Page 2
Contents
Section | Page
1 | Executive Summary | 03
2 | Introduction to Services | 06
3 | SOC Operations - Day to Day activities | 11
4 | Use Cases | 24
Page 4
EXECUTIVE SUMMARY
Background
Client’s Information Security function currently provides detection and prevention services, such as monitoring, incident response and investigations across the Client’s technology environment. The security strategy is to enhance and address gaps in the security monitoring function through a Security Operations Centre (SOC) service.
Our understanding of your needs
We are aware that a key objective of this engagement is to assist you with Monitoring of Information Security Threat Detection and Response Services.
Monitoring of alerts 24*7
1. Perform 24*7 monitoring of alerts generated from the implemented Splunk Enterprise Security App from the BlueSwarm Facility.
Investigation and Notification
1. Analyze and investigate alerts and the logs that generate the alerts
2. Eliminate false positives and confirm the alerts as incidents
3. Assess and prioritize potential incidents for communication and action
4. Notify Client on potential and confirmed incidents
5. Observe deviations from normal behaviour (such as authentication failures, incoming/outgoing traffic, changes, audit logs, etc.) and uncover activities that could undermine the security of information assets
Preliminary Incident Response
1. Provide incident details and outline preliminary incident response activities that can help contain the impact of the threat and additional investigation that may be subsequently required
Reporting
1. Provide monthly summary reports and dashboards highlighting the security posture of the Client's monitored infrastructure
2. Provide suggestions and recommendations that would enhance security of the monitoring infrastructure based on information gathered during monitoring
Page 6
BlueSwarm Approach - SOC Framework
Internal processes: Event Management; Incident Management; Threat Intelligence; Investigation; Daily Operations; Knowledge Management; KPIs / Metrics; Business Continuity / Disaster Recovery
Framework pillars: Enhanced Security; Risk Management; Threat & Vulnerability Management; Incident Response; Countermeasure Planning; Metrics & Reporting
Page 7
BlueSwarm - Overview of Services
Flexible service offerings that allow you to consume selective components of people, process and technology
Monitoring of Information Security Threats is delivered through BlueSwarm Process, BlueSwarm Tools and BlueSwarm People. Service components (offered and optional):
► Security Monitoring offering to meet your 24x7x365 requirements through our Analysts
► Threat Intelligence offering with comprehensive intelligence feeds and reporting of current threats
► Incident Response offering with “boots on the ground” service to support with incident investigation
► Threat Hunting offering to hunt for symptoms with a hypothesis that the environment is compromised
► Forensic Investigation offering with “boots on the ground” service to provide detailed analysis of compromised systems
► Cyber Dashboard offering with advanced detection and response capability against threat actors
BlueSwarm provides flexible and customisable options that will allow you to selectively consume components of people, process and technology depending on your strategy.
Our integrated approach provides an ability to integrate broader cyber security services: security monitoring, incident response, threat hunting, threat intelligence, forensic investigation, and cyber dashboard. This will provide additional support in handling cyber security incidents and in assessing your defence in depth controls.
Page 8
BlueSwarm SOC ARCHITECTURE
Architecture diagram components: Log Collection; Secure Communication; Monitoring and Incident Response (BlueSwarm Facility); SIEM Monitoring Workflow
Page 9
BlueSwarm - Delivery Model
Our delivery model provides cost-effective services using offshore resources
► Dedicated Team Lead will act as an extension to your team, and be the key contact for assisting with security, compliance and general queries.
► BlueSwarm Manager to provide management oversight of the service
► Security Admins (Level 1), Security Analysts (Level 2), Threat Hunters and Incident Handlers (Level 3) operate from BlueSwarm Offices in India, Dubai and UK to meet your Tier-1, Tier-2 and Tier-3 requirements across 24x7x365
► All data will reside on cloud infrastructure
► A secure connection will be established between Client premises and BlueSwarm SOC Centre
► Incident Response service that enables rapid investigation of incidents, invocation of forensic investigation as required, effective containment of threat vectors and lateral movement, proactive eradication of indicators of compromise and risk-based recovery of business operations.
Delivery model diagram: Client premises (CISO / Security Manager; Enterprise Service Management; Client Technology Environment; data sources: DNS, Databases, Servers, Firewalls, Antivirus, IDS/IPS) connect through client data and connectivity to the cloud and to BlueSwarm premises (India | UK | Dubai; EU | UK | USA | Dubai). The 24x7x365 team comprises the BlueSwarm Team Lead (India – Level 1 / Level 2 / Level 3), onshore Information Security Team Members, offshore Lv1/Lv2/Lv3 Security Personnel, offshore Incident Handlers and Technical Teams.
Page 10
BlueSwarm - Delivery Model
Our delivery model can be tailored to achieve 24*7 detection and response whilst balancing cost
Below is an illustrative model for how 24*7 coverage can be achieved Monday – Friday, as well as over weekends and public holidays.
Weekday Shift Model [24 hours effective coverage per day]: offshore Shift 1 and Shift 2 covering 00:00 to 24:00, with Handover and Operational Support windows around 8.00am / 8.30am and 8.00pm, and periodic Health Checks (time markers on the chart: 12pm, 3:30pm, 6:30pm, 1.00am, 4.00am).
Weekend/Public Holiday Shift Model [24 hours effective coverage per day]: the same offshore Shift 1 / Shift 2 rotation, handover windows and Health Check cadence.
Page 11
1. SIEM – Monitoring Workflow Project Approach and Methodology
BlueSwarm Security Analysts monitor the Splunk Console from the BlueSwarm Facility and track work through the Ticketing Portal.
PROCESS WORKFLOW / ALERT HANDLING WORKFLOW (structured process flow):
1. Preliminary Analysis / Initial Triage: an actual incident or false alarm? Scope and impact; systems involved, applications, OS, business & technical owners; has confidential data been exposed or exfiltrated?
2. Security Incident? If a false positive or known issue: issue closed.
3. Otherwise: detailed investigation; discuss with client, gather more data.
4. Security Incident? If confirmed: notify Client as Security Incident.
5. Incident Resolution & Response: ATL resolves and responds to the incident; BlueSwarm assists ATL with incident resolution and response.
Page 12
CRITICAL INCIDENT HANDLING FLOW
Malware Incidents (Viruses, Worms, Trojans, Rootkits, Ransomware)
Malware Alert Triggers
Initial Triage
• An actual incident or false alarm,
• The scope and impact,
• Systems involved including applications, operating systems, and business and technical owners,
• Is the incident still ongoing,
• Has confidential or personal data possibly been exposed or exfiltrated,
• Has there been illegal activity
Notify internal management chain
• Based on the severity and scope of the incident, determine if preliminary internal notification is appropriate and to whom.
• Document and execute as appropriate.
Detection/Analysis Phase
• Disconnect or isolate malware-infected systems
• Analyze malware-infected systems and study malicious file characteristics
• Review the output and status of anti-virus software
• Research AV vendor databases
• Analyze network traffic for malware activity (C&C)
• Research current attack intelligence and recent vulnerabilities
Response
• Notify stakeholders (status update)
• Apply type-specific malware containment measures
• Ensure updated antivirus signatures are deployed for host and network-based AV products
• Notify your ISP and other external parties as appropriate
• Take backups, reformat the drive and rebuild it; harden other relevant machines
Recommendations
• Antivirus signature check
• Security patches update
• OS and kernel level updates
• Preserving the malware for further forensic investigation
• Blocking of non-standard ports
Page 13
CRITICAL INCIDENT HANDLING FLOW
Application Level Attacks (XSS, SQL Injection, Directory Traversal, Automated Scanners, etc.)
Application Alert Triggers
Initial Triage
• An actual incident or false alarm,
• The scope and impact,
• Systems involved including applications, operating systems, and business and technical owners,
• Is the incident still ongoing,
• Has confidential or personal data possibly been exposed or exfiltrated,
• Has there been illegal activity
Notify internal management chain
• Based on the severity and scope of the incident, determine if preliminary internal notification is appropriate and to whom.
• Document and execute as appropriate.
Detection/Analysis Phase
• Comprehensive logging flow at the application tier leading to the detection of misuse and fraud
• Looking for unusual traffic outbound from web servers
• Looking for extra accounts or other configuration changes on servers
• Searching for special characters or phrases such as "union", "select", "join" and "inner" in request data
Response
• Notify stakeholders
• Block the source IP address and the exploited account
• Mitigate the vulnerability by applying appropriate patches
• Limit the permissions of the web app when accessing the database
Recommendations
• Review every point where user-supplied data is handled and processed
• Clean any input of characters or strings that could possibly be used maliciously before passing it on to scripts and databases
• Schedule a penetration test for web applications that handle sensitive data of any kind
• Developers can use automated code and vulnerability scanners to uncover potential security issues
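The "search for special characters or phrases" step above, written out as detection logic over web access logs. This is an added example, not BlueSwarm material: the log lines are constructed, and the choice to require a keyword plus a special sequence (or two of either) before raising a finding is an assumption made to keep the analyst's queue useful.

```python
"""Added example (not part of the BlueSwarm material): scan web access logs for
the SQL keywords and special characters the playbook says to search for."""
import re
from urllib.parse import unquote_plus

# Keywords named in the playbook ("union select join and inner") plus two
# common companions, matched as whole words, case-insensitive.
SQL_KEYWORDS = re.compile(r"\b(union|select|join|inner|insert|drop)\b", re.I)
# Sequences that rarely belong in legitimate parameter values.
SQL_CHARS = re.compile(r"('|--|;|/\*|\*/)")
# Common Log Format: ip ident user [time] "METHOD path PROTO" status bytes
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

# Constructed sample log: one benign request, one obvious UNION SELECT probe,
# one benign search containing the word "join", one double-encoded probe,
# and one malformed line.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:10:01:02 +0000] "GET /products?id=1 HTTP/1.1" 200 512
203.0.113.5 - - [10/Mar/2024:10:01:05 +0000] "GET /products?id=1%27%20UNION%20SELECT%20username%2Cpassword%20FROM%20users-- HTTP/1.1" 500 128
198.51.100.7 - - [10/Mar/2024:10:02:10 +0000] "GET /search?q=join+our+team HTTP/1.1" 200 2048
203.0.113.5 - - [10/Mar/2024:10:01:09 +0000] "GET /products?id=1%2527%2520or%25201%253D1-- HTTP/1.1" 200 512
garbage line that is not an access log record
"""


def parse_access_line(line):
    """Split one access-log line into its fields; None if it does not parse."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return {"ip": ip, "time": ts, "method": method, "path": path, "status": int(status)}


def sqli_indicators(path):
    """Return the SQL-like tokens found in the decoded query string of a request path.

    The query is decoded twice so that double-encoded payloads (%2527 -> %27 -> ')
    are inspected in their final form. A lone keyword such as "join" in a search
    term is not enough: a keyword together with a special sequence, or two of
    either kind, is required (assumed threshold).
    """
    if "?" not in path:
        return []
    query = unquote_plus(unquote_plus(path.split("?", 1)[1]))
    keywords = {k.lower() for k in SQL_KEYWORDS.findall(query)}
    chars = set(SQL_CHARS.findall(query))
    if (keywords and chars) or len(keywords) >= 2 or len(chars) >= 2:
        return sorted(keywords | chars)
    return []


def scan(lines):
    """Return one finding per request that carries SQL injection indicators."""
    findings = []
    for line in lines:
        rec = parse_access_line(line)
        if rec is None:
            continue  # malformed line: skip rather than crash the monitoring job
        hits = sqli_indicators(rec["path"])
        if hits:
            findings.append({"ip": rec["ip"], "time": rec["time"],
                             "path": rec["path"], "indicators": hits})
    return findings


def suspect_ips(findings):
    """Count findings per source IP to support the 'block source IP' response step."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for f in found:
        print(f["ip"], f["time"], f["indicators"])
    print("per-IP counts:", suspect_ips(found))
```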
Page 14
EVENT / INCIDENT ANALYSIS LIFE CYCLE - 1
I. Initial Assessment Phase
Input: Notable Alerts / Events from the SIEM.
Initial Triage: an actual incident or false alarm; scope and impact; systems involved, applications, OS, business & technical owners.
A. Initial analysis of the Notable Event
• Known security problem or a possible false positive? Validate against the past false positives and known problems list.
  - Known false positive, or known problem with acceptable risk: Notable Event closure and update of the False Positive / Known problem list (B. False Positive / Known Issue Management).
• Alert with high criticality? Immediate notification to Client based on severity / criticality?
  - Y: notify stakeholders; analysis / action on notification by Client. Incident confirmed? Y: III B. Initiation of Incident Resolution Phase. N: II. Information Gathering & Investigation Phase.
  - N: validation with Infosec / NOC / Techops / IT explanation. False positive or environment issue? Accept: closure and list update. Reject: II. Information Gathering & Investigation Phase.
Page 15
EVENT / INCIDENT ANALYSIS LIFE CYCLE - 2
II. Information Gathering & Investigation Phase
(entered from I. Initial Assessment Phase; leads to III. Final Assessment & Initiation of Incident Resolution Phase)
• Information required: request input and agree a timescale to respond.
• Responds within timeframe? Y: data provided to SOC Team. Adequate input, or additional information required? If adequate: detailed investigation by SOC Team and briefing, then III. If more information is required: repeat the request.
• Failure to respond within the agreed timeframe: escalation to the next level (repeated as needed); document delays and the escalation process; involved delays and overheads are recorded until issue resolution.
• Follow up & support through Remedy, e-mail and calls.
Page 16
EVENT / INCIDENT ANALYSIS LIFE CYCLE - 3
III. Final Assessment & Initiation of Incident Resolution
A. Final Assessment
• SOC Team final analysis. Security Incident?
  - N: false positive. I B. update the False Positive / Known environment issue list, then Notable Event closure.
  - Y: B. Initiation of Incident Resolution.
B. Initiation of Incident Resolution
• Preliminary / detailed incident handling suggestions; communicate to the respective stakeholders with the required suggestions.
• Incident Response; monitor for issue resolution; update of ticket by Client.
• Issue resolved? N: return to the Initial Assessment Phase or to II. Information Gathering & Investigation Phase. Y: monitoring required post incident handling? Y: continue monitoring. N: Incident Closure.
Page 17
EVENT / INCIDENT ANALYSIS LIFE CYCLE - 4 TICKET UPDATE
A. Ticket updates / follow ups
• Check mail box / Remedy for ticket updates.
• Tickets with further data inputs / analysis required: fetch the required details in the SIEM as requested in the ticket and update it.
• Check ticket status if closed / resolved / long pending. If closed / resolved, check in the logs whether alerts are repeating in Splunk. Y: reopen the ticket. N: update the Incident tracker in Remedy with closure comments.
B. E-mail Response
• Check mail box; respond to queries and updates as requested.
• Send critical notification as per monitoring in Splunk.
• Loop the team in e-mail for further communications / follow-ups.
Page 18
A Day In The Life Of Security Analyst - Level 1
Day Shift (8AM to 8PM)
• 8 AM: Analysts check in at the Facility
• 8.10 AM: Hand-over of activity & information from the analysts of the previous shift
• 8.10 AM – 8.15 AM: Check mails and the ticketing portal to be updated on ongoing incidents or suspicious things that need monitoring
• 8.20 AM – 8.30 AM: Check the assigned clients and commence with the monitoring & reporting part
• 8.30 AM: Health check of all log sources, repeated once every 3 hours from then on
• 8.30 AM – 8 PM: Real-time monitoring of the assigned clients and notifying stakeholders as and when alerts/abnormalities are observed
• End of Shift: Analysts share the Shift Handover and Health monitoring sheet internally
Night Shift (8PM to 8AM)
• 8 PM: Next cycle Analysts check in at the Facility
• 8.10 PM: Hand-over of activity & information from the Day Shift analysts
• 8.10 PM – 8.15 PM: Check mails and the ticketing portal to be updated on ongoing incidents or suspicious things that need monitoring
• 8.20 PM – 8.30 PM: Check the assigned clients and commence with the real-time monitoring & reporting part
• 8.30 PM: Health check of all log sources, repeated once every 3 hours from then on
• 8.30 PM – 8 AM: Real-time monitoring of the assigned clients and notifying stakeholders as and when alerts/abnormalities are observed
• End of Shift: Analysts share the Shift Handover and Health monitoring sheet internally
Interaction & Escalation Echelon Layout
Level 1 escalates to Level 2, Level 2 to Level 3, and Level 3 to the SOC Manager. Tier 1 Analysts who ascertain alerts that signal an incident get across to Tier 2 leads for Incident Response review.
Page 19
A Day In The Life Of Security Analyst - Level 2 Shift Leads
Early Morning Shift (6AM to 4PM)
• 6 AM: Lead 1 checks in at the facility
• 6 AM – 6.15 AM: Sit with Analysts and help them with their queries
• 6.15 AM – 6.45 AM: Check mails and address ad-hoc requests raised by clients; assign clients to Level 1 Analysts
• 6.45 AM – 9.00 AM: Share the daily reports, along with insights, with the respective stakeholders
• 9.00 AM – 4.00 PM: Work on ad-hoc requests / weekly / monthly reports / detailed incident observations / client calls
• 4 PM – 4.15 PM: Lead 1 leaves after hand-over of activity & information to Lead 2 (End of Shift, Lead 1)
Late Evening Shift (12PM to 10PM)
• 12 PM: Lead 2 checks in at the facility
• 12.30 PM: Understand critical requirements from the day shift lead; support Level 1 with their queries, if any
• 12.30 PM – 4.00 PM: Work on ad-hoc requests / weekly / monthly reports / detailed incident observations / client calls
• 4.15 PM – 10 PM: Work on ad-hoc requests / weekly / monthly reports / detailed incident observations / client calls (End of Shift, Lead 2)
Page 20
Shift Handover and Health Check
Shift Rotations – 12 Hour Cycle: 8 AM to 8 PM and 8 PM to 8 AM. SHIFT HANDOVER and HEALTH MONITORING mark the end of each shift cycle.
Page 21
BlueSwarm Approach: Key Performance Indicators
KPI groups: Event/Incident Management; Analyst Productivity
Attribute | Metric | Frequency | Source Data
Responsiveness | Total Number of Notable Events | Weekly | SIEM
Responsiveness | Number of Tickets assigned | Weekly | SIEM
Responsiveness | Number of Tickets unassigned | Weekly | SIEM
Responsiveness | Average Time to Respond to Queries / Key incidents | Weekly | SIEM
Attribute | Metric | Frequency | Source Data
Correlations | Total Number of Raw Events | Monthly | SIEM
Correlations | Number of Notable Events as False Positives | Monthly | SIEM
Correlations | Number of Notable Events as True Positives | Monthly | SIEM
Correlations | Number of Notable Events as Incidents | Monthly | SIEM
Attribute | Metric | Frequency | Source Data
Analyst Effectiveness | Event Generation to Assignment | Weekly | SIEM
Analyst Effectiveness | Assignment to Ticket Creation | Weekly | SIEM
Analyst Effectiveness | Assignment to Closure | Weekly | SIEM
Analyst Effectiveness | Ticket Creation to Closure | Weekly | Remedy
Page 22
Incident Handling & Response Strategy
Phases: Prepare; Monitor; Alert; Triage; Contain and Remediate; Incident Disrupt
BlueSwarm Deliverables (Daily / Weekly / Monthly / Quarterly): Incident tickets; Analysis report; Cyber weekly; Rule review; Monthly briefing; Quarterly briefing
IT and Security Actions (Client IT and Security, Client Operations): Disable account; Remove malware; Block IPs; Block domains/URLs; Run AV scan; Update AV; Contact user; Reimage systems
Exchanges between Client Operations and BlueSwarm Operations (BlueSwarm Security Operations Center, BlueSwarm Core Team): Secure message; Client ticket system; Request for information; Incident ticket; Alert Triage
BlueSwarm core technology to augment your current investments:
• Provides visibility into threats on end points and servers along with timeline analysis
• Conducts advanced remote analysis, forensics and malware analysis
• Provides event correlation, advanced search, workflow management, dashboards and reporting
Page 25
BlueSwarm SOC
Comprehensive visibility throughout the kill chain
Attack (Kill) chain progression: Background research; Initial attack; Establish foothold; Enable persistence; Enterprise recon; Move laterally; Escalate privilege; Gather and encrypt data; Steal data
Detection coverage across the chain:
• Detection that email is malicious
• Detection that communication with attacker exists
• Detection that programs or services are malicious
• Detection that reconnaissance behavior exists
• Detection that traversal behavior exists
• Detection that staging behavior exists
• Detection that privilege escalation behavior exists
• Detection that exfiltration behavior exists
Page 26
BlueSwarm SOC
Kill Chain – Use cases Map
Reconnaissance: Port Scan Detected; Potential Host Sweep Attack Detected; Targeted port scan detected with successful connections; Web Spider Detection
Weaponization: Inbound Threat IP Communication; Malware/Attacks Detected on EPO; Phishing: Email Domain Typo Squatting; Possible SSH Brute-force
Delivery: Email Spoofing Detected; Possible bad attachments being sent to multiple users; Possible mail spoofing with malicious attachment
Exploitation: Connection from Suspicious Process Detected and Blocked by AV; Suspicious shell execution from web server process; Word or Excel processes with execution of a scripting engine
Installation: APT Hash Detected; Recurring Malware Infection; GPO Creation; Suspicious Windows registry activity
Command & Control: APT Domain or IP Detected; Large Outbound Bytes Transfer; Possible DNS exfiltration; Outbound Threat IP Communication
Action: Windows firewall rule was deleted on a system; Outbreak Observed; Network Device Rebooted; High CPU Utilization
Page 27
Threat-Centric SIEM Use Cases
Threat modelling drives actionable use cases in the SIEM
Threat Modelling: develop multi-staged complex use cases based on the threats targeting the critical assets.
Security Operations: implement specific rules to alert on security violations, suspicious events, and malicious behaviours.
Sample Use Case Name | Description | Log Sources | Attack Phase
Scanning | In the cloud, scanning activity can include attempts to authenticate to the management console, attempts to list and access cloud resources (instances, databases, storage buckets, etc.), and network activity on unusual ports. | VPC Flow, CloudTrail | Reconnaissance
Threat IP | We leverage threat intelligence to provide detection of known threats that have already been weaponized. | Threat Intel, VPC Flow, CloudTrail | Weaponization
Phishing | One way to get payloads into the cloud is to use traditional phishing and malware attacks against users. An attacker can then leverage that user’s devices or credentials to deliver their payloads into the cloud environment. | Endpoint logs for users accessing Cloud Infra, CloudTrail | Delivery
Unauthorized API Access | Exploiting a hosted service means finding a web vulnerability, weak password, or other means to get access to an instance in the cloud. Indicators include abnormal API access from the infected instances and unusual network traffic. | CloudTrail, VPC Flow, Database Access, Web Access | Exploitation
Compromised Instances | Many of the features used to detect compromised user credentials and insider threats can also be used to identify compromised instances. Unusual API access or network traffic coming from a host can indicate the installation of some new tools on that host. | CloudTrail, Endpoint Logs, VPC Flow | Installation
Rogue Network Services | Instances in the cloud generally have fixed workloads and security group configurations to forbid incoming traffic. Once an instance is compromised, and the command and control traffic originates from within the instance, those security groups are ineffective. The predictability of the workloads, however, lends itself to the accurate detection of rogue network services, identified through unusual port access or traffic volumes. | VPC Flow | Command & Control
Mining Bitcoin | Public cloud providers offer an easy way to spin up compute-dense instances to perform lucrative endeavours like mining bitcoin. | CloudTrail | Action
The heart of our security monitoring is based on threat modelling. We assess the threats targeting your critical assets and assist in developing use cases, based on realistic scenarios, that also take account of the effectiveness of existing controls.
We then implement enhancements to SIEM rules specific to the use cases to provide actionable alerts to the Security Analysts and Incident Responders.
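The "Rogue Network Services" use case from the table above, worked as detection logic over VPC flow log records. This is an added example, not BlueSwarm's content: the flow records, the per-interface baseline (own address, expected inbound and outbound ports) and the outbound byte ceiling are all constructed, and the record layout assumed is the default version-2 flow log field order.

```python
"""Added example (not BlueSwarm's code): detect rogue network services in VPC
flow logs by comparing accepted flows against each instance's fixed workload."""

# Default VPC flow log record layout (version 2 fields, space separated).
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed baseline per network interface: its own address, the inbound
# ports its workload serves and the outbound ports it is expected to use.
BASELINE = {
    "eni-web01": {"addr": "10.0.1.10", "inbound": {80, 443}, "outbound": {443, 5432}},
    "eni-db01":  {"addr": "10.0.2.20", "inbound": {5432}, "outbound": set()},
}
# Constructed ceiling for a single outbound flow record, in bytes.
OUTBOUND_BYTES_LIMIT = 5_000_000

# Constructed flow records: normal HTTPS to the web tier, an accepted inbound
# connection on an unexpected port, the web tier talking to the database,
# the database host calling out to the internet with a large transfer, and
# a rejected SSH attempt that the security group already handled.
SAMPLE_FLOWS = """\
2 123456789012 eni-web01 198.51.100.9 10.0.1.10 51234 443 6 20 4000 1710000000 1710000060 ACCEPT OK
2 123456789012 eni-web01 203.0.113.7 10.0.1.10 40000 4444 6 12 900 1710000000 1710000060 ACCEPT OK
2 123456789012 eni-db01 10.0.1.10 10.0.2.20 44321 5432 6 50 12000 1710000000 1710000060 ACCEPT OK
2 123456789012 eni-db01 10.0.2.20 203.0.113.7 55555 8443 6 3000 9000000 1710000000 1710000060 ACCEPT OK
2 123456789012 eni-db01 203.0.113.7 10.0.2.20 40001 22 6 1 44 1710000000 1710000060 REJECT OK
"""


def parse_flow(line):
    """Parse one version-2 flow record into a dict; None if it does not fit."""
    parts = line.split()
    if len(parts) != len(FIELDS) or parts[0] != "2":
        return None
    rec = dict(zip(FIELDS, parts))
    for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
        rec[key] = int(rec[key]) if rec[key] != "-" else 0
    return rec


def detect_rogue_services(lines, baseline=BASELINE, limit=OUTBOUND_BYTES_LIMIT):
    """Return findings for accepted flows that deviate from the instance baseline."""
    findings = []
    for line in lines:
        rec = parse_flow(line)
        if rec is None or rec["action"] != "ACCEPT":
            continue  # malformed, or already rejected by the security group
        eni = rec["interface_id"]
        profile = baseline.get(eni)
        if profile is None:
            continue  # unknown interface: out of scope for this rule
        if rec["dstaddr"] == profile["addr"]:
            # inbound: something is listening on a port the workload does not serve
            if rec["dstport"] not in profile["inbound"]:
                findings.append((eni, "unexpected inbound port", rec["srcaddr"], rec["dstport"]))
        else:
            # outbound: the security group does not stop this, so check it here
            if rec["dstport"] not in profile["outbound"]:
                findings.append((eni, "unexpected outbound connection", rec["dstaddr"], rec["dstport"]))
            if rec["bytes"] > limit:
                findings.append((eni, "high outbound volume", rec["dstaddr"], rec["bytes"]))
    return findings


if __name__ == "__main__":
    for finding in detect_rogue_services(SAMPLE_FLOWS.splitlines()):
        print(*finding)
```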
Page 28
USE CASE MODELLING
The elements that comprise the use case can be divided into three layers:
► Business layer - describes how the use case is connected to the organization’s business needs (Business & Compliance: Purpose, Stakeholder, Drivers, Output)
► Threat layer - describes the threat that the use case is intended for; several aspects of the threat are considered (Threat Landscape: Threats, Actors, Incident Response, Analysis)
► Implementation layer - aspects that are relevant for implementation of the use case in the operational security monitoring architecture are described (IT Landscape: Log Source Scope, Detection Mechanism, Monitoring Rules)
Page 29
ATTACK SCENARIOS & EXAMPLE I
Kill chain phases: Reconnaissance; Weaponize; Delivery; Exploitation; Installation; C2; Action
ATTACK SCENARIO - I
► Threat Actor Action: Forcing User to Targeted Drive by Download
► Data sources: Mail, Proxy, DPI, IDS/IPS
► Applicable Use Cases: Suspicious file type download (executable, DLL, archive file, …); Suspicious mail headers (Intel based); Mismatched HREF attribute
ATTACK SCENARIOS & EXAMPLE II
Kill chain phases: Reconnaissance; Weaponize; Delivery; Exploitation; Installation; C2; Action
ATTACK SCENARIO - II
► Threat Actor Action: RDP Lateral movement
► Data sources: Win, DPI
► Applicable Use Cases: Chained RDP connections; RDP with unusual charset; Multiple RDP from same host in short time
Page 31
USE CASE DESIGNING PROCESS
Example: Admin Credential Abuse
• Objective: Purpose and goal of the procedure. Example: Monitor and alert on unusual Admin Account Access.
• Threat: The threat which the logic seeks to identify. Example: Attacker lateral movement and use of Admin accounts.
• Stakeholder: Those with responsibility relating to the procedure. Example: L1, L2 Analysts; Incident Coordinator; ITOPS.
• Data Requirements: Detection information sources, e.g. logs, packets, host configuration, CTI, etc. Example: Microsoft Domain Controller; Windows Server (various).
• Logic: Content rules and filters, etc. to process data and identify the threat. Example: Reporting Engine; Enterprise Security Alert Manager.
• Testing: Logic validation process to confirm that it addresses the risk. Example: Conduct test with Admin account out of hours.
• Priority: Classification category and level for the threat based on impact and urgency. Example: DMZ: P2; DC: P1.
• Output: Workflow when responding to the threat. Example: Procedure to be followed when Unusual Admin Account access is detected.
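The Admin Credential Abuse example above, carried through as the detection logic and priority assignment (DC: P1, DMZ: P2) over constructed Windows logon records. This is an added example and not BlueSwarm's content: the admin naming convention, business hours, host-to-zone map, jump-host list and the fallback priority for unknown zones are all assumptions; the out-of-hours record is the kind of input the "Testing" row describes.

```python
"""Added example (not BlueSwarm's code): the 'Admin Credential Abuse' use case
applied to constructed Windows logon records, with alerts ranked DC: P1, DMZ: P2."""
from datetime import datetime

ADMIN_PREFIX = "adm_"                       # assumed naming convention for admin accounts
BUSINESS_HOURS = (8, 18)                    # assumed 08:00-18:00 on weekdays, local time
ZONE_PRIORITY = {"DC": "P1", "DMZ": "P2"}   # priorities from the use case example
# Constructed asset data: zone of each monitored host, and the jump hosts
# from which admin logons are expected to originate.
HOST_ZONE = {"dc01": "DC", "dc02": "DC", "web-dmz01": "DMZ", "web-dmz02": "DMZ"}
ADMIN_SOURCES = {"jump01", "jump02"}

# Constructed logon records: (timestamp, account, target host, source host).
SAMPLE_LOGONS = [
    ("2024-03-11T09:15:00", "adm_alice", "dc01", "jump01"),        # Monday, in hours
    ("2024-03-11T23:40:00", "adm_alice", "dc01", "jump01"),        # Monday night
    ("2024-03-12T14:05:00", "adm_bob", "web-dmz01", "web-dmz02"),  # server-to-server
    ("2024-03-16T10:00:00", "adm_bob", "web-dmz01", "jump02"),     # Saturday
    ("2024-03-12T14:05:00", "carol", "web-dmz01", "laptop-77"),    # not an admin account
]


def is_out_of_hours(ts):
    """True outside business hours or on a weekend (ISO timestamp, local time)."""
    when = datetime.fromisoformat(ts)
    start, end = BUSINESS_HOURS
    return when.weekday() >= 5 or not (start <= when.hour < end)


def assess_logon(event):
    """Apply the use case logic to one record; return an alert dict or None."""
    ts, account, host, source = event
    if not account.startswith(ADMIN_PREFIX):
        return None  # only admin accounts are in scope for this rule
    reasons = []
    if is_out_of_hours(ts):
        reasons.append("out of hours")
    if source not in ADMIN_SOURCES:
        reasons.append("unexpected source host")
    if not reasons:
        return None
    zone = HOST_ZONE.get(host, "UNKNOWN")
    # hosts outside the DMZ/DC map fall back to P3 (assumed default)
    return {"time": ts, "account": account, "host": host, "source": source,
            "zone": zone, "priority": ZONE_PRIORITY.get(zone, "P3"), "reasons": reasons}


def run_use_case(events):
    """Alerts for all records, highest priority first, then oldest first."""
    alerts = [a for a in map(assess_logon, events) if a is not None]
    return sorted(alerts, key=lambda a: (a["priority"], a["time"]))


if __name__ == "__main__":
    for alert in run_use_case(SAMPLE_LOGONS):
        print(alert["priority"], alert["time"], alert["account"], alert["host"], alert["reasons"])
```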