Let HP ArcSight ESM be the strong link in your Cyber Kill Chain. Pete Babcock - USAA. September 2014.

What is the Cyber Kill Chain? The Cyber Kill Chain is a taxonomy designed to measure the effectiveness of the Defense-in-Depth strategy. How far can I get? (Slide diagram: Defense-in-Depth layers Layer 1, Layer 2, Layer 3.)

What is the origin of the Kill Chain? The Cyber Kill Chain was socialized by Lockheed Martin. It is based on military doctrine. It was developed as a method for describing an intrusion from an attacker’s point of view. It can inform Cyber Security and Intelligence Analysis.

Cyber Kill Chain Stages (with a worked example for each stage):
Reconnaissance: Searches LinkedIn for System Administrators at USAA. Guesses their USAA email addresses based on name.
Weaponization: Obtains domain name and creates website with malware. Crafts spear phish.
Delivery: Sends spear phish to targeted email addresses. Administrator clicks on link and goes to evil website.
Exploitation: Zero day exploit on website executes on Administrator’s PC. Administrator’s PC is compromised.
Installation: Root Kit is installed on Administrator’s PC.
Establish C2: Root kit connects back to Threat Actor’s server to obtain further instructions.
Actions on Objectives: Threat Actor looks for data on Administrator’s PC. Threat Actor starts compromising other USAA machines.

What can the Kill Chain do? Each phase of the kill chain can be mapped to corresponding defensive tools and actions. An analyst who knows the stage of the Kill Chain has a basic understanding of what is being attempted and what response is called for. Defensive “Courses of Actions” are based on the Information Operations principles of: Detect, Deny, Disrupt, Degrade, Deceive & Destroy

Courses of Action Matrix (columns: Detect, Deny, Disrupt, Degrade, Deceive; controls listed per phase as they appear on the slide):
Reconnaissance: Firewall, NIDS, Web Logs, NIPS *
Weaponization: DNS Monitoring, Website Monitoring
Delivery: Antivirus, Vigilant User, Proxy, In-Line Antivirus
Exploitation: NIDS, Antivirus, System Patching, Restricted User Accounts
Installation: Application Logs
Establish C2: CIC, Malware Sandbox
Actions on Objectives: VLANs

What can the Kill Chain do? The sooner in the kill chain you can disrupt the attack, the better. Tracking similarities across kill chain phases can give CTOC Analysts insight into:
• Threat Actor Tactics, Techniques and Procedures (TTP)
• Campaign Analysis

How will USAA operationalize?
1. Integrate into ArcSight ESM Cases
2. Integrate into the CTOC Wiki
3. Integrate into the Weekly Stand-Up Briefing

Repurposing Case Fields “Energy cannot be created or destroyed, it can only be changed from one form to another.” - Albert Einstein ArcSight ESM Case Fields are kinda like that…

Modifying ESM Cases. When using ArcSight ESM Cases, it is possible to modify them to your needs. There are 3 files that control cases:
Manager: /opt/arcsight/manager/config/caseui.xml
Console: C:\arcsight\Console\current\i18n\common\label_strings_en.properties
Console: C:\arcsight\Console\current\i18n\common\resource_strings_en.properties
Yes, the modified files will need to be updated on ALL Consoles…

Repurposing Case Fields. The Joke: You are going to use ArcSight’s Foreign Language capabilities to give a field an alias… in English! First, pick a Case field of the correct field type that you are not using. Candidates can be found in the resource_strings_en.properties file. Then modify the field’s label in the resource_strings_en.properties file. If the field is a list field, make sure to also configure its list options in the resource_strings_en.properties file.

resource_strings_en.properties
Modify the Field:
extendedcase.attribute.vulnerabilitydata.label=Vulnerability Data
extendedcase.attribute.vulnerabilitydata.shortlabel=Vulnerability Data
extendedcase.attribute.history.label=Reoccurence Pain
extendedcase.attribute.history.shortlabel=Reoccurence Pain
extendedcase.attribute.lastoccurrencetime.label=4 - Investigation Start Time
extendedcase.attribute.lastoccurrencetime.shortlabel=4 - Investigation Start Time
extendedcase.attribute.resistance.label=Kill Chain Stage
extendedcase.attribute.resistance.shortlabel=Kill Chain Stage
extendedcase.attribute.conclusions.label=Conclusions
extendedcase.attribute.conclusions.shortlabel=Conclusions
List Field Options:
extendedcase.history=Unknown or None,Low,Medium,Please make it stop
#extendedcase.resistance=High,Low,Unknown
extendedcase.resistance=Unknown,Reconnaissance,Weaponization,Delivery,Exploitation,Installation,Establish C2,Actions on Objectives,Not on Kill Chain

label_strings_en.properties
This file is used to rename the Case tabs and headers displayed in the ArcSight ESM Console.
Manager
#Cases
cases.tab.initial=Initial
cases.tab.attributes=Case Info
cases.tab.description=Description
cases.tab.securityClassification=Security Classification
cases.tab.followup=Incident
cases.tab.final=Analysis
cases.tab.attackMechanism=Dean's Categorization
cases.tab.attackAgent=Attack Agent
cases.tab.incidentInformation=Incident Information
cases.tab.vulnerability=Vulnerability
cases.tab.other=Other
cases.header.case=Case
cases.header.ticket=Ticket
cases.header.incidentInformation=Incident Information
cases.header.securityClassification=Security Classification
cases.header.securityClassificationCode=Security Classification Code

CaseUI.xml
This is the xml file that defines the fields and tabs to display within a case (excerpt; the Case Info and Incident tabs are abridged on the slide, and their closing tags are restored here so the fragment is well-formed).
<editor enforceLocking="true" colorTreeBy="consequenceSeverity" width="480" height="480">
  <tab name="cases.tab.final" type="base">
    <component name="securityClassificationTable" type="table">
      <parameter name="cases.header.case" type="header"/>
      <parameter name="name" type="resourceName"/>
      <parameter name="plannedActions" type="string"/>
      <parameter name="ticketType" type="stringList"/>
      <parameter name="stage" type="stringList"/>
      <parameter name="securityClassification" type="stringList"/>
      <parameter name="resistance" type="stringList"/>
      <parameter name="consequenceSeverity" type="stringList"/>
      <parameter name="history" type="stringList"/>
      <parameter name="cases.header.ticket" type="header"/>
      <parameter name="estimatedStartTime" type="date"/>
      <parameter name="detectionTime" type="date"/>
      <parameter name="attackTime" type="date"/>
      <parameter name="lastOccurrenceTime" type="date"/>
      <parameter name="estimatedRestoreTime" type="date"/>
    </component>
    <component name="actionsTaken" type="textarea"/>
    <component name="followupContact" type="textarea"/>
    <component name="conclusions" type="textarea"/>
  </tab>
  <tab name="cases.tab.attributes" type="base" showExport="true">
    <component name="attributesTable" type="table">
      <parameter name="cases.header.case" type="header"/>
      <parameter name="name" type="resourceName"/>
      <parameter name="displayId" type="int" readOnly="true"/>
      <parameter name="common" type="commonResourceAttrs"/>
    </component>
  </tab>
  <tab name="cases.tab.followup" type="base">
    <component name="incidentInformationTable" type="table">
      <parameter name="incidentSource1" type="string"/>
      <parameter name="attackMechanism" type="stringList"/>
    </component>
    <component name="estimatedImpact" type="textarea"/>
  </tab>
</editor>
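An added check, not part of the talk or of ArcSight's own tooling, that ties the caseui.xml excerpt to the resource_strings_en.properties listing: it finds every parameter declared as a stringList and confirms the properties file supplies its label and the list options that the repurposing steps call for. The file excerpts are constructed; the stage field with no extendedcase.stage line is an assumed example of a forgotten option list, and the key naming (parameter name lowercased) follows the keys shown on the slides.

```python
import xml.etree.ElementTree as ET

# Constructed excerpts (not USAA's files) shaped like the two files the talk edits; the
# "stage" list field is assumed here to have no extendedcase.stage options line yet.
RESOURCE_STRINGS = """\
extendedcase.attribute.resistance.label=Kill Chain Stage
extendedcase.attribute.history.label=Reoccurence Pain
extendedcase.attribute.stage.label=Stage
extendedcase.history=Unknown or None,Low,Medium,Please make it stop
#extendedcase.resistance=High,Low,Unknown
extendedcase.resistance=Unknown,Reconnaissance,Weaponization,Delivery,Exploitation,Installation,Establish C2,Actions on Objectives,Not on Kill Chain
"""

CASEUI_XML = """\
<editor enforceLocking="true" colorTreeBy="consequenceSeverity">
  <component name="securityClassificationTable" type="table">
    <parameter name="stage" type="stringList"/>
    <parameter name="resistance" type="stringList"/>
    <parameter name="history" type="stringList"/>
    <parameter name="lastOccurrenceTime" type="date"/>
  </component>
</editor>
"""

def parse_properties(text):
    """key=value per line; '#' lines are comments, so a commented-out list is not an option list."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def check_list_fields(xml_text, props_text):
    """Map each stringList parameter to its label and options; keys follow the slides (name lowercased)."""
    props = parse_properties(props_text)
    report = {}
    for param in ET.fromstring(xml_text).iter("parameter"):
        if param.get("type") != "stringList":
            continue  # date, string and header parameters carry no option list
        field = param.get("name")
        raw = props.get(f"extendedcase.{field.lower()}", "")
        label = props.get(f"extendedcase.attribute.{field.lower()}.label")
        report[field] = {"label": label, "options": [o.strip() for o in raw.split(",") if o.strip()]}
    return report

def missing_options(xml_text, props_text):
    """List fields the Console displays that have no options configured (step 3 of the talk)."""
    return sorted(f for f, r in check_list_fields(xml_text, props_text).items() if not r["options"])
```

Run it against the real files from all Consoles before pushing a change, since a list field whose options were never added is exactly the mismatch the "update on ALL Consoles" warning is about.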

Classify ArcSight ESM Cases


Categorize CTOC Use Cases in Wiki


How will this be briefed?

Integrate into the Weekly Standup Briefing. The CTOC gives a Weekly Briefing to USAA’s CSO and 80-100 of his direct reports and other parts of the business. Three new slides were incorporated into the Weekly Standup Briefing slide deck to communicate the Cyber Kill Chain metrics.

Weekly Cyber Kill Chain Metrics (chart of case counts by stage: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Establish C2, Actions on Objectives)

This Week’s Cyber Kill Chain

This Week’s Cyber Kill Chain Highlights
Reconnaissance: Multiple Failed Logins - Non-Privileged. This spike was caused by USAA employees attempting (and failing) to VPN into USAA during the icy weather on Friday 1/24/14.
Actions on Objectives: Non-Active USAA User Name - Destination. This was caused by Peoplesoft listing contractors as being terminated when, in fact, their contract was extended. More timely updates to Peoplesoft would correct this.

Why do we need the Cyber Kill Chain? “Measurement is the first step that leads to control and eventually to improvement. If you can’t measure something, you can’t understand it. If you can’t understand it, you can’t control it. If you can’t control it, you can’t improve it.” - H. James Harrington

Q&A Questions?