MRO Security Advisory Council (SAC) Webinar One Companys Path to - PowerPoint PPT Presentation

MRO Security Advisory Council (SAC) Webinar “One Company’s Path to Establishing Threat Intelligence and Hunting” Jamie Buening, Manager, Threat Intelligence and Hunting, MISO August 21, 2019

MRO SAC Update Technical Training and Social Networking Event – September 24, 2019 Security Conference – September 25, 2019 Regional Security Risk Assessment (In place of the SAC Qtr 3 meeting) – September 26, 2019 MRO SAC Qtr 4 Meeting – November 6, 2019

MISO’s Path to Threat Intelligence and Hunting August 21,2019 1

Topics Evolution of the Threat Landscape • Recognition of need • Organizational Changes • Threat Hunting • Tools and Processes • Alternative Paths • Resources We Used • 2

Quick Intro

About Me Jamie Buening Purdue University • Telecommunications & Networking • ExxonMobil – 7 years • UNIX Admin / Network Security • MISO – 12 years • Network Analyst / Compliance / InformationSecurity • 4

Midcontinent Independent System Operator • Membership • 51 Transmission Owners • 135 Non-transmission Owners • Network Model • 293,832 SCADA data points • 6,624 generating units • Manages one of theworld’s largest energy markets • $29.9 billion (2018) 5

Evaluation of the Threat Landscape

MISO’s Cyber RelatedRisks ThreatActors NationState CyberCriminal Insiders Activists / Enterprise Extremists 7

What are we up against? Business & technology outpace security • New malware found every day • Passive defenses will fail against • determined adversaries Breaches continue to occur • 8

Result Advanced attackers hide their tracks • Signature based technologylimited • FALSE POSITIVE Must hunt for anomalies andIOCs • Using external and internal threat intelligence • 9

Organizational Changes

Original Cyber Security Organization CISO Cyber Security 11

New Cyber Security Organization CISO Cyber Threat Information Physical Security Intelligence SecurityRisk Security Operations andHunting 12

Continued Evolution Changing culture to consider more teams aspart of security AccessManagement IT Operations • • Assurance & Process Device Management • • Security Controls& Change & • • Engagement Configuration 13

Threat Intelligence andHunting Candidates Hiring to fill positions Particle Physics PhD Manager • • Others 1 st full timeanalyst • • 2 analysts transitioned • 4 th full timeanalyst • 14

Threat Intelligence andHunting Generallyfocus Team Capabilities • • time in 1/3’s Threat Hunting • Intelligence Learning • • Hunting IR (CIP-008) • • Forensics Projects • • 15

Threat Hunting

But what is ThreatHunting Needed to define • Ambiguous • Big Data? • Lots of documentation • Hard to find examples of application • 17

Sliding Scale of CyberSecurity RobertM. Lee, “The Sliding Scale of CyberSecurity,” SANS InstituteInformationSecurity ReadingRoom, Aug. 2015, 18 https://www.sans.org/reading-room/whitepapers/ActiveDefense/sliding-scale-cyber-security-36240

Hunting MaturityModel HMM0 HMM1 HMM2 HMM3 HMM4 Initial Minimal Procedural Innovative Leading • Automated • IOC • Follow • Create • Automate searches procedures procedures procedures alerting • Moderateor • High orvery • High orvery • High orvery • Little or no high data high data high data high data data David Bianco, “A Simple Hunting Maturity Model,”EnterpriseDetection & Responseblog,Oct. 15, 2015, 19 http://detect-respond.blogspot.com/2015/10/a-simple-hunting-maturity-model.html

Threat Hunting In General Human drivenactivity • Part of detection • Hypothesis based and otherstyles • Statistical methods • Consequence driven • Intelligence driven • 20

How MISO Defines Threat Hunting Today

Traditional Information Security Network segmentation Firewalls • • Patching Anti-malware • • Reducing attack surface IPS/IDS • • 22

Threat Hunting Analyst driven • Applying knowledge • Proactive • Iterative • “Assume you are already compromised.” 23

Comparison TraditionalSecurity House Security Technology Fence, windows, doors Firewalls, IAM Motion detectors IDS Threat Hunting House Method Routine searches Statistical Analysis Safe pried open? Consequence driven hunt 24

Threat Hunting Know MISO Know Adversaries Hunt 25

Threat Hunting – KnowMISO Understand and know our environment in the same wayour adversaries will attempt todo. Operatingenvironment • Business • 26

Threat Hunting – KnowAdversaries ALLANITE What: Informationgathering to prepare disruptive capabilities How:Phishingand wateringholes Who:DHSassociateswithRussia COVELLITE What: Gathers intellectualproperty and industrial operations intelligence How: Targeted phishing Who:DHSassociateswithNorthKorea ELECTRUM What: Disruptoperations How:Commonexploitationbehaviors(no 0-days) Who:DHSassociateswithRussia RASPITE What: Information gatheringand remote access How: Strategic websitecompromise Who:Symantec associateswithIran Adversary Reports,https://dragos.com/adversaries/ 27

Threat Hunting – ProactivelySearch Threat huntingmethodology Hypothesis: Proactive anditerative • ALLANITE has gained access to MISO’s Hypothesisbased network and is gathering informationon • Control Roomoperations. Human analystusing Automation • Tests: Machineassistance • Can we find evidence of aphishing • campaign to stealcredentials? Have there been anomalous VPN • connections into MISO’snetwork? Is there activity showing collectionof • Control Room consolescreenshots? 28

Tools and Processes

Threat Intelligence Platform Evaluated vendors • Implemented and integrated • Ingestion of data feeds • Manual indicator submission • Research • TTPs / Threat Actors / Campaigns • 30

SSL Inspection Solution to improve visibility • Enables root cause identification • Previously unavailable data • Prevented a conclusive hunt outcome • Allows other tools to inspectpreviously • unavailable data 31

Other Tools SIEM • Kansa Framework • DFIR Tools • R and Python Pandas • 32

Team Interactions New processes needed betweenteams • Event escalation • Risk tracking • Shared processes • 33

Alternative Paths

Other Options Different team capabilities • Red Team and Hunting • No dedicated team • Set asidetime • Perform team hunts • Vendor engagement • Encourage other teams to hunt • Don’t limit hunting to specificpeople • 35

Resources We Used *Not an endorsement!

Papers/Models HMM • Active Defense • SANS ReadingRoom • MITRE ATT&CK • https://www.sans.org/reading-room/whitepapers/threathunting 37

Books Data-Driven Security • R for Data Science • Network Security Through Data Analysis • Industrial Network Security • Applied Cyber Security and the SmartGrid • 38

Conferences and Activities SANS ICS Summit and others • CS3STHLM ICS SecuritySummit • Black Hat USA • Working Groups • MRO SAC Weekly Threat Calls • *S4xEvents ICS Security Event • 39

Training SANS Courses, ICS / DFIR /CTI • Black Hat Courses • ICS SCADA Honeypot TechnicalTraining • Applied NetworkDefense • Determine acommon Investigation Theory • base set oftraining. Get people onthe Practical Threat Hunting • samepage. ELK for Security Analysis • 40

Conclusion

Threat Intelligence andHunting A lot about Threat Hunting • Intelligence is integral • Know MISO • Know Adversaries • Explore to determine yourpath • Find value through identifying risksand • optimizations for systems 42

Thank You MISO Threat Hunting Training at the MRO Security Conference