© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Let HP ArcSight ESM be the strong link in your Cyber Kill Chain
Pete Babcock - USAA
September 2014
What is the Cyber Kill Chain?
The Cyber Kill Chain is a taxonomy designed to measure the effectiveness of the Defense-in-Depth strategy.
(Diagram: three defensive layers, Layer 1 to Layer 3, with the attacker asking "How far can I get?")
What is the origin of the Kill Chain?
The Cyber Kill Chain was socialized by Lockheed Martin.
It is based on military doctrine.
It was developed as a method for describing an intrusion from an attacker’s point of view.
It can inform Cyber Security and Intelligence Analysis.
Cyber Kill Chain Stages
Reconnaissance: Searches LinkedIn for System Administrators at USAA. Guesses their USAA email addresses based on name.
Weaponization: Obtains domain name and creates website with malware. Crafts spear phish.
Delivery: Sends spear phish to targeted email addresses. Administrator clicks on link and goes to evil website.
Exploitation: Zero day exploit on website executes on Administrator’s PC. Administrator’s PC is compromised.
Installation: Root Kit is installed on Administrator’s PC.
Establish C2: Root kit connects back to Threat Actor’s server to obtain further instructions.
Actions on Objectives: Threat Actor looks for data on Administrator’s PC. Threat Actor starts compromising other USAA machines.
What can the Kill Chain do?
Each phase of the kill chain can be mapped to corresponding defensive tools and actions.
Defensive “Courses of Action” are based on the Information Operations principles of: Detect, Deny, Disrupt, Degrade, Deceive & Destroy.
An analyst who knows the stage of the Kill Chain has a basic understanding of what is being attempted and what response is called for.
Courses of Action Matrix
Phase | Detect | Deny | Disrupt | Degrade | Deceive
Reconnaissance | Firewall, NIDS, Web Logs | Firewall, NIPS | * | * | *
Weaponization | DNS Monitoring, Website Monitoring | * | * | * | *
Delivery | Antivirus, NIDS, Vigilant User | NIPS, Proxy | In-Line Antivirus | * | *
Exploitation | NIDS, Antivirus | Antivirus, System Patching | Antivirus, System Patching | Restricted User Accounts | *
Installation | Antivirus, Application Logs | * | Antivirus | * | *
Establish C2 | CIC, Malware Sandbox, NIDS | Firewall | NIPS | * | *
Actions on Objectives | Application Logs | Firewall, VLANs | VLANs | * |
What can the Kill Chain do?
The sooner in the kill chain you can disrupt the attack, the better.
Tracking similarities across kill chain phases can give CTOC Analysts insight into:
• Threat Actor Tactics, Techniques and Procedures (TTP)
• Campaign Analysis
How will USAA operationalize?
1. Integrate into ArcSight ESM Cases
2. Integrate into the CTOC Wiki
3. Integrate into the Weekly Stand-Up Briefing
Repurposing Case Fields
“Energy cannot be created or destroyed, it can only be changed from one form to another.” - Albert Einstein
ArcSight ESM Case Fields are kinda like that…
There are 3 files that control cases:
Console:
C:\arcsight\Console\current\i18n\common\label_strings_en.properties
C:\arcsight\Console\current\i18n\common\resource_strings_en.properties
Manager:
/opt/arcsight/manager/config/caseui.xml
Modifying ESM Cases
When using ArcSight ESM Cases, it is possible to modify them to your needs.
Yes, the modified files will need to be updated on ALL Consoles…
Repurposing Case Fields
The Joke: You are going to use ArcSight’s Foreign Language capabilities to give a field an alias… in English!
First pick a Case Field of the correct field type that you aren’t using.
Candidates can be found in the resource_strings_en.properties file.
Modify the field in the resource_strings_en.properties file.
If using a list field, make sure to also configure the list options in the resource_strings_en.properties file.
resource_strings_en.properties
Modify the Field
extendedcase.attribute.vulnerabilitydata.label=Vulnerability Data
extendedcase.attribute.vulnerabilitydata.shortlabel=Vulnerability Data
extendedcase.attribute.history.label=Reoccurence Pain
extendedcase.attribute.history.shortlabel=Reoccurence Pain
extendedcase.attribute.lastoccurrencetime.label=4 - Investigation Start Time
extendedcase.attribute.lastoccurrencetime.shortlabel=4 - Investigation Start Time
extendedcase.attribute.resistance.label=Kill Chain Stage
extendedcase.attribute.resistance.shortlabel=Kill Chain Stage
extendedcase.attribute.conclusions.label=Conclusions
extendedcase.attribute.conclusions.shortlabel=Conclusions
List Field Options
extendedcase.history=Unknown or None,Low,Medium,Please make it stop
#extendedcase.resistance=High,Low,Unknown
extendedcase.resistance=Unknown,Reconnaissance,Weaponization,Delivery,Exploitation,Installation,Establish C2,Actions on Objectives,Not on Kill Chain
label_strings_en.properties
This file is used to rename the Case tabs and headers displayed in the ArcSight ESM Console.
Manager
#Cases
cases.tab.initial=Initial
cases.tab.attributes=Case Info
cases.tab.description=Description
cases.tab.securityClassification=Security Classification
cases.tab.followup=Incident
cases.tab.final=Analysis
cases.tab.attackMechanism=Dean's Categorization
cases.tab.attackAgent=Attack Agent
cases.tab.incidentInformation=Incident Information
cases.tab.vulnerability=Vulnerability
cases.tab.other=Other
cases.header.case=Case
cases.header.ticket=Ticket
cases.header.incidentInformation=Incident Information
cases.header.securityClassification=Security Classification
cases.header.securityClassificationCode=Security Classification Code
CaseUI.xml
This is the XML file that defines the fields and tabs to display within a case.
<editor enforceLocking="true" colorTreeBy="consequenceSeverity" width="480" height="480">
  <tab name="cases.tab.final" type="base">
    <component name="securityClassificationTable" type="table">
      <parameter name="cases.header.case" type="header"/>
      <parameter name="name" type="resourceName"/>
      <parameter name="plannedActions" type="string"/>
      <parameter name="ticketType" type="stringList"/>
      <parameter name="stage" type="stringList"/>
      <parameter name="securityClassification" type="stringList"/>
      <parameter name="resistance" type="stringList"/>
      <parameter name="consequenceSeverity" type="stringList"/>
      <parameter name="history" type="stringList"/>
      <parameter name="cases.header.ticket" type="header"/>
      <parameter name="estimatedStartTime" type="date"/>
      <parameter name="detectionTime" type="date"/>
      <parameter name="attackTime" type="date"/>
      <parameter name="lastOccurrenceTime" type="date"/>
      <parameter name="estimatedRestoreTime" type="date"/>
    </component>
    <component name="actionsTaken" type="textarea"/>
    <component name="followupContact" type="textarea"/>
    <component name="conclusions" type="textarea"/>
  </tab>
  <tab name="cases.tab.attributes" type="base" showExport="true">
    <component name="attributesTable" type="table">
      <parameter name="cases.header.case" type="header"/>
      <parameter name="name" type="resourceName"/>
      <parameter name="displayId" type="int" readOnly="true"/>
      <parameter name="common" type="commonResourceAttrs"/>
    </component>
  </tab>
  <tab name="cases.tab.followup" type="base">
    <component name="incidentInformationTable" type="table">
      <parameter name="incidentSource1" type="string"/>
      <parameter name="attackMechanism" type="stringList"/>
    </component>
    <component name="estimatedImpact" type="textarea"/>
  </tab>
</editor>
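A consistency check for the repurposing procedure above, added here as an example; it is not code from the deck, from USAA or from ArcSight. It parses a constructed excerpt of resource_strings_en.properties together with a constructed excerpt of caseui.xml, reports every stringList parameter that lacks a label or an options list, and confirms that the Kill Chain Stage list carries all seven stages. The key scheme it assumes (extendedcase.<name lowercased> for the options, extendedcase.attribute.<name lowercased>.label for the label) is inferred from the entries shown on the slides; the ticketType parameter left without an options list is a constructed defect, and the history and resistance entries are the deck's.

```python
"""Consistency check for repurposed ArcSight ESM case fields.

Added example, not HP's or USAA's code. Assumed key scheme, inferred from the
entries shown in the deck: a stringList parameter <name> in caseui.xml takes its
options from 'extendedcase.<name lowercased>' and its label from
'extendedcase.attribute.<name lowercased>.label' in resource_strings_en.properties.
"""
import xml.etree.ElementTree as ET

KILL_CHAIN_STAGES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
                     "Installation", "Establish C2", "Actions on Objectives"]

# Constructed excerpt of resource_strings_en.properties. The history and resistance
# entries are the deck's; ticketType is deliberately given a label but no options list.
RESOURCE_STRINGS = """\
extendedcase.attribute.history.label=Reoccurence Pain
extendedcase.attribute.history.shortlabel=Reoccurence Pain
extendedcase.attribute.resistance.label=Kill Chain Stage
extendedcase.attribute.resistance.shortlabel=Kill Chain Stage
extendedcase.attribute.tickettype.label=Ticket Type
extendedcase.history=Unknown or None,Low,Medium,Please make it stop
#extendedcase.resistance=High,Low,Unknown
extendedcase.resistance=Unknown,Reconnaissance,Weaponization,Delivery,\\
    Exploitation,Installation,Establish C2,Actions on Objectives,Not on Kill Chain
"""

# Constructed excerpt of caseui.xml, trimmed to the parameters checked here.
CASEUI_XML = """\
<editor enforceLocking="true" colorTreeBy="consequenceSeverity" width="480" height="480">
  <tab name="cases.tab.final" type="base">
    <component name="securityClassificationTable" type="table">
      <parameter name="cases.header.case" type="header"/>
      <parameter name="name" type="resourceName"/>
      <parameter name="ticketType" type="stringList"/>
      <parameter name="resistance" type="stringList"/>
      <parameter name="history" type="stringList"/>
      <parameter name="lastOccurrenceTime" type="date"/>
    </component>
    <component name="conclusions" type="textarea"/>
  </tab>
</editor>
"""


def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comments, key=value, backslash continuation."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]          # value continues on the next line
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def options(props, name):
    """Options of a stringList parameter, in declared order; [] if none are configured."""
    raw = props.get(f"extendedcase.{name.lower()}", "")
    return [o.strip() for o in raw.split(",") if o.strip()]


def list_parameters(caseui_xml):
    """(parameter name, tab name) for every stringList parameter in caseui.xml."""
    root = ET.fromstring(caseui_xml)
    return [(p.get("name"), tab.get("name"))
            for tab in root.iter("tab")
            for p in tab.iter("parameter") if p.get("type") == "stringList"]


def check_case_fields(caseui_xml, resource_strings):
    """Report stringList parameters that have no label or no options in the properties file."""
    props = parse_properties(resource_strings)
    problems = []
    for name, tab in list_parameters(caseui_xml):
        key = name.lower()
        if f"extendedcase.attribute.{key}.label" not in props:
            problems.append(f"{tab}: {name} has no extendedcase.attribute.{key}.label")
        if not options(props, name):
            problems.append(f"{tab}: {name} is a stringList but extendedcase.{key} has no options")
    return problems


def missing_stages(resource_strings, field="resistance"):
    """Kill Chain stages absent from the repurposed field's option list."""
    present = options(parse_properties(resource_strings), field)
    return [s for s in KILL_CHAIN_STAGES if s not in present]


if __name__ == "__main__":
    for problem in check_case_fields(CASEUI_XML, RESOURCE_STRINGS) or ["no problems found"]:
        print(problem)
    print("stages missing from Kill Chain Stage:", missing_stages(RESOURCE_STRINGS))
```

Run it against the real files from each Console before pushing them out: because the same edited files have to land on every Console, a quick check like this on each copy catches a list field whose options were never added, which otherwise shows up only as an empty drop-down in one analyst's console.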
Classify ArcSight ESM Cases
Categorize CTOC Use Cases in Wiki
How will this be briefed?
Integrate into the weekly standup briefing
The CTOC gives a Weekly Briefing to USAA’s CSO and 80-100 of his direct reports and other parts of the business.
3 new slides were incorporated into the Weekly Standup Briefing slide deck to communicate the Cyber Kill Chain metrics.
Weekly Cyber Kill Chain metrics
(Chart: weekly case counts per Kill Chain stage, 12/10/2013 through 2/3/14, y-axis 0 to 1,200; series: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Establish C2, Actions on Objectives.)
This week’s Cyber Kill Chain
(Chart: this week’s case count per Kill Chain stage on a 0 to 400 scale; the bar values as extracted are 332, 40, 26, 10, 16, 2 and 163.)
This week’s Cyber Kill Chain highlights
Reconnaissance: Multiple failed logins - Non-privileged. This spike was caused by USAA employees attempting (and failing) to VPN into USAA during the icy weather on Friday 1/24/14.
Actions on Objectives: Non-active USAA username - Destination. This was caused by Peoplesoft listing contractors as being terminated when, in fact, their contract was extended. More timely updates to Peoplesoft would correct this.
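The roll-up behind the weekly metrics and highlights slides, as an added example that is not the CTOC's reporting code. It takes constructed case records (case date plus the use case that raised it), maps each use case to a Kill Chain stage through a wiki-style lookup in which only the two rule names from the highlights slide are from the deck, buckets cases into weeks labelled by their Tuesday (an assumption taken from the chart's date labels), and picks out the stage and rule behind each week's largest counts. Rules nobody has categorized yet fall into "Not on Kill Chain", the last option of the repurposed field, so they stay visible until the wiki is updated.

```python
"""Weekly Cyber Kill Chain metrics from ESM case exports.

Added example, not USAA's or HP's code. Assumptions: each exported case carries a
date and the name of the use case (ESM rule) that raised it; the CTOC wiki maps use
case names to Kill Chain stages; the chart's weeks are labelled by their Tuesday.
"""
from collections import Counter, defaultdict
from datetime import date, timedelta

STAGES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "Establish C2", "Actions on Objectives", "Not on Kill Chain"]

# Use case -> stage, as categorized in the wiki. The first two rule names are from the
# highlights slide; the remaining entries are constructed placeholders.
USE_CASE_STAGE = {
    "Multiple failed logins - Non-privileged": "Reconnaissance",
    "Non-active USAA username - Destination": "Actions on Objectives",
    "Placeholder: beacon to sandbox-flagged domain": "Establish C2",
    "Placeholder: new service on workstation": "Installation",
}

# Constructed case export: (case date, use case name).
SAMPLE_CASES = (
    [(date(2014, 1, 24), "Multiple failed logins - Non-privileged")] * 5
    + [(date(2014, 1, 22), "Non-active USAA username - Destination")] * 3
    + [(date(2014, 1, 27), "Placeholder: beacon to sandbox-flagged domain")]
    + [(date(2014, 1, 28), "Placeholder: new service on workstation")]
    + [(date(2014, 1, 28), "Some rule nobody categorized yet")]
)


def week_of(d, anchor_weekday=1):
    """Tuesday (weekday 1) on or before d: the label the weekly chart uses for that week."""
    return d - timedelta(days=(d.weekday() - anchor_weekday) % 7)


def stage_for(use_case):
    """Uncategorized rules land in 'Not on Kill Chain' so they show up and get categorized."""
    return USE_CASE_STAGE.get(use_case, "Not on Kill Chain")


def tally(cases, anchor_weekday=1):
    """{week_start: Counter({(stage, use_case): n})} for the given (date, use_case) records."""
    weeks = defaultdict(Counter)
    for when, use_case in cases:
        weeks[week_of(when, anchor_weekday)][(stage_for(use_case), use_case)] += 1
    return dict(weeks)


def stage_counts(week_counter):
    """Collapse a week's (stage, use_case) counter to stage totals, in STAGES order."""
    totals = Counter()
    for (stage, _), n in week_counter.items():
        totals[stage] += n
    return {s: totals.get(s, 0) for s in STAGES}


def week_table(weeks):
    """One row per week, one column per stage: the series behind the trend chart."""
    return [[w.strftime("%m/%d/%y")] + list(stage_counts(weeks[w]).values())
            for w in sorted(weeks)]


def highlights(weeks, week_start, top=2):
    """The `top` stages by volume for a week, each with the rule contributing most to it."""
    counter = weeks.get(week_start, Counter())
    totals = stage_counts(counter)
    ranked = sorted((s for s in STAGES if totals[s]), key=lambda s: -totals[s])[:top]
    out = []
    for stage in ranked:
        rule, n = max(((uc, n) for (s, uc), n in counter.items() if s == stage),
                      key=lambda pair: pair[1])
        out.append((stage, totals[stage], rule))
    return out


if __name__ == "__main__":
    weeks = tally(SAMPLE_CASES)
    print(["Week"] + STAGES)
    for row in week_table(weeks):
        print(row)
    for stage, n, rule in highlights(weeks, date(2014, 1, 21)):
        print(f"{stage}: {n} cases, driven by '{rule}'")
```

The highlights function is what turns a bar into a sentence for the briefing: the stage with the biggest count and the single rule that produced most of it, which is exactly the pair the slide above explains (failed VPN logins during the ice storm, stale Peoplesoft contractor records).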
Why do we need the Cyber Kill Chain?
“Measurement is the first step that leads to control and eventually to improvement.
If you can’t measure something, you can’t understand it.
If you can’t understand it, you can’t control it.
If you can’t control it, you can’t improve it.”
- H. James Harrington
Q&A
Questions?
Use the mobile app:
1. Click on Sessions
2. Click on this session
3. Click on Rate Session
Or use the hard copy surveys
Thank you for providing your feedback, which helps us enhance content for future events.
Session TB3028 Speaker Pete Babcock
Please give me your feedback
Thank you