Sunday, September 17, 2017

File under #failure

Equifax announced a massive breach of tax payer information.

TL;DR: Lock your credit accounts:

https://www.experian.com/freeze/center.html#content-01
https://www.innovis.com/securityFreeze/index
https://www.transunion.com/credit-freeze/place-credit-freeze2
https://www.freeze.equifax.com/Freeze/jsp/SFF_PersonalIDInfo.jsp


Basic recommendation: freeze your credit report. This does two things. First, it protects you. Second, if most US taxpayers freeze their credit it will change the way these companies do business. They're collecting information about you and reselling it to third parties. They'll charge you a fee (credit monitoring) to protect that information. In my opinion it is perverse that they'll only protect your information for a fee. It will be interesting to see how the class action lawsuits which follow will shape the credit monitoring services.

I'm also interested in how the Internal Revenue Service (IRS) of the United States addresses this. They've been pretending for two decades too long that the social security number is somehow a shared secret. It is not. Time to re-key, IRS. You have suffered a data breach through an irresponsible vendor partner. You've allowed these vendors to leverage your information for far too long. Fix this broken system.

Tuesday, June 6, 2017

SANS SOC Summit 2017

A quick listing, for each talk, of the TODO items I extracted from the presentation.

The presentations are available here:
https://cyber-defense.sans.org/resources/summit-archives

Day 1

Keynote: Good vs Evil: Winning the Age Old Battle
Doug Burks (@dougburks), CEO, Security Onion Solutions LLC
TODO: Practice Japanese. More work on motivating people to perform optimally.


Stuck in the Box: A SIEM's Tale
Justin Henderson (@SecurityMapper), Systems and Security Architect, GSE # 108, Cyber Guardian Red/Blue
TODO: Develop a list of "go to" Event IDs

How to Measure Anything in the SOC
Rich Seiersen, Former General Manager - Cyber Security & Privacy, GE Healthcare
TODO: Develop predictive analytical model for SOC (and read Rich's book)

Metrics for Justifying SOC Investment to the CEO and Board
John Pescatore, Director of Emerging Security Trends, SANS Institute
TODO: Decide on key performance indicators and develop report / dashboard to depict them.

Debunked: Traditional IR Calls
Gregory Braunton, National Director, Threat Management, Incident Response and Forensics, Catholic Health Initiatives
TODO: Visual collaboration tool. (Reminds me also to develop the ACH rubrics for common incident scenarios.)

Siri for SOC: How an Intelligent Assistant can Augment the SOC Team
Bobby Filar (@filar), Sr. Data Scientist, Endgame
Rich Seymour, Sr. Data Scientist, Endgame
TODO: Develop question based playbook for analysts.

The Need for Investigation Playbooks at the SOC
Matias Cuenca-Acuna, Principal Engineer, Intel Security

Ismael Valenzuela, SANS Certified Instructor, GSE #132; Global Director of Foundstone Consulting Services
TODO: Differentiate response playbook and investigative playbook, refine current playbook.


Day 2


Keynote: Survey Says: Actionable Insights from the SANS SOC Survey
Chris Crowley (@CCrowMontance), SANS Institute
TODO: Build a survey that captures a representative sample of SOCs globally.


SIEMple Simon Met a WMIman
Craig L. Bowser, Sr. Security Engineer, Dept. of Energy
TODO: Adapt this for SOC Analysts, and have a punch list of checks to be sure they're accomplishing these checks.

Inattentional Blindness (IB) & Security Monitoring
Ismail Cattaneo, Sr. Manager of Security Operations & Engineering, Verizon Enterprise Solutions
TODO: Pay attention, and keep working on a converged analytical methodology between "Organizational Dimensions, Analysis of Competing Hypotheses, Kill Chain, and Diamond Model"

Hunting Adversaries with "rastrea2r" and Machine Learning
Gabriel Infante-Lopez, Software Architect & Data Science, Intel Security
Ismael Valenzuela, SANS Certified Instructor, GSE #132; Global Director of Foundstone Consulting Services
TODO: Look at the open source project for collecting information between disparate tools.

Color My Logs: Understanding the Internet Storm Center
Johannes Ullrich, PhD, Dean of Research, SANS Technology Institute
TODO: Look for ways to enrich SOC data with RESTful information from within SANS ISC. Install a Raspberry Pi.

SOCs for the Rest of Us
Dave Herrald (@daveherrald), GSE #79, Senior Security Architect, Splunk
Ryan Kovar (@meansec), Staff Security Strategist, Splunk
TODO: Take the questions Dave and Ryan used and turn them into an assessment capability.

Building the Cybersecurity Workforce We Need: Creating Pipelines and Pathways Without Poaching
Arlin Halstead, Strategic HR Business Partner, NTT Security
Maxwell Shuftan (@SANSCyberTalent), Director of CyberTalent Solutions, SANS Institute
TODO: Refine hiring standard questions and look at retention methodology.

DDoS Attacks in Action
Ben Herzberg, Security Research Group Manager, Imperva Incapsula
TODO: Practice Python. Inventory DDoS vulnerability assessment and remediation tools.

Tuesday, April 25, 2017

Threat Hunting Summit 2017 and MGT517.2017.2

I had the opportunity to see many great talks, but missed just as many due to obligations and getting other work done. If you didn't get to attend the THIR summit, the high quality videos should be online soon here:

https://www.sans.org/event/threat-hunting-and-incident-response-summit-2017/summit-videos/

If you are interested in my talk, you can see the powerpoint here:

https://bit.ly/crow-th

More elaboration on the security operations functional areas here:

http://www.montance.com/mgt517

Thank you to the people who took the time to chat with me about their opinions or experience on the topics I covered. It's tough to present a complete system in 30 minutes. I hope your organization has a strategic vision for what your security operations is going to be. If you don't, steal my diagram from the bit.ly link above and start to plan for how your functions can work together to optimize your scarce resources.

Also, much appreciation to the folks who attended MGT517. I was impressed by the discussions we had. I feel like I learn a massive amount each time I teach. Some of it is validation of the opinions I hold, some of it is a challenge to my approach. Criticism and permutations help to refine the system. I'm excited about a few things that I'm going to incorporate. First is the notion of a more data-centric depiction of the metrics I advocate for the SOC. Another enhancement planned for the next revision is a deeper dive into threat hunting scenarios. Finally, ACH brainstorm templates for incident types to encourage analysts to employ ACH, Kill Chain, and Diamond Model as analytical tools.

Wednesday, April 19, 2017

Positive feedback

...never has a SANS track been more relevant, timely, thorough, and pragmatic as I found the MGT517 course to be. In my opinion, Chris (and I am quite sure an entire team of reviewers) has thought of, considered, and addressed every issue that I have encountered in my journey to standing up an internal SOC at my company.
Positive thoughts. There are many things I'd like to refine within the class, but I appreciate the acknowledgement.

Friday, April 14, 2017

MGT517 Hot Wash - Orlando - 2017-04-14

The first official run of MGT517 just wrapped up in Orlando, FL.

Primary takeaway messages from the attendees:
1. There are a number of companies trying to build a SOC, but they're not exactly sure what a SOC is.
2. Political issues are more difficult to overcome than technical problems.
3. I'm roughly 12-18 months late on this class. A common comment from people, "I wish I had taken this class 12 months ago when I started building the SOC for ____ company."

Some improvements I plan to make:
1. In the Design discussion, depict the ways we're going to cover the material in the build, operate, and mature sections. (TODO - near term)
2. Set up a website with resources for reference (TODO - near term).
3. Adjust the metrics to present the balanced scorecard approach, and include some of the examples that John Pescatore gave in his lunch time talk to the class. (TODO - near term)
4. Enhance the swimlane diagram that depicts the functional area process relationships with updated inputs, people, artifacts, and technology. (TODO - ongoing)

I was pleased by the excellent attendees. Lots of great discussion and insight shared by people. A benefit of the class is making the connections with the small number of other professionals in the space.

Finally, I'm thrilled at the overwhelming response of people to attend the course. I know that it is full for the next couple of runs. Anyone who is unable to get into the class, please be patient, we're running the course many times this year. Take a look at the events later this year. If the demand is persistent, I'll work with SANS to add additional runs this year.

Sunday, March 26, 2017

Three Characters (Caricatures) of Incident Response

I've been using this set of three types of IR characters to describe my opinion on the capabilities. I thought I would share it. I'll try to "polish the turd" at some time in the future.

We need all of these capabilities in IR/SecOps. Having each in the right measure is the trick. A few Eagles and no Janitors isn't going to work.

Janitor

Not glorious or proactive, the Janitor is tasked with clean up. This occurs after the incident has transpired. This is a necessary capability, is usually the first capability to be developed, and should be operational to the degree that the janitorial services are low cost, effective, and capable of dealing with the sorts of messes the organization produces.

The janitor sometimes finds things left behind that are interesting, and should know to bring this to the attention of the appropriate component of security operations. Janitorial services are frequently outsourced, should be relatively low cost, measurable, and repeatable. These tasks can be level 4 (measured) or 5 (optimized) on the CMMI scale.

Janitors infrequently have the agency within the organization to effect change. Albert Einstein famously discussed his most difficult problems with the janitor. Maybe it was because the janitor was the only one around at his odd work hours. Maybe the conversation proceeded because the janitor could see all the details of things left undone by people that made his job unnecessarily difficult.

Firefighter

A proactive capability, with the opportunity to minimize damage. Firefighters are trained to address the most critical aspects first: save the lives of people and animals first. In information security terms, this includes tasks of preventing exfiltration or, more generally, actions on objectives, to use the Cyber Kill Chain® terminology.

The next order of business for firefighters is to simultaneously prevent the spread of the current blaze to nearby fire sources. This might be buildings, or it might be portions of the landscape when dealing with wildfires. When conditions are optimal, stopping the spread of the fire is relatively easy. If the nearby buildings are made of concrete with metal roofs, the required temperature to catch on fire is likely too high. But, if there are high winds, the nearby pine forest is parched due to drought, and the current fire is burning hot enough to send embers flying, the likelihood of the fire spreading out of control of the current fire-fighting team increases.

Firefighters are often volunteer teams that have funding from the community to protect any resource that might encounter a problem. Resource rich areas with high rise buildings, dense populations, and greater environmental risk often have more restrictive controls in place. Specialized equipment like ladder trucks for tall buildings are deployed as needed. Community requirements like smoke detectors, fire suppression systems, automatically closing and fire rated doors are common in public spaces.

The information security analogy is obvious. Preventive and detective measures built in to systems are the result of diligent, persistent community awareness around risks of information systems. The systems with the most information density typically have formal requirements associated with risk management. The less important, resource constrained areas are often left to cobble together the response capability for the response team. The skillset of a volunteer, self-trained force is often less than a professional response capability. However, the ownership and agency that volunteers might have frequently creates circumstances where they outperform their fully funded counterparts on a dollar-wise comparison basis. That sense of ownership and heroism usually cannot be sustained perpetually. Ad hoc response teams try to demonstrate the need for additional funding by citing current successes and the substantial and growing demand for the service.

Eagle

Most eagle species are apex predators. With impressive optic acuity, they catch prey unaware. The eagle can strike and kill prey substantially larger than itself, sometimes killing prey 6 times its own weight.

The threat hunting responder who knows the narrow passes in the network, and can use the likely places an attacker must traverse to perform actions on objectives is an IR eagle. The eagle can scan massive areas, locate minutiae that everyone else would miss, and take out an intruder with speed and precision.


Once the IR eagle chooses to focus in on one specific prey, it loses sight of the other, potentially more important attackers. It’s expensive to maintain a lot of top performers within an IR group, and like the actual eagle, these hunters are often solitary and territorial.

Thursday, February 2, 2017

FOR578 and Cyber Threat Intel Summit 2017

I attended FOR578 – Cyber Threat Intelligence ( https://www.sans.org/course/cyber-threat-intelligence ) at the Cyber Threat Intel Summit this past week. Two of the course authors, Robert M Lee (@RobertMLee) and Rebekah Brown (@PDXBek) co-taught the class. The third course author is Jake Williams (@MalwareJake).

My background is network and security operations, incident response, and pen testing. I haven’t ever functioned as an intel analyst specifically. But, I’ve been both a consumer of Intel and a producer of Intel in past roles. There were three primary items that I want to share from this class.

  1. The importance of clearly articulating, in the team's mission objectives, whether the team consumes Intel or produces Intel.
  2. The potential for enrichment of raw data with Intel.
  3. An effective expression of the kill chain via the concept of "race to the finish."


Before I go into the details of these items, I want to express why they are important to me, so you understand the reason why these are primary take away lessons. The course that I wrote (MGT517 – Managing Security Operations: Detection, Response, and Intelligence) discusses integration of intel into security operations. I wanted to glean as much as possible from Rob, Rebekah, and Jake’s experience working in the Intel community to assure that the system I’m presenting is aligned with their experience, and what Intel Analysts attending SANS training will be bringing back to their organizations.

I determined that most of the other students were there to sharpen (or to establish) the intelligence function within their organizations. In speaking with the other attendees, and in listening to their questions, there were many tactical (how to do the intel actions) questions. There were also some strategic (what should we be doing) questions but most were on the tactical side.

The importance of clearly articulating, in the team's mission objectives, whether the team consumes Intel or produces Intel.


There are two major things to do with threat intelligence: produce it or consume it. A funded and mature team of threat intelligence analysts will likely do both. For less mature or less funded functions, the consumption of intelligence is a more realistic goal. This consumption-only strategy (summarized) means the purchase of threat intelligence feeds and the aggregation of open source intelligence information. This information is culled for the data relevant to the organization the threat intel analysts work for. At some point in time, these analysts may determine that they have collected data internal to their organization which is worthwhile to share with other parties outside of the organization. This is the production of intelligence.

The potential for tight integration of enrichment of raw data with Intel.

Let’s discuss the objective of consumption of intelligence. The term applied during FOR578 was enrichment. There was discussion of what this looks like and how to do it. I’m going to skip those details because it is more granular than the space I intend to devote to this post. But the key takeaway is that the process of combining external intelligence with internal data is enrichment. Let’s use the pyramid of pain ( https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html ) to describe the ingestion of threat intelligence. This will remain abstract, so we’ll refer to the categories of intelligence: hashes; IP addresses; Domain Names; Host artifacts; Tools; and Tactics, Techniques, and Procedures (TTPs).

Enrichment of your internal data with the lower levels (hashes, IP addresses, Domain Names, and Host Artifacts) takes some work, but is relatively straightforward. Use of this data includes analysis of the data elements to validate they are applicable, and correlation against your stored data to assess the presence of these data elements. An example might be the addition of the updated file hash values to sysmon (https://technet.microsoft.com/en-us/sysinternals/sysmon) tracking. It might include searching your DNS query logs for requests to DNS entries identified via the threat intelligence.

Most important to this effort is using that initial item of identification to start the effort of collecting additional intelligence about what adversaries are doing within your environment. This can be neatly encapsulated in Bejtlich’s Intruder’s Dilemma: the defender needs only one initial indicator to begin response. (https://taosecurity.blogspot.com/2009/05/defenders-dilemma-and-intruders-dilemma.html)
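As an added illustration (not FOR578 or MGT517 material, and not code from this post), here is a small Python sketch of enrichment for the lower pyramid-of-pain tiers and the follow-on pivot from the first hit; the intel feed, sysmon-style events and DNS query lines are all constructed:

```python
"""Enrich constructed internal telemetry with constructed intel indicators
(hash, IP, domain tiers), then pivot from the hosts that matched to every
other event they produced, and derive new indicators from those events.
Added illustration only; every indicator and log line below is made up."""
from collections import defaultdict

# Constructed intel feed: lower pyramid-of-pain tiers only.
INTEL = {
    "hash": {"d41d8cd98f00b204e9800998ecf8427e"},
    "ip": {"203.0.113.7"},
    "domain": {"update-cdn.example.net"},
}

# Constructed sysmon-style process events (hash per image).
SYSMON_EVENTS = [
    {"host": "ws01", "image": "C:\\tmp\\svc.exe",
     "md5": "d41d8cd98f00b204e9800998ecf8427e"},
    {"host": "ws02", "image": "C:\\Windows\\notepad.exe",
     "md5": "0f343b0931126a20f133d67c2b018a3b"},
]
# Constructed DNS query logs (name queried and the answer returned).
DNS_LOGS = [
    {"host": "ws01", "qname": "update-cdn.example.net", "answer": "203.0.113.7"},
    {"host": "ws01", "qname": "files.example.org", "answer": "198.51.100.9"},
    {"host": "ws03", "qname": "www.example.com", "answer": "192.0.2.1"},
]


def enrich(intel, sysmon, dns):
    """Correlate intel against stored data; return (tier, indicator, event)."""
    hits = []
    for ev in sysmon:
        if ev["md5"] in intel["hash"]:
            hits.append(("hash", ev["md5"], ev))
    for q in dns:
        if q["qname"] in intel["domain"]:
            hits.append(("domain", q["qname"], q))
        if q["answer"] in intel["ip"]:
            hits.append(("ip", q["answer"], q))
    return hits


def pivot(hits, sysmon, dns):
    """One initial indicator names a host; gather everything that host did."""
    hosts = {ev["host"] for _, _, ev in hits}
    related = defaultdict(list)
    for ev in sysmon + dns:
        if ev["host"] in hosts:
            related[ev["host"]].append(ev)
    return dict(related)


def derived_indicators(related, intel):
    """Domains and IPs seen on matched hosts that the feed did not yet list:
    candidate internal intelligence, to be validated before sharing."""
    seen = {(ev["qname"], ev["answer"])
            for evs in related.values() for ev in evs if "qname" in ev}
    return {(d, a) for d, a in seen
            if d not in intel["domain"] and a not in intel["ip"]}
```

Validation of each hit against its context (is the hash on a known-good image, is the DNS answer a CDN) still happens before anything from the last function is treated as intelligence.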

An effective expression of the kill chain via the concept of race to the finish.

I discuss the cyber threat kill chain in MGT517 (as well as ACH, Diamond Model, and Hofstede’s Cultural and Organizational dimensions) to address a terrible shortage of objective analysis within security operations.

Rob had a specific item of guidance regarding practical application of the Cyber Kill Chain®. Among that practical guidance was the notion of “race to the finish.” That is, wherever you find a data element in the kill chain, go down the chain toward the finish rather than back up the chain to the beginning. The rationale is that this is where the important information lies that allows you to understand, and then express, the impact to the business of the intrusion you’re investigating.

I gathered many other nuggets of wisdom from Rob and Rebekah. These three items warrant repeating: start with consumption of intelligence and with maturing move into production of intelligence; enrich your internal data with intelligence you consume; start by racing to the finish in the kill chain, or whatever framework you use to understand adversary actions.