Know Your Enemy: Active Defense & Penetration Testing for Utilities
Cybersecurity Summit
November 13, 2018 | Austin, Texas
Brent Heyen & Mark Johnson-Barbier, Senior Principal Analysts, Cybersecurity Architecture, Salt River Project
[email protected] [email protected]
Dan Gunter, Principal Threat Analyst, Dragos, Inc.
3
Agenda
• What is Active Defense?
• Who is your Enemy?
• What is Threat Intelligence?
• Applying Knowledge of your Enemy
  o Our Story as a Maturity Model: Low, Medium, High
  o Helpful ideas for ALL organizations
4
What is Active Defense?
• Sliding Scale of Cybersecurity
• Active Defense: the process of analysts monitoring for, responding to, and learning from adversaries internal to the network
5
Who is your Enemy?
• Enemy, Adversary, Threat
• Insiders, Competitors, Crime groups, Hacktivists, Nation States, APTs, Terrorists, Script-Kiddies
6
How the Enemy Operates
7
What is Threat Intelligence?
“evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace” - Gartner
9
Applying Adversary Knowledge
10
Our Story Begins…
Positive Outcomes
11
Maturity Level: Low
12
Controls To Focus On
Legal Controls
Technical Controls
Procedural Controls
Risk-based framework: What reduces most risk?
Maturity Level: Low
13
• Risk Formula:
RISK = LIKELIHOOD X IMPACT
Maturity Level: Low
14
• Risk Formula:
RISK = LIKELIHOOD X IMPACT
LIKELIHOOD = THREAT X VULNERABILITY
IMPACT = CONSEQUENCE
Maturity Level: Low
15
• Risk Formula:
RISK =
THREAT X VULNERABILITY X CONSEQUENCE
• Vulnerability-Centric Approach
• Automate
• Do we ever get to 0?
Maturity Level: Low
16
• Risk Formula:
RISK =
THREAT X VULNERABILITY X CONSEQUENCE
• Consequence-Centric Approach
• Often already considered in ICS: Safety Culture
Maturity Level: Low
17
• Risk Formula:
RISK =
THREAT X VULNERABILITY X CONSEQUENCE
• Threat-Centric Approach
• Don’t Give Up on Prevention!
Maturity Level: Low
18
Maturity Level: Low
What We Can Detect
• Security Tool Alerts
• IOCs
• Limited Logs & Visibility
Run All the IOCs (Manually & Point In Time)
Respond to Security Alerts
Collection Management Framework
19
o Keys to Success
  - Develop asset visibility
  - Understand your defensive posture
Maturity Level: Low
20
o Visibility
  - What is current environment understanding?
    ― Devices
    ― Protocols
  - Can "normal" be defined?
    ― Behaviors
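One concrete way to turn the "can normal be defined?" question into a check, added here as an illustration rather than anything from the slides: learn which device-to-device conversations (protocol and port) appear in a baseline window of Bro/Zeek conn.log records, then report conversations in a later hunt window that never appeared in the baseline, tagging each as east/west (both ends inside the OT subnet) or north/south. The log lines, addresses and the `10.10.1.` OT prefix are constructed assumptions.

```python
# Added example, not from the slides; all log lines and addresses are constructed.
from collections import Counter

FIELDS = "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\n"

# Baseline: HMI (.20) polls PLCs over Modbus, historian (.21) polls a PLC over
# DNP3, HMI resolves names via the site DNS server (10.10.0.10).
BASELINE_LOG = FIELDS + (
    "1541100000.1\tC1\t10.10.1.20\t49152\t10.10.1.5\t502\ttcp\tmodbus\n"
    "1541100001.2\tC2\t10.10.1.20\t49153\t10.10.1.6\t502\ttcp\tmodbus\n"
    "1541100002.3\tC3\t10.10.1.21\t49154\t10.10.1.5\t20000\ttcp\tdnp3\n"
    "1541100003.4\tC4\t10.10.1.20\t49155\t10.10.0.10\t53\tudp\tdns\n"
)

# Hunt window: known polling continues, plus an HMI-to-historian SMB session
# and a PLC talking to an Internet address, neither of which was in the baseline.
HUNT_LOG = FIELDS + (
    "1541200000.1\tC5\t10.10.1.20\t49160\t10.10.1.5\t502\ttcp\tmodbus\n"
    "1541200001.2\tC6\t10.10.1.20\t49161\t10.10.1.21\t445\ttcp\tsmb\n"
    "1541200002.3\tC7\t10.10.1.21\t49162\t10.10.1.5\t20000\ttcp\tdnp3\n"
    "1541200003.4\tC8\t10.10.1.6\t49163\t203.0.113.7\t443\ttcp\tssl\n"
)

def parse_conn(text):
    """Yield one dict per record, naming columns from the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split("\t")))

def conversation(rec):
    """Normal is defined per device pair and protocol/port, not per flow."""
    return (rec["id.orig_h"], rec["id.resp_h"], rec["proto"], rec["id.resp_p"])

def build_baseline(text):
    """Count how often each conversation was seen in the baseline window."""
    return Counter(conversation(r) for r in parse_conn(text))

def find_deviations(baseline, text, ot_prefix="10.10.1."):
    """Conversations absent from the baseline, tagged east-west (both ends OT) or north-south."""
    deviations = []
    for rec in parse_conn(text):
        key = conversation(rec)
        if key in baseline:
            continue
        internal = key[0].startswith(ot_prefix) and key[1].startswith(ot_prefix)
        deviations.append((key, "east-west" if internal else "north-south"))
    return deviations
```

A real baseline would need enough history to cover periodic traffic (engineering changes, backups) and a per-device rather than per-prefix notion of what counts as OT.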
Maturity Level: Low
21
o What is my current defensive posture?
Maturity Level: Low
22
Collection Management Framework
o What is my current defensive posture?

Source                         Location                 Duration
HMI Windows Event Logs         Operator Workstation     60 days
Domain Controller Event Logs   All Domain Controllers   48 hours
Raw Packet Capture             L3/L4 Boundary           72 hours
Bro Connection Logs            From Raw PCAP            72 hours
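The value of writing the Collection Management Framework down is that blind spots become computable: given what an investigation needs and how far back it has to look, each required source is either covered, retained for too short a window, or not collected at all. This is an added illustration using the retention table above; the investigation needs, the five-day lookback and the "Engineering Workstation Event Logs" source are constructed.

```python
# Added example, not from the slides. CMF rows come from the slide table;
# the investigation needs and lookback are constructed for illustration.
from dataclasses import dataclass

HOURS_PER_DAY = 24

@dataclass(frozen=True)
class Collection:
    source: str
    location: str
    retention_hours: int

# The CMF from the slide, durations normalised to hours.
CMF = [
    Collection("HMI Windows Event Logs", "Operator Workstation", 60 * HOURS_PER_DAY),
    Collection("Domain Controller Event Logs", "All Domain Controllers", 48),
    Collection("Raw Packet Capture", "L3/L4 Boundary", 72),
    Collection("Bro Connection Logs", "From Raw PCAP", 72),
]

def coverage(cmf, needs, lookback_hours):
    """For each (source, location) an investigation needs, say whether the CMF
    still holds data back to lookback_hours ago. Anything other than 'covered'
    is a blind spot: missing entirely, or retained for too short a window."""
    by_key = {(c.source, c.location): c for c in cmf}
    report = {}
    for key in needs:
        c = by_key.get(key)
        if c is None:
            report[key] = "not collected"
        elif c.retention_hours >= lookback_hours:
            report[key] = "covered"
        else:
            report[key] = f"gap: oldest data is {c.retention_hours}h, need {lookback_hours}h"
    return report

def blind_spots(cmf, needs, lookback_hours):
    """Sorted list of required sources the CMF cannot answer for this lookback."""
    return sorted(k for k, v in coverage(cmf, needs, lookback_hours).items() if v != "covered")

# Constructed need: an HMI alert is triaged five days after the fact, and the
# analyst wants to pivot to the domain controllers, the network and an
# engineering workstation that is not in the CMF at all.
NEEDS = [
    ("HMI Windows Event Logs", "Operator Workstation"),
    ("Domain Controller Event Logs", "All Domain Controllers"),
    ("Bro Connection Logs", "From Raw PCAP"),
    ("Engineering Workstation Event Logs", "Engineering Workstation"),
]

if __name__ == "__main__":
    for key, status in coverage(CMF, NEEDS, 5 * HOURS_PER_DAY).items():
        print(f"{key[0]} @ {key[1]}: {status}")
```

With a 48-hour domain controller window, any lateral movement older than two days has to be reconstructed from the 60-day HMI logs alone, which is exactly the kind of gap the Medium maturity "fix and mature the CMF" step is meant to close.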
23
o Success Conditions
  - Asset visibility:
    ― Can identify protocols and devices
    ― Up to date network map
    ― Can define basics of "normal" behavior
  - Defensive posture:
    ― Vetted & rehearsed IR plan
    ― Prevent, detect, respond strategy
Maturity Level: Low
24
Our Story Continued…
Ukraine 2015
25
Maturity Level: Medium
Attack Analysis of Ukraine 2015
26
Maturity Level: Medium
• The Value of Threat Intelligence & Threat Hunting
  o Centralized running of specific IOCs based on context
  o Fix and mature Collection Management Framework
  o Identify blind spots
  o Threat Hunting dashboards
  o Begin to focus more heavily on ICS visibility and hunting
27
Maturity Level: Medium
• Keys to success:
  o Evaluate effectiveness of defense program
  o Building solid internal & external relationships
28
Maturity Level: Medium
• Evaluate effectiveness of defense program
  o Technical aspects:
    - Do defensive efforts counter attacker capabilities?
    - Do defensive efforts counter known vulnerabilities?
    - How do I consume threat intelligence?
  o Non-technical aspects:
    - Do my team and enterprise know what to do?
    - Is my defensive plan synced with operational realities?
    - Have I tested my plan beyond the security team?
29
Maturity Level: Medium
• Building solid internal & external relationships
  o Internally:
    - Find your (current) allies
    - Find your (future) allies
  o Externally:
    - Collaborate with other asset owners
    - ISAC, InfraGard
    - Not all vendors are dirty
• Find who you trust
• Collaboration is a two-way street
30
Maturity Level: Medium
https://dragos.com/neighborhood-keeper.html
31
Maturity Level: Medium
• Success conditions:
  o Evaluate effectiveness of defense program:
    - Areas of improvement identified
    - Investments prioritized
    - Plan thoroughly tested
  o Building solid internal & external relationships:
    - Internal workflows streamlined
    - Reducing internal fires
    - Two-way external relationships
32
Our Story Continued…
33
Maturity Level: High (Future)
• Better OT Visibility with Passive Monitoring
  o North/South (Ingress/Egress)
  o East/West (Lateral Movement)
Data Sources:
• SPAN ports (current phase)
• Netflow (future as needed)
• Endpoint logs (future as possible)
• Firewall logs (future phase)
• PI data (future phase)
34
Maturity Level: High (Future)
• Visualization and Anomaly Detection
35
Maturity Level: High (Future)
• Repeatable and scalable processes
  o Content Packs - Playbooks, Analytics and Query-Focused Datasets
  o Threat Hunting
36
Maturity Level: High (Future)
• Begin with the end in mind: Threat focus
37
Maturity Level: High (Future)
• Begin with the end in mind: Threat focus
38
Maturity Level: High (Future)
• Keys to Success:
  o Integrate threat intel & consequence approach
  o Go deep
39
Maturity Level: High (Future)
• Integrate threat intel & consequence approach
  o Threat intel:
    - How well understood is the attacker?
    - What quality of data am I getting from intel sources?
  o Consequence approach:
    - Don't wait for signs of attacker research & development
    - What are the most critical parts of the process?
    - What is my visibility around process consequence?
40
Maturity Level: High (Future)
• Go deep
  o Tradeoff of network vs host data
    ― Network data:
      » Easier to collect and analyze
      » Easier for attacker to hide in
    ― Host data:
      » Harder to collect and analyze at scale
      » Harder for attacker to cover tracks
      » Memory vs hard disk
41
Maturity Level: High (Future)
• Go deep
  o Sophisticated attackers will study your defenses
42
Maturity Level: High (Future)
• Success conditions:
  o Integrate threat intel & consequence approach:
    - Measure defenses against attacker TTPs from threat intel
    - Use assessment & threat hunt results proactively
  o Go deep:
    - Understand host & network forensic capabilities
    - Understand limits of existing DPI
    - Ensure DPI of industrial & high risk protocols
43
Conclusion?
• Know Yourself
  o Be honest about your maturity
• Know Your Enemy
  o What is being seen
  o What is possible
44
Image References
Slide 4: Image Source - https://www.sans.org/reading-room/whitepapers/ActiveDefense/sliding-scale-cyber-security-36240
Slide 5: Image Source - https://researchcenter.paloaltonetworks.com/wp-content/uploads/2015/10/adversaries2-500x329.jpg
Image Source - https://blog.rapid7.com/content/images/post-images/63249/Screen%20Shot%202017-05-15%20at%207.35.41%20PM.png
Slide 6: Image Source - https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297
Slide 7: Image Source - https://www.recordedfuture.com/assets/threat-intelligence-data-1.png
Slide 8: Image Source – https://dragos.com/adversaries.html
Slide 9: Image Source - https://memegenerator.net%2Finstance%2F20650993%2Fconfused-jackie-chan-what-does-this-mean-why-does-it-matter&psig=AOvVaw0Z619hHAc3AlaDxJdNhbxm&ust=1540315855082734
Slide 10: Image Source - http://what-when-how.com/wp-content/uploads/2012/03/tmp1954_thumb_thumb.jpg
Image Source - https://www.youtube.com/watch?v=eFmDp0gcl98
Image Source - https://www.50-best.com/images/will_ferrell_memes/overwhelmed.jpg
Image Source - https://bergento.no/wp-content/uploads/2016/02/board_icon.png
Slide 11: Image Source - https://i.imgflip.com/2jb5ji.jpg
Image Source - https://bushcraftusa.com/forum/data/attachments/23/23969-85e0c9e13ca3b49146e7c651a092a838.jpg
Slide 12: Image Source - https://www.nist.gov/sites/default/files/styles/480_x_480_limit/public/images/2018/04/16/framework-01.png?itok=sTmLOvAW
Image Source - https://www.acsc.gov.au/images/acsc_logo.png?
Image Source - https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf?
Image Source - https://www.energy.gov/ceser/activities/cybersecurity-critical-energy-infrastructure/energy-sector-cybersecurity-0-1
Slide 15: Image Source - https://imgflip.com/s/meme/Third-World-Skeptical-Kid.jpg
Slide 17: Image Source - https://i.imgflip.com/1sybsj.jpg
Slide 18: Image Source - https://media.threatpost.com/wp-content/uploads/sites/103/2016/04/07000023/shutterstock_382920931.jpg
Image Source - https://www.fortinet.com/content/dam/fortinet/images/icons/benefits/icon-benefits-multiple-platform-support.svg
Image Source - https://alertcyber.com/wp-content/uploads/2015/12/Advanced_Icon.png
Slide 21: Image Source - https://www.sans.org/reading-room/whitepapers/ActiveDefense/sliding-scale-cyber-security-36240
Slide 24: Image Source - https://www.eenews.net/image_assets/2016/07/image_asset_12194.jpg
Slide 25: Image Source - https://www.nerc.com/pa/CI/ESISAC/Documents/E-ISAC_SANS_Ukraine_DUC_18Mar2016.pdf?
Image Source - https://i1.wp.com/advancedpersistentsecurity.net/wp-content/uploads/2017/01/Triangle.png?ssl=1
Slide 26: Image Source - https://www.fortinet.com/content/dam/fortinet/images/icons/benefits/icon-benefits-multiple-platform-support.svg
Image Source - https://www.cisco.com/c/en/us/products/security/amp-for-endpoints/index/_jcr_content/Grid/category_atl/layout-category-atl/blade/bladeContents/spotlight/image.img.png/1531981328095.png
Image Source - https://media.threatpost.com/wp-content/uploads/sites/103/2016/04/07000023/shutterstock_382920931.jpg
Image Source - https://www.siemworks.com/images/Solutions/icons/dashboard-icon.png
Image Source - https://www.nozominetworks.com/wp-content/uploads/2017/12/icons-industrial.jpg
Slide 30: Image Source - https://dragos.com/neighborhood-keeper.html
Slide 32: Image Source - https://coachgeline.files.wordpress.com/2015/10/worksmarter.jpg
Slide 33: Image Source - https://www.controlglobal.com/assets/Uploads/_resampled/ResizedImage661719-cover-fig1-FIN.png
Slide 35: Image Source – The Matrix
Image Source – https://dragos.com
Slide 41: Image Source - https://memegenerator.net/instance/81107451/desk-flip-rage-guy-spend-weekend-imaging-and-analyzing-hard-drive-malware-was-memory-resident