Download Managing Security Events A model for 21st century

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
Document related concepts

Security-focused operating system wikipedia , lookup

Cyber-security regulation wikipedia , lookup

Cyberwarfare wikipedia , lookup

Distributed firewall wikipedia , lookup

Computer and network surveillance wikipedia , lookup

Malware wikipedia , lookup

Mobile device forensics wikipedia , lookup

Computer security wikipedia , lookup

Mobile security wikipedia , lookup

Unix security wikipedia , lookup

Cybercrime countermeasures wikipedia , lookup

Transcript 
Managing Security Events**
A model for 21st century information security threats
Matthew Standart, MSIM, CISSP
Senior Security Engineer
About the Speaker
Matthew Standart
• 10+ years working in IT
• 5 years directly in Forensics/Security
• Experienced examiner for Criminal and Civil Matters of all
types
• Experienced corporate investigator and examiner of all
matters (IT, Security, HR, Legal) for Defense Contractor
• MS: Information Management
• BS: Software Engineering
• CISSP, EnCE, GCFA, CCE, N+, S+ certified
Premise
1. Threats cannot be prevented, incidents will occur;
therefore incident response is inevitable.
2. Information Security Incidents are caused by threats
that operate both internally and externally.
3. By better understanding the threat landscape, we
can devise a risk-based approach to monitoring
and mitigating information security threats.
4. By strategically aligning IT to this business objective,
we can integrate efficiency and intelligence
gathering into the process.***
Functional Shift:
From Prevention to Response
• Prevention is no longer the key to security***
• The attacker has the advantage; they are more
creative at finding ways in than security experts
are able to think of ways to keep them out.***
Understanding the Threat
Landscape
1. Threats operate externally or internally
2. Threats occur directly or indirectly
• Distinguishing between threats is important to
formulate appropriate response strategy
• Many companies fail to recognize all threats,
where instead they focus on one (or even none)
threat types.***
Threat Matrix
• A visual representation of threat categories.
External
Targeted Attacks
(APT)
Non-Targeted Attacks
(Drive-Bys)
False
Positive
Internal
Insiders
(CI)
Misuse
(HR Matters)
Direct
Indirect
Traditional I/R Cycle
Events
Monitoring
Formulate
Response
Strategy
Remediation
Response
Gather Intel
Traditional Mistakes
Events
Monitoring
Breakdown #1: “Trust AV”
Remediation
Breakdown #2: “Reimage” Strategy
Breakdown #3: Not Preventing “Reinfection”
Response
Gather Intel
Formulate
Response
Strategy
HBGary
Continuous Protection Cycle
Codified Rules
Events
Plan
Prepare
Detect
Monitoring
Lessons Learned
Tracking
Formulate
Response
Strategy
Reporting/Metrics
Perimeter
Remediation
Validation
Accurate
Classification
Network
Gather Intel
Host
Execute
Response
Strategy
Enterprise Scanning
Direct
External
Disk
Threat
Intelligence
Memory
Indirect
External
False
Positive
Network
Direct
Internal
Indirect
Internal
HBGary
Integrated Approach
Codified Rules
Inoculator
Events
Active Defense
w/ DDNA
Razor
Monitoring
Lessons Learned
Tracking
Formulate
Response
Strategy
Reporting/Metrics
Razor
Remediation
Active Defense
w/ DDNA
Inoculator
Gather Intel
Active Defense
(IOC)
Threat
Intelligence
Execute
Response
Strategy
Active Defense
Active
Defense
Direct
External
Active
Defense
False
Positive
Network
Responder
Pro
Indirect
External
Direct
Internal
Indirect
Internal
Monitoring
• Generally, insufficient information is available at
the time of the detection of an adverse event to
accurately classify the threat.
• The same detection can result from different threat
agents, and with different root causes.
• This knowledge comes from the investigation,
documentation, and post-analytics of all Adverse
Events detected in an organization
Adverse Events
• An incident can be defined as an adverse event
where damage or loss has occurred
• Definitions are set by senior management
Incident Management
1. (Event) Detection logs often do not contain sufficient
information to make this distinction; therefore an
organization must devise a process to investigate events
to identify and separate incidents from adverse events.
2. The optimal IR process will consist of:
•
•
•
•
An investigation for every adverse event
Documentation for every adverse event (and incident)
Minimum required collection of data per investigation
Scalability to respond to every type of adverse event
Investigate Threats
• When a threat is detected or suspected, triage is
the first step of the response process.
• The first goal of the triage is to classify the threat,
and to determine whether the detection is an
incident or not.
• The second goal of the triage is to collect salient
information to support the formulation of a threat
response strategy.
Response Strategy Goals
• Threat Assessment
• Scope of Impact
• Exposure, Damage, and Losses
• Threat Intelligence Gathering
• Codify Intelligence
• Risk Identification
• Threat Identification
• Threat Containment
• Host Sanitization
• Network/Perimeter Sanitization
Triage
• Effective Triage looks for artifacts, or digital remnants, caused by
human activity or interaction with a computer system
• Noise has to be filtered out from valuable information
• The more informative/valuable or “human” the artifact, typically the
more volatile
System Artifacts
Core OS Files
Less Volatile
Human Artifacts
Patches
Updates
Corporate Software
Personal Software
Event Logs
Internet History
User Files/Documents
Date/Time Stamps
Malware
More Volatile
Digital Artifacts
• File System:
• Event Logs
• Events such as process start/stop, logon/logoff
• Internet History Records
• URLs accessed, Files downloaded
• File System Metadata ($MFT)
• Files Created/Accessed/Modified
• Files
• Malware/Droppers, Hack Tools, Exfil Data
• Registry
• Modified Keys (Services, Run)
• MRU Keys (OpenSaveMRU, LastVisitedMRU)
Digital Artifacts Continued
• Memory:
•
•
•
•
Processes/Modules
Binary Strings
Network Connections
Website Data
• Malware (Reverse Engineering)
• C2 Domains
• Compile Time
• Registry Keys
Threat Matrix
• A visual representation of threat categories.
External
Targeted Attacks
(APT)
Non-Targeted Attacks
(Drive-Bys)
False
Positive
Internal
Insiders
(CI)
Misuse
(HR Matters)
Direct
Indirect
Threat Matrix
• Traditional Response Methodology
External
(offline) Forensics
Live Collection
Live Collection
Internal
(offline) Forensics
Live Collection
Direct
Indirect
Threat Matrix
• New Response Methodology, integrating Enterprise Forensic
Technology
External
Live (network) Forensics
Traditional (offline) Forensics
Live (network) Forensics
Live (network)
Forensics
Internal
Live (network) Forensics
Traditional (offline) Forensics
Live (network) Forensics
Direct
Indirect
Live Forensics
• New technologies allow for live “forensically
sound” acquisition of digital artifacts
• Initial Triage is the process of searching for and
collecting common digital artifacts in support of the
detected event
• “Low-hanging fruit” concept
• Why take down and forensically image a system if
all you need is the history file and event logs?
Impact of Policy and Process
Improvement
Ratio of Cases handled via Offline Forensics vs Live Forensics
60%
50%
40%
49%
47%
44%
42%
36%
39%
Implementation of Live Forensic Methodology
30%
Ratio
20%
9%
10%
11%
9%
10% 11%
13%
0%
Jan Feb Mar Apr May Jun
Jul Aug Sep Oct Nov Dec
Timeline
• Effective timelines come from joining various digital artifacts based on
date/time and activity
• Timelines can help determine attack vector, date of compromise, exposure,
and actions by an unauthorized intruder
Source
Date/Time
Activity
IE History
9/28/2010 13:44:47
http://compromisedsite.com/index.php
IE History
9/28/2010 13:45:05
http://baddomain.net/malware.exe
File System
9/28/2010 13:45:08
[Created] C:\Documents And Settings\Bob\malware.exe
Event Logs
9/28/2010 13:45:09
[Event ID 592] A new process has been created: malware.exe
File System
9/28/2010 13:45:11
[Created] C:\Documents And Settings\Administrator\dropper.exe
File System
9/28/2010 13:45:12
[Created] C:\Windows\System32\service32.exe
Event Logs
9/28/2010 13:45:13
[Event ID 592] A new process has been created: service32.exe
File System
9/29/2010 01:14:55
[Accessed] telnet.exe
Using Active Defense for Triage
• Live Memory/Binary Analysis
• Remote File Browser
• Timeline
• MFT Analysis (Feature Request)
• EVT Analysis (Feature Request)
• Registry Analysis (Feature Request)
• History Analysis (Feature Request)
• Multiple File Search/Collection (Feature Request)
Remediate Threats
• Extract Indicators of Compromise from Digital
Artifacts:
•
•
•
•
File Names
Binary Strings
Registry Keys
File Metadata (Create/Access Time)
• Scan Network Hosts for same IOCs
• Clean Systems with Positive Hits
Reports
Related documents
A. Explain the nature of marketing plans. B. Explain the role
A. Explain the nature of marketing plans. B. Explain the role
A. Explain the nature of marketing plans. B. Explain the role of
A. Explain the nature of marketing plans. B. Explain the role of
Testimony - American Security Project
Testimony - American Security Project
Managing Security Events 101
Managing Security Events 101
FORENSICS Computer Forensics
FORENSICS Computer Forensics
Overview of Database Security
Overview of Database Security
12/2 study guide ch 17 due
12/2 study guide ch 17 due
A Global Disease Needs a Global Response
A Global Disease Needs a Global Response
Elevation of Privilege
Elevation of Privilege
Web server software
Web server software