
1 Let HP ArcSight ESM be the strong link in your Cyber Kill Chain
September 2014
Pete Babcock - USAA

2 What is the Cyber Kill Chain?
[Diagram: Layer 1, Layer 2, Layer 3; "How far can I get?"]
The Cyber Kill Chain is a taxonomy designed to measure the effectiveness of the Defense-in-Depth strategy.

3 What is the origin of the Kill Chain?
The Cyber Kill Chain was socialized by Lockheed Martin. It is based on military doctrine. It was developed as a method for describing an intrusion from an attacker’s point of view. It can inform Cyber Security and Intelligence Analysis.

4 Cyber Kill Chain Stages
Reconnaissance: Searches LinkedIn for System Administrators at USAA. Guesses their USAA addresses based on name.
Weaponization: Obtains domain name and creates website with malware. Crafts spear phish.
Delivery: Sends spear phish to targeted addresses. Administrator clicks on link and goes to evil website.
Exploitation: Zero day exploit on website executes on Administrator’s PC. Administrator’s PC is compromised.
Installation: Root Kit is installed on Administrator’s PC.
Establish C2: Root kit connects back to Threat Actor’s server to obtain further instructions.
Actions on Objectives: Threat Actor looks for data on Administrator’s PC. Threat Actor starts compromising other USAA machines.

5 What can the Kill Chain do?
Each phase of the kill chain can be mapped to corresponding defensive tools and actions. An analyst who knows the stage of the Kill Chain has a basic understanding of what is being attempted and what response is called for. Defensive “Courses of Actions” are based on the Information Operations principles of: Detect, Deny, Disrupt, Degrade, Deceive & Destroy

6 Courses of Action Matrix
Matrix columns: Detect, Deny, Disrupt, Degrade, Deceive. Controls listed per phase (column placement is not preserved in this transcript):
Reconnaissance: Firewall, NIDS, Web Logs, NIPS *
Weaponization: DNS Monitoring, Website Monitoring
Delivery: Antivirus, Vigilant User, Proxy, In-Line Antivirus
Exploitation: NIDS, Antivirus, System Patching, Restricted User Accounts
Installation: Application Logs
Establish C2: CIC, Malware Sandbox
Actions on Objectives: VLANs

7 What can the Kill Chain do?
The sooner in the kill chain you can disrupt the attack, the better. Tracking similarities across kill chain phases can give CTOC Analysts insight into:
• Threat Actor Tactics, Techniques and Procedures (TTP)
• Campaign Analysis

8 How will USAA operationalize?
1 Integrate into ArcSight ESM Cases
2 Integrate into the CTOC Wiki
3 Integrate into the Weekly Stand-Up Briefing

9 Repurposing Case Fields
“Energy cannot be created or destroyed, it can only be changed from one form to another.” - Albert Einstein
ArcSight ESM Case Fields are kinda like that…

10 Modifying ESM Cases
When using ArcSight ESM Cases, it is possible to modify them to your needs. There are 3 files that control cases:
Manager: /opt/arcsight/manager/config/caseui.xml
Console: C:\arcsight\Console\current\i18n\common\label_strings_en.properties
Console: C:\arcsight\Console\current\i18n\common\resource_strings_en.properties
Yes, the modified files will need to be updated on ALL Consoles…

11 Repurposing Case Fields
The Joke: You are going to use ArcSight’s Foreign Language capabilities to give a field an alias… in English!
1 First pick a Case field that you are not using, of the correct field type. Candidates can be found in the resource_strings_en.properties file.
2 Modify the field in the resource_strings_en.properties file.
3 If using a list field, make sure to configure the list options in the resource_strings_en.properties file.

12 resource_strings_en.properties
Modify the Field
extendedcase.attribute.vulnerabilitydata.label=Vulnerability Data
extendedcase.attribute.vulnerabilitydata.shortlabel=Vulnerability Data
extendedcase.attribute.history.label=Reoccurence Pain
extendedcase.attribute.history.shortlabel=Reoccurence Pain
extendedcase.attribute.lastoccurrencetime.label=4 - Investigation Start Time
extendedcase.attribute.lastoccurrencetime.shortlabel=4 - Investigation Start Time
extendedcase.attribute.resistance.label=Kill Chain Stage
extendedcase.attribute.resistance.shortlabel=Kill Chain Stage
extendedcase.attribute.conclusions.label=Conclusions
extendedcase.attribute.conclusions.shortlabel=Conclusions

List Field Options
extendedcase.history=Unknown or None,Low,Medium,Please make it stop
#extendedcase.resistance=High,Low,Unknown
extendedcase.resistance=Unknown,Reconnaissance,Weaponization,Delivery,Exploitation,Installation,Establish C2,Actions on Objectives,Not on Kill Chain

13 label_strings_en.properties
This file is used to rename the Case tabs and headers displayed in the ArcSight ESM Console.
#Cases
cases.tab.initial=Initial
cases.tab.attributes=Case Info
cases.tab.description=Description
cases.tab.securityClassification=Security Classification
cases.tab.followup=Incident
cases.tab.final=Analysis
cases.tab.attackMechanism=Dean's Categorization
cases.tab.attackAgent=Attack Agent
cases.tab.incidentInformation=Incident Information
cases.tab.vulnerability=Vulnerability
cases.tab.other=Other
cases.header.case=Case
cases.header.ticket=Ticket
cases.header.incidentInformation=Incident Information
cases.header.securityClassification=Security Classification
cases.header.securityClassificationCode=Security Classification Code

14 CaseUI.xml
This is the xml file that defines the fields and tabs to display within a case. The excerpt below is abbreviated; the open elements have been closed so it is well-formed.
<editor enforceLocking="true" colorTreeBy="consequenceSeverity" width="480" height="480">
  <tab name="cases.tab.final" type="base">
    <component name="securityClassificationTable" type="table">
      <parameter name="cases.header.case" type="header"/>
      <parameter name="name" type="resourceName"/>
      <parameter name="plannedActions" type="string"/>
      <parameter name="ticketType" type="stringList"/>
      <parameter name="stage" type="stringList"/>
      <parameter name="securityClassification" type="stringList"/>
      <parameter name="resistance" type="stringList"/>
      <parameter name="consequenceSeverity" type="stringList"/>
      <parameter name="history" type="stringList"/>
      <parameter name="cases.header.ticket" type="header"/>
      <parameter name="estimatedStartTime" type="date"/>
      <parameter name="detectionTime" type="date"/>
      <parameter name="attackTime" type="date"/>
      <parameter name="lastOccurrenceTime" type="date"/>
      <parameter name="estimatedRestoreTime" type="date"/>
    </component>
    <component name="actionsTaken" type="textarea"/>
    <component name="followupContact" type="textarea"/>
    <component name="conclusions" type="textarea"/>
  </tab>
  <tab name="cases.tab.attributes" type="base" showExport="true">
    <component name="attributesTable" type="table">
      <parameter name="cases.header.case" type="header"/>
      <parameter name="name" type="resourceName"/>
      <parameter name="displayId" type="int" readOnly="true"/>
      <parameter name="common" type="commonResourceAttrs"/>
    </component>
  </tab>
  <tab name="cases.tab.followup" type="base">
    <component name="incidentInformationTable" type="table">
      <parameter name="incidentSource1" type="string"/>
      <parameter name="attackMechanism" type="stringList"/>
    </component>
    <component name="estimatedImpact" type="textarea"/>
  </tab>
</editor>
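Because the renamed labels, the list options and the case editor layout live in three files that have to agree on every Console, a quick consistency check before rollout saves a round of "why is my drop-down empty" tickets. The following is an added example written for this page, not code from the presentation or from HP/ArcSight: it parses a resource_strings_en.properties excerpt and a caseui.xml excerpt, reports every stringList parameter in the case editor that has no live option list, reports fields whose label and shortlabel disagree, and checks that the repurposed stage field lists all seven Kill Chain stages. The key naming it relies on (extendedcase.attribute.<field>.label for labels, extendedcase.<field> for option lists) is what the two files on the slides show; treating it as the general rule is an assumption, and both inputs are constructed.

```python
"""Consistency check for repurposed ArcSight ESM case fields (added example)."""
import xml.etree.ElementTree as ET

KILL_CHAIN_STAGES = [
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Establish C2", "Actions on Objectives",
]

# Constructed resource_strings_en.properties excerpt. The shortlabel for
# "history" deliberately differs from its label, and the old option list for
# "resistance" is commented out, as on the slide.
RESOURCE_STRINGS = """\
extendedcase.attribute.resistance.label=Kill Chain Stage
extendedcase.attribute.resistance.shortlabel=Kill Chain Stage
extendedcase.attribute.history.label=Reoccurence Pain
extendedcase.attribute.history.shortlabel=Recurrence Pain
extendedcase.attribute.lastoccurrencetime.label=4 - Investigation Start Time
extendedcase.attribute.lastoccurrencetime.shortlabel=4 - Investigation Start Time
extendedcase.history=Unknown or None,Low,Medium,Please make it stop
#extendedcase.resistance=High,Low,Unknown
extendedcase.resistance=Unknown,Reconnaissance,Weaponization,Delivery,Exploitation,Installation,Establish C2,Actions on Objectives,Not on Kill Chain
"""

# Constructed caseui.xml excerpt; ticketType has no option list in the
# properties above, a gap that otherwise only shows up on the Console.
CASE_UI = """\
<editor enforceLocking="true" colorTreeBy="consequenceSeverity">
  <tab name="cases.tab.final" type="base">
    <component name="securityClassificationTable" type="table">
      <parameter name="resistance" type="stringList"/>
      <parameter name="history" type="stringList"/>
      <parameter name="ticketType" type="stringList"/>
      <parameter name="lastOccurrenceTime" type="date"/>
    </component>
  </tab>
</editor>
"""


def parse_properties(text):
    """Parse key=value lines of a Java .properties file. Lines starting with
    '#' or '!' are comments, so a commented-out option list stays inactive."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def string_list_fields(case_ui_xml):
    """Names of every parameter the case editor renders as a drop-down list."""
    root = ET.fromstring(case_ui_xml)
    return [p.get("name") for p in root.iter("parameter")
            if p.get("type") == "stringList"]


def list_options(props, field):
    """Option list for a field, or None when the properties define none.
    caseui.xml uses camelCase names (lastOccurrenceTime) while the property
    keys on the slides are all lower-case, so the match is case-insensitive."""
    wanted = "extendedcase." + field.lower()
    for key, value in props.items():
        if key.lower() == wanted:
            return [opt.strip() for opt in value.split(",")]
    return None


def check_case_fields(properties_text, case_ui_xml):
    """Return the problems a Console user would hit once both files are deployed."""
    props = parse_properties(properties_text)
    problems = []
    for field in string_list_fields(case_ui_xml):
        if list_options(props, field) is None:
            problems.append(f"no option list for stringList field {field!r}")
    labels = {}
    for key, value in props.items():
        parts = key.split(".")
        if len(parts) == 4 and parts[:2] == ["extendedcase", "attribute"]:
            labels.setdefault(parts[2], {})[parts[3]] = value
    for field, kinds in sorted(labels.items()):
        if kinds.get("label") != kinds.get("shortlabel"):
            problems.append(f"label/shortlabel mismatch for {field!r}")
    return problems


def missing_stages(properties_text, field="resistance"):
    """Kill Chain stages absent from the repurposed stage field's option list."""
    options = list_options(parse_properties(properties_text), field) or []
    return [stage for stage in KILL_CHAIN_STAGES if stage not in options]


if __name__ == "__main__":
    for problem in check_case_fields(RESOURCE_STRINGS, CASE_UI):
        print("PROBLEM:", problem)
    print("missing stages:", missing_stages(RESOURCE_STRINGS))
```

Run against the real files, the same three functions take the Manager's caseui.xml and each Console's resource_strings_en.properties, which makes it easy to confirm that every Console received the same edited copy before the Weekly Briefing depends on the new field.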

15 Classify ArcSight ESM Cases

16 Classify ArcSight ESM Cases

17 Categorize CTOC Use Cases in Wiki

18 Categorize CTOC Use Cases in Wiki

19 Categorize CTOC Use Cases in Wiki

20 How will this be briefed?

21 Integrate into the Weekly Standup Briefing
The CTOC gives a Weekly Briefing to USAA’s CSO, his direct reports and other parts of the business. 3 new slides were incorporated into the Weekly Standup Briefing slide deck to communicate the Cyber Kill Chain metrics.

22 Weekly Cyber Kill Chain Metrics
[Chart of the weekly metrics by stage: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Establish C2, Actions on Objectives]

23 This Week’s Cyber Kill Chain

24 This Week’s Cyber Kill Chain Highlights
Reconnaissance: Multiple Failed Logins - Non-Privileged. This spike was caused by USAA employees attempting (and failing) to VPN into USAA during the icy weather on Friday 1/24/14.
Actions on Objectives: Non-Active USAA User Name - Destination. This was caused by Peoplesoft listing contractors as being terminated when, in fact, their contract was extended. More timely updates to Peoplesoft would correct this.
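The three briefing slides above boil down to a per-stage count for the week, the same count for the prior week, and a short explanation for any stage that jumped. As an added example for this page (not the CTOC's own reporting code), the script below groups exported case records by the repurposed "Kill Chain Stage" field, compares each stage with the previous week, and names the rule that produced most of a spiking stage's cases, which is exactly what an analyst then has to explain. The record layout (week, stage, rule name) and the spike threshold are assumptions; the case records are constructed, reusing the two rule names from the highlights slide.

```python
"""Weekly Cyber Kill Chain metrics from exported case records (added example)."""
from collections import Counter

KILL_CHAIN_STAGES = [
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Establish C2", "Actions on Objectives",
]

# Constructed case records: (ISO week, Kill Chain Stage, rule or use case name).
FAILED_LOGINS = "Multiple Failed Logins - Non-Privileged"
NON_ACTIVE_USER = "Non-Active USAA User Name - Destination"
CASES = (
    [("2014-W03", "Reconnaissance", FAILED_LOGINS)] * 2
    + [("2014-W03", "Actions on Objectives", NON_ACTIVE_USER)]
    + [("2014-W03", "Establish C2", "Malware Sandbox Callback")]
    + [("2014-W04", "Reconnaissance", FAILED_LOGINS)] * 5
    + [("2014-W04", "Actions on Objectives", NON_ACTIVE_USER)] * 3
    + [("2014-W04", "Establish C2", "Malware Sandbox Callback")]
    + [("2014-W04", "Delivery", "Proxy Blocked Download")]
)


def stage_counts(cases, week):
    """Case count per stage for one week. Every stage is present (zero if no
    cases), so the weekly chart always shows all seven phases."""
    counts = Counter(stage for w, stage, _ in cases if w == week)
    return {stage: counts.get(stage, 0) for stage in KILL_CHAIN_STAGES}


def weekly_highlights(cases, week, prior_week, factor=2.0):
    """Stages whose count is at least `factor` times the prior week's count.
    A prior count of zero is treated as one, so a single new case in a quiet
    stage is not reported as a spike. Each entry is
    (stage, this_week_count, prior_week_count, rule_with_most_cases)."""
    this, prior = stage_counts(cases, week), stage_counts(cases, prior_week)
    highlights = []
    for stage in KILL_CHAIN_STAGES:
        if this[stage] >= factor * max(prior[stage], 1):
            rules = Counter(rule for w, s, rule in cases
                            if w == week and s == stage)
            top_rule = rules.most_common(1)[0][0]
            highlights.append((stage, this[stage], prior[stage], top_rule))
    return highlights


def briefing_table(cases, week, prior_week):
    """Rows of (stage, this week, prior week) for the metrics slide."""
    this, prior = stage_counts(cases, week), stage_counts(cases, prior_week)
    return [(stage, this[stage], prior[stage]) for stage in KILL_CHAIN_STAGES]


if __name__ == "__main__":
    for stage, now, before in briefing_table(CASES, "2014-W04", "2014-W03"):
        print(f"{stage:<22} {now:>3} (prior week {before})")
    for stage, now, before, rule in weekly_highlights(CASES, "2014-W04", "2014-W03"):
        print(f"HIGHLIGHT {stage}: {now} vs {before}, mostly {rule!r}")
```

The threshold is deliberately a ratio against the prior week rather than an absolute number: the kill chain stages have very different base rates (Reconnaissance cases are common, Actions on Objectives cases are rare), so a fixed count would either drown the quiet stages or never fire on the busy ones.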

25 Why do we need the Cyber Kill Chain?
“Measurement is the first step that leads to control and eventually to improvement. If you can’t measure something, you can’t understand it. If you can’t understand it, you can’t control it. If you can’t control it, you can’t improve it.” - H. James Harrington

26 Q&A Questions?

