Tying cyber attacks to business processes, for faster mitigation
Prof. Avishai Wool, CTO, AlgoSec
AGENDA
- Introduction
- Business Driven Incident Response
- Technical Considerations in Remediation
- SIEM integration with AlgoSec
INTRODUCTION
BACKGROUND
The attackers are already inside the corporate network:
- Advanced Persistent Threat (APT)
- Compromised servers and desktops
- Malicious insiders

What can happen during an attack:
- Data is being exfiltrated (theft, espionage)
- A compromised server attacks other systems
- A compromised desktop is part of a DDoS attack network
- …
ADAPTIVE SECURITY
- “… preventive, detective and response capabilities.”
- “… context-aware network, endpoint and application security protection platforms”
  - Neil MacDonald, Peter Firstbrook, Gartner 2016
- “Leverage the Security Ecosystem from within the SIEM – Avoid Context Switching”
- “Maintain context during investigations”
  - Splunk Partner Information, 2016
AN INCIDENT STARTS WITH DETECTION
- Technological detectors, with different methodologies:
  - Signature-based, anomaly-detection, behavioral
  - Network-based, host-based
  - Dedicated sensors, alerts from standard systems
  - Internal or from threat-intelligence
  - Etc.…
- Human analysts in the “Cyber Operation Center” (CoC)
  - Free-search through real-time + offline log data

Evidence of malicious activity can be observed in logs.
THE FUNNEL: LOGS > CASES > INCIDENTS
- Many systems produce logs
  - Firewalls, anti-virus, computer OS, authentication systems, …
- Logs are sent to a SIEM (Security Information and Event Management)
  - Huge volume, nearly all benign
- SIEM “business logic” / “event correlation”: open Cases
  - SOC (Security Operations Center) staff handles the cases
  - Many false alarms
- Real cases become incidents
  - COC (Cyber-Operation Center) staff handles the incidents
SECURITY INCIDENT RESPONSE
Security Analysts in the COC analyze cases and incidents.
Their job is to detect real breaches (avoid false alarms), report the incident, analyze the impact, and stop/contain the attack.
BUSINESS DRIVEN INCIDENT RESPONSE
INCIDENT DETECTED – NOW WHAT?
- Common: (unstructured)
  - “30 people on a bridge call”
  - “24 hours just to decide whether to isolate, and when”
  - “one person walking around and documenting”
- Better: use a “case management system”
  - within the SIEM or as an add-on
  - Collect and document evidence
- Best:
  - Business-driven, context-aware
  - Actionable
BUSINESS-DRIVEN TRIAGE
- Identify impacted business processes
  - Which business applications rely on the impacted systems?
  - How business-critical are these applications?
  - Who are the business owners?
- Identify data sensitivity
  - Do the impacted applications handle sensitive data?
  - Is the impacted system a “stepping stone” to sensitive data?
  - Can the impacted system exfiltrate data?
- Triage outcomes:
  - Urgency of mitigation (now / tonight / change-control window)
  - Aggressiveness of mitigation (filter / disconnect / shutdown / patch)
BUSINESS-DRIVEN CONSIDERATIONS
- Weigh 2 types of risk:
  - Security risk: damage of the attack until it is mitigated
  - Operational risk: downtime during mitigation + unintended side effects
- Business criticality primarily affects the Operational Risk
- Data sensitivity primarily affects the Security Risk
  - … also regulatory compliance and reporting requirements
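The two triage outcomes of the previous slide (urgency and aggressiveness) derived from the two risks weighed here, as an added example that is not AlgoSec's code or data. The application inventory and the reachability facts (which a network-policy analysis would normally supply) are constructed placeholders.

```python
from dataclasses import dataclass

@dataclass
class BusinessApp:
    name: str
    criticality: str          # "high" | "medium" | "low"
    handles_sensitive: bool   # does the application process sensitive data?
    owner: str                # business owner to report to
    hosts: frozenset          # systems the application relies on

# Constructed sample inventory (CMDB-style); not real data.
APPS = [
    BusinessApp("payments", "high", True, "payments-owner@example.test",
                frozenset({"10.1.1.10", "10.1.1.11"})),
    BusinessApp("intranet-wiki", "low", False, "it-owner@example.test",
                frozenset({"10.2.2.20"})),
]
CRITICALITY_WEIGHT = {"high": 3, "medium": 2, "low": 1}

def security_risk(apps, reach):
    """Security risk: driven by data sensitivity and by what the 0wned host can reach."""
    score = 2 if any(a.handles_sensitive for a in apps) else 0
    score += 1 if reach.get("internet") else 0        # local data can be exfiltrated
    score += 1 if reach.get("sensitive_zone") else 0  # stepping stone / lateral movement
    return score

def operational_risk(apps):
    """Operational risk: driven by the criticality of the applications that would go down."""
    return max((CRITICALITY_WEIGHT[a.criticality] for a in apps), default=0)

def triage(host, reach, apps=APPS):
    """Map the impacted host to its business context and derive the two triage outcomes."""
    hit = [a for a in apps if host in a.hosts]
    sec, ops = security_risk(hit, reach), operational_risk(hit)
    if sec >= 3:      # sensitive data plus a way out or onward: act now
        urgency = "now"
        # High operational risk argues for restricting flows rather than taking the app down.
        aggressiveness = "filter" if ops == 3 else "disconnect" if ops == 2 else "shutdown"
    elif sec >= 1:
        urgency = "tonight"   # unscheduled change-control window
        aggressiveness = "filter" if ops >= 2 else "disconnect"
    else:
        urgency, aggressiveness = "change-window", "patch"
    return {"applications": [a.name for a in hit],
            "owners": sorted({a.owner for a in hit}),
            "security_risk": sec, "operational_risk": ops,
            "urgency": urgency, "aggressiveness": aggressiveness}
```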
REACHABILITY CONSIDERATIONS
- Assume that the impacted system is “0wned”
  - All sensitive data on that system is exposed
  - … but network defenses are still in place:
    - East-West traffic filters (in a segmented datacenter)
    - North-South traffic filters (perimeter firewalls)
- Can the impacted system connect to the Internet?
  - exfiltrate local data
- Can the impacted system connect to more sensitive systems?
  - Lateral movement
  - Stepping stone
RESPONSE: TAKING ACTION
- Contain:
  - Remediate through automatic isolation of compromised servers from the network
- Report:
  - Report the incident to relevant teams
  - Maintain an audit trail of actions taken
BUSINESS-DRIVEN REMEDIATION: WHEN TO ISOLATE?
- Timing of isolation may be important
  - How urgent and how severe is the issue?
  - In which time-zones are the affected application’s users?
- Possible outcomes:
  - Do it now!
  - Use an unscheduled change-control window (tonight)
  - Wait for a normal change-control window (next week)
BUSINESS-DRIVEN REMEDIATION: HOW TO ISOLATE?
- Method of isolation may be important
- Possibilities:
  - Power down
  - Disconnect from the local network
    - Physically pull the cable
    - Logically disconnect from the L2 switch
  - Block all traffic at network segment boundaries
  - Restrict traffic at network segment boundaries (allow only restricted flows)
POLL
- How many people do you have in your Cyber-Operation Center?
  - We don’t have one
  - 1-5
  - 6-15
  - More than 15
TECHNICAL CONSIDERATIONS IN REMEDIATION
WHERE TO ISOLATE (NETWORK SEGMENT)?
- Find the filtering devices closest to the impacted system

(Diagram: the impacted system and the isolation points around it)
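A small reachability analysis for the questions of the REACHABILITY CONSIDERATIONS slide (can the impacted system reach the Internet, or the sensitive zone, through the north-south and east-west filters?) that also reports the closest filtering devices asked for here. This is an added example with a constructed three-segment network and allow-lists; it is not AlgoSec's algorithm or data, and the subnets, device names and services are placeholders.

```python
from collections import deque
from ipaddress import ip_address, ip_network

# Constructed segmented datacenter: segment name -> subnet. 'internet' is the
# pseudo-segment for any address outside these subnets. Not real data.
SEGMENTS = {
    "web-dmz": ip_network("10.1.1.0/24"),
    "app": ip_network("10.2.2.0/24"),
    "db-sensitive": ip_network("10.3.3.0/24"),
}
# Constructed filtering devices (north-south and east-west), each with the flows
# it allows as (source segment, destination segment, service); all else is denied.
DEVICES = {
    "perimeter-fw": [("internet", "web-dmz", "tcp/443"), ("web-dmz", "internet", "tcp/443")],
    "ew-fw-1": [("web-dmz", "app", "tcp/8080")],
    "ew-fw-2": [("app", "db-sensitive", "tcp/5432")],
}

def segment_of(ip):
    """Place an address in its segment; anything outside the datacenter is 'internet'."""
    addr = ip_address(ip)
    return next((n for n, net in SEGMENTS.items() if addr in net), "internet")

def allowed_path(src_ip, dst_segment):
    """Breadth-first search over allowed hops. Returns the (device, service) hops of the
    shortest allowed path, [] if the host is already in dst_segment, None if blocked."""
    start = segment_of(src_ip)
    queue, seen = deque([(start, [])]), {start}
    while queue:
        seg, path = queue.popleft()
        if seg == dst_segment:
            return path
        for dev, flows in DEVICES.items():
            for src, dst, svc in flows:
                if src == seg and dst not in seen:
                    seen.add(dst)
                    queue.append((dst, path + [(dev, svc)]))
    return None

def reachability_report(ip, sensitive_segment="db-sensitive"):
    """Answers 'can reach Internet?' and 'can reach sensitive zone?' and names the closest
    filtering devices: the first hop of each allowed path is where isolation can be applied."""
    to_internet = allowed_path(ip, "internet")
    to_sensitive = allowed_path(ip, sensitive_segment)
    nearest = {path[0][0] for path in (to_internet, to_sensitive) if path}
    return {"segment": segment_of(ip),
            "internet": to_internet is not None, "internet_path": to_internet,
            "sensitive_zone": to_sensitive is not None, "sensitive_path": to_sensitive,
            "isolation_points": sorted(nearest)}
```

The two boolean results are exactly the reachability facts a triage step would consume; the path hops show which device and which allowed service would have to be restricted.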
L2 / HOST-BASED ISOLATION
- NAC to disconnect the Ethernet port
- Wireless hotspot to disconnect the mobile host
- Advantage: isolates the host from all others
- Challenges:
  - Going from IP address to L2 port number
  - May require additional equipment
TRADITIONAL FIREWALL-BASED ISOLATION
- Use firewall(s) and filtering routers to block/restrict traffic to/from the device
- Advantages:
  - At arm’s length from the infected host, retains forensic evidence
  - Filtering is what firewalls do
  - No additional equipment required
- Limitation: isolation is only as good as the network segmentation
RESTRICT RATHER THAN ISOLATE?
- Put the “other side” of the connection in a black-list
  - Web proxy (e.g. BlueCoat, zScaler, WAF)
- Restrict the infected machine to only specific services
- Restrict to only internal addresses
  - DLP
  - Disconnect from botnet C&C
  - Prevent participation in outbound DDoS
- Restrict to only external addresses (e.g., for web-facing servers)
  - Block access to sensitive internal data
  - Prevent attacks on internal servers
SIEM INTEGRATION WITH ALGOSEC
ALGOSEC SPLUNK APP FOR INCIDENT RESPONSE
- Splunk App for Incident Response based on AlgoSec capabilities
- To be used as-is or incorporated into other Splunk Apps
(Screenshot) The AlgoSec App adds an action menu to all IP address fields.
(Screenshot)
- Critical business process? (identify business impact, set priority)
- Who to report to?
(Screenshot)
- Custom business logic
- Machine-readable data to allow further integration
(Screenshot) Can reach Internet? Data exfiltration possible
- From impacted system
- To Internet
(Screenshot) Can reach sensitive zone? Stepping stone; regulatory impact; reporting requirements
- From impacted system
- To sensitive zone
(address shown in the screenshot: 10.3.3.3)
DISTRIBUTION AND LICENSING
- Delivered via Splunkbase (Splunk’s App Store)
  - Download directly from the Splunk administration UI, or via the Splunk website
- App is free, open source
  - requires a licensed AlgoSec deployment
- Customers/partners are welcome to extend the App or extract parts of it and use them in other Splunk Apps
- More to come – stay tuned!
SUMMARY
- Overview of Incident Response processes
- Business Driven Incident Response
- Technical Considerations in Remediation
- SIEM integration with AlgoSec
EXIT POLL
Would you like to evaluate the AlgoSec/Splunk integration?
- Yes, please contact me this month
- Yes, in 3-6 months
- I don’t have Splunk
- No
MORE RESOURCES