Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Enterprise Security Monitoring

David J. Bianco
September 14, 2013
1.6k

Enterprise Security Monitoring

Talk for the Blue Team track at the inaugural BSidesAugusta

David J. Bianco

September 14, 2013
Tweet

More Decks by David J. Bianco

Transcript

  1. PRESENTED BY: © Mandiant Corporation. All rights reserved. Enterprise Security

    Monitoring Comprehensive Intel-Driven Detection David J. Bianco [email protected] BSIDES AUGUSTA 14 SEPTEMBER, 2013
  2. © Mandiant Corporation. All rights reserved.   Increased visibility across

    the entire organization   Get more value out of existing systems   Data aggregation is “hunter friendly”   Better organization around:   Detection platform coverage   Detection planning   General   Threat-specific   Prioritization of detection resources   Quicker, more accurate incident detection and response   Leverage your detection/response infra as an offensive capability Benefits of Enterprise Security Monitoring 6
  3. © Mandiant Corporation. All rights reserved. Intel-Driven Operations Process 10

    Research Analyze Conclude Observe Compare Alert Validate Contain Investigate Remediate Indicators Alerts Intel DB Detect DB Respond DB Feedback Feedback
  4. © Mandiant Corporation. All rights reserved. Intel-Driven Detection 11 Enterprise

    Security Monitor Intel NSM / IDS Detection Processing Sigs Intel Analysts Alerts & Queries Firewalls Routers Switches OS Logs App Logs Proxy Logs Web Logs Antivirus HIDS/HIPS Other Enterprise Data
  5. © Mandiant Corporation. All rights reserved. What is an indicator?

    12 A piece of information that points to a certain conclusion
  6. © Mandiant Corporation. All rights reserved. Common Indicator Data Types

    14 IPv4 Address Domain / FQDN Hash (MD5, SHA1) URL Transaction Element (User- Agent, MTA) File Name / Path Mutex Registry Value User Name Email Address
  7. © Mandiant Corporation. All rights reserved. Indicator Characteristics 15 Extractable

    Can I find this indicator in my data? Purposeful To what use will I put this indicator? Actionable If I find this indicator in my data, can I do something with that information?
  8. © Mandiant Corporation. All rights reserved. Attribution •  Who/what is

    responsible for this activity? Detection •  If this event happens, I want to know about it. Profiling •  What are the targeting parameters for this threat? Prediction •  Given the current state, what can I expect from this threat in the future? Indicator Purposes 16
  9. © Mandiant Corporation. All rights reserved. The Kill Chain 17

    Reconaissance Weaponization Delivery Exploitation Installation Command & Control (C2) Actions on Objectives “a systematic process to target and engage an adversary to create desired effects.” Source: Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains”, Hutchins, Cloppert, Amin, http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf (Last checked August 2013)
  10. © Mandiant Corporation. All rights reserved. I don’t have a

    cool name for this. “Bed of Nails”? 20 Reconaissance Weaponization Delivery Exploitation Installation Command & Control (C2) Actions on Objectives
  11. © Mandiant Corporation. All rights reserved.   What scenarios do

    we need to be able to detect?   What are our options for detecting them?   What are the strengths and weaknesses of our detection program today?   What is our detection stance against specific actors?   What is our overall plan for detection across our enterprise? Intel-Driven Detection Planning 21
  12. © Mandiant Corporation. All rights reserved. What scenarios do we

    need to be able to detect? 22 Reconaissance • File - Name • File • URI - URL • HTTP - GET • HTTP - User Agent String • URI - Domain Name • Address - e-mail • Address - ipv4-addr Weaponization • File • File - Path • URI - URL Delivery • Behavior • File - Full Path • File - Name • File • URI - URL • HTTP - POST • Email Header - Subject • Email Header - X- Mailer • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - e-mail • Address - ipv4-addr Exploitation • Behavior • Win Registry Key • File - Name • File • URI - URL • Streetname - McAfee • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - cidr • Address - ipv4-addr Installation • Code - Binary_Code • Win Process • Win Registry Key • File - Full Path • File - Name • File • File - Path • URI - URL • HTTP - GET • HTTP - User Agent String • Streetname - McAfee • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Hash - SSDEEP • Address - e-mail • Address - ipv4-addr Command & Control (C2) • Behavior • Win Process • Win Registry Key • File • URI - URL • HTTP - GET • HTTP - POST • HTTP - User Agent String • URI - Domain Name • Hash - MD5 • Address - e-mail • Address - ipv4-addr Actions on Objectives • Behavior • Win Registry Key • Win Service • File - Full Path • File - Name • File • File - Path • URI - URL • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - ipv4-addr
  13. © Mandiant Corporation. All rights reserved. Detection Options - Snort

    23 Reconaissance • File - Name • File • URI - URL • HTTP - GET • HTTP - User Agent String • URI - Domain Name • Address - e-mail • Address - ipv4-addr Weaponization • File • File - Path • URI - URL Delivery • Behavior • File - Full Path • File - Name • File • URI - URL • HTTP - POST • Email Header - Subject • Email Header - X- Mailer • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - e-mail • Address - ipv4-addr Exploitation • Behavior • Win Registry Key • File - Name • File • URI - URL • Streetname - McAfee • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - cidr • Address - ipv4-addr Installation • Code - Binary_Code • Win Process • Win Registry Key • File - Full Path • File - Name • File • File - Path • URI - URL • HTTP - GET • HTTP - User Agent String • Streetname - McAfee • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Hash - SSDEEP • Address - e-mail • Address - ipv4-addr Command & Control (C2) • Behavior • Win Process • Win Registry Key • File • URI - URL • HTTP - GET • HTTP - POST • HTTP - User Agent String • URI - Domain Name • Hash - MD5 • Address - e-mail • Address - ipv4-addr Actions on Objectives • Behavior • Win Registry Key • Win Service • File - Full Path • File - Name • File • File - Path • URI - URL • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - ipv4-addr
  14. © Mandiant Corporation. All rights reserved. Detection Options - HIPS

    24 Reconaissance • File - Name • File • URI - URL • HTTP - GET • HTTP - User Agent String • URI - Domain Name • Address - e-mail • Address - ipv4-addr Weaponization • File • File - Path • URI - URL Delivery • Behavior • File - Full Path • File - Name • File • URI - URL • HTTP - POST • Email Header - Subject • Email Header - X- Mailer • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - e-mail • Address - ipv4-addr Exploitation • Behavior • Win Registry Key • File - Name • File • URI - URL • Streetname - McAfee • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - cidr • Address - ipv4-addr Installation • Code - Binary_Code • Win Process • Win Registry Key • File - Full Path • File - Name • File • File - Path • URI - URL • HTTP - GET • HTTP - User Agent String • Streetname - McAfee • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Hash - SSDEEP • Address - e-mail • Address - ipv4-addr Command & Control (C2) • Behavior • Win Process • Win Registry Key • File • URI - URL • HTTP - GET • HTTP - POST • HTTP - User Agent String • URI - Domain Name • Hash - MD5 • Address - e-mail • Address - ipv4-addr Actions on Objectives • Behavior • Win Registry Key • Win Service • File - Full Path • File - Name • File • File - Path • URI - URL • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - ipv4-addr
  15. © Mandiant Corporation. All rights reserved. Detection Options - MIR

    25 Reconaissance • File - Name • File • URI - URL • HTTP - GET • HTTP - User Agent String • URI - Domain Name • Address - e-mail • Address - ipv4-addr Weaponization • File • File - Path • URI - URL Delivery • Behavior • File - Full Path • File - Name • File • URI - URL • HTTP - POST • Email Header - Subject • Email Header - X- Mailer • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - e-mail • Address - ipv4-addr Exploitation • Behavior • Win Registry Key • File - Name • File • URI - URL • Streetname - McAfee • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - cidr • Address - ipv4-addr Installation • Code - Binary_Code • Win Process • Win Registry Key • File - Full Path • File - Name • File • File - Path • URI - URL • HTTP - GET • HTTP - User Agent String • Streetname - McAfee • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Hash - SSDEEP • Address - e-mail • Address - ipv4-addr Command & Control (C2) • Behavior • Win Process • Win Registry Key • File • URI - URL • HTTP - GET • HTTP - POST • HTTP - User Agent String • URI - Domain Name • Hash - MD5 • Address - e-mail • Address - ipv4-addr Actions on Objectives • Behavior • Win Registry Key • Win Service • File - Full Path • File - Name • File • File - Path • URI - URL • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - ipv4-addr
  16. © Mandiant Corporation. All rights reserved. Score Card: Use of

