
Intelligence Driven Defense, The Next Generation SOC

Presentation on theme: "Intelligence Driven Defense, The Next Generation SOC"— Presentation transcript:

1 Intelligence Driven Defense, The Next Generation SOC
Abdulrahman Al-Manea

2 Objectives and Agenda
To explain what an Intelligence Driven Defense (IDD) approach is, in relation to the Cyber Kill Chain (CKC)®, and how it plays an effective role in thwarting Advanced Persistent Threats (APTs) for a Next Generation SOC.
- Compare Security Operations Center (SOC) vs. Next Generation SOC
- Explain the Cyber Kill Chain (CKC)® methodology
- Demonstrate an attack scenario and map it to CKC®
- Show how IDD can help in measuring cyber security capability effectiveness
- Present the Campaign Tracking metrics

3-7 SOC Vs Next Gen SOC (IDD)
(Two-column comparison built up over five slides; the cumulative version is shown once here.)

SOC: Monitor security infrastructure alerts, heavily dependent on default system alerts with minor customization
Next Gen SOC (IDD): Proactively respond to cyber security incidents, heavily dependent on analyst customized rulesets and signatures

SOC: Focused on incident resolution and ticket closure, i.e., a malware infected PC would get isolated and re-imaged as a resolution
Next Gen SOC (IDD): Focused on intelligence gathering, documentation, deployment, and intel sharing, i.e., a malware infected PC would be analyzed forensically, reverse engineered

SOC: Not equipped for detecting/investigating APT, long-term campaigns
Next Gen SOC (IDD): Requires higher network and system visibility than an average SOC, with a deployment of an intelligence DB, threat hunting and Big Data

SOC: The skill set is mainly related to security system administration (i.e., Firewall, IPS/IDS, HIPS, AV, SIEM, auth systems)
Next Gen SOC (IDD): Skill sets mainly around forensics analysis, malware reverse engineering, attack analysis, incident handling, and system administration

One crucial foundation of an IDD approach is the adoption of the CKC® threat model.

8 What is the Cyber Kill Chain (CKC)®?
A term derived from offensive military tactics, coined by Lockheed Martin (LM). It allows for proactive remediation and mitigation of advanced threats. A 7-step approach depicting the stages of any cyber attack:
1. Reconnaissance: the attacker's preparation phase, researching the target victim.
2. Weaponization: coupling malware (i.e., a RAT) with an exploit. Office/PDF files serve as a deliverable payload.
3. Delivery: the delivery method to victims, i.e., malicious links/attachments, compromised websites, and removable media.
4. Exploitation: executing the attacker's code, usually through an application and/or OS vulnerability.
5. Installation: installing a backdoor to maintain persistent access.
6. Command & Control: beaconing traffic out to C2, where the adversary can remotely control the victim machine; happens through web, DNS, and/or .
7. Actions on Objectives: installing a backdoor to maintain persistent access.

9-11 Attack Scenario
(Built up over three slides: slide 9 shows Attacker A with the annotations Detected / Analyze / Synthesize, slide 10 adds Attacker B with the annotation Attribution, slide 11 adds Attacker C. The cumulative table is shown once here; sender addresses and CVE identifiers are not reproduced in the transcript.)

Phase: Attacker A | Attacker B | Attacker C
Recon: list harvesting (List A), benign doc: newsLetter.pdf | list harvesting (List B), benign doc: CV.pdf | list harvesting (List C), benign doc: NewBusiness.PPT
Weaponization: Basic Encryption Algorithm; Key 1, 8-bit key stored in the exploit code (Attackers A and B) | Key 2, 8-bit key stored in the exploit code (Attacker C)
Delivery: Subject: Newsletter Update, Sender: , Gateway: 62.x.x.7 | Subject: Candidate Employee, Gateway: 210.x.x.33 | Subject: New Business Opportunity, Sender:
Exploit: CVE | CVE | PPT 0-day vulnerability
Install: C:\….\Firefox.hlp (same across all three)
C2: 41.x.x.7 [HTTP Request] (same across all three)
Actions on Objectives: N/A

12 Deep Dive Investigation
Analysis: Dynamic Analysis, Static Analysis, Code Analysis, Code Comparison

13 Campaign Tracking
Chart: Campaign Name / Monthly Statistics (image source not given in the transcript)
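The attribution step in the attack scenario (slides 9-11) and the campaign tracking metrics (slide 13) can be shown in a few lines of code. The following is an added example, not from the presentation: it encodes the three intrusion attempts' indicators per kill-chain phase (values constructed from the transcript; the elided sender addresses are omitted and the elided CVE ids get placeholder names), clusters attempts into a campaign by shared indicators, counts which indicators the adversary reused, and tallies at which phase each attempt was detected.

```python
from itertools import combinations

# Indicators per kill-chain phase for the three intrusion attempts in the scenario
# slides (constructed from the transcript). Whether Attackers A and B used the same
# CVE is not visible there, so the two placeholders are deliberately kept distinct.
PHASES = ["Recon", "Weaponization", "Delivery", "Exploit", "Install", "C2"]
FIREFOX_HLP, C2_IP = r"C:\...\Firefox.hlp", "41.x.x.7"
INTRUSIONS = {
    "Attacker A": {"Recon": {"List A", "newsLetter.pdf"}, "Weaponization": {"Key 1"},
                   "Delivery": {"Subject: Newsletter Update", "gateway 62.x.x.7"},
                   "Exploit": {"CVE for A (id elided)"}, "Install": {FIREFOX_HLP}, "C2": {C2_IP}},
    "Attacker B": {"Recon": {"List B", "CV.pdf"}, "Weaponization": {"Key 1"},
                   "Delivery": {"Subject: Candidate Employee", "gateway 210.x.x.33"},
                   "Exploit": {"CVE for B (id elided)"}, "Install": {FIREFOX_HLP}, "C2": {C2_IP}},
    "Attacker C": {"Recon": {"List C", "NewBusiness.PPT"}, "Weaponization": {"Key 2"},
                   "Delivery": {"Subject: New Business Opportunity"},
                   "Exploit": {"PPT 0-day"}, "Install": {FIREFOX_HLP}, "C2": {C2_IP}},
}

def shared_indicators(a, b):
    """(phase, indicator) pairs present in both intrusion attempts."""
    return {(p, v) for p in PHASES
            for v in INTRUSIONS[a].get(p, set()) & INTRUSIONS[b].get(p, set())}

def campaigns(min_shared=1):
    """Cluster attempts that share at least min_shared indicators into campaigns."""
    groups = {name: {name} for name in INTRUSIONS}
    for a, b in combinations(INTRUSIONS, 2):
        if len(shared_indicators(a, b)) >= min_shared:
            merged = groups[a] | groups[b]
            for n in merged:          # keep every member pointing at the full group
                groups[n] = merged
    return {frozenset(g) for g in groups.values()}

def indicator_reuse():
    """How many attempts each (phase, indicator) recurs in. Indicators the adversary
    reused across attempts are the ones whose detection forces them to re-tool."""
    counts = {}
    for intr in INTRUSIONS.values():
        for p, vals in intr.items():
            for v in vals:
                counts[(p, v)] = counts.get((p, v), 0) + 1
    return counts

def detection_phase_stats(detected_at):
    """Campaign metric: number of attempts caught at each kill-chain phase, given
    detected_at = {attempt: phase}. Earlier phases mean less adversary progress."""
    return {p: sum(1 for d in detected_at.values() if d == p) for p in PHASES}
```

With these inputs campaigns() links all three attempts through the shared install path and C2 address, while campaigns(min_shared=3) separates Attacker C, whose weaponization key and delivery differ from A and B.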

14 Conclusion – Dealing with APT
- Looking for a needle in the needle stack
- Traditional commercial security products are necessary but insufficient!
- Sophisticated threats demand advanced intelligence, which calls for a Next Gen SOC
- Implementing all of your own extracted intelligence makes it costly for an adversary to launch their next attack!

15 Thank You!

