Cyber Threats And Security Operations Best Practices

Transcription

Cyber Threats and Security Operations Best Practices
National Council of Postal Credit Unions, 33rd Annual Conference
Cory A. Mazzola, MScIA, CISSP, C|CISO, GPEN
Senior Manager, FireEye/Mandiant Consulting Services
Mandiant, a FireEye Company. All rights reserved. CONFIDENTIAL

Agenda
- Introduction
- Trends in Mandiant Investigations in 2016
- Threat Intelligence Update
- Responding to the Threat: Advanced Cyber Defense
- Q&A

Cyber Defense Consulting – who we are

Why Are Targeted Attacks Different?
- It's a "who," not a "what": there's a human at a keyboard
- Highly tailored and customized attacks, targeted specifically at you
- They are professional, organized and well funded; nation-state sponsored
- Escalate sophistication of tactics as needed; relentlessly focused on their objective
- If you kick them out they will return
- They have specific objectives; their goal is long-term occupation
- Persistence tools ensure ongoing access

Targeting
- …ion targets the DIB, military research and development orgs, think tanks, MFAs, and government agencies
- Private industry targeting due to ties to government and intellectual property
- Destructive attacks that aim to delete information and/or render systems inoperable
- Cybercrime motivated by financial gain: primary mission is to steal information that can be monetized

TRENDS IN MANDIANT INVESTIGATIONS

Who is a Target?

How Compromises Are Being Detected
- 47% Internal
- 53% External

Days to Discovery

M-TRENDS: MEDIAN DAYS BEFORE DISCOVERY
- 2011: 416 days
- 2012: 243 days
- 2013: 229 days
- 2014: 205 days
- 2015: 146 days

M-TRENDS: INTERNAL DETECTION VS EXTERNAL

APT Phishing
- Days victims received phishing e-mails (day of week e-mail was sent): 89% of phishing e-mail sent on weekdays
- Phishing themes (pie chart, some labels lost): Other 17%, Current Events 12%, Translate 1%, Video 1%, IT & …ion 3%
- Majority of phishing e-mails were IT or security related, often attempting to impersonate the targeted company's IT Department or an anti-virus vendor

Defense Trends: 3 Common Challenges
- Credentials, in general
- Inability to detect targeted attacks
- Poor egress controls

Attacker Trends in 2016
- Rise in business disruption attacks
- Mass targeting of personal data
- Attacks on enterprise networking devices
- Outsourced service provider abuse

INTEGRATED CYBER DEFENSE OPERATIONS: ENTERPRISE PROTECTION & RESPONSE

Cyber Defense Domains

Cyber Defense Framework

Security Operations Mantra
Our Mantra:
1. Combine traditional SOC and CIRT capabilities
2. Integrate Threat Intelligence
3. Enable live response and containment (at the endpoint)
   - Access forensic data quickly for deeper analysis
   - Leverage cyber threat intelligence for focused incident response and for containment strategies
   - Integrate IOC hunting/sweeping capabilities
4. Implement use cases at each stage of the kill chain
5. Continuously improve analyst skills to increase utilization of technology
Our Goal: "Turn every incident into a 10 min problem"

Functional Alignment

The Analyst Role(s)
The Cyber Defense Center is organized into teams that specialize in the detection, response, and discovery for Use Cases mapped to the life cycle of an attack along the cyber kill chain. Individual team members rotate between Detection, Response, and Discovery and may share responsibilities depending on the scope and intensity of threat activities. Accordingly, this approach enhances:
- Orientation and strategy
- Clarity and communications
- Shared learning and contribution
- Cross-functional alignment
- Operational resilience in response to events and hostile risk environments

Draft Organizational Model
- Cyber Defense Center
- Threat Detection
- Threat Response
- Event Analyst
- Threat Intel
- Intel Analyst
- …d Teaming
- Use …tegration

CDC Workflow

Incident Response Process Framework
- Incident Response Plan
  - Roles & responsibilities, incident definitions, classification, severities, SLAs and KPIs
  - Event vs. Alert vs. Incident
- Communications Plan
  - Internal and external
- Escalation Matrix
  - Who, what, where, when (time), how
- Playbooks
  - Repeatable triage, analysis and investigation procedures for each Use Case

Use Cases
- Detection / Triage (Alerting)
- Data Loss
- Malware
- Unauthorized Access
- DoS / DDoS
- Web Attack
- Ethical Hacking
- Cyber Hunting
- Tech Integration – SIEM Engineering
- Incident Response
- Incident Reporting

Incident Response Playbooks
- Detection / Triage (Alerting)
- Data Loss
- Malware (Targeted & Commodity)
- Unauthorized Access
- DoS / DDoS
- Web Attack
- Penetration Testing
- Data Spillage / Breach
- Insider Threat
- Database Activity Monitoring

Playbook Overview
Functional Roles:
- Event Analyst
- Incident Analyst
- Incident Responder
- Security Team Manager
- Relevant Stakeholders: Executives, Network Operations, System Owners, Security Team Members/Stakeholders
- Security Incident Management & Response (SIMR)

Incident Response Plan
- Executive Summary: Background, Mission, Scope & Goals
- Concept of Operations: Conceptual description of CDC mission areas, capabilities and functions
- Assets, Threats & Severity Rating: Interbank Assets, Threats to Interbank, Severity Rating Guidelines
- Incident Severity Ratings & Categories: Criteria for determining the severity of an incident and guidance for the appropriate category
- Roles & Responsibilities: CDC roles, duties and detailed descriptions; support roles and responsibilities (e.g., Service Desk)
- Incident Response Process
- Appendices

Incident Response Process
- Preparation: Establishing and training of CDC resources, acquiring necessary tools, and assessing risks
- Identification: The process through which potentially adverse events are brought to the CDC's attention, including assigning an initial severity rating, event category, incident role (lead or support), incident ID, assignments, and status updates
- Triage: Confirming the validity of the initial alert and determining the initial response action
- Investigation: Analyzing systems and information to determine the facts of a security incident
- Remediation: Planning and executing activities to contain and eradicate the threat and recover from the incident
- Post-Incident: Assessing and documenting lessons learned and improving capabilities to enhance the organization's ability to prevent, detect, and respond to incidents

Incident Response Process Workflow

Threat Intelligence
- Is this targeted? Is this part of a larger campaign? What's the scale?
- Who else is seeing this? What are others saying?
- Or is this an insider threat?
- What are the TTPs? How do you find them?
- How do you remediate? How do you share?

Proactive Capabilities
- Hunting the network provides the capability to conduct proactive analysis to develop new IOCs
  - Data mining historical data
  - IOC Sweeps
- A mature IOC capability includes:
  - Dedicated individuals to design and build IOCs
  - Develop and update IOCs regularly (IOC Editor)
  - Processes and tools in place to actively check systems for IOCs
- Post-incident, hunting assists in ensuring remediation and eradication activities were successful
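The slide lists IOC sweeps and post-incident re-sweeps as separate capabilities; the following added example (not code from the deck or from Mandiant) shows both in one small script. It sweeps a constructed fleet of host artifact sets against a constructed IOC set, then compares the sweep before and after cleanup so that a host whose persistence mechanism survived remediation is reported. Every hash, domain, path and registry key below is a placeholder, and the HostArtifacts structure is an assumption about what an endpoint collector would return.

```python
"""Added example: IOC sweep plus post-remediation verification.

All indicators and host data are constructed placeholders, not real IOCs.
"""
from dataclasses import dataclass, field

# Constructed IOC set keyed by indicator type. A real CDC would load this
# from its IOC editor/export rather than hard-code it.
IOC_SET = {
    "md5": {"d41d8cd98f00b204e9800998ecf8427e"},             # placeholder hash
    "domain": {"update-check.example.invalid"},               # placeholder C2 domain
    "path": {r"c:\programdata\svchost32.exe"},                # placeholder dropper path
    "regkey": {r"hklm\software\microsoft\windows\currentversion\run\svc32"},
}


@dataclass
class HostArtifacts:
    """What a (hypothetical) endpoint collector returns for one host."""
    hostname: str
    file_hashes: set = field(default_factory=set)   # md5 of files on disk
    dns_queries: set = field(default_factory=set)   # domains resolved recently
    file_paths: set = field(default_factory=set)    # paths of executables on disk
    run_keys: set = field(default_factory=set)      # autorun registry values


def _norm(value: str) -> str:
    # Hashes, domains, Windows paths and key names are case-insensitive.
    return value.strip().lower()


def sweep_host(host: HostArtifacts, iocs=IOC_SET) -> list:
    """Return sorted (ioc_type, matched_value) pairs observed on one host."""
    observed = {
        "md5": host.file_hashes,
        "domain": host.dns_queries,
        "path": host.file_paths,
        "regkey": host.run_keys,
    }
    hits = []
    for ioc_type, indicators in iocs.items():
        wanted = {_norm(i) for i in indicators}
        hits.extend((ioc_type, _norm(v)) for v in observed[ioc_type] if _norm(v) in wanted)
    return sorted(hits)


def sweep_fleet(hosts, iocs=IOC_SET) -> dict:
    """Sweep every host; only hosts with at least one hit are returned."""
    return {h.hostname: hits for h in hosts if (hits := sweep_host(h, iocs))}


def verify_remediation(before: dict, after: dict) -> dict:
    """Compare sweep results taken before and after eradication.

    'persisting' hosts still match an IOC after cleanup; 'new' hosts matched
    only after cleanup (e.g. the attacker returned or was missed initially).
    """
    return {
        "cleaned": sorted(set(before) - set(after)),
        "persisting": sorted(set(before) & set(after)),
        "new": sorted(set(after) - set(before)),
    }


# Constructed sample fleet before remediation.
FLEET_BEFORE = [
    HostArtifacts("ws-001",
                  file_hashes={"D41D8CD98F00B204E9800998ECF8427E"},
                  dns_queries={"Update-Check.example.invalid"},
                  file_paths={r"C:\ProgramData\svchost32.exe"}),
    HostArtifacts("ws-002", dns_queries={"intranet.example.invalid"}),
    HostArtifacts("srv-db1",
                  run_keys={r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\svc32"}),
]

# Same fleet after cleanup: ws-001 was rebuilt, srv-db1 kept its run key,
# and ws-003 has started resolving the C2 domain.
FLEET_AFTER = [
    HostArtifacts("ws-001"),
    HostArtifacts("ws-002", dns_queries={"intranet.example.invalid"}),
    HostArtifacts("srv-db1",
                  run_keys={r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\svc32"}),
    HostArtifacts("ws-003", dns_queries={"update-check.example.invalid"}),
]

if __name__ == "__main__":
    before = sweep_fleet(FLEET_BEFORE)
    after = sweep_fleet(FLEET_AFTER)
    for host, hits in before.items():
        print(f"{host}: {hits}")
    print(verify_remediation(before, after))
```

Normalizing every indicator before comparison matters in practice: a run key written with different letter case, or a hash exported in upper case, should still count as a hit, and a sweep that misses such variants gives false assurance that eradication succeeded.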

TECHNOLOGY: INTEGRATION & OPERATIONS

What Challenges do we have?
Challenge areas: Tools & Technology, Incident Response, Governance
- Lack endpoint detection
- No live response
- Data (event) overload
- Slow searches
- Rely on signature-based detection
- Needle in a haystack
- No threat intel
- Wide mission
- Lack of intel context
- No hunting
- Lack required skillsets
- Ability to quickly sweep & contain
- Compliance burden
- R & R do not align with org model
- Leverage analytics and anomaly detection

CDC Framework – Technology & Infrastructure

Key Security Technologies
1. SIEM
2. Perimeter (Firewalls / Proxies)
3. IDS / IPS
4. DLP
5. Packet Capture
6. Malware Analysis
7. Forensics
8. Netflow
9. ?

Top Data Sources
1. Advanced Threat Detection
2. Web Proxy
3. DNS / DHCP
4. VPN
5. Authentication
6. FW / Netflow
"The SIEM that Cried Wolf" - lerts.html

STRATEGY & REPORTING: CYBER KILL CHAIN & EXECUTIVE ROADMAP

Use Cases
Mandiant implements use cases at each stage within the kill chain. This ensures complete visibility and allows the CDC to detect and respond to cyber threats earlier, in order to reduce exposure and loss.

Mapping the Technology Stack – Was it blocked at the proxy?
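The "Top Data Sources", "Use Cases" and "Was it blocked at the proxy?" slides describe one triage loop: an advanced-threat alert fires, the analyst checks the proxy log for the same host and URL to see whether the download was blocked, checks authentication logs for follow-on activity from that host, and tags what was observed against the kill chain. The added example below (not the deck's or Mandiant's code) runs that loop over constructed log lines in a simple key=value format; the source names, field names and the source-to-stage mapping are assumptions chosen for the example, not a standard.

```python
"""Added example: alert triage against proxy, DNS and auth data sources.

Log lines, field names and the kill-chain mapping are constructed for this
example and do not reflect any particular product's format.
"""
import re
from collections import defaultdict

# Constructed sample logs: one line per event, "<SOURCE> key=value ...".
SAMPLE_LOGS = """\
ALERT src=10.0.0.5 url=http://update-check.example.invalid/a.exe sig=Dropper.Generic
PROXY src=10.0.0.5 url=http://update-check.example.invalid/a.exe action=BLOCK
DNS   src=10.0.0.5 q=update-check.example.invalid
ALERT src=10.0.0.7 url=http://files.example.invalid/inv.docm sig=Macro.Downloader
PROXY src=10.0.0.7 url=http://files.example.invalid/inv.docm action=ALLOW
AUTH  user=svc_backup src=10.0.0.7 dst=srv-db1 result=SUCCESS
AUTH  user=jdoe src=10.0.0.9 dst=fileshare result=SUCCESS
ALERT src=10.0.0.11 url=http://cdn.example.invalid/x.js sig=Exploit.Kit
"""

# Which kill-chain stage each data source mainly gives visibility into
# (an assumed mapping for this example).
KILL_CHAIN_STAGE = {
    "DNS": "Command and Control",
    "PROXY": "Delivery",
    "ALERT": "Exploitation",
    "AUTH": "Lateral Movement",
}

KV = re.compile(r"(\w+)=(\S+)")


def parse(lines: str) -> list:
    """Turn key=value lines into dicts tagged with source and kill-chain stage."""
    events = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        source, _, rest = line.partition(" ")
        fields = dict(KV.findall(rest))
        fields["source"] = source
        fields["stage"] = KILL_CHAIN_STAGE.get(source, "Unknown")
        events.append(fields)
    return events


def triage_alerts(events: list) -> list:
    """For each ALERT decide: did the proxy block the URL, did the host then
    authenticate elsewhere, and which stages were observed for that host."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e.get("src")].append(e)

    results = []
    for alert in (e for e in events if e["source"] == "ALERT"):
        host_events = by_src[alert["src"]]
        proxy_actions = {e["action"] for e in host_events
                         if e["source"] == "PROXY" and e.get("url") == alert["url"]}
        # None = no proxy record at all (a data-source coverage gap, not a pass).
        blocked = None if not proxy_actions else proxy_actions == {"BLOCK"}
        lateral = sorted(e["dst"] for e in host_events
                         if e["source"] == "AUTH" and e.get("result") == "SUCCESS")
        stages = sorted({e["stage"] for e in host_events})

        if lateral:
            severity, disposition = "high", "payload reached host and host moved laterally: escalate to incident"
        elif blocked is None:
            severity, disposition = "medium", "no proxy record for this URL: check data-source coverage, then investigate host"
        elif blocked:
            severity, disposition = "low", "blocked at proxy: confirm no other path, then close"
        else:
            severity, disposition = "medium", "payload allowed through proxy: investigate host"

        results.append({
            "src": alert["src"], "sig": alert["sig"], "blocked": blocked,
            "lateral_targets": lateral, "stages_observed": stages,
            "severity": severity, "disposition": disposition,
        })
    return results


if __name__ == "__main__":
    for r in triage_alerts(parse(SAMPLE_LOGS)):
        print(f"{r['src']} {r['sig']}: {r['severity']} - {r['disposition']}")
```

The three-way `blocked` value is the point of the exercise: an alert with no matching proxy record is not the same as a blocked one, and treating a missing data source as "nothing happened" is exactly the visibility gap the data-sources slide is about.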

Integrated Cyber Security Roadmap
Time frame: Phase 1 = 4 months, Phase 2 = 8 months, Phase 3 = 12 months

Outcomes & Benefits / Deliverables (across the three phases):
- Service Catalog
- Mission Statement
- Gap Analysis – Observables
- Recommendations Report
- Proposed Organizational Model
- Draft Strategic Roadmap
- Physical SOC/CDC Requirements
- Incident Response Plan Workshop & Review
- Security Incident Classification
- Escalation & Notification Matrix
- Criticality Worksheet
- Use Case Workshops
- Map Use Cases to Cyber Kill Chain
- Develop Use Cases Library
- Incident Response Playbooks

Use Cases:
- Phase 1, 6 operationalized cases: Data Loss Protection; Detection (Alerting); Malware / Unauthorized Access; Ethical Hacking; Cyber Engineering - SIEM Support
- Phase 2, 12 operationalized cases: Detection / Triage; Incident Response; Incident Reporting; Cyber Hunting (MSSP); Ethical Hacking (P2); Web Attack / DoS
- Phase 3, 18 operationalized cases: Vulnerability Assessment; Threat Intelligence; E-Discovery; Forensics (Optional); Data Loss Prevention; Database Activity Monitoring; Cyber Engineering - Technologies

Maturity by phase (Phase 1 / Phase 2 / Phase 3):
- SIEM/Data Sources: 5 / 10 / 20
- People (Capacity): 50% / 70% / 95%
- Process: 25% / 75% / 100%
- Technology: 45% / 65% / 80%
- Detection Capability: 25% / 45% / 95%
- Response Capability: 20% / 40% / 90%

Phased Capability Approach

Questions?

THANK YOU
Contact: Cory Mazzola — cory.mazzola@mandiant.com
