The document discusses security operations and strategies for getting security operations right. It begins by discussing the strategic mission of a security operations center (SOC) to manage and report risk and interrupt adversary activity to mitigate loss. It emphasizes the importance of cyber threat intelligence being central to this mission. The document then provides examples of strategies for different phases of security operations including discover, monitor, respond, automate, transform, and learn. It provides specific examples for implementing strategies like zoning and determining essential security feeds. The document also introduces and discusses the TTP0 DRONE for automating incident creation. It concludes by providing information on additional resources available from TTP0.

1. 0
Getting Security Operations
Right with TTP0
Ismael Valenzuela
SANS Instructor, McAfee
@aboutsecurity
Rob Gresham
Splunk> Phantom
@SOCologize

2. Where were you in 1986?

4. 0

5. What is the story?
https://securingtomorrow.mcafee.com/mcafee-
labs/emotet-trojan-acts-as-loader-spreads-
automatically/
Google Market Summary

6. We keep seeing the same situation...

7. SOC Strategic Mission: manage & report risk
Success: interrupt adversary
activity to mitigate loss,
managing and
communicating risk
Requires a strategic and
tactical approach to security,
where Cyber Threat
Intelligence (CTI) is central to
this mission

8. 10,000 hours or 6 months?

9. So we sat down...
• And started to think about what works...

10. 0
Monitor
Discover
RespondMeasure
Automate
Transform
Learn

11. 0Security Operations Story
30 9060
Understand the business, set initial goals
& outline a realistic, high-impact plan
Create awareness, maintain focus and
augment visibility
Report & celebrate success, identify
points of change, increase scope in spiral
motion

12. 0Security Operations Story: NSM
30 9060
Understand the business, set initial goals
& outline a realistic, high-impact plan
Create awareness, maintain focus and
augment visibility
Report & celebrate success, identify
points of change, increase scope in spiral
motion
DISCOVER… the business
MONITOR… define zones, critical assets
RESPOND… define IRP for them
AUTOMATE… core actions (Create
tickets, data transfer processes)
MEASURE… time to notify, remediate
TRANSFORM… create awareness
DISCOVER… anomalies or gaps
MONITOR… critical, high alerts
RESPOND… refine IRP
AUTOMATE… contextual data
MEASURE… time to investigate, recovery
TRANSFORM… analytical quality
DISCOVER… hunt retroactively
MONITOR… new attack points (scope)
RESPOND… apply lessons learned
AUTOMATE… response scenarios
MEASURE… alignment to business goals

13. 0Discover
What’s important, Crown Jewels, save one’s SOEL
• Understand the Business Units and talk to your IT cohorts
• Understand what’s critical to enterprise operations
• Review the Business Continuity Plan (if they have one)
• Start early, don’t wait...
“In preparing for battle I have always found that plans are useless, but
planning is indispensable.” - Dwight D. Eisenhower

14. 0Monitor
SOC Zoning
Using the concept of SOC Zones to defend your organization allows
for both IT and business context in order simplify building effective
Use-Cases
Set the stage to build efficient response processes around...
• Zones
• Categories
• Severity
• Sensitivity
• Resource Tiers

15. 0Monitor
Other Examples:
• OT/ICS
• Manufacturing
• R&D
• PCI Zones
• business-critical
application
• Cloud critical hosting
• DMZ
Zoning should be implemented
in a way that reflects business-
critical capability

16. 0Monitor
Determine
essential security
feeds and
intelligence
sources

17. 0Monitor
Effective
application of
content
(threat content
engineering)

18. 0Response
Block Processes and C2 Channels
• External Contextualization
• Internal Scoping (beyond reporting)
• Root Cause Analysis
• Triage Forensics
• Contain not remediate
• Eradicate / Recovery
• Lessons Learned

19. 0
AUTOMATE: Introducing TTP0 DRONE

20. 0Automate
Configure & automate ticket creation with DRONE, by @DFIRENCE -
https://github.com/TTP0/drone

42. 0Check out our WIKI
• https://github.com/TTP0/drone/wiki/OVERVIEW

43. 0TRANSFORM
Create awareness by telling a story -
https://github.com/TTP0/ttp0_community_templates

44. TLP: RED TLP: RED
44
JAN FEB MAR APR MAY JUN
JUL AUG SEP OCT NOV DEC
FEYE - APT1
Blog/Report
Victim
Weapons
<ActorNameHere> - <YYYY>
SPEARPHISHING

45. 00Tier Threat Response Team
Threat Mitigation and Recovery Team (12 - Team)
Incident Leader
Hunt
Scan & Assess
Vulnerability
Analysis
Risk Assessment
Find & Analyze
System Integrity
Forensics
Monitor
Network (SO,
Bro, Snort)
Host (HIPS,
Raptor, ePO)
Harden
Windows
(Applocker, GPO,
EMET)
Linux/Unix
(IPTables, rkhunter)
Infrastructure
(ACLs, MAC Blocks)
Intelligence - LE
Liaison
Incident Response
Lead
Incident Responder
SOC IR
SOC Analyst
Red Teamer
CTI Analyst
Host Forensics
Net Forensics
Host Discovery

46. 0

47. 0www.ttp0.io

48. 0What is available today
- TTP0 DRONE by @DFIRENCE
- Automates incident creation with zones, tiers, etc
- Requires python 2.7, installed TheHive
- GitHub: https://github.com/TTP0/drone
- Opbrief PPT templates by TLP
- Actor Tracker PPT templates by TLP
- 0Tier Threat Response model vs 3Tier Traditional SOC
- A curated list of awesome GitHub resources we use

49. 0What we are working on
- Security Operations Story templates
- Tying Use Case to Responses Playbooks
- Investigation and Response Metrics
- Security Operations Templates for Managers
- Tools matrix
- SWOT * TWOS Analysis
- Staff management & SOC scheduling configurations
- How To Guidelines:
- Zoning, tiers, etc.
- Use Case prioritization
- Standardize Automation Investigation Playbooks

50. 0Thanks! Follow us @TTP_0
TTP0 Founders:
Ask us how to contribute: info@ttp0.io
@dfirence @carric
Carlos Diaz Carric Dooley Rob Gresham Ismael Valenzuela
@SOCologize @aboutsecurity

51. Thank you!