© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

© Copyright 2014 Hewlett -Packard Development Company, L.P. … · 2014. 9. 9. · Zero day exploit on website executes on Administrator’s PC. ... An analyst who knows the stage


Page 1

Page 2

Let HP ArcSight ESM be the strong link in your Cyber Kill Chain

Pete Babcock - USAA

September 2014

Page 3

What is the Cyber Kill Chain?


The Cyber Kill Chain is a taxonomy designed to measure the effectiveness of the Defense-in-Depth strategy.

[Figure: defense-in-depth layers (Layer 1, Layer 2, Layer 3) with the attacker's question "How far can I get?"]

Page 4

What is the origin of the Kill Chain?


The Cyber Kill Chain was socialized by Lockheed Martin.

It is based on military doctrine.

It was developed as a method for describing an intrusion from an attacker’s point of view.

It can inform Cyber Security and Intelligence Analysis.

Page 5


Cyber Kill Chain Stages

Reconnaissance: Searches LinkedIn for System Administrators at USAA. Guesses their USAA email addresses based on name.

Weaponization: Obtains domain name and creates website with malware. Crafts spear phish.

Delivery: Sends spear phish to targeted email addresses. Administrator clicks on link and goes to evil website.

Exploitation: Zero day exploit on website executes on Administrator’s PC. Administrator’s PC is compromised.

Installation: Root Kit is installed on Administrator’s PC.

Establish C2: Root kit connects back to Threat Actor’s server to obtain further instructions.

Actions on Objectives: Threat Actor looks for data on Administrator’s PC. Threat Actor starts compromising other USAA machines.

Page 6

What can the Kill Chain do?


Each phase of the kill chain can be mapped to corresponding defensive tools and actions.

Defensive “Courses of Actions” are based on the Information Operations principles of:

Detect, Deny, Disrupt, Degrade, Deceive & Destroy

An analyst who knows the stage of the Kill Chain has a basic understanding of what is being attempted and what response is called for.

Page 7

Courses of Action Matrix

Phase                 | Detect                             | Deny                       | Disrupt                    | Degrade                  | Deceive
Reconnaissance        | Firewall, NIDS, Web Logs           | Firewall, NIPS             | *                          | *                        | *
Weaponization         | DNS Monitoring, Website Monitoring | *                          | *                          | *                        | *
Delivery              | Antivirus, NIDS, Vigilant User     | NIPS, Proxy                | In-Line Antivirus          | *                        | *
Exploitation          | NIDS, Antivirus                    | Antivirus, System Patching | Antivirus, System Patching | Restricted User Accounts | *
Installation          | Antivirus, Application Logs        | *                          | Antivirus                  | *                        | *
Establish C2          | CIC, Malware Sandbox, NIDS         | Firewall                   | NIPS                       | *                        | *
Actions on Objectives | Application Logs                   | Firewall                   | VLANs                      | VLANs                    | *

(* marks a cell left empty on the slide.)

Page 8

What can the Kill Chain do?


The sooner in the kill chain you can disrupt the attack, the better.

Tracking similarities across kill chain phases can give CTOC Analysts insight into:

  • Threat Actor Tactics, Techniques and Procedures (TTP)
  • Campaign Analysis

Page 9

How will USAA operationalize?

1. Integrate into ArcSight ESM Cases
2. Integrate into the CTOC Wiki
3. Integrate into the Weekly Stand-Up Briefing

Page 10

Repurposing Case Fields


“Energy cannot be created or destroyed, it can only be changed from one form to another.” - Albert Einstein

ArcSight ESM Case Fields are kinda like that…

Page 11

Modifying ESM Cases

When using ArcSight ESM Cases, it is possible to modify them to your needs.

There are 3 files that control cases:

Console:
  C:\arcsight\Console\current\i18n\common\label_strings_en.properties
  C:\arcsight\Console\current\i18n\common\resource_strings_en.properties

Manager:
  /opt/arcsight/manager/config/caseui.xml

Yes, the modified files will need to be updated on ALL Consoles…

Page 12

Repurposing Case Fields


The Joke: You are going to use ArcSight’s Foreign Language capabilities to give a field an alias… in English!

First, pick a Case Field of the correct field type that you aren’t using.

Candidates can be found in the resource_strings_en.properties file.

Modify the field in the resource_strings_en.properties file.

If using a list field in the resource_strings_en.properties file, make sure to configure the list options.

Page 13

resource_strings_en.properties

Modify the Field

  extendedcase.attribute.vulnerabilitydata.label=Vulnerability Data
  extendedcase.attribute.vulnerabilitydata.shortlabel=Vulnerability Data
  extendedcase.attribute.history.label=Reoccurence Pain
  extendedcase.attribute.history.shortlabel=Reoccurence Pain
  extendedcase.attribute.lastoccurrencetime.label=4 - Investigation Start Time
  extendedcase.attribute.lastoccurrencetime.shortlabel=4 - Investigation Start Time
  extendedcase.attribute.resistance.label=Kill Chain Stage
  extendedcase.attribute.resistance.shortlabel=Kill Chain Stage
  extendedcase.attribute.conclusions.label=Conclusions
  extendedcase.attribute.conclusions.shortlabel=Conclusions

List Field Options

  extendedcase.history=Unknown or None,Low,Medium,Please make it stop
  #extendedcase.resistance=High,Low,Unknown
  extendedcase.resistance=Unknown,Reconnaissance,Weaponization,Delivery,Exploitation,Installation,Establish C2,Actions on Objectives,Not on Kill Chain

Page 14

label_strings_en.properties

This file is used to rename the Case tabs and headers displayed in the ArcSight ESM Console.

Manager

  #Cases
  cases.tab.initial=Initial
  cases.tab.attributes=Case Info
  cases.tab.description=Description
  cases.tab.securityClassification=Security Classification
  cases.tab.followup=Incident
  cases.tab.final=Analysis
  cases.tab.attackMechanism=Dean's Categorization
  cases.tab.attackAgent=Attack Agent
  cases.tab.incidentInformation=Incident Information
  cases.tab.vulnerability=Vulnerability
  cases.tab.other=Other

  cases.header.case=Case
  cases.header.ticket=Ticket
  cases.header.incidentInformation=Incident Information
  cases.header.securityClassification=Security Classification
  cases.header.securityClassificationCode=Security Classification Code

Page 15

CaseUI.xml

This is the xml file that defines the fields and tabs to display within a case.

  <editor enforceLocking="true" colorTreeBy="consequenceSeverity" width="480" height="480">
    <tab name="cases.tab.final" type="base">
      <component name="securityClassificationTable" type="table">
        <parameter name="cases.header.case" type="header"/>
        <parameter name="name" type="resourceName"/>
        <parameter name="plannedActions" type="string"/>
        <parameter name="ticketType" type="stringList"/>
        <parameter name="stage" type="stringList"/>
        <parameter name="securityClassification" type="stringList"/>
        <parameter name="resistance" type="stringList"/>
        <parameter name="consequenceSeverity" type="stringList"/>
        <parameter name="history" type="stringList"/>
        <parameter name="cases.header.ticket" type="header"/>
        <parameter name="estimatedStartTime" type="date"/>
        <parameter name="detectionTime" type="date"/>
        <parameter name="attackTime" type="date"/>
        <parameter name="lastOccurrenceTime" type="date"/>
        <parameter name="estimatedRestoreTime" type="date"/>
      </component>
      <component name="actionsTaken" type="textarea"/>
      <component name="followupContact" type="textarea"/>
      <component name="conclusions" type="textarea"/>
    </tab>
    <tab name="cases.tab.attributes" type="base" showExport="true">
      <component name="attributesTable" type="table">
        <parameter name="cases.header.case" type="header"/>
        <parameter name="name" type="resourceName"/>
        <parameter name="displayId" type="int" readOnly="true"/>
        <parameter name="common" type="commonResourceAttrs"/>
      </component>
    </tab>
    <tab name="cases.tab.followup" type="base">
      <component name="incidentInformationTable" type="table">
        <parameter name="incidentSource1" type="string"/>
        <parameter name="attackMechanism" type="stringList"/>
      </component>
      <component name="estimatedImpact" type="textarea"/>
    </tab>
  </editor>
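Because the relabelled fields live in the Console's resource_strings_en.properties while the Manager's caseui.xml decides which fields a case displays, a field can silently drift between the files that have to be updated on every Console. The check below is an added example, not code from the deck or from ArcSight; the two excerpts are constructed from the values shown on the preceding slides, and the function names and messages are this example's own assumptions.

```python
# Added example (not from the slides or from HP/ArcSight): cross-check the Console's
# resource_strings_en.properties against the Manager's caseui.xml; excerpts are constructed.
import xml.etree.ElementTree as ET

RESOURCE_STRINGS = """\
extendedcase.attribute.resistance.label=Kill Chain Stage
extendedcase.attribute.resistance.shortlabel=Kill Chain Stage
extendedcase.attribute.history.label=Reoccurence Pain
extendedcase.attribute.history.shortlabel=Reoccurence Pain
extendedcase.history=Unknown or None,Low,Medium,Please make it stop
#extendedcase.resistance=High,Low,Unknown
extendedcase.resistance=Unknown,Reconnaissance,Weaponization,Delivery,Exploitation,Installation,Establish C2,Actions on Objectives,Not on Kill Chain
"""

CASEUI_XML = """\
<editor enforceLocking="true" colorTreeBy="consequenceSeverity">
  <component name="securityClassificationTable" type="table">
    <parameter name="resistance" type="stringList"/>
    <parameter name="history" type="stringList"/>
  </component>
</editor>
"""

def parse_properties(text):
    """Minimal Java .properties reader: skip blanks and comments, split on the first '='."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def list_fields(xml_text):
    """Names of every stringList parameter that caseui.xml displays in a case."""
    root = ET.fromstring(xml_text)
    return [p.get("name") for p in root.iter("parameter") if p.get("type") == "stringList"]

def check_case_fields(props_text=RESOURCE_STRINGS, xml_text=CASEUI_XML):
    """Return a list of problems; an empty list means the two files agree."""
    props, issues = parse_properties(props_text), []
    for field in list_fields(xml_text):
        label = props.get(f"extendedcase.attribute.{field}.label")
        short = props.get(f"extendedcase.attribute.{field}.shortlabel")
        if label is None or short is None:
            issues.append(f"{field}: label or shortlabel missing in resource strings")
        elif label != short:
            issues.append(f"{field}: label '{label}' differs from shortlabel '{short}'")
        if not props.get(f"extendedcase.{field}"):  # commented-out options line is invisible
            issues.append(f"{field}: list field has no options line")
    return issues
```

Run it against each Console's copy of the properties file and the Manager's caseui.xml before a rollout; a non-empty list is a Console that will show a list field with no options or a mislabelled column.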

Page 16

Classify ArcSight ESM Cases


Page 17

Classify ArcSight ESM Cases


Page 18

Categorize CTOC Use Cases in Wiki


Page 19

Categorize CTOC Use Cases in Wiki


Page 20

Categorize CTOC Use Cases in Wiki


Page 21

How will this be briefed?


Page 22

Integrate into the weekly standup briefing


The CTOC gives a Weekly Briefing to USAA’s CSO and 80-100 of his direct reports and other parts of the business.

3 new slides were incorporated into the Weekly Standup Briefing slide deck to communicate the Cyber Kill Chain metrics.

Page 23

Weekly Cyber Kill Chain metrics

[Chart: weekly case counts per Cyber Kill Chain stage (Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Establish C2, Actions on Objectives) for the weeks 12/10/2013 through 2/3/14; y-axis 0 to 1,200]

Page 24

This week’s Cyber Kill Chain

[Chart: bar chart of this week’s cases by Cyber Kill Chain stage, y-axis 0 to 400; the seven bar values shown are 332, 40, 26, 10, 16, 2 and 163]

Page 25

This week’s Cyber Kill Chain highlights


Reconnaissance: Multiple failed logins - Non-privileged. This spike was caused by USAA employees attempting (and failing) to VPN into USAA during the icy weather on Friday 1/24/14.

Actions on objectives: Non-active USAA username - Destination. This was caused by Peoplesoft listing contractors as being terminated when, in fact, their contract was extended. More timely updates to Peoplesoft would correct this.

Page 26

Why do we need the Cyber Kill Chain?


“Measurement is the first step that leads to control and eventually to improvement.

If you can’t measure something, you can’t understand it.

If you can’t understand it, you can’t control it.

If you can’t control it, you can’t improve it.”

- H. James Harrington

Page 27

Q&A


Questions?

Page 28

Please give me your feedback

Use the mobile app:
1. Click on Sessions
2. Click on this session
3. Click on Rate Session

Or use the hard copy surveys.

Thank you for providing your feedback, which helps us enhance content for future events.

Session TB3028 Speaker Pete Babcock

Page 29

Thank you
