
Designing for Scale to Enhance Defense, Detection & Response

Sean Mason
Director, Incident Response
BRKSEC-2043
Cisco Spark
Questions? Use Cisco Spark to chat with the speaker after the session.

How
1. Find this session in the Cisco Live Mobile App
2. Click Join the Discussion
3. Install Spark or go directly to the space
4. Enter messages/questions in the space

Cisco Spark spaces will be available until July 3, 2017.
cs.co/ciscolivebot#BRKSEC-2043

2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Agenda
Introduction

Integrated Threat Defense

Complexity

Integration, Consolidation, & Automation

IR Landscape

Threat Landscape

IR Fundamentals

Containment, Collection & Analysis

Staying Prepared

Intel Highlights
Deep Dive: Objectifying Cyber Intel Indicators

Measuring Incident Response

Closing Thoughts
Sean Mason www.SeanMason.com @SeanAMason

Florida resident
Developer for 10 years
IR for 10 years
7 certifications
ISC2 SME
BS & MBA

Career Highlight: Briefing Jeff Immelt & The Board of GE at 30 Rock in NYC

Integrated Threat Defense Foundation
(Diagram: a Management layer, a Workflow layer (automated & manual) and a Knowledge layer over the tool set. Components shown: RT IMS, HIPS, ESA, External SSH, Internal SSH, IDB, IPS Suspect, SIEM, Single Pane; Knowledge: Wiki, Repo.)
Attackers Are Easily Exploiting & Bypassing Point Solutions
(Diagram: isolated point solutions around the data: Antivirus, VPN, NGFW, Email, IAM, IDS, Firewall, Malware Sandbox, NGIPS.)
Time to detection: 200 Days
Only an Integrated Threat Defense Can Keep Pace
Reduce Time to:
- Detection
- Containment
- Mitigation
- Response
Systemic Response (diagram, centred on Data)
Integrated Threat Defense Architecture
Visibility Control Intelligence Context

Faster Time to Detection, Faster Time to Remediate

Complexity
Fragmented Security Market
Complexity: 45+ Security Vendors for Some Customers
Fragmentation: 558 Security Vendors at 2017 RSAC (450 : 373)
Increase in Capabilities
Over time, adding incremental solutions yields plateauing capabilities.

Adding on Complexity
At the cost of additional complexity.

Goal for Effective Security
Integration,
Consolidation,
& Automation
The Path to Effective IR Requires

Integration Consolidation Automation

82% realize they need an
integrated security architecture

Starting with something like this
(Diagram: a loosely connected tool landscape spanning Third Party Solutions, Telemetry Sources, Enrichment, Monitoring, Investigation, Management, and Communications, Collaboration and other IT Systems. Components shown: NW DDoS, Hosted WAF, Web Protections, Service Management, Feeds, Tools, NGFW, NGIPS, SIEM, Log Mgmt, Log Collector, CMDB, Ticketing, Linux Open Source Tools, Training Platform, Antimalware, Web Proxies, Cloud Services, Collab Tool, Vuln Scan, Wiki, IM, Virtualized Infrastructure, Email Sec.)
Evolving to this
(Diagram: a consolidated architecture with the groups Intelligence Platforms (Intel and Enrich), Telemetry and Third Party Solutions, Security Monitoring, Analytics and Response Suite, Infrastructure Under Investigation, and Communications and Collaboration Systems. Components shown: Threat Intelligence Providers, Threat Intel Service Provider, Malware Analysis Providers, AV Intel Providers, Enrichment Providers*, Other Data Sources, Solutions, Log Management, Monitoring & Response, Investigation, Native Security Logs, Other Sources, Case Management, Service Management, Digital Forensics Tools, Ticketing, Breach Remediation, Knowledge Base, Cyber Security Controls, Infra, Cloud Infra, Other Infrastructure, Comm & Collab Apps, Internal Training Platform, Wiki.)
Consolidation

"Also, I've seen a looooooooooooong list of vendors that are a feature - an engine to match TI to logs/flows [SIEM does this, even if not yet at scale], UBA for one particular use case, web proxy log analyzer [because, dude, proxy logs are SO important! :-)], etc. Sorry, but these products are all destined to die, and maybe the lucky few are to be acquired by larger vendors missing exactly that one feature." - Dr. Anton Chuvakin, Gartner
Features?

Prevention & Detection Scenarios
(Grid: indicator types mapped to the kill chain phases Recon, Weaponization, Deliver, Exploitation, Installation, C2 and Act on Objectives, grouped as File, Behavior, Code and Binary Code.)
Indicator types in the grid: File (Name, Path), Win Registry Key, Win Process, Win Service, URI (Domain Name, URL), HTTP (GET, POST, UA String), Email Header (Subject, X-Mailer), Address (e-mail, ipv4-addr, cidr), Hash (MD5, SHA1).
Created by David Bianco, GE-CIRT
Platform Strengths (ex. IDS)
(The same indicator-type grid, shaded for one platform.)
Notes: one shading marks indicator types the security solutions are able to investigate, analyze and monitor; the other marks indicator types the security solutions are unable to track. These areas represent gaps.
Created by David Bianco, GE-CIRT
Aggregated View
(The same indicator-type grid, shaded across all platforms.)
Notes: one shading marks indicator types the security solutions are able to investigate, analyze and monitor; the other marks indicator types the security solutions are unable to track. These areas represent gaps.
Created by David Bianco, GE-CIRT
Coverage Gaps
(Grid: the indicator types no platform covers, by kill chain phase.)
Gap indicator types: HTTP UA String, File, File - Path, URI - URL, Email Header - Subject, Email Header X-Mailer, Hash MD5, Hash SHA1.
Created by David Bianco, GE-CIRT
IR
(Diagram labelled AUTOMATION: AMP, AMP 4 FP, FIREPOWER and LANCOPE deployed across INTERNET, HQ, Branch, Off-net and Roaming, with "IR HERE" markers at each location.)
Intelligence collected & stored at the Talos level
Signatures created & pushed out globally
Maximum coverage across the environment quickly
IR Landscape
The Evolution of IR
IR Evolution & Maturity
Threat Management Maturity, Sean Mason, bit.ly/IRMaturity

Ad-hoc
  Maturity Level: As Needed
  CMM Equivalent: Initial
  People: 0 individuals
  Process / Existing IR Capabilities: Chaotic and relying on individual heroics; reactive. General purpose run-book process. Tribal knowledge.
  Technology: AV, Firewalls, IDS/IPS

Maturing
  Maturity Level: Part-Time
  CMM Equivalent: Repeatable
  People: Part time resources
  Process / Existing IR Capabilities: Situational run books; some consistency. Email-based processes. Some improvement over time.
  Technology: SIEM, Sandboxing

  Maturity Level: Full-Time
  CMM Equivalent: Defined
  People: Handful of individuals; Specialization; Shifts (possible 24x7)
  Process / Existing IR Capabilities: Requirements and Workflows documented as standard business processes. Minimal Threat Sharing. Shift turnover.
  Technology: Continuous Monitoring, Endpoint Forensics, Tactical Intelligence, Some Integration

Strategic
  Maturity Level: Dedicated SOC/IR+
  CMM Equivalent: Managed
  People: Larger teams; Formal roles; May include MSS
  Process / Existing IR Capabilities: Process is measured via metrics. Some automation. Broad Threat sharing. SLAs.
  Technology: Malware Analysis, Additional Intelligence, Multiple Intelligence Types, Focus on Integrations

  Maturity Level: Fusion
  CMM Equivalent: Optimized
  People: 15-100+; Dedicated Intel, SOC, and IR Teams
  Process / Existing IR Capabilities: Processes are constantly improved, automated, and optimized. Hunt teams.
  Technology: Intel+IR Drives Security Program, Coordination with Physical Security
Ad-hoc: IR

Maturing: IR Process View
(Cycle: Detect -> Contain & Collect -> Analyze -> Remediate)
Strategic: Integrated Intel-driven risk mitigation
(Diagram with the elements Prevention, Detection, Triage, Response (Containment, Collection, Analysis), Lessons Learned, Hunting, Intel Analysis fed by Tactical Intel Sources and Strategic Intel Analysis, and Other Functions.)
IR Process Today, Sean Mason, bit.ly/IRProcessImg
Upfront Reality
You will get breached
Prevention is not a panacea
Detection is an absolute must
Speed to discovery and containment are critical
Intel isn't just for spies
Threat Landscape
Mental Anchors

Dynamic Threats

Nuisance
  Objective: Access & Propagation
  Example: Botnets & Spam
  Skill: Low
  Potential Targets: Sensitive Information, Vulnerable Data
  Named Actors: General Malware

Hacktivism
  Objective: Defamation, Destruction, Press & Policy
  Example: Website Defacements, DDOS
  Skill: Low - Med
  Potential Targets: Access to the Network, Compromising Information
  Named Actors: Syrian Electronic Army, LizardSquad, Anonymous

Insiders
  Objective: Revenge, Destruction, Monetary Gain
  Example: Destruction, Theft
  Skill: Med
  Potential Targets: Intellectual Property, Compromising Data
  Named Actors: Jimmy, Suzy, Sally, Johnny

Cyber Crime
  Objective: Economic, Financial Gain
  Example: Credit Card Theft
  Skill: High
  Potential Targets: Credit Card Data, Personal Identifiable Information, Health Records
  Named Actors: Russian Business Network (RBN)

State Sponsored/APT
  Objective: Political Advantage, Destruction
  Example: Intellectual Property Theft, DDOS
  Skill: Very High
  Potential Targets: Intellectual Property, Negotiation, National Intelligence Information
  Named Actors: APT1, Energetic Bear
IR Fundamentals
Leadership

Credibility
Trust
Rapport
Consistency

IR Basics
Who is needed for wing-to-wing IR? (think outside security)
Who is on-call and when? (consider holidays)
Pre-built DLs for e-mails and info
Think through basics: phones, chat rooms, conference lines (2+), and remote access
Business Leaders?
Law Enforcement?

Name | Role | Phone #
Ray | Incident Coordinator | 555-2368
Danny | Incident Coordinator | 555-0840
Kate | Network Team | 606-0842
Jenny | AD Team | 867-5309
Alicia | CISO | 489-4608
Mike | Incident Response | 330-281-8004
Emily | CIO | 212-664-7665
Philip | Legal Counsel | 818-775-3993
Ramona | Public Relations | 212-664-7665
Documentation
Combination of platforms: Wiki, Process platforms, Collaboration (e.g. Box, Dropbox)
Flexibility is key
Track details on incidents
Allow for dynamic process updates
Runbooks

RACI
Who does what? (think outside security)
Set expectations
Helps define process
Incident Severities
Define a common lexicon for incidents

Rating | Impact | Description
Breach 1 | 1 | Intruder has exfiltrated sensitive data or is suspected of exfiltrating sensitive data based on volume, etc.
Breach 2 | 2 | Intruder has exfiltrated non-sensitive data or data that will facilitate access to sensitive data
Breach 3 | 3 | Intruder has established command and control channel from asset with ready access to sensitive data
Cat 1 | 4 | Intruder has compromised asset with ready access to sensitive data
Cat 2 | 5 | Intruder has compromised asset with access to sensitive data but requires privilege escalation
Cat 3 | 6 | Intruder is attempting to exploit asset with access to sensitive data
Cat 6 | 7 | Intruder is conducting reconnaissance against asset with access to sensitive data
Vuln 1 | 8 | Intruder must apply little effort to compromise asset and exfiltrate sensitive data
Vuln 2 | 9 | Intruder must apply moderate effort to compromise asset and exfiltrate sensitive data
Vuln 3 | 10 | Intruder must apply substantial effort to compromise asset and exfiltrate sensitive data

Simplified & Flexible: focus more on capability

Rating | Description | Response/Containment
Severity 0 | Intruder has exfiltrated sensitive data or is currently inside network. DDOS that has impacted availability. Malware outbreak. | 1 hour
Severity 1 | Indicators show that an intruder is attempting to gain a foothold or has attained an initial foothold on the network. DDOS that has the potential to impact availability. Malware causing disruption. | 4 hours
Severity 2 | Compromised machine (General Malware) | 72 hours
Communication
Communicate broadly, engage others
Communication template, rhythm and formats
Mobile technology and speed of information

Incident Severity | Communications Rhythm | Audience
Grave (KC7) | Within 1hr: Conf. Call; 2x Daily: Conf. Call; COB Daily: E-mail | COO, CSO, CIO, General Counsel, Director of PR, CISO, Director of IR, Chief Security Architect
Significant (KC6) | Within 1hr: E-mail; COB Daily: E-mail | CISO, Director of IR, Chief Security Architect
Benign (KC1-5) | As needed or upon escalation | Director of IR, Security Manager
Internal Communications

Containment, Collection & Analysis
Containment & Collection
Who can access compromised devices?
How will you track down the devices?
When do you contain?
Who makes the containment call?
What method(s) will you use?
How will you collect data?

Focus on IR Fundamentals: Containment, Sean Mason, bit.ly/IRContainment
Analysis
Where are logs? Do you aggregate logs?
Does the team have access to the compromised logs & devices?
Preserve forensic evidence
Who is properly trained to do the forensics? Do they have tools?

Volatility

Analysis Infrastructure
Analysis Servers (CPU + RAM): Cisco UCS-C240, 2.3GHz, 18 cores, 200GB RAM
Storage (TB/PBs)
Responder Laptops: MBP & Custom Gaming

What's in Your IR Go-Bag?, Shelly Giesbrecht, bit.ly/IRGoBag
Staying Prepared
Lessons Learned

Kill Chain | Actor Action | Failure Mode | Mitigation Action
Reconnaissance | Used commercial web scanner | Potential gaps in threat tool & scanning capability | Establish detection capability
Weaponization | | |
Delivery | SQLI on vulnerable ASP page to gain admin access | Could not detect SSL traffic; vulnerable to SQLI | Explore Secure Development & Application Security Assessments
Exploitation | | |
Installation | IIS web service used to upload web shell | Failure to restrict file upload types | Explore Secure Development & Application Security Assessments, or configure web server to not execute uploaded files
C2 | Used web shell on initially compromised host | Could not detect SSL traffic |
Actions on Intent | Accessed info.txt which held admin account information | Management scripts failed to delete info.txt after running | Scripts retired and environment scanned

Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains, Lockheed Martin, bit.ly/KillChain
Recurring Testing
Paper Test: Ensure all documentation, templates, etc. are properly updated.
Table Top Exercise: Verbally walking through a number of different IR scenarios.
Simulated Incident: A more invasive test that leverages a Red Team to simulate an attack (or utilize existing malware samples). Allows for a more comprehensive test of IR.

Table Top Exercises for IR, Sean Mason, bit.ly/IRExercises
Threat Hunting
The practice of proactively reviewing data to search for signs of an attacker which may have evaded previous detection.
1. Am I compromised?
2. Identifies exploitation of control gaps
3. Reduces attack surface
4. Reduces dwell/exposure time
5. New detection methods to find internal and external attackers

Great resource for more reading: http://www.threathunting.net/

A Hunting We Will Go, Sean Mason, bit.ly/IRHuntingSM
Intel Highlights
Kill Chain (KC)
KC1 - Reconnaissance: Collecting information about the target organization
KC2 - Weaponization: Packaging the threat for delivery
KC3 - Delivery: Transmission of the weaponized payload
KC4 - Exploitation: Exploiting vulnerabilities on a system
KC5 - Installation: Installing malware on a target
KC6 - Command & Control: Providing hands on the keyboard access to the target system
KC7 - Actions on Intent: The attacker achieves their objective (e.g. stealing information)

Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains, Lockheed Martin, bit.ly/killchain
Structured Intel Storage & Analysis

Deep Dive: Objectifying Cyber Intel Indicators
Indicator Reality
(Chart: Indicators over Time.)

Current State
Confidence & Impact
Confidence - The quality and quantity of the information
Impact - What level of impact this Indicator will have on your organization if it is detected

Confidence | Impact | Weighting
High | High | High/High
High | Medium | High/Medium
High | Low | High/Low
Medium | High | Medium/High
Medium | Medium | Medium/Medium
Medium | Low | Medium/Low
Low | High | Low/High
Low | Medium | Low/Medium
Low | Low | Low/Low
Areas to Objectify
1. Threat Actors

Threat Actor | Target | Incidents Identified | Objective Weighting
Unicorn Spider | Medical Device IP | 42 | 10
Mutant Turtles | Medical Device IP | 18 | 10
Soccer Ball | PHI Data | 2 | 6
Xfit One | Credit Card Data | 0 | 1
Roger Rabbit | Hacktivism | 0 | 1
2. Source

Source | Incidents Identified | False Positive Alert % | Objective Weighting
Internal | 42 | 24% | 10
Vendor A | 18 | 67% | 8
Government | 2 | 89% | 4
Vendor B | 0 | 88% | 2

Your best source of intel should be the ones you earned on the battlefield.
3. Kill Chain Phase

Kill Chain Phase | Objective Weighting
KC7 - Action on Intent | 10
KC6 - C2 | 10
KC5 - Installation | 8
KC4 - Exploitation | 7
KC3 - Delivery | 6
KC2 - Weaponization | 1
KC1 - Reconnaissance | 2
4. Indicator Age

Indicator Age | Objective Weighting
0-3 months | 10
3-6 months | 8
6-12 months | 6
12-24 months | 4
24+ months | 2
5. Past Performance

Incidents Identified | False Positive Ratio | Objective Weighting
2+ | - | 10
1 | - | 9
0 | - | 5
0 | 10-50%+ | 7
0 | 90%+ | 2
6. Pyramid of Pain

Pyramid Level | Objective Weighting
Network/Host Artifacts | 8
Domain Names | 5
IP Addresses | 4
Hash Values | 1

The Pyramid of Pain, David Bianco, http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
Scoring Formula

1. Decide weighting for each category
2. Model multiple weights
3. There is no perfect solution

Objective Rating = .25TA + .25S + .2KC + .05Age + .15P + .1PoP
(TA = Threat Actor, S = Source, KC = Kill Chain Phase, Age = Indicator Age, P = Past Performance, PoP = Pyramid of Pain; each term is that category's objective weighting from the preceding tables.)
Objective Ratings

Indicator | Threat Actor | Source | Kill Chain | Indicator Date | Performance | Pyramid of Pain | Formula | Objective Rating
Badguy.com | Unicorn Spider | Internal | KC7 - AOI | 12-24 months | 2+ Incidents | Domain Name | ObjRat = .25x10+.25x10+.2x10+.05x10+.15x10+.1x5 | 9.5
6b4475ce9f9c5c4b9d2e7edc8bdbf849 | Mutant Turtles | Vendor A | KC4 - Exploitation | 12-24 months | 0 incidents | Hash | ObjRat = .25x10+.25x8+.2x7+.05x4+.15x5+.1x1 | 6.95
1.2.3.4 | Xfit One | Government | KC6 - C2 | 6-12 months | 2+ incidents | IP Address | ObjRat = .25x1+.25x4+.2x9+.05x6+.15x10+.1x4 | 5.25
sdra64.exe | Soccer Ball | Vendor B | KC5 - Installation | 24+ months | 90% FP | Host Artifact | ObjRat = .25x6+.25x2+.2x8+.05x2+.15x2+.1x8 | 4.8
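The scoring model from the "Scoring Formula" and "Objective Ratings" slides, written out as an added Python example (not the deck's own code): it encodes the six weighting tables from the preceding slides, applies the weighted sum, and keeps only as many indicators as the team can handle. The threat actors, sources, the MD5 and sdra64.exe rows are the deck's fictional values; the `rotate_feed` function, the indicators `example-c2.invalid` and `198.51.100.7`, and the treatment of a 0-incident source with an FP ratio under 10% are assumptions made here.

```python
"""Indicator objective rating after the deck's 'Scoring Formula' slide
(constructed example): the six lookup tables, the weighted sum
.25*TA + .25*S + .2*KC + .05*Age + .15*P + .1*PoP, and feed rotation."""
from dataclasses import dataclass
from typing import List, Optional

# Category weights from the formula slide (they sum to 1.0).
WEIGHTS = {"ta": .25, "source": .25, "kc": .2, "age": .05, "perf": .15, "pop": .1}

# Lookup tables copied from the 'Areas to Objectify' slides. Threat-actor and
# source weights are organisation-specific; these are the deck's fictional rows.
THREAT_ACTOR = {"Unicorn Spider": 10, "Mutant Turtles": 10, "Soccer Ball": 6,
                "Xfit One": 1, "Roger Rabbit": 1}
SOURCE = {"Internal": 10, "Vendor A": 8, "Government": 4, "Vendor B": 2}
KILL_CHAIN = {"KC1": 2, "KC2": 1, "KC3": 6, "KC4": 7, "KC5": 8, "KC6": 10, "KC7": 10}
PYRAMID = {"Network/Host Artifacts": 8, "Domain Names": 5, "IP Addresses": 4, "Hash Values": 1}


def age_weight(age_months: float) -> int:
    """'Indicator Age' table: 0-3 months 10, 3-6 8, 6-12 6, 12-24 4, 24+ 2."""
    for limit, weight in ((3, 10), (6, 8), (12, 6), (24, 4)):
        if age_months < limit:
            return weight
    return 2


def performance_weight(incidents: int, fp_ratio: Optional[float]) -> int:
    """'Past Performance' table; 0 incidents with FP under 10% is treated as 'no FP data' (assumption)."""
    if incidents >= 2:
        return 10
    if incidents == 1:
        return 9
    if fp_ratio is None or fp_ratio < 0.10:
        return 5
    return 2 if fp_ratio >= 0.90 else 7


def objective_rating(ta, source, kc, age, perf, pop) -> float:
    """Weighted sum of the six 0-10 category scores, rounded as on the slide."""
    total = (WEIGHTS["ta"] * ta + WEIGHTS["source"] * source + WEIGHTS["kc"] * kc
             + WEIGHTS["age"] * age + WEIGHTS["perf"] * perf + WEIGHTS["pop"] * pop)
    return round(total, 2)


@dataclass
class Indicator:
    value: str
    threat_actor: str
    source: str
    kill_chain: str            # "KC1" .. "KC7"
    age_months: float
    incidents: int             # incidents this indicator/source has identified
    fp_ratio: Optional[float]  # false-positive alert ratio, None if unknown
    pyramid_level: str


def score_indicator(ind: Indicator) -> float:
    """Resolve each category through its table, then apply the formula."""
    return objective_rating(
        THREAT_ACTOR.get(ind.threat_actor, 1),  # unknown actor or source:
        SOURCE.get(ind.source, 2),              # lowest weight in its table
        KILL_CHAIN[ind.kill_chain],
        age_weight(ind.age_months),
        performance_weight(ind.incidents, ind.fp_ratio),
        PYRAMID[ind.pyramid_level],
    )


def rotate_feed(indicators: List[Indicator], capacity: int) -> List[str]:
    """Keep the `capacity` highest-rated values (what the team can alert on)."""
    ranked = sorted(indicators, key=score_indicator, reverse=True)
    return [ind.value for ind in ranked[:capacity]]


# Constructed feed: the hash and sdra64.exe rows mirror the deck's 'Objective
# Ratings' slide; the other two indicators are made up for this example.
SAMPLE_FEED = [
    Indicator("6b4475ce9f9c5c4b9d2e7edc8bdbf849", "Mutant Turtles", "Vendor A",
              "KC4", 18, 0, None, "Hash Values"),
    Indicator("sdra64.exe", "Soccer Ball", "Vendor B",
              "KC5", 30, 0, 0.90, "Network/Host Artifacts"),
    Indicator("example-c2.invalid", "Unicorn Spider", "Internal",
              "KC6", 1, 2, None, "Domain Names"),
    Indicator("198.51.100.7", "Roger Rabbit", "Government",
              "KC1", 40, 0, 0.95, "IP Addresses"),
]

if __name__ == "__main__":
    print("kept:", rotate_feed(SAMPLE_FEED, capacity=2))
```

The two deck rows that follow their own tables reproduce the slide's 6.95 and 4.8; the other two slide rows use component scores that differ from the tables, so the test checks them through `objective_rating` with the slide's own components.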

Extra Credit
Don't just stop using math with indicators

How much does it cost to run my SOC per minute?
$3M cost / 526,000 minutes = $5.71/minute

What does the average alert cost me to resolve?
$5.71 cost x 8 minutes = $45.68/alert

How many alerts can I handle a year?
$3M cost / $45.68/alert = 65,674 alerts per year
Final Thoughts
Objectify your indicators!

Focus on what is important to your organization

Take the math further; know what you can actually handle

Leverage data for resourcing conversations

Be creative! For example, rotate your indicators


Measuring Incident Response
IR Measured Cycle Times
Event (Event Time) -> Triage (Detect Time) -> Analysis -> Report (Report Time) -> IR Actions (Contain Time) -> Remediation (Remediation Time)

Dwell Time (Event Time to Detect Time): How fast did we find it?
Contain Time: How fast did we respond to it?
Business Impact Time / Remediation: How fast did we fix it?

Incident Response Metrics, Sean Mason, bit.ly/IRMetrics
Dwell & Contain
(Charts: Dwell Time in days, axis 0-400; Avg Time to Contain in hours, axis 0-40; Monthly Contain Time as incidents per hours bucket, axis 0-20, with outliers called out.)
Incident Response Metrics, Sean Mason, bit.ly/IRMetrics
Intel & Detection
(Charts: Detection Success by source (SIEM, IDS, DLP, Users, AV, MIR): false positives, incidents and success rate; Intel Source Success by source (In-House, Talos, Vendor1, Vendor2): false positives, incidents and success rate; Incident Detection by source (SIEM, IDS, DLP, Users, AV, MIR): incidents and % of incidents.)
Incident Response Metrics, Sean Mason, bit.ly/IRMetrics
Closing Thoughts
Organizational Sustainability & Elasticity
There simply isn't enough talent
Don't hire all Senior talent
Quit complaining - go do something!
Outsource
Develop a pipeline of students & interns
Don't be a school snob
Help schools design their InfoSec programs!
https://www.iad.gov/nietp/reports/current_cae_designated_institutions.cfm
Provide opportunities both ways
Give your mid-level folks opportunities
Bring in talent outside of Incident Response
Final Thoughts
1. Prevention Will Fail. Invest in Intel & IR; it can be measured, evolved,
and simplified.
2. Intel is more than a nice to have- it is a requirement. It also scales.
3. Think beyond IT; Partnerships are critical to success. Educate and
form alliances in the business and externally (e.g. local FBI office,
competitors, colleges)
4. Communicate findings back into other functions; Defense is a team
sport
5. Reward your teams!

Resources
Cisco Security
Services: https://cisco.com/go/securityservices
Blogs: https://blogs.cisco.com

Cisco Incident Response Team
If you are currently experiencing an incident, please contact us at 1-844-831-7715 or email IncidentResponse@cisco.com

Sean Mason
@SeanAMason
https://SeanMason.com
Complete Your Online Session Evaluation
Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 gift card.
Complete your session surveys through the Cisco Live mobile app or on www.CiscoLive.com/us.

Don't forget: Cisco Live sessions will be available for viewing on demand after the event at www.CiscoLive.com/Online.

Continue Your Education
Demos in the Cisco campus
Walk-in Self-Paced Labs
Lunch & Learn
Meet the Engineer 1:1 meetings
Related sessions

Thank you