Equipping Cisco to protect from Cyber Attacks · KIRAN S NARAYAN, SOC Manager – Cisco Asia Pacific

Post on 24-Sep-2020


KIRAN S NARAYAN
SOC Manager – Cisco Asia Pacific
July 2018

Equipping Cisco to protect from Cyber Attacks - By Cisco CSIRT

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

The state of the threat


MOTIVATIONS


Zero-day exploit
Heartbleed
Remote Code Execution
Malicious Insider
Shellshock
GandCrab
Android malware
Data breach
WannaCry
DDoS
APT
Malspam
Dealply
VPNFilter
PDOS
GAMARUE
Cryptominer
ADWARE
Ransomware
Hadsruda!
Doublepulsar
CCleaner
IoT Threat

SOC FUNDAMENTALS
ENABLING INCIDENT RESPONSE CAPABILITIES.

EXEC SUPPORT + TECHNOLOGY + PEOPLE + PROCESSES = SOC

EXEC SUPPORT
- Understand the impact of a breach.
- Willing to invest.
- Willing to drive org change.
- Implement policies.

TECHNOLOGY
- Have a layered defense model.
- Perimeter | network | infra | endpoint | application.
- Signature + private/shared intel + machine learning.

PEOPLE
- Specialized technology backgrounds.
- Understand the environment.
- Recognize tech | business | people | process gaps.
- Able to drive & influence change.
- Develop partnerships.

PROCESSES
- Have a well-documented IR plan.
- Repeatable processes.
- Identify & automate recurring problems.
- Ability to measure & report on impact.

CSIRT SOC
Reduces the risk of loss as a result of security incidents for Cisco-owned business. CSIRT regularly engages in proactive threat assessment, mitigation planning, incident trending with analysis, security architecture, and incident detection and response.

INVESTIGATE | MONITORING | PREVENT

• Device Deployment & Operations
• Solution Design & Development
• Acquisition integration
• Consulting
• Vulnerability Scanning
• Data Management
• Data Leakage Monitoring
• Legal/HR Support
• Operations Support
• Malware Reverse Engineering
• Product Testing
• Sales Support
• Support Business Development

CSIRT SOC
WORK CONSISTS OF…

How are we structured?


CSIRT SOC TEAM STRUCTURE (figure; recoverable labels only)
RESEARCH | ENGINEERING | OPERATIONS & DEVELOPMENT | ANALYSIS | INVESTIGATIONS | THREAT INTEL
ENDPOINT LOGS | NETWORK LOGS | INFRASTRUCTURE LOGS | APPLICATION LOGS | USER ATTRIBUTION | DEVICE OPERATIONS | CASE TOOLS | COLLABORATION TOOLS | INTEL FEEDS

What are we protecting?


UNDERSTANDING YOUR ENVIRONMENT


USERS: 138,771
VENDOR ORGS: 2690
ADMIN ACCOUNTS: 4474
SERVICE ACCOUNTS: 13,096
DATA CENTERS: 13
OFFICES: 600
COUNTRIES: 102
CITIES: 343
EXTRANET PARTNERS: 318
CSP: 296
ACQUISITIONS: 8 (AVG YR)
ENDPOINTS: 127,454
MOBILES: 73,162
INFRA DEVICES: 194,875
BUSINESS GROUPS: 13,899
LABS: 2370

NOISE MANAGEMENT


CSIRT SOC WORKFLOW SUMMARY (figure; recoverable labels only)
CLIENTS: INTERNAL CISCO | INTERNAL INFOSEC | EXTERNAL
CASE SOURCE / CASE RESOLVE: KRIEGER | INTERNAL USERS | EXTERNAL USERS | IT CASE MGMT | CSIRT CASE MGMT | TUNING (BUGZILLA) | MESSAGING | EMAIL

CSIRT SOC
THREAT BASED LOG MONITORING

PROTECTING CISCO: PREVENTATIVE SOLUTIONS vs MANAGED INCIDENTS (figure; recoverable labels and figures only)

THE INTERNET → CISCO ASSETS

THREATS PER QUARTER (per control, in slide order): 1,558,649,099 | 39,778,560 | 19,862,979 | 770,399,963 | 25,802,498 | 3,364,087 | 20,529
THREAT DEFENCE (in slide order): DNS-RPZ / UMBRELLA | BGP Blackhole | WSA | ESA | ANTIVIRUS | HIPS | ENDPOINT AMP

Prevention: 2,417,877,715 = TOTAL THREATS PREVENTED (QTR); the seven per-control counts above sum to this total.
Detection: CSIRT, 2778 INCIDENTS MANAGED (QTR)

We have the data, now what?

MORE DETAILS ON COLLECTING THE DATA

STEP 1. Identify IR Gap
STEP 2. Determine Data Availability
STEP 3. Collect The Data
STEP 4. Enable Data Controls
STEP 5. Work With Partner IT Team
STEP 6. IR Play Creation
STEP 7. Production Monitoring

playbook (ˈplāˌbŏk): A prescriptive collection of repeatable queries (reports) against security event data sources that lead to incident detection and response.

CSIRT ID&R
PROCESSING THE DATA

• What am I trying to protect?

• What are the threats?

• How do I detect them?

• How do we respond?

Playbook Inception


…inside the CSIRT Playbook

Detection Strategy

Mitigation plan

Threat Analysis

Incident Verdict


AUTOMATION for Operations


index=wsa earliest=-24h dst_name="*.piriform.com"
| rex field=cs_url "&v=(?<version1>[^&]+)"
| rex field=cs_url "&cv=(?<version2>[^&]+)"
| search (version1=5.33* OR version2=5.33*)
| dedup src_ip, _time
| dce ip=src_ip ts=_time

PLAY NAME: 300100-INV-WSA-SPYWARE
PLAY DESCRIPTION: Malicious CCleaner Version 5.33

CSIRT Playbook example
PROCESSING THE DATA

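The detection logic of the WSA play above, rewritten as an added Python example run over constructed proxy log lines; this is not the deck's or Cisco CSIRT's own code. The four-field line layout, the sample timestamps and the `since` parameter are assumptions standing in for the Splunk index, `earliest=-24h` and the `dce` step, and the example also catches a version parameter placed first in the query string, which the play's `&v=` / `&cv=` regexes would miss.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed WSA-style access log lines (not real Cisco data): _time src_ip dst_name cs_url
SAMPLE_WSA_LOGS = """\
2017-09-18T10:01:02Z 10.1.2.3 license.piriform.com http://license.piriform.com/cleaner/v1/get?v=5.33.6162&id=123
2017-09-18T10:01:02Z 10.1.2.3 license.piriform.com http://license.piriform.com/cleaner/v1/get?v=5.33.6162&id=124
2017-09-18T10:05:00Z 10.1.2.9 www.piriform.com http://www.piriform.com/ccleaner/update?cv=5.34.6207
2017-09-18T10:07:30Z 10.1.4.4 www.piriform.com http://www.piriform.com/ccleaner/update?cv=5.33.6162&lang=en
2017-09-18T10:09:00Z 10.1.5.5 cdn.example.net http://cdn.example.net/dl?v=5.33
2017-09-17T09:00:00Z 10.1.6.6 www.piriform.com http://www.piriform.com/ccleaner/update?cv=5.33.6162
"""

SUSPECT_HOST_SUFFIX = ".piriform.com"  # dst_name="*.piriform.com"
SUSPECT_VERSION_PREFIX = "5.33"        # version1=5.33* OR version2=5.33*

def parse_line(line):
    """Split one constructed log line into the four fields the play uses."""
    _time, src_ip, dst_name, cs_url = line.split(maxsplit=3)
    return {"_time": _time, "src_ip": src_ip, "dst_name": dst_name, "cs_url": cs_url}

def extract_versions(cs_url):
    """Return every v= and cv= value in the URL query (the play's version1/version2).
    The play's rex anchors on a literal "&v=" / "&cv=", so a version parameter that comes
    first in the query ("?v=...") is missed by the SPL; parse_qs catches either position."""
    qs = parse_qs(urlsplit(cs_url).query)
    return qs.get("v", []) + qs.get("cv", [])

def is_suspect(event):
    """True when the request went to *.piriform.com and reports a 5.33* version."""
    if not event["dst_name"].endswith(SUSPECT_HOST_SUFFIX):
        return False
    return any(v.startswith(SUSPECT_VERSION_PREFIX) for v in extract_versions(event["cs_url"]))

def run_play(log_text, since=None):
    """Hits de-duplicated on (src_ip, _time), like the play's dedup. `since` is an ISO-8601 UTC
    string standing in for earliest=-24h (same format as the timestamps, so str comparison works)."""
    seen, hits = set(), []
    for line in filter(None, log_text.splitlines()):
        event = parse_line(line)
        if since and event["_time"] < since:
            continue
        if not is_suspect(event):
            continue
        key = (event["src_ip"], event["_time"])  # dedup src_ip, _time
        if key not in seen:
            seen.add(key)
            hits.append(event)  # in the play these rows feed the dce step
    return hits
```

With the 24-hour window applied, the constructed sample yields two hits (10.1.2.3 and 10.1.4.4); the duplicate row for 10.1.2.3 is collapsed and the day-old 10.1.6.6 row falls outside the window.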

Threat Specific

Following Intel

User Behaviour

Environment Specific

Hot Threat

Policy Driven Monitoring

Anomaly Detection

High Fidelity

Investigative

Monitoring Play Types & Varieties


MITRE ATT&CK Matrix

You need to report on findings.


Incident Detection Time

Remediation Time

Time To Detect / Time To Contain

Event Time


CSIRT ID&R EXECUTIVE REPORTING (figure; recoverable labels only)

PARTNER GROUPS: CSIRT | VULNERABILITY MANAGEMENT | INFOSEC ARCHITECTURE (IT) | DATA PROTECTION & PRIVACY | SECURITY & TRUST ORG. ENGINEERING
REPORTING VIEWS (in slide order): INCIDENTS BY CATEGORIES (PLAYBOOK ASSOCIATION) | VULNERABILITY MAPPING | POLICY COMPLIANCE | DATA INCIDENT TAXONOMY & CLASSIFICATION | CSDL

REPORTING ATTRIBUTES
ENVIRONMENT: LAB | DMZ | PARTNER | CSP | CRDC | DBU | DATA CENTER | DESKTOP | CLOUD
THEATER & REGION: GEO | COUNTRY | CITY | OFFICE | FLOOR
ASSET DETAILS: HOSTNAME | IP | OS | VERSION | ASSET | SW | HW | BIOS | MAC | UNAME | TYPE | GROUP | HR | DEPTID | HIRE & TERMINATE DATE | REMOTE | CVO | MOBILE
OWNER: CROBBINS...
MANAGER & EXECUTIVE CHAIN: FIRST LINE MGR
TECHNOLOGY: WSA | ESA | IPS | QUALYS | MCAFEE | etc...
SERVICE: EMAN | AM | SERVICENOW | DIRECTORY | CCO
COST: EACH TEAM TO DETERMINE COST OF INCIDENT LOGIC
EXCEPTION TRACKING: EXCEPTION TRACKING BY CRM ATTRIBUTE