ADVANCED KILL CHAIN DISRUPTION. Enabling deception networks

Transcription

1 ADVANCED KILL CHAIN DISRUPTION Enabling deception networks

2 Enabling Deception Networks Agenda Introduction Overview of Active Defense Process Orchestration in Active Defense Introducing Deception Networks Software-defined Networking as an enabler Taking Action on Insights Getting Started 2

3 Active Defense Taking action quickly Orchestrating infrastructure changes to automate well-defined and understood processes to mitigate Applying capabilities to contain and understand threats Applying analytics to identify key insights from threat activity In cyber we think of [The OODA loop] as Sensing, Sense-making, Decision-making (with a dial-able level of automated decisionmaking), and Acting To do that you've got to automate manual processes. It's a policy-friendly approach that can, through automation and machine learning, give enterprises a way of staying inside an adversary's OODA loop. Source: CyberWire Interview Philip Quade, COO of Information Assurance National Security Agency 3

4 Attaining an Agile Security Posture Resilient Turtle: Strong security hygiene, and able to absorb attacks often, but with no ability to keep from getting hit they ll eventually be breached Cuttlefish: Strong security hygiene, with capabilities to have a more agile/adaptive attack surface internally, does not counter-attack threats but will actively disrupt threats inside the organization Leopard: Strong security hygiene, able to dodge or absorb attacks as needed, willing to counter-attack threats if enabled to under policy or law Rhino: Strong security hygiene and able to absorb attacks, willing to counterattack threats aggressively regardless of the legality of the actions Submissive External Orientation Goldfish: Minimal or no security hygiene, often abused by attackers as a proxy host in attacking stronger targets as to avoid attribution Internal Orientation Chihuahua: Minimal security hygiene, often will counterattack threats aggressively regardless of legality or ability to withstand retribution Aggressive Fragile 4

5 Evolving Active Defense Building blocks towards agility in security Orchestrating Incident Response and Threat Management Incorporating Advanced Active Defense capabilities like Deception Networks Integrating security into an Intelligent Infrastructure and leveraging Software-defined Networking Intelligent Security Leveraging an agile and adaptive infrastructure to change the game in security. Evolving the Core Tackling challenges in Incident Response and Threat Management with new and evolving capabilities Getting Started Improving Incident Response and Threat Management by automating high value processes and workflows Beyond Security Software Defined Infrastructure Enterprise Resiliency Engaging the Adversary Deceptive Networks Decoy Resources Anti-Reconnaissance Resource Shifting Strengthen the Core Response Orchestration Course of Action Automation Asset Identification 5

6 Orchestrating an Agile Organization Automating Processes Identifying processes that benefit from automation Instrumenting human incident response and threat management workflows Defining courses of action to automate in the infrastructure Coordinating between automated actions and human workflows for approval Reference Architecture for Infrastructure Orchestration 6

7 Orchestration Use Case Phishing Attacks Technology Overlay monitoring tool picks up a URL in an Threat Protection Malicious URL Web Proxy Orchestration receives the URL and sends it to a Threat Protection service to verify if it s malicious or benign Threat Protection service reports back it is malicious Orchestration updates web proxy to block the domain/ip used by the Orchestration generates a workflow request to remove the malicious from the recipients mailbox Detection of potential threat activity 1) monitoring tool detects a URL in an Threat Protection 2) Orchestration receives URL and forwards to Threat Protection Security Orchestration Infrastructure Orchestration Incident Response Runbook Infrastructure Orchestration 3) Threat Protection reports back whether URL is malicious or benign Benign URL End of Process Malicious URL 4) Orchestrator updates Proxy to block domain/ip Runbook 5) Orchestrator generates workflow request to remove malicious from inbox 7

8 Threat Management with Active Defense Threat Intelligence Service Internal Intelligence Global Insights SIEM & Advanced Analytics Responses Targets to Monitor Active Defense Commercial Feeds Information Technology Operational Technology Physical Controls Security Orchestration Peer Exchange Government Feeds Threat Indicators Actionable Insights Infrastructure Orchestration Threat Intelligence Service SIEM & Advanced Analytics Active Defense This service ingests from as well as shares with external and internal threat intelligence. It identifies the key indicators and observables within those intelligence feeds. It helps users contextualize and better understand events in their environment. It pushes awareness out to monitoring and response capabilities. Supported by SIEM, Analytics, and Visualization capabilities, the solution ingests IT, OT, and Physical data sources, and provides monitoring of patterns and anomalies indicative of threat activity within an organization, as informed by Threat Intelligence Supported by Security and Infrastructure Orchestration capabilities, the solution takes insights and findings from Threat Intelligence, SIEM, and Analytics, and provides automated or semiautomated infrastructure changes and service management ticketing to mitigate the impact of identified threats. 8

9 Introducing Deception Networks Enable an organization to protect against threats by automating and orchestrating the process of understanding and mitigating threat activity Understanding Threats Mitigating Threats Use Honeypots, decoys, and deep packet inspection to target investigation of threat activity Operationalize the understanding gained to proactively mitigate threats elsewhere in the organization 9

10 Deception Networks Apply network agility, deep packet inspection, and honeypots to track threat activity Apply analytics to identify high value indicators of compromise Normalize and Contextualize internal threat intelligence, with external feeds Apply mitigations automatically using infrastructure orchestration, and existing monitoring and preventive security capabilities 10

11 Software-defined Networking in Deception Networks Software-defined Networking provides an opportunity for security to engage the adversary Passive Engagement Active Engagement Enable efficient re-use of Honeypots Deploy targeted Deep Packet Inspection Spoof network topology Generate White Noise Manipulate Data Prevent Network Intrusion Deploy IP Blackholes Contain Breaches 11

12 Threat Indicator Analytics Understanding the noise Drivers Need to generate threat intelligence Harvest indicators of compromise generated internally Understand high value indicators to address Apply indicators to the infrastructure for mitigation Threat Indicator Analytics Solution Benefits A data analytics application to address identifying key insights in threat activity Aggregates threat activity generated internally Applies analytics to understand high value insights to operationalize Leverages big data analytics platform and data visualization tools Continuous Improvement in Threat Management Operationalize indicators of compromise to prevent spread of the threat internally Improve profiling of threat actors and motivations against the organization Enable an organization to participate in threat exchanges amongst peers 12

13 Operationalizing the Insights