
GE Incident Response Insight Awareness Advantage Sean Mason - PowerPoint PPT Presentation



  1. GE Incident Response Insight Awareness Advantage Sean Mason Director, Incident Response

  2. Investing in new talent & capabilities Incident response Cyber intelligence Digital forensics Security architecture Identity management Compliance, controllership, IT management GE.com/InfoSec

  3. Fundamentals

  4. Evolution (timeline diagram: five numbered stages in the evolution of the IR program; the stage labels are not recoverable from the slide text)

  5. Threats (Threat type / What / Examples)
     • Hacktivism: highly visible attacks targeting large corporations and government agencies. Example: Anonymous
     • Advanced Persistent Threat: organized and state-funded groups methodically infiltrating the enterprise. Example: APT1
     • Cybercrime: organized crime rings targeting individuals and corporations for financial gain. Example: RBN

  6. Kill Chain (KC)
     • KC1 - Reconnaissance: collecting information and learning about the internal structure of the host organization
     • KC2 - Weaponization: how the attacker packages the threat for delivery
     • KC3 - Delivery: the actual delivery of the threat (via email, web, USB, etc.)
     • KC4 - Exploitation: once the host is compromised, the attacker can take advantage and conduct further attacks
     • KC5 - Installation: installing the actual malware, for example
     • KC6 - Command & Control (C2): setting up controls so the attacker can have future access to the host's network
     • KC7 - Actions on Intent: the attacker meets his/her goal (e.g. stealing information, gaining elevated privileges or damaging the host completely)

  7. Incident Response process (DCAR+I)
     • Detect: alerts (NSM, SIEM, AV/HIPS); ticket management; prioritize risks; identify scope
     • Contain & Collect: tool status; contain host; acquire forensic evidence; live response; network log data
     • Analyze: impact (data movement); actors; methods; movement; accounts
     • Remediate: rebuild host; reset passwords; task force countermeasures
     • Intel: reporting; indicators for new signatures

  8. IR measured cycle times
     Event (Event Time) → Triage (Detect Time) → Analysis → Report (Report Time) → IR Actions (Contain Time) → Remediation / Task Force (Remediation Time)
     • Dwell Time (DWT): Event → Detect. How fast did we find it?
     • Contain Time (CNT): Detect → Contain. How fast did we respond to it?
     • Remediate: Business Impact Time (BIT), Strategic Remediate Time (SRT). How fast did we fix it?
     DWT + CNT = time of unauthorized access to the asset
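The cycle times above are only useful if every ticket records the same milestones and the arithmetic is done the same way each time. The following is an added example (not GE's tooling or ticket schema) that computes DWT, CNT and the unauthorized-access window from per-ticket timestamps and aggregates them across tickets; the field names, the assumed BIT definition (contain → remediate, which the slide does not spell out) and the sample incidents are constructed for illustration.

```python
"""IR cycle-time metrics (DWT, CNT, BIT) computed from ticket timestamps.

Added example; the field names, the BIT definition (contain -> remediate)
and the sample incidents are assumptions for illustration, not GE's
ticketing schema or real incident data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Dict, List, Optional


@dataclass
class IncidentTimeline:
    ticket: str
    event_time: datetime                 # unauthorized activity on the asset began
    detect_time: datetime                # triage: when we found it
    report_time: Optional[datetime]      # formal report issued
    contain_time: Optional[datetime]     # IR actions done, host contained (None = still open)
    remediate_time: Optional[datetime]   # rebuild / resets / task force countermeasures done


@dataclass
class CycleTimes:
    ticket: str
    dwell: timedelta                          # DWT = detect - event      "how fast did we find it?"
    contain: Optional[timedelta]              # CNT = contain - detect    "how fast did we respond?"
    business_impact: Optional[timedelta]      # BIT = remediate - contain "how fast did we fix it?" (assumed)
    unauthorized_access: Optional[timedelta]  # DWT + CNT, as stated on the slide


def _delta(later: Optional[datetime], earlier: Optional[datetime]) -> Optional[timedelta]:
    """Interval between two milestones; None if either is not yet recorded."""
    if later is None or earlier is None:
        return None
    if later < earlier:
        raise ValueError(f"milestone {later} precedes {earlier}; timeline is out of order")
    return later - earlier


def cycle_times(t: IncidentTimeline) -> CycleTimes:
    dwell = _delta(t.detect_time, t.event_time)
    contain = _delta(t.contain_time, t.detect_time)
    return CycleTimes(
        ticket=t.ticket,
        dwell=dwell,
        contain=contain,
        business_impact=_delta(t.remediate_time, t.contain_time),
        unauthorized_access=None if contain is None else dwell + contain,
    )


def summarize(incidents: List[IncidentTimeline]) -> Dict[str, float]:
    """Median / max in hours across tickets; open tickets contribute DWT only."""
    rows = [cycle_times(i) for i in incidents]

    def hours(values) -> List[float]:
        return [v.total_seconds() / 3600 for v in values if v is not None]

    dwell = hours(r.dwell for r in rows)
    cnt = hours(r.contain for r in rows)
    access = hours(r.unauthorized_access for r in rows)
    return {
        "incidents": len(rows),
        "open": sum(1 for r in rows if r.contain is None),
        "dwell_median_h": median(dwell),
        "dwell_max_h": max(dwell),
        "contain_median_h": median(cnt) if cnt else float("nan"),
        "unauthorized_access_median_h": median(access) if access else float("nan"),
    }


# Constructed sample tickets (not real incidents).
SAMPLE_INCIDENTS = [
    IncidentTimeline("IR-1001", datetime(2014, 3, 1, 8), datetime(2014, 3, 3, 8),
                     datetime(2014, 3, 3, 10), datetime(2014, 3, 3, 12), datetime(2014, 3, 5, 12)),
    IncidentTimeline("IR-1002", datetime(2014, 2, 20), datetime(2014, 3, 2),
                     datetime(2014, 3, 2, 4), datetime(2014, 3, 2, 6), datetime(2014, 3, 4, 6)),
    IncidentTimeline("IR-1003", datetime(2014, 3, 4, 9), datetime(2014, 3, 4, 10),
                     None, None, None),   # still open: no contain or remediate yet
]

if __name__ == "__main__":
    for k, v in summarize(SAMPLE_INCIDENTS).items():
        print(f"{k}: {v}")
```

Open tickets are the case that usually breaks these reports: they have a dwell time but no contain time yet, so the code keeps them in the DWT population and leaves them out of CNT rather than silently treating "not contained" as zero. Out-of-order milestones (detect recorded before event) raise instead of producing a negative dwell time.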

  9. Workflow & knowledge management

  10. Communication
     • Tailored audience based on KC
     • Standard communications rhythm (~1hr after declaration; COB daily)
     • Inclusive & transparent!
     Incident update template (more detailed PowerPoint):
       RESTRICTED INFORMATION – LIMITED DISTRIBUTION; ENCRYPTED TRANSMISSION ONLY
       Incident Status: MM-DD-YYYY HHMM
       Kill Chain Phase:
       Businesses & Locations Impacted:
       Summary:
       Impact:
       Host Status:
       Intelligence Summary: · Attribution
       Action Items:
       Next Update:
       Note: updated information is shaded in green; completed and end-of-week actions are struck through.

  11. Intel

  12. Intel
     Sources: commercial, open source, associations, government, industry & government, trade
     Sectors: Chemical; Commercial Facilities; Communications; Critical Manufacturing; Dams; Defense Industrial Base; Emergency Services; Energy; Financial Services; Food & Agriculture; Government Facilities; Healthcare & Public Health; Information Technology; Nuclear Reactors, Materials & Waste; Transportation Systems; Water & Wastewater Systems
     Strong relationship with key stakeholders across all sectors

  13. Intel storage & analysis
     CRITs is a MITRE application provided to industry peers (120+ members) for:
     – Indicator management
     – Malware triage
     – Advanced intel analysis
     – Managing the "Sharing Problem"
     – Implementing threat sharing standards
     Inputs: OSINT, sharing partners, antivirus vendors

  14. Structured indicator storage Summary details provide the default required values about an indicator

  15. Structured indicator storage Actions can be used to show tracking of an indicator to a detection deployment. Tickets can be used to relate indicators back to our tickets.

  16. Structured indicator storage Campaigns show the threat actor attribution from the Cyber Intelligence teams

  17. Structured indicator storage Relationships build out the larger picture of how various pieces of intelligence are linked

  18. Structured indicator storage Objects allow us to tag intelligence with context such as the Kill Chain or what role the intelligence plays

  19. Detect

  20. Intel driven, threat centric detection (process diagram; the labels below are the slide's, the grouping into columns is reconstructed)
     Intelligence: Collect → Analyze → Disseminate
       • Collect: establish requirements; gather intelligence (pre-deployment collection: platform, location, architecture, capacity, frequency); store raw intel
       • Analyze: extraction; enrichment; analysis (prioritization, validation, categorization); document; analysis process
       • Disseminate: store product; distribute; notify / present; communications
     Detect: Transform → Develop → Deploy → Triage
       • Transform: consume; quality check; detection feedback; collect / aggregate
       • Develop: development; build; test; reporting
       • Deploy: production deployment; signature monitoring; manage alignment; quality check reviews
       • Triage: event analysis; investigation; live collection analysis (good / bad / informational); alert reporting
     Respond: Respond → Remediate
       • Respond: formal IR; host isolation; containment; forensics
       • Remediate: remediation; service restoration; root cause; process improvement
     Detection platforms: SIEM, WAF, HTTPRY, IPS, IDS, Proxy, AV, NSM, DLP

  21. Detection scenarios (matrix with one column per kill chain phase: Recon, Weaponization, Delivery, Exploitation, Installation, C2, Act on Objectives; each column lists the indicator types relevant to that phase. The per-column assignment is not recoverable from the flattened slide text.)
     Indicator types in the matrix: Behavior; Signature; Code - Binary_Code; File; File - Name; File - Path; File - Full Path; Win Process; Win Registry Key; Win Service; URI - URL; URI - Domain Name; HTTP - GET; HTTP - POST; HTTP - User Agent String; Email Header - Subject; Email Header - X-Mailer; Address - e-mail; Address - ipv4-addr; Address - cidr; Hash - MD5; Hash - SHA1; Hash - SSDEEP

  22. Platform strengths (IPS+): the same indicator-type matrix as slide 21, presented per kill chain phase as the strengths of the IPS platform

  23. Detection visibility gaps (example data; indicator types per kill chain phase that no current platform covers)
     HTTP - User Agent String; File; Email Header - Subject; File - Path; Email Header - X-Mailer; Address - ipv4-addr; URI - URL

  24. Detection gaps per actor (example data; uncovered indicator types per kill chain phase, broken out by threat actor)
     File; Email Header - Subject; Hash - MD5; URI - Domain Name; Address - e-mail; Address - ipv4-addr
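Slides 14-18 describe the structured indicator store (summary fields, actions, tickets, campaigns, relationships, kill chain objects) and slides 21-24 derive the detection matrix and the gap views from it. The following added example (not GE's code and not CRITs' schema) ties the two together: a minimal indicator store carrying those fields, the phase-by-type matrix, the overall visibility gaps against a set of platform coverages, the same gaps broken out per campaign, and the "Actions" check for indicators a platform could detect but that were never deployed. Indicator values, campaign names and platform coverage are constructed sample data.

```python
"""Structured indicator storage plus detection-coverage gap reports.

Added example modelled on the slides' fields (indicator type, kill chain
phase, campaign attribution, actions, tickets, relationships). All
indicator values, campaign names and platform coverage below are
constructed sample data, not GE's intel or CRITs' schema.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

KILL_CHAIN = ("Recon", "Weaponization", "Delivery", "Exploitation",
              "Installation", "C2", "Actions on Objectives")


@dataclass
class Indicator:
    value: str
    ind_type: str                       # e.g. "Hash - MD5", "URI - Domain Name"
    kc_phase: str                       # one of KILL_CHAIN (the "Objects" context)
    campaign: str                       # attribution from the cyber intel team
    actions: List[str] = field(default_factory=list)   # e.g. "deployed:IPS"
    tickets: List[str] = field(default_factory=list)   # IR tickets this indicator came from
    relationships: List[Tuple[str, str]] = field(default_factory=list)  # (relation, other value)


class IndicatorStore:
    def __init__(self) -> None:
        self._by_value: Dict[str, Indicator] = {}

    def add(self, ind: Indicator) -> None:
        if ind.kc_phase not in KILL_CHAIN:
            raise ValueError(f"unknown kill chain phase: {ind.kc_phase}")
        self._by_value[ind.value] = ind

    def relate(self, a: str, relation: str, b: str) -> None:
        """Link two stored indicators in both directions."""
        self._by_value[a].relationships.append((relation, b))
        self._by_value[b].relationships.append((relation, a))

    def all(self) -> List[Indicator]:
        return list(self._by_value.values())

    def by_campaign(self, campaign: str) -> List[Indicator]:
        return [i for i in self.all() if i.campaign == campaign]

    def matrix(self) -> Dict[str, Set[str]]:
        """Kill chain phase -> indicator types present (the 'detection scenarios' view)."""
        m: Dict[str, Set[str]] = defaultdict(set)
        for ind in self.all():
            m[ind.kc_phase].add(ind.ind_type)
        return dict(m)


# Indicator types each detection platform can alert on (constructed).
PLATFORM_COVERAGE: Dict[str, Set[str]] = {
    "IPS": {"Address - ipv4-addr", "URI - Domain Name", "URI - URL", "HTTP - GET"},
    "AV": {"Hash - MD5", "Hash - SHA1", "File - Name"},
    "Proxy": {"URI - URL", "URI - Domain Name"},
}


def visibility_gaps(store: IndicatorStore, coverage: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Phase -> indicator types present in intel that no platform can detect."""
    covered = set().union(*coverage.values())
    return {phase: types - covered for phase, types in store.matrix().items()
            if types - covered}


def gaps_per_actor(store: IndicatorStore, coverage: Dict[str, Set[str]]) -> Dict[str, Dict[str, Set[str]]]:
    """Campaign -> phase -> uncovered indicator types for that actor."""
    covered = set().union(*coverage.values())
    out: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for ind in store.all():
        if ind.ind_type not in covered:
            out[ind.campaign][ind.kc_phase].add(ind.ind_type)
    return {c: dict(p) for c, p in out.items()}


def undeployed(store: IndicatorStore, coverage: Dict[str, Set[str]]) -> List[Indicator]:
    """Indicators a platform could detect but with no 'deployed:' action recorded."""
    covered = set().union(*coverage.values())
    return [i for i in store.all()
            if i.ind_type in covered and not any(a.startswith("deployed:") for a in i.actions)]


def build_sample_store() -> IndicatorStore:
    """Constructed intel for two fictional campaigns (values are not real IOCs)."""
    s = IndicatorStore()
    for ind in (
        Indicator("00112233445566778899aabbccddeeff", "Hash - MD5", "Installation", "Campaign-A",
                  actions=["deployed:AV"], tickets=["IR-1001"]),
        Indicator("update-check.example.net", "URI - Domain Name", "C2", "Campaign-A",
                  actions=["deployed:IPS"], tickets=["IR-1001"]),
        Indicator("Invoice 2014-03", "Email Header - Subject", "Delivery", "Campaign-B",
                  tickets=["IR-1007"]),
        Indicator(r"C:\Users\Public\svchost.exe", "File - Path", "Installation", "Campaign-B"),
        Indicator("Mozilla/4.0 (compatible; MSIE 6.0)", "HTTP - User Agent String", "C2", "Campaign-B"),
        Indicator("192.0.2.10", "Address - ipv4-addr", "C2", "Campaign-B", tickets=["IR-1007"]),
    ):
        s.add(ind)
    s.relate("00112233445566778899aabbccddeeff", "beacons to", "update-check.example.net")
    return s


if __name__ == "__main__":
    store = build_sample_store()
    print("matrix:", store.matrix())
    print("gaps:", visibility_gaps(store, PLATFORM_COVERAGE))
    print("gaps per actor:", gaps_per_actor(store, PLATFORM_COVERAGE))
    print("undeployed:", [i.value for i in undeployed(store, PLATFORM_COVERAGE)])
```

Two points this surfaces that the matrix alone does not: a type can be "covered" in the platform table and still invisible in practice if nobody deployed the indicator (the `undeployed` list is what the Actions field is for), and an actor whose indicators fall only in covered types contributes nothing to the per-actor gap view, which is the signal that the remaining gaps belong to a specific campaign rather than to the program as a whole.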

  25. Contain & Collect

  26. Outpost locations (map: outpost servers at example locations reporting to centralized storage/analysis)

  27. Automated & centralized C&C (here Contain & Collect, not command and control): diagram of the manual and automated collection paths in four numbered steps. Centralized Storage & Analysis reaches the outpost(s) over external SSH, and the outpost reaches the suspect host over internal SSH.

  28. Containment selection (example data)
     • Find host and system type
     • Identify operating system
     • Determine if the host is online or offline
     • Identify if the system is on VPN
