
LK Inhouse SOC: team, tasks, pitfalls



Part of the section "SOC Evolution 2017: Development Plan"

Published in: Technology


  1. INSIDE KL SOC POSITIVE HACK DAYS, MAY 2017 Sergey Soldatov, Head of SOC
  2. SCOPE • Monitoring (Alerting) • Vulnerability assessment • Incident management • … Infosec risks Automotive tools Service Residual risk Prevention Alerting (SOC) Threat hunting Threat hunting KL scope KMP service Customer operation security
  3. Detect scenarios Evidence collection INCIDENT LIFECYCLE Goals Priorities Scenarios deployment Detection Data analysis Validation Categorization Prioritization Live response Memory dump Disk dump Malware analysis Live response analysis Forensic examination Network forensics Host forensics Incident Response Digital forensics, Malware analysis (respond) Threat intelligence TI, Security assessment (prepare) Threat Hunting SOC process (unknown & non-malware attacks) Prevent & Monitoring Tools, SOC (known attacks)
  5. DF LAB Search for sample Play sample Ask AMR for analysis
  6. SEARCH FOR INFO Hash URL IP Verdict
  7. Duqu miniFlame Gauss Icefog NetTraveler Miniduke RedOctober 2010 Sofacy Carbanak Desert Falcons Equation Naikon Hellsing TeamSpy Duqu 2.0 Animal Farm Kimsuky Stuxnet Flame 2011 2012 2013 2014 GREAT APT INTELLIGENCE 8 APT campaign early warning 3-5 reports/month Targeted attacks TTP Insight into non-public APTs Retrospective analysis Continuous APT campaign monitoring MRTI IoC (Open IOC/yara) Campaign artifacts Darkhotel – part 2. MsnMM Campaigns Satellite Turla Wild Neutron Blue Termite Spring Dragon
  8. INTERNAL REDTEAMING Test modern TTP detection and investigation ‘Lessons learned’ after each pentest
  10. LEVELS OF DETECTION Data • All AM Detects • Process behavior • OS events Micro correlation on EP level: • All EP detection technologies • Reputation Macro correlation, hypotheses: • All TTP knowledge: • Internal research GReAT, TARG, SOC, SSR • Security assessment (red team) • Incident response (DF, MA, IR) • Monitoring practice Additional notifications if required
  11. INTERNAL SERVICE LINES Project 1 Project 2 Project i 1st tier: 24x7 shift RP1 RP2 RPi 2nd tier: Responsible for project 3rd tier: SOC research All SOC detects: Alerts & Hunts SOC detects customization Hunts processing Customer detects creation Threat hunting Alerts, hunts processing Infrastructure maintenance Infrastructure development Reporting & Client management KL internal research & Infrastructure
  12. QUESTIONS? Sergey Soldatov, CISA, CISSP Head of Security Operations Center