Transcription
Re-writing the CSIRT Playbook
Jeff Bollinger - Infosec Investigator
Matt Valites - Infosec Investigator

Corporate Security Program
INFOSEC
54 CSIRT members
Cisco Public. 2013 Cisco and/or its affiliates. All rights reserved.

19 Data Sources

Splunk: 1 TB data indexed / day
NetFlow: 15.6 billion flows / day

2.5 trillion DNS lookups / day

Passive DNS
Multiple data repositories
Our Mission
Mission: Protect Cisco by developing security monitoring architecture and strategy. Respond to security threats using ad-hoc and prescribed methods of incident detection and response.

How did we get here?
Effective CIRTs must evolve with changes in the cyber threat landscape to remain relevant.
Over the last 11 years:
- Organic evolution
- Team growth
- Dramatic increase in value and scope of service offering

More information, more problems
My Data is Bigger
[Chart: Query Time vs. Indexed Data, comparing Splunk with SIEM 1; axes: Avg Query Time (seconds) and Data Indexed (GB/day)]
My Data is Bigger
The old way:
- Buy and trust a SIEM to run canned reports
- Wait for updates from the vendor

Scaling Problems
- SIEM unable to process reports during an analyst's shift
- Reports broken into multiple smaller 'directional based reports'
- Inefficient way to process data
- Led to inefficiency

Static and Retention

My Data is Bigger
The new way:
- Build your own collection infrastructure
- Build your own reports
- Research your own intelligence
- Operationalize and optimize

Dependencies
- Requires good architecture and a plan
- Requires smart people
- Scale and efficacy
- Data management

The New Way
Previously: 112,374 results, analyzed in Excel
Currently: 16 results, analyzed in Splunk (formats data during search)
The Playbook

What is a playbook?
playbook | ˈplāˌbŏk | noun
A prescriptive collection of repeatable queries (reports) against security event data sources that lead to incident detection and response.
0100003-HF-IDS-MALWARE:BOT-C2

Objective: Discover and report botnet infected hosts for remediation and enhance future detection.

Working:
index="ids" earliest=-10m tag=HF-IDS NOT (tag=IN_DNS OR tag=DC_MBOX) | stats count by host | sort limit=50 -count | rename attacker AS C2 | csirtTable | makeAcaseHF botSquash(C2)

Action: Case generated into auto-remediation queue: CSIRT-Analysts-HF

Analysis: The generated report is high fidelity. If an IRC Join is detected, verify the NICK is computer generated. These events require the reimage malware remediation process. If the bot matches the Infostealer List, email client password update instructions. If the client address matches the VIP list, those hosts must be escalated to the on-duty investigator.

Reference: wiki/10012, bugzilla:576, GIR: n/a
Where do I begin?
- What am I trying to protect?
- What are the threats?
- How do I detect them?
- How do we respond?

IR Fundamentals
- Develop requirements on frequency, priority, and scope
- Ensure basic requirements:
  - Solid systems of record
  - Complete traffic inspection coverage
  - Proper communication channels
  - Ensure proper remediation controls
  - Enforceable policies
- If you can build a good query, you can find malware, infected systems, and dedicated attackers
- If you can't automate, investigate

The Playbook MUST:
- Detect malware infected machines
- Detect suspicious network activity
- Detect anomalous authentication attempts
- Describe and understand inbound AND outbound traffic
- Provide custom views into certain environments
Additionally:
- Provide summary information including trends, statistics, counts
- Provide usable and quick access to statistics and metrics
- Correlate events across all relevant data sources
Correlation
WSA fields: timestamp (date), source IP, source port, destination IP, destination port
CSA fields: timestamp (date), source IP, source port, destination IP, destination port
Why?
- Attribution
- Confirmation
- Temporal correlation
- Concurrent multi-index search ("sub-search")
How?
- Union
- Join
0800001-INV-MULTI-MALWARE: WSA validation of attempted CSA network connections

Objective: Searches HIDS for outgoing tcp/80 connections and uses those IPs to find corresponding WSA logs to determine if the HIDS-detected connection was malicious or not.

Working:
index="wsa" x_wbrs_threat_type="*" (NOT (cs_referer="*"))
    [search index="csa" "attempted to initiate a connection as a client on TCP port 80" "allowed"
     | rex "on TCP port 80 to (?<csa_dst_ip>\d+\.\d+\.\d+\.\d+) using"
     | dedup csa_dst_ip | rename csa_dst_ip AS s_ip | fields s_ip]
| rex field=cs_url "http:\/\/(?<domain>[^\/]+)"
| rex field=cs_url "\/(?<script_name>[^\/\?]+)(?=\?)"
| dedup script_name | dedup domain | dedup c_ip | dedup cs_url

Action: Manual investigation. Analysis may result in submitting a host for remediation.

Analysis: Investigate whether HIDS-detected connections may be a sign of an infected host by reviewing the WSA SIO data and any additional event indicators.

Reference: wiki/10103, bugzilla:6742, GIR: n/a
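The two plays above share one shape (Objective, Working, Action, Analysis, Reference) and the second one is the sub-search join the Correlation slide describes. The following is an added example, not code from the deck or from Cisco CSIRT: a play record in that shape, and a Python version of play 0800001's WSA/CSA correlation run over constructed log records instead of Splunk. The WSA/CSA field names (s_ip, c_ip, cs_url, cs_referer, x_wbrs_threat_type, csa_dst_ip) follow the deck's query; the records, the time-window check, and the helper names (dedup, csa_allowed_destinations, wsa_validate_csa, run_play) are assumptions made for this example.

```python
"""Added example (not from the Cisco CSIRT deck): a playbook entry plus a
Python version of play 0800001's WSA/CSA correlation over constructed records.
Field names follow the deck's query; everything else is assumed."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%d %H:%M:%S"

@dataclass(frozen=True)
class Play:
    play_id: str
    objective: str
    working: str     # name of the report function to run (a Splunk query in the deck)
    action: str
    analysis: str
    reference: str = "n/a"

# Constructed CSA (host IDS) events; the message text mirrors the strings the
# deck's sub-search matches on. Only 'allowed' connections are of interest.
CSA_EVENTS = [
    {"ts": "2013-06-01 10:00:05", "host": "wkstn-01",
     "msg": "Process attempted to initiate a connection as a client on TCP port 80 "
            "to 198.51.100.7 using interface eth0. The operation was allowed."},
    {"ts": "2013-06-01 10:02:40", "host": "wkstn-02",
     "msg": "Process attempted to initiate a connection as a client on TCP port 80 "
            "to 203.0.113.9 using interface eth0. The operation was denied."},
    {"ts": "2013-06-01 10:05:00", "host": "wkstn-03",
     "msg": "Process attempted to initiate a connection as a client on TCP port 80 "
            "to 192.0.2.44 using interface eth0. The operation was allowed."},
]

# Constructed WSA (web proxy) records using the field names from the deck's query.
WSA_EVENTS = [
    {"ts": "2013-06-01 10:00:09", "c_ip": "10.1.1.5", "s_ip": "198.51.100.7",
     "cs_url": "http://bad.example/dl/loader.php?id=1", "x_wbrs_threat_type": "Malware", "cs_referer": ""},
    {"ts": "2013-06-01 10:00:11", "c_ip": "10.1.1.5", "s_ip": "198.51.100.7",
     "cs_url": "http://bad.example/dl/loader.php?id=2", "x_wbrs_threat_type": "Malware", "cs_referer": ""},
    {"ts": "2013-06-01 10:03:00", "c_ip": "10.1.1.6", "s_ip": "203.0.113.9",   # CSA denied it: no match
     "cs_url": "http://cdn.example/lib.js?v=1", "x_wbrs_threat_type": "Malware", "cs_referer": ""},
    {"ts": "2013-06-01 10:05:20", "c_ip": "10.1.1.7", "s_ip": "192.0.2.44",    # no WBRS threat type
     "cs_url": "http://news.example/index.html", "x_wbrs_threat_type": "", "cs_referer": ""},
    {"ts": "2013-06-01 10:00:30", "c_ip": "10.1.1.5", "s_ip": "198.51.100.7",  # has a referer: excluded
     "cs_url": "http://bad.example/dl/page.php?x=1", "x_wbrs_threat_type": "Malware", "cs_referer": "http://a.example/"},
    {"ts": "2013-06-01 14:00:00", "c_ip": "10.1.1.8", "s_ip": "198.51.100.7",  # outside the time window
     "cs_url": "http://bad.example/dl/loader.php?id=9", "x_wbrs_threat_type": "Malware", "cs_referer": ""},
]

CSA_DST_RE = re.compile(r"on TCP port 80 to (?P<csa_dst_ip>\d+\.\d+\.\d+\.\d+) using")
DOMAIN_RE = re.compile(r"http://(?P<domain>[^/]+)")
SCRIPT_RE = re.compile(r"/(?P<script_name>[^/?]+)(?=\?)")   # same lookahead as the deck's rex

def dedup(rows, key):
    """Splunk-style dedup: keep the first row seen for each distinct value of key."""
    seen, out = set(), []
    for row in rows:
        if row[key] not in seen:
            seen.add(row[key])
            out.append(row)
    return out

def csa_allowed_destinations(csa_events):
    """The sub-search: destination IP of each allowed outbound tcp/80 connection,
    mapped to the first time it was seen (dedup keeps the first occurrence)."""
    dests = {}
    for ev in csa_events:
        match = CSA_DST_RE.search(ev["msg"])
        if "allowed" in ev["msg"] and match and match["csa_dst_ip"] not in dests:
            dests[match["csa_dst_ip"]] = datetime.strptime(ev["ts"], TS_FMT)
    return dests

def wsa_validate_csa(wsa_events, csa_events, window=timedelta(minutes=10)):
    """The outer search: WSA requests to the CSA destinations that carry a WBRS
    threat type and no referer. The time window is an addition to the deck's
    query (which joins on IP alone) to give the temporal correlation it asks for."""
    dests = csa_allowed_destinations(csa_events)
    rows = []
    for ev in wsa_events:
        if ev["s_ip"] not in dests or not ev["x_wbrs_threat_type"] or ev["cs_referer"]:
            continue
        if abs(datetime.strptime(ev["ts"], TS_FMT) - dests[ev["s_ip"]]) > window:
            continue
        dom = DOMAIN_RE.search(ev["cs_url"])
        script = SCRIPT_RE.search(ev["cs_url"])
        rows.append({"c_ip": ev["c_ip"], "s_ip": ev["s_ip"], "cs_url": ev["cs_url"],
                     "domain": dom["domain"] if dom else "",
                     "script_name": script["script_name"] if script else "",
                     "threat": ev["x_wbrs_threat_type"]})
    for key in ("script_name", "domain", "c_ip", "cs_url"):   # same dedup order as the deck
        rows = dedup(rows, key)
    return rows

PLAYS = {"wsa_validate_csa": wsa_validate_csa}   # report name -> function (assumed registry)

PLAY_0800001 = Play(
    play_id="0800001-INV-MULTI-MALWARE",
    objective="Validate HIDS-detected outbound tcp/80 connections against WSA logs",
    working="wsa_validate_csa",
    action="Manual investigation; may result in submitting a host for remediation",
    analysis="Review the WSA threat data and other indicators for each matched host",
    reference="wiki/10103, bugzilla:6742",
)

def run_play(play, wsa_events, csa_events):
    """Run a play's report and hand the results on with the play's prescribed action."""
    report = PLAYS[play.working](wsa_events, csa_events)
    return {"play": play.play_id, "results": report, "action": play.action}
```

Two behaviours of the deck's query are kept on purpose: the sequential dedup collapses the two loader.php requests into one row (the first seen), and the lookahead in the script_name regex means a URL without a query string yields no script_name at all, so rows for such URLs will all share an empty value and dedup down to one. Both are worth knowing before trusting the counts in the report.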
How do we know you're working? METRICS!
- Top events fired per event source
- Top malicious domain
- Total infected hosts
- Top malware type/family
- Highest areas of infection (lab, DC, DMZ, etc.)
- Infections by theatre
- Infection by role/org (sales, engineering, marketing, etc.)
- Event rates and collection stats (total volume of alarms, then alarms by source, index/filesize avg/day)
- Unique user counts avg/day
- Total attacks blocked by CSIRT
- Top infections by event source (event source detection ranking)
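As an added illustration of the metrics slide (example code, not from the deck or from Cisco CSIRT), the block below computes most of those numbers from a constructed set of closed cases. The case fields (source, host, domain, family, zone, theatre, org) and the helper names (count_by, playbook_metrics) are assumptions made for this example; "infections by" counts cases, while "total infected hosts" counts distinct hosts.

```python
"""Added example, not from the Cisco CSIRT deck: the playbook metrics computed
from constructed case records. Field names and the records are assumptions."""
from collections import Counter
from datetime import date

# Constructed case records; each is one confirmed infection raised by a play.
CASES = [
    {"day": date(2013, 6, 3), "source": "HF-IDS", "host": "wkstn-01", "domain": "bad.example",
     "family": "zbot", "zone": "lab", "theatre": "AMER", "org": "engineering"},
    {"day": date(2013, 6, 3), "source": "WSA", "host": "wkstn-02", "domain": "bad.example",
     "family": "zbot", "zone": "office", "theatre": "EMEA", "org": "sales"},
    {"day": date(2013, 6, 3), "source": "HF-IDS", "host": "wkstn-01", "domain": "c2.example",
     "family": "zbot", "zone": "lab", "theatre": "AMER", "org": "engineering"},
    {"day": date(2013, 6, 4), "source": "CSA", "host": "srv-07", "domain": "drop.example",
     "family": "fakeav", "zone": "DC", "theatre": "APJC", "org": "it"},
    {"day": date(2013, 6, 4), "source": "HF-IDS", "host": "wkstn-09", "domain": "bad.example",
     "family": "fakeav", "zone": "DMZ", "theatre": "AMER", "org": "marketing"},
]

def count_by(cases, field):
    """Distribution of cases over one field, most common first."""
    return Counter(c[field] for c in cases).most_common()

def playbook_metrics(cases):
    """The headline numbers from the metrics slide, in one dict."""
    days = {c["day"] for c in cases}
    by_source = count_by(cases, "source")
    return {
        "events_per_source": by_source,
        "top_malicious_domain": count_by(cases, "domain")[0][0],
        "total_infected_hosts": len({c["host"] for c in cases}),   # distinct hosts, not cases
        "top_family": count_by(cases, "family")[0][0],
        "infections_by_zone": dict(count_by(cases, "zone")),
        "infections_by_theatre": dict(count_by(cases, "theatre")),
        "infections_by_org": dict(count_by(cases, "org")),
        "alarms_avg_per_day": len(cases) / len(days),
        "source_ranking": [src for src, _ in by_source],   # event source detection ranking
    }
```

The same functions run unchanged over a real case export once the records carry these fields; the "events per source" and "source ranking" entries are what tell you which plays are actually earning their place in the playbook.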
Yeah, but how exactly do we do it?
- Malware/Advanced Detection, e.g. phishing URLs in email
- Anomaly Detection, e.g. two VPN logins from a single user
- Policy-driven monitoring, e.g. flows from datacenter to Internet
- Operational intelligence, e.g. malware analysis for indicator discovery

You can help!
- FIRST standard
- Information sharing: how do YOU detect threats?
- Strategy sessions (network agnostic)