KC6- Command & Control: