Outflanking the Adversary: Designing and Implementing Active Network Defense

Presentation from Information Security Southwest 2017 covering incident response hunting operations, with two case studies.


  1. Outflanking the Adversary: Designing and Implementing Active Network Defense
     Joe Slowik, jfslowik@lanl.gov, 08 April 2017
     Operated by Los Alamos National Security, LLC for the U.S. Department of Energy's NNSA. LA-UR-17-20019
  2. Active Defense: Roadmap (04/08/2017 | 2, Los Alamos National Laboratory)
     • My Background
     • The Current Security Mindset: Defensive!
     • Where We Need to Go: Active!
     • Saying is Easy, Doing is Harder:
       – Persistent, Iterative Hunting
       – Engaged, Practical Threat Research
     • Two Case Studies
  3. Who Am I?
     ORIGINS WAITING SEEKING SEARCHING UNDERSTANDING APPLICATION
     Current:
       – Run the Incident Response Team at Los Alamos National Laboratory
       – Manage incidents, direct hunting, ingest threat intelligence
  4. Where I Come From
     • Background: ‘non-traditional’
       – Philosophy student, grad school wash-out
       – Data mining and sales work
       – But I like puzzles!
     • Last stop before LANL: US Navy
       – Information Warfare Officer, 2009 to 2014
       – NSA Washington, counter-terrorism work from 2010 to 2013
       – Otherwise performing SIGINT threat ‘Indicator & Warning’ for ships at sea
         • AKA, useful, actionable threat intelligence
  5. Wait, Why does this Matter?
     • I hate sitting still
     • I like to have control over ‘things’
     • Moving from Navy to ‘cyber security’:
       – SOC/IR mindset is so passive!
       – Better to pursue than to wait!
     • So – How to Apply ‘Me’ to Network Defense?
  6. Security Today
     White papers and ‘best practice’ documents are one thing…
     …but what does ‘security’ look like in practice today?
  7. Static Defenses
     Source: https://i1.wp.com/www.uwgbcommons.org/wp-content/uploads/2015/10/Maginot-line.jpg
  8. Relying on Technical Controls
     Source: http://vignette3.wikia.nocookie.net/starwars/images/7/7e/Trench-run.png/revision/latest?cb=20130311051922
  9. Ignore the Unexpected
     Source: https://stream.org/wp-content/uploads/Black-Swan-900.jpg
  10. The State of the Present
     – ‘Analyst’ monitors SIEM
     – Wait for Alert
     – Close Alert, or Declare Incident
     – Lather, Rinse, Repeat
     Source: https://i.ytimg.com/vi/t-hZ6CmJNaI/maxresdefault.jpg
  11. Why the Present Fails
     • Security Team ALWAYS in Reactive Mode
     • Cedes Initiative, Choice of ‘Battleground’ to Adversary
     • And… it's Boring!
       – Non-trivial item: people like doing things vs. waiting for things
       – Constant ‘wait and see’ approach builds disinterest, or causes people to ‘check out’
  12. Seeking vs. Waiting
     • Instead of Waiting, focus on Finding
       – An event may have already occurred, but at least we are not waiting for an alarm to fire
       – Alerts and alarms should never be static anyway!
     • Take the Fight to the Adversary!
       – Make the adversary feel uncertain about their TTPs
       – Build confidence in security teams that they can engage
       – Make Defense Sexy
  13. Hunting for Evil – but How?
     • Active, Patrolling Defense
     • Security Teams Looking for Bad
     • Aggressively Seeking Intrusion
     • Colloquially, ‘Hunting’
     • Knowing the Adversary – and Denying his/her Efforts
     • Adapt ‘F3EA’ to Network Defense
     • AKA, ‘Threat Intelligence’ – But Useful!
     Source: https://upload.wikimedia.org/wikipedia/commons/6/6d/Carrier_Strike_Group_Twelve.jpg
     Source: https://i1.wp.com/www.defensemedianetwork.com/wp-content/uploads/2012/05/Special-Forces-Mentoring.jpg?fit=1280%2C852
  14. Hunting is More than You Think
     • Hunting:
       – More than ‘looking for bad things’
       – Keys: repeatable, documented, instrumented
     • Hunting is a Process:
       – Track efforts
       – Share results
       – Ensure entire attack chain covered
     Source: http://www.ftknox.com/wp-content/uploads/2014/12/hunting-awesome-wallpapers-in-hd-free.jpg
  15. Hunting as Process
     • Macro-level tracking
     • Focus on ‘Kill Chain’ stages
     • Ensure all steps are covered!
     • Day-to-day workflow tracking
     • Monitor hunting as-it-happens
  16. Threat Intelligence: Making it Relevant
     F3EA cycle: Find → Fix → Finish → Exploit → Analyze
  17. Not Just Indicators
     Source: http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
     • Push adversary by targeting TTPs
     • ‘Indicators’ for sensors and machines
     • Occupy conceptual ‘strategic terrain’
  18. Actionable Threat Intelligence: Information to Intelligence
     Technical:
       • Malware analysis
       • Network forensics
     Tradecraft:
       • Pivot Analysis
       • Behavioral Analysis
     Collaboration:
       • Share with enterprise
       • Seek and provide feedback
  19. Intelligence to Action
     General TTPs:
       • Continue monitoring generic TTPs
       • Identify means to track & identify general intrusion characteristics
     APT Actor Profiles:
       • Focus on specific threats
       • Identify TTPs, trends, and mitigation techniques
       • Posture defense toward actor intentions and capabilities
     Identify Gaps:
       • What pathways exist for which we have no coverage?
       • Do our defensive TTPs translate across all systems (Linux, macOS) and environments (classified networks, protected enclaves)?
  20. Case Study: The Dukes
     • 09 November: Initial reports on APT-related phishing
     • Next steps:
       – See if any received locally
       – If received, launch the Incident Response Plan!
       – If NOT received – gather available information and analyze to bolster defenses
  21. Case Study: The Dukes
     • Divide and conquer:
       – Look for more information
       – Break up analysis among SMEs
     • Good news: no indications of local infection
     • Better news: we are well-placed to catch badness
       – PowerDuke script utilizes similar PowerShell commands as PowerSploit and ransomware
  22. Case Study: The Dukes
     • Work on general PowerShell maliciousness and ransomware activity yielded host-based signatures
       – Monitored via Windows Logging Service (WLS), tracked via Splunk
       – Detection, not prevention – but places us FAR closer to initial infection
     • Focus on general TTPs resulted in a signature that would catch a nation-state actor
  23. Case Study: The Dukes
     • Initial instrumentation facilitated subsequent analysis:
       – Able to spend more time on ‘higher level’ analysis
       – Identified embedded PE in PNG stored as ADS
       – Took leadership role in coordinating response at multiple DOE sites
         • Confirm reported items, identify additional
  24. Case Study: StoneDrill
     • 07 March – Kaspersky Labs releases ‘StoneDrill’ report
     • Destructive malware campaign, evolution from ‘Shamoon’
     • Although target focus outside our scope, TTPs of interest
     • Same ‘wiper’ characteristics from original Shamoon copied in other campaigns – from Sony to crimeware
     • Expectation: similar TTPs will emerge from other actors, need to be prepared
  25. Case Study: StoneDrill
     • Initial steps: read report, acquire samples, validate observations
     • Local analysis confirms Kaspersky conclusions: malware is noisy on host
     • Initial observations:
       – Focus on uncommon “cmd /c” calls to WMIC and REG
       – VERY odd ping
       – Many things to key on here
  26. Case Study: StoneDrill
     • Workflow:
       – Grab samples
       – Analyze samples
       – Identify static and behavioral detection possibilities
     • Tools:
       – Nothing special – ‘strings’ can be helpful
       – Custom sandbox environment
       – Add others as necessary
     [Figures: Samples Captured from VirusTotal; Plain-text Strings; Run-Time Activity]
  27. Case Study: StoneDrill
     • Next steps:
       – Analyze host-based indicators – determine if valuable or noisy
       – If sufficiently unique, alert and instrument to detect
     • Results:
       – REG and wmic calls from “cmd /c” sufficiently rare to create new alerts
       – PING to “1.0.0.0” essentially unique – created as an alert
     • What value do we gain?
       – Insight into entire class of host execution and modification that we were previously not monitoring
       – Some attack vector-specific alerting of less value
       – Overall: network is more closely monitored, new general TTPs incorporated into defenses
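As an added illustration (not from the deck, and not LANL's WLS/Splunk content), the two host behaviours the StoneDrill slides turn into alerts can be written as detection logic and run over constructed process-creation records, together with the "valuable or noisy?" prevalence check the slides describe before promoting a behaviour to an alert. The `host|parent_image|command_line` record layout, the rule names and the sample events are all assumptions.

```python
import re
from collections import Counter

# Constructed sample process-creation records, not real telemetry. The
# "host|parent_image|command_line" layout is an assumption standing in for
# WLS/Sysmon fields; only the two StoneDrill-derived behaviours are modelled.
SAMPLE_EVENTS = [
    "ws01|C:\\Windows\\explorer.exe|cmd.exe /c wmic os get caption",
    "ws01|C:\\Windows\\System32\\cmd.exe|reg query HKLM\\SOFTWARE\\Vendor",
    "ws02|C:\\Windows\\System32\\cmd.exe|ping -n 1 1.0.0.0",
    "ws03|C:\\Windows\\System32\\cmd.exe|ping -n 4 10.0.0.1",
    "ws03|C:\\Program Files\\Vendor\\agent.exe|wmic os get caption",
    "ws04|C:\\Windows\\explorer.exe|cmd.exe /c dir C:\\Temp",
]

# Rule 1: a "cmd /c" one-liner whose first command is wmic or reg. The
# trailing \b keeps longer names that merely start with "reg" from matching.
CMD_C_WMIC_REG = re.compile(r'cmd(?:\.exe)?"?\s+/c\s+"?(?:wmic|reg)(?:\.exe)?\b', re.I)
# Rule 2: a ping whose target is exactly 1.0.0.0 (lookarounds reject 11.0.0.0, 1.0.0.01).
PING_1000 = re.compile(r'\bping(?:\.exe)?\b.*(?<!\d)1\.0\.0\.0(?!\d)', re.I)
CHILD_OF_INTEREST = {"wmic.exe", "reg.exe", "wmic", "reg"}


def _basename(path):
    return path.strip('"').rsplit("\\", 1)[-1].lower()


def detect(record):
    """Return the list of rule names one record fires (empty if none)."""
    host, parent, cmdline = record.split("|", 2)
    tokens = cmdline.split()
    child = _basename(tokens[0]) if tokens else ""
    fired = []
    # Catch both the cmd.exe one-liner and the wmic/reg child it spawns, so the
    # rule fires whichever of the two records the logging layer emits.
    if CMD_C_WMIC_REG.search(cmdline) or (_basename(parent) == "cmd.exe" and child in CHILD_OF_INTEREST):
        fired.append("cmd_c_wmic_reg")
    if PING_1000.search(cmdline):
        fired.append("ping_1.0.0.0")
    return fired


def hunt(events):
    """Run every rule over every record; returns (host, rule, command_line) hits."""
    return [(r.split("|", 2)[0], rule, r.split("|", 2)[2]) for r in events for rule in detect(r)]


def prevalence(events):
    """Hits per rule across the corpus: the 'valuable or noisy?' check before alerting."""
    return Counter(rule for r in events for rule in detect(r))
```

Running `prevalence` over a month of real process-creation logs rather than the constructed sample is what tells you whether a behaviour is rare enough to alert on or belongs in a hunt query instead.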
  28. Putting it All Together
     • ‘Network Defense Intelligence’ and Hunting Feed Each Other
       – Intel: what is new and emerging
       – Hunting: what is actively targeted, what can we see
     • Process must be iterative
       – Security as a ‘stream’ and not individual events
       – Each alert, each false positive has a lesson informing overall security
     • People are Key
       – Appliances and tools are only as useful as those using them
       – Smart, curious people with attention to detail and a love of puzzles are NECESSARY
  29. Active Defense: Now Where do We Go?
     • Back to your Security Teams!
       – Spread the word, figure out what works and what doesn’t
     • Share ‘Best Practices’
       – But also share what doesn’t work
       – Learn from mistakes
     • NEVER be Complacent
  30. QUESTIONS?