    Available Indicators 26 Reconaissance • File - Name • File • URI - URL • HTTP - GET • HTTP - User Agent String • URI - Domain Name • Address - e-mail • Address - ipv4-addr Weaponization • File • File - Path • URI - URL Delivery • Behavior • File - Full Path • File - Name • File • URI - URL • HTTP - POST • Email Header - Subject • Email Header - X- Mailer • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - e-mail • Address - ipv4-addr Exploitation • Behavior • Win Registry Key • File - Name • File • URI - URL • Streetname - McAfee • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - cidr • Address - ipv4-addr Installation • Code - Binary_Code • Win Process • Win Registry Key • File - Full Path • File - Name • File • File - Path • URI - URL • HTTP - GET • HTTP - User Agent String • Streetname - McAfee • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Hash - SSDEEP • Address - e-mail • Address - ipv4-addr Command & Control (C2) • Behavior • Win Process • Win Registry Key • File • URI - URL • HTTP - GET • HTTP - POST • HTTP - User Agent String • URI - Domain Name • Hash - MD5 • Address - e-mail • Address - ipv4-addr Actions on Objectives • Behavior • Win Registry Key • Win Service • File - Full Path • File - Name • File • File - Path • URI - URL • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - ipv4-addr
  17. © Mandiant Corporation. All rights reserved. Score Card: Pyramid Effectiveness

    of Indicators 27 Reconaissance • File - Name • File • URI - URL • HTTP - GET • HTTP - User Agent String • URI - Domain Name • Address - e-mail • Address - ipv4-addr Weaponization • File • File - Path • URI - URL Delivery • Behavior • File - Full Path • File - Name • File • URI - URL • HTTP - POST • Email Header - Subject • Email Header - X- Mailer • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - e-mail • Address - ipv4-addr Exploitation • Behavior • Win Registry Key • File - Name • File • URI - URL • Streetname - McAfee • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - cidr • Address - ipv4-addr Installation • Code - Binary_Code • Win Process • Win Registry Key • File - Full Path • File - Name • File • File - Path • URI - URL • HTTP - GET • HTTP - User Agent String • Streetname - McAfee • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Hash - SSDEEP • Address - e-mail • Address - ipv4-addr Command & Control (C2) • Behavior • Win Process • Win Registry Key • File • URI - URL • HTTP - GET • HTTP - POST • HTTP - User Agent String • URI - Domain Name • Hash - MD5 • Address - e-mail • Address - ipv4-addr Actions on Objectives • Behavior • Win Registry Key • Win Service • File - Full Path • File - Name • File • File - Path • URI - URL • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - ipv4-addr
  18. © Mandiant Corporation. All rights reserved. Score Card: Effectiveness Against

    APT-π 28 Reconaissance • URI – Domain Name • Address - ipv4-addr Weaponization Delivery • Email Header - Subject • Email Header - X- Mailer • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - e-mail • Address - ipv4-addr Exploitation • Win Registry Key • File - Name • File • URI - URL • Streetname - McAfee • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - cidr • Address - ipv4-addr Installation • Code - Binary_Code • Win Process • Win Registry Key • File - Full Path • File - Name • File • File - Path • URI - URL • HTTP - GET • HTTP - User Agent String • Streetname - McAfee • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - ipv4-addr Command & Control (C2) • Behavior • Win Process • Win Registry Key • File • URI - URL • HTTP - GET • HTTP - POST • HTTP - User Agent String • URI - Domain Name • Hash - MD5 • Address - e-mail • Address - ipv4-addr Actions on Objectives • Behavior • Win Registry Key • Win Service • File - Full Path • File - Name • File • File - Path • URI - URL • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - ipv4-addr
  19. © Mandiant Corporation. All rights reserved.   NSM:IDS :: ESM:NSM

      Collect and aggregate across your entire enterprise   Increased visibility   Maximum use of resources   Better for “hunting”   Organize intel for for better program insights   Big improvements in detection & response capabilities for minimal investment   Smart detection makes for frustrated adversaries! Summary 30