
Blue team reboot - HackFest


Co-Speaker: Cheryl Biswas

Talk Description:
How about this: a blue team talk given by red teamers. But here’s our rationale - your best defence right now is a strategic offence. The rules of the game have changed and we need to get defence up to speed.

We’ll show you what the key elements are in a good defence strategy; what you can and need to be using to full advantage. We’ll talk about the new “buzzwords” and how they apply: visibility; patterns; big data. There’s a whole lotta data to wrangle, and you aren’t seeing the whole picture if you aren’t doing things right. Threat intel is about getting the big picture as it applies to you. You’ll learn the importance of context and prioritization so that you can manipulate intel feeds to do your bidding. And then we’ll take things further and talk about hunting the adversary, using an update on proven methodologies.

We’ll show you how to understand your data, correlate threats and pinpoint attacks. Attendees will leave with a new understanding of the resources they have on hand, and how to leverage those into an Adaptive Proactive Defense Strategy.

Published in: Technology


  1. Blue Team Reboot
  2. Haydn Johnson ● Security Consultant - Researcher ● Twitter: @haydnjohnson ● Talks: BsidesTO, Circle City Con, BsidesLV, SecTor ● Offsec, Purple Team, Gym?? ● Big 4 experience ● http://www.slideshare.net/HaydnJohnson
  3. Cheryl Biswas ● Security researcher/analyst, Threat Intel ● APTs, Mainframes, ICS SCADA, Shadow IT, StarTrek ● BSidesLV, Circle City, BSidesTO, SecTor, Hackfest, TiaraCon ● https://whitehatcheryl.wordpress.com ● Twitter: @3ncr1pt3d
  4. DISCLAIMER: The views represented here are solely our own and not those of our employers, past or present, or future.
  5. Blue Team Reboot
  6. Props to DarkReading: This started with a webinar for DarkReading on Threat Intel and how to use it effectively. We received some great feedback, a lot of interest, and built upon it for HackFest. Our Webinar: https://webinar.darkreading.com/2492?keycode=SBX&cid=smartbox_techweb_upcoming_webinars_8.500000620
  7. What We Will Cover: All. That. DATA; Logging towards Alerts; Threat Intel; Visibility; Context; Pinpointing an Attack; Kill Chains & OODA Loops
  8. Terminology: IOC - Indicator of Compromise - Domain, IP address, URL; IOA - Indicator of Attack; COA - Course of Action - What can we do to prevent, mitigate, detect, e.g. implement a block on an email address; TTP - Tactics, Techniques, and Procedures
  9. Your Take-Away Lootbag: What it is; Relevance; Example cases; Tools & software applicable
  10. LOGGING
  11. LOGS: First Line of Defence
  12. Logs: CIA - Confidentiality, Integrity, Availability
  13. WHO’S IN YOUR NETWORK?
  14. Web Application Logs: Knock Knock - Who was there? The first place to detect scanners, recon, data scraping
  15. Firewall Logs: Ingress | Egress; Websites | Email | FTP; End Point
  16. Host Logs: Whitelisting applications - KNOWN GOOD; Execution of Macros; Terminal Commands executed; Time of logins; Average use
  17. Network Logs: Internal traffic; Domain connections; Internal Scanning. https://www.sans.org/reading-room/whitepapers/logging/importance-logging-traffic-monitoring-information-security-1379 (2003)
  18. Big Data: A Little Talk About ...
  19. So. Much. Data: Crown Jewels; Relevance; Asset Management
  20. Create A Baseline: Have a starting place; Known traffic; Known good; Regular review. Know Your Normal
  21. Just Say NO!!! Macros: Disable. Adobe Anything: I can’t even. PowerShell: Are you worthy? Admin for all - ORLY?
  22. Deny on open Macros!
  23. @InvokeThreatGuy https://github.com/invokethreatguy/DC416October?files=1
  24. Wait! Who’s the all-powerful admin here?
  25. Tools / Software: Carbon Black / Bit9; SysMon; Log-MD; WireShark. https://www.wireshark.org/ https://msdn.microsoft.com/en-us/library/windows/desktop/dd408124(v=vs.85).aspx http://www.darkoperator.com/blog/2014/8/8/sysinternals-sysmon http://log-md.com/ http://brakeingsecurity.blogspot.ca/2015/10/2015-042-logmd-more-malware-archaeology.html
  26. Logs to Alerts!
  27. VISIBILITY - Visibility: What’s in your sights
  28. CONTEXT - Context: I haz meaning?
  29. Bad Alerts
  30. Help! Too Many!
  31. Good Alerts
  32. Timely
  33. Relevant
  34. Context
  35. Actionable
  36. Good Alerts: Give enough information to correlate; Understand all you can from the one log; Actionable; Standard procedures for each for IR team; Time is NOT on your side
  37. Example Time: Workstation 2 Workstation
  38. A: Lateral Movement @raffertylaura | @haydnjohnson https://www.youtube.com/watch?v=KO68mbk9-OU&list=PL02T0JOKYEq52plvmxiJ1cSbwUgHHvP7H&index=8
  39. Windows Event Log
  40. Runs PowerShell
  41. Connects to Web Server
  42. Threat Intel
  43. Threat Intel: What it Ain’t - Threat actor information; Campaigns; Indicators of Compromise (IOCs); Identify known threats; Exploitation in the wild
  44. Threat intel: What it is - A product from collection, processing, exploitation, analysis, dissemination and feedback of information.
  45. Reducing False Positives: IOC Validation; Alert Tuning from IOCs. https://quadrantsec.com/about/blog/the_false_positives_of_threat_intelligence/
  46. Threat Reports - KEY CRITERIA: Is it relevant to business? Could it have an impact? Are there IOCs? COA for prevention, detection, mitigation
  47. Threat Report - Example: Landing Page; Downloader URL; C2 traffic
  48. Threat Report - Example 2: http://blog.trendmicro.com/trendlabs-security-intelligence/blackgear-espionage-campaign-evolves-adds-japan-target-list/
  49. Threat Report - Example 2: C2 via blogs; Hard coded tags. http://blog.trendmicro.com/trendlabs-security-intelligence/blackgear-espionage-campaign-evolves-adds-japan-target-list/
  50. Threat Report - Example 2: Downloader; C2
  51. Threat Report - Example 2: http://blog.trendmicro.com/trendlabs-security-intelligence/blackgear-espionage-campaign-evolves-adds-japan-target-list/
  52. Threat Report - Example 2
  53. Threat Report - Example 2: IOCs - MD5. Not strong but can put in place fast!
  54. THREAT CORRELATION: Combining Data and Threat intel
  55. The 4 C’s: Collect, Consolidate, Control, Communicate
  56. Visibility: Take a big picture view; Know what’s going on from end to end; Cuz you don’t know what you don’t know
  57. Context: Look for the patterns
  58. So you can find the anomalies
  59. How to Play With Data: Not what you got but how you use it; Ask the right questions - get the right answers; What have we been missing?
  60. Security Analytics - Example: The Game Changers - Machine Learning; Analytics; IAM
  61. BIG DATA - TOOLS: OpenSoc - Cisco; RITA - Real Intelligence Threat Analysis; BreakoutDetection R package - Twitter. http://opensoc.github.io/ RITA - http://www.blackhillsinfosec.com/?page_id=4417 https://github.com/twitter/BreakoutDetection
  62. Pinpointing an Attack: Identification of maliciousness
  63. Detecting an attack - Visibility & Patterns: Known Good; Alerts; Investigation; Lessons learned. http://www.scmagazine.com/five-tips-to-detect-contain-and-control-cyber-threats/article/467856/
  64. Detecting an attack: Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned - SANS IR Steps!
  65. Cyber Kill Chain + Extended Version
  66. Lockheed Martin Cyber Kill Chain: “The seven steps of the Lockheed Martin Cyber Kill Chain® enhance visibility into an attack and enrich an analyst’s understanding of an adversary’s tactics, techniques and procedures.” http://cyber.lockheedmartin.com/solutions/cyber-kill-chain
  67. Cyber Kill Chain: 1. Reconnaissance 2. Weaponization 3. Delivery 4. Exploitation 5. Installation 6. Command & Control 7. Action on Objectives
  68. Cyber Kill Chain Extended: 7 - Actions on Objectives; Internal Kill Chain; Target Manipulation Kill Chain. http://www.seantmalone.com/docs/us-16-Malone-Using-an-Expanded-Cyber-Kill-Chain-Model-to-Increase-Attack-Resiliency.pdf
  69. Cyber Kill Chain Extended: Map & understand specific systems; Subvert target systems & business processes; Raise Attacker’s Cost
  70. OODA LOOP - Attackers: Observe, Orient, Decide, Act
  71. Your Blue Team Fighter Pilots: Goose, Maverick
  72. OODA Loop - for the defender: Practice; Be ready to change direction; Take Action
  73. Relevance: Use to actively identify security controls - People, Process, Procedures; Identify Gaps; Confirm assumptions; Tune
  74. Visibility on Blind Spots: Looking at each step allows a methodical approach to defense. Reduces bias and blind spots. Can lead to Threat Hunting
  75. Example Time: Attachments
  76. Malicious Attachments https://github.com/carnal0wnage/malicious_file_maker
  77. Malicious Attachments
  78. Malicious Attachments: Test your email filters; Understand which attachments come through; Build | refine | controls
  79. Malicious Attachments: Send various types of malicious attachments via multiple sources. How many emails does it take to block a sender? What types of attachments generate alerts?
  80. Go hunting
  81. In summary: LOGS, ALERTS, THREAT INTEL, CORRELATION, CYBER KILL CHAIN = PROACTIVE
  82. Takeaways AKA - what you should remember
  83. Total success! ❖ Be proactive ❖ Back2Basics ❖ Visibility ❖ Context
  84. Total success! ❖ Test it ❖ Look for it ❖ Patterns ❖ Anomalies
  85. Thank You! Any questions? Feel free to reach out to us later! @haydnjohnson @3ncr1pt3d
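The lateral-movement scenario of slides 37 to 41 (workstation to workstation, a Windows event log entry, PowerShell runs, a connection to a web server) turned into a correlation rule that emits one contextual alert instead of three isolated ones, and stays quiet for a host that only runs PowerShell. This is an added example, not code from the deck; the event records, host names, the five-minute window and the kill-chain phase labels are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). WS-02 shows the full scenario:
# network logon from another workstation (4624 type 3), PowerShell start (4688),
# outbound web connection by that PowerShell (Sysmon 3). WS-03 only runs PowerShell.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"ts": "2016-11-04T10:00:05", "host": "WS-02", "id": 4624, "logon_type": 3, "src_host": "WS-01", "user": "jdoe"},
    {"ts": "2016-11-04T10:00:40", "host": "WS-02", "id": 4688, "image": PS, "user": "jdoe"},
    {"ts": "2016-11-04T10:01:10", "host": "WS-02", "id": 3, "image": PS, "dst_ip": "203.0.113.10", "dst_port": 443},
    {"ts": "2016-11-04T10:02:00", "host": "WS-03", "id": 4688, "image": PS, "user": "admin"},
]

# The scenario's steps in order, each with an assumed (illustrative) kill-chain phase label.
CHAIN = [("ws2ws_logon", "Exploitation"), ("powershell", "Installation"), ("web_conn", "Command & Control")]

def classify(ev):
    """Label one event with the scenario step it matches, or None."""
    image = ev.get("image", "").lower()
    if ev["id"] == 4624 and ev.get("logon_type") == 3 and ev.get("src_host", "").startswith("WS-"):
        return "ws2ws_logon"   # workstation-to-workstation network logon
    if ev["id"] == 4688 and image.endswith("powershell.exe"):
        return "powershell"
    if ev["id"] == 3 and image.endswith("powershell.exe") and ev.get("dst_port") in (80, 443):
        return "web_conn"
    return None

def correlate(events, window=timedelta(minutes=5)):
    """One alert per host on which all three steps occur, in order, within `window`."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        step = classify(ev)
        if step and step not in by_host.setdefault(ev["host"], {}):
            by_host[ev["host"]][step] = ev   # keep the first occurrence of each step
    alerts = []
    for host, seen in by_host.items():
        if not all(step in seen for step, _ in CHAIN):
            continue   # incomplete chain (e.g. PowerShell alone): context says no alert
        times = [datetime.fromisoformat(seen[step]["ts"]) for step, _ in CHAIN]
        if times == sorted(times) and times[-1] - times[0] <= window:
            alerts.append({
                "host": host, "user": seen["ws2ws_logon"]["user"], "from": seen["ws2ws_logon"]["src_host"],
                "to": f'{seen["web_conn"]["dst_ip"]}:{seen["web_conn"]["dst_port"]}',
                "phases": [phase for _, phase in CHAIN], "window": (seen["ws2ws_logon"]["ts"], seen["web_conn"]["ts"]),
                "coa": "isolate host, collect PowerShell script block logs, block destination at egress",
            })
    return alerts
```

Running `correlate(EVENTS)` yields a single alert for WS-02 that carries the source workstation, user, destination and a course of action, which is what makes it timely, relevant and actionable; WS-03 produces nothing.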
