Transcription
BLUE TEAM: DETECT AND DEFEND
Scott Lynch @packetengineer lynch@packetengineer.com
5 October 2018
ABOUT THE AUTHOR
- Adjunct Instructor - Bucks County Community College, Cisco IT Academy
- Security Operations Manager, Swedish Space Corp
- Ex Navy Electronic Warfare Tech and P-3 IFO
- CCNP-Security, GIAC GNFA and GCIH
WHAT IS A BLUE TEAM
"A blue team is a group of individuals who perform an analysis of information systems to ensure security, identify security flaws, verify the effectiveness of each security measure, and to make certain all security measures will continue to be effective after implementation." (1)
(1) Sypris Electronics. "DoDD 8570.1: Blue Team". Sypris Electronics. Retrieved July 3, 2016.
WHO IS THE BLUE TEAM
- I said Blue Team, not Blue Man
- IT professionals from different backgrounds
- May not share the same training or specialty
- Usually made up of system administrators and network engineers
- Can include developers and other parts of the org
PRINCIPLE DRIVE
- Goal: visibility and knowledge of all systems within the enterprise
- Task: monitoring of internal and external network assets to build a big picture/baseline of ALL network traffic
- Expected outcome: fused picture of total network traffic and operations in order to defend the enterprise and provide incident response
HOW DO WE GET THERE
- Deploy systems to aid in the visibility and identification of network traffic
- Develop a continuous monitoring plan of internal and external enterprise assets
- Train as a team to fight as a team
- Continuous development of team members through training and practical exercises
CIS CRITICAL CONTROLS
INVENTORY OF ASSETS AND SOFTWARE
- Lansweeper
- Inventory tool using SNMP, WMI and SSH
- Software and hardware info
VULNERABILITY ASSESSMENT
- Nessus by Tenable
- OpenVAS by Greenbone Networks
THREAT HUNTING
Cyber threat hunting is "the process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions."
Threat hunting is aptly focused on threats. And to be a threat, an adversary must have three things:
- Intent
- Capability
- Opportunity to do harm
THREAT HUNTING
- Correlation of endpoint logs
- Netflow traffic
- Analysis of NIDS and HIDS
- Indicators of compromise (IOC)
- Threat feeds
- IDS and firewall log correlation
THREAT HUNTING CONT.
- Looking for intra-system/lateral movement
THREAT HUNTING RESOURCES
- The Threat Hunting Project https://www.threathunting.net/reading-list
- Adversary Hunting with SOF-ELK https://isc.sans.edu/forums/diary/Adversary+hunting+with+SOFELK/22592/
THREAT HUNTING TOOLS
- Security Onion
- BRO NSM
- Scrutinizer by Plixer (Netflow)
- Syslog and Windows Event logs
SECURITY ONION
https://securityonion.net/
SECURITY ONION
Open source NSM:
- SNORT/SURICATA IDS
- BRO IDS
- Critical Stack Threat Intel
- Docker images
- ELK
- Sysmon
- OSSEC HIDS
Input: packet data, full PCAP, syslog
Output: parsed data for ingestion into the ELK database; fully searchable and indexed data from numerous sources
BRO NSM
Example conn.log
https://www.bro.org/
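Added example, not from the slides: a small Python parser for Bro's TSV conn.log that hunts the intra-system/lateral movement the slides point at, by listing each internal host (outside a jump-host allowlist) that reached other internal hosts on remote-administration ports. The sample log lines, the admin port set and the allowlist are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in Bro conn.log TSV layout (header trimmed to the
# columns used here; "-" is Bro's unset/empty marker).
SAMPLE_CONN_LOG = """#separator \\x09
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tconn_state
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tstring
1538740800.1\tCa1\t10.0.1.25\t51000\t10.0.1.40\t445\ttcp\t-\tSF
1538740801.2\tCa2\t10.0.1.25\t51001\t10.0.1.41\t445\ttcp\t-\tSF
1538740802.3\tCa3\t10.0.1.25\t51002\t10.0.1.42\t3389\ttcp\t-\tS0
1538740803.4\tCa4\t10.0.1.10\t51003\t10.0.1.40\t445\ttcp\t-\tSF
1538740804.5\tCa5\t10.0.1.25\t51004\t93.184.216.34\t443\ttcp\tssl\tSF
"""

INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Remote-administration ports (assumed set); workstation-to-workstation use
# of these is the intra-system traffic the slides say to hunt for.
ADMIN_PORTS = {22, 135, 445, 3389, 5985, 5986}


def parse_conn_log(text):
    """Turn Bro's TSV conn.log into a list of dicts keyed by the #fields names."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other header lines (#separator, #types, #close, ...)
        else:
            records.append(dict(zip(fields, line.split("\t"))))
    return records


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def find_lateral_candidates(records, admin_hosts=frozenset()):
    """Map each internal source not in the admin_hosts allowlist to the internal
    (host, port) admin targets it touched. Rejected attempts (conn_state S0)
    count too: probing for open shares shows up as failures, not successes."""
    targets = defaultdict(set)
    for r in records:
        src, dst, dport = r["id.orig_h"], r["id.resp_h"], int(r["id.resp_p"])
        if src in admin_hosts or dport not in ADMIN_PORTS:
            continue
        if is_internal(src) and is_internal(dst):
            targets[src].add((dst, dport))
    return {src: sorted(t) for src, t in targets.items()}
```

On real data, feed the output into the Netflow/Sysmon correlation the slides describe: a source with a high fan-out of admin-port targets, especially one that is not a management host, is the first lead to pull full PCAP and endpoint logs for.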
NETFLOW
- Packet data without the payload
- Small overall size compared to full pcap
- Numerous tools available to capture and monitor
https://www.plixer.com/
TOOLS
- BRO Network Security Monitor https://www.bro.org/
- Security Onion https://securityonion.net/
- SOF-ELK VM Distribution https://github.com/philhagen/sof-elk
- HELK NSM https://github.com/Cyb3rWard0g/HELK/wiki
- Rock NSM https://rocknsm.io/
- Sysmon oads/sysmon
RESOURCES AND LINKS
- CIS Critical 20 Controls https://www.cisecurity.org/controls/
- Peerlyst https://www.peerlyst.com
- Medium https://medium.com/
- H&A Security Solutions https://www.hasecuritysolutions.com/
- Black Hills Information Security https://www.blackhillsinfosec.com/blog/
- SANS Blue Team Wiki https://wiki.sans.blue/#!index.md
PEOPLE TO FOLLOW ON TWITTER
- Justin Henderson @SecurityMapper
- John Hubbard @SecHubb
- Eric Conrad @eric_conrad
- Ismael Valenzuela @aboutsecurity
- Lesley Carhart @hacks4pancakes
- Austin Taylor @HuntOperator
- SwiftOnSecurity @SwiftOnSecurity
- Security Onion @securityonion
- Doug Burks @dougburks
- John Strand @strandjs
EVENTS TO FOLLOW
- SANS Training Events https://www.sans.org/
- BsidesPhilly https://www.bsidesphilly.org/
- Security 6/FrontPage
- Meetup https://www.meetup.com/
- CSO Online List of Security html
QUESTIONS