Post on 05-Jul-2020
Managing the Space-Time Continuum of Cyberdefense
Tony Sager
Center for Internet Security (CIS)
Cyber Next Summit/Borderless Cyber/IACD – October 2019
A few lessons
• Knowing about flaws doesn’t get them fixed
• In Cyberspace, we all have more in common than different
• The Bad Guy doesn’t perform magic
o and most attacks are repeats of a pattern
• There’s a large but limited number of defensive choices
o and the 80/20 rule applies (The Pareto Principle)
• Cyber Defense is really Information Management
o and when you see “share”, replace with “translate” and “execute”
• Cybersecurity is not an event, a tool, or training – it’s a machine
“Every computer in the DoD is configured as securely as possible, all of the time, and the right people know that this is so (or not so).”
Lt Gen Harry Raduege (retired), former Director, Defense Information Systems Agency
An IT Operator’s View
Cybersecurity Plumbing
Vulnerability “Plumbing”
“PLUMBING”
• CVE
• OVAL
• CCE
• CPE
• CVSS
• XCCDF
“FIXTURES”
• Net management tools
• Integrated reports
• Integrated tools
• Policy compliance
• Rapid sharing, assessment, remediation
“CONTENT”
• New IT vulns
• Security Guides & benchmarks
• Red and Blue Team Reports
• Product tests
• Security events
• Incident reports
Security Automation (2002; 2010-2011)
A Cyberdefense OODA Loop (“Patch Tuesday”)
• OBSERVE: Track security bulletins, advisories
• ORIENT: Assess applicability, operational issues, risk
• DECIDE: Prioritize remediation
• ACT: Rollout, monitor, manage “breakage”
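As an added example (not from the slides), a minimal Patch-Tuesday OODA loop in Python that wires the CVE/CPE/CVSS “plumbing” into the four steps: observe a bulletin feed, orient by joining advisories to the inventory on CPE, decide by ranking, act within a rollout budget. The feed, inventory, CVE ids and vendor names are constructed placeholders.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Advisory:            # OBSERVE: one record from a security bulletin feed
    cve: str               # placeholder ids below, not real CVEs
    cpe: str               # affected product as a CPE 2.3 string, '*' allowed
    cvss: float            # CVSS base score, 0.0-10.0
    exploited: bool        # exploitation reported in the wild

@dataclass(frozen=True)
class Asset:               # inventory entry from device/software management
    host: str
    cpe: str               # installed product as a CPE 2.3 string
    internet_facing: bool

def cpe_matches(pattern, installed):
    """Compare part:vendor:product:version field-wise ('*' matches anything), so '3.1' does not match '3.10'."""
    p, i = pattern.split(":")[2:6], installed.split(":")[2:6]
    return len(p) == 4 and len(i) == 4 and all(x in ("*", y) for x, y in zip(p, i))
def observe(feed):
    """OBSERVE: parse the bulletin feed into Advisory records."""
    return [Advisory(**rec) for rec in feed]
def orient(advisories, assets):
    """ORIENT: assess applicability by joining advisories to the inventory on CPE."""
    return [(adv, a) for adv in advisories for a in assets if cpe_matches(adv.cpe, a.cpe)]
def decide(hits):
    """DECIDE: exploited-in-the-wild first, then internet-facing, then higher CVSS."""
    return sorted(hits, key=lambda h: (not h[0].exploited, not h[1].internet_facing, -h[0].cvss))
def act(ranked, budget):
    """ACT: roll out the top `budget` fixes now; the rest roll into the next loop."""
    plan = [(adv.cve, a.host) for adv, a in ranked[:budget]]
    deferred = [(adv.cve, a.host) for adv, a in ranked[budget:]]
    return plan, deferred
def patch_tuesday(feed, assets, budget=2):
    return act(decide(orient(observe(feed), assets)), budget)

# Constructed sample data (placeholder CVE ids and vendor names, not real advisories).
SAMPLE_FEED = [
    {"cve": "CVE-0000-0001", "cpe": "cpe:2.3:a:examplevendor:webproxy:3.1", "cvss": 9.8, "exploited": True},
    {"cve": "CVE-0000-0002", "cpe": "cpe:2.3:a:examplevendor:mailgw:*", "cvss": 7.5, "exploited": False},
    {"cve": "CVE-0000-0003", "cpe": "cpe:2.3:a:othervendor:agent:2.0", "cvss": 5.3, "exploited": False},
]
SAMPLE_ASSETS = [
    Asset("dmz-proxy-01", "cpe:2.3:a:examplevendor:webproxy:3.1", True),
    Asset("mail-01", "cpe:2.3:a:examplevendor:mailgw:2.4", True),
    Asset("hr-ws-07", "cpe:2.3:a:examplevendor:mailgw:2.4", False),
    Asset("ws-12", "cpe:2.3:a:othervendor:agent:2.0", False),
    Asset("ws-13", "cpe:2.3:a:othervendor:agent:1.9", False),
]
```

Calling `patch_tuesday(SAMPLE_FEED, SAMPLE_ASSETS)` returns the two-item rollout plan and the deferred list that feeds the next pass of the loop.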
“Dueling OODAs” (and the role of Threat Intelligence, Analytics)
• There are many loops, often connected
• “farther in space, earlier in time”
• The Bad Guy’s loop is also an opportunity
[Figure: three connected OODA loops, each cycling OBSERVE, ORIENT, DECIDE, ACT]
Lockheed-Martin Kill Chain “Courses of Action”
Enterprise 1: Model based on LM Kill Chain
A notional use of the Lockheed Kill Chain: mapping Controls to the Kill Chain; then mapping specific tool choices to the Kill Chain
Kill Chain phases (columns): Recon & Prep | Delivery | Exploitation | C2 | Internal Recon | Lateral Movement | Persistence | Stage & Action
CONTROLS (placed under the phases they cover; some appear under more than one): IDS/IPS, Firewall, Proxy, AV, Mail Gateway, Patching, DEP, Standard Config, EMET, Sinkhole, AD, Wrong Path, DLP, OCC, Exchange, Akamai, Logs
PRODUCTS (the specific tool choices, likewise placed by phase): FireEye, Netwitness, Splunk, MIR, Vontu
Enterprise 2: Kill Chain, Mandiant APT1 and JP 3-13
A notional use of the Mandiant APT1 model; mapping Controls to the Adversary model; then mapping specific tool choices
SOURCE: http://www.appliednsm.com/making-mandiant-apt1-report-actionable/
Kill Chain phases (columns): Recon | Delivery | Exploitation | Installation | C2 | Actions on Objectives
Courses of action (rows, from Joint Pub JP 3-13, 2006), with the controls listed under the phases:
• DETECT: NIDS, HIDS, Router Logs, Application Logs, Web Logs, Vigilant User, AV
• DENY: Firewall ACL, Mail Filter, Web Filter, HIPS, App Whitelisting, Block Execution, Egress Filter, Hardened Systems, Sinkhole, NW Segmentation
• DISRUPT: Active Defenses, Web Filter, Mail Filter, HIPS, AV, DEP, Sinkhole, Hardened Systems, NW Segmentation
• DEGRADE: Honeypot, Redirect Loops, Active Defenses, Sinkhole, Restrict User Accounts, Combo of Deny/Disrupt, NW Segmentation
• DECEIVE: Honeypot (in every phase), Redirect Loops, Active Defenses, Sinkhole
• (DESTROY): N/A in every phase
CIS Community Attack Model – choosing controls
The “Multi-Framework Era”
• Enterprises need to “report to” more than one, and often MANY parties
o Regulators, the legal system, auditors, partners, formal requirements
o Supply chain is now a driver
• Best Case = “Do Once, Report to Many”
• Cross-Mappings become a necessity
• Framework creators need to cooperate
Cross-mapping to the NIST CSF: https://www.nist.gov/cyberframework/informative-references/informative-reference-catalog
A Two-Level Game
[Figure: ATTACKER vs DEFENDER, each laid out along a TACTICAL to STRATEGIC axis, annotated with INTENTIONS and CAPABILITIES. Labelled activities: Security Engineering; Manage Privileges; Scan for Malware; Weaponize Vulnerabilities; Recon of Targets; Develop Exploit; Continuous Measurement; Manage Devices; Manage Software; Use Secure Configs; Train People; Intelligence Gathering; Create “Toolboxes”; Attack Supply Chain; Threat Intelligence; Analytics, Correlation; Control Ports, Services, Protocols; Command & Control; Establish “Beachhead”; Software Engineering; Control Execution; Clean Up Traces; Build Attack Infrastructure]
• Website: www.cisecurity.org
• Email: Controlsinfo@cisecurity.org
• Twitter: @CISecurity
• Facebook: Center for Internet Security
• LinkedIn Groups:
o Center for Internet Security
o 20 Critical Security Controls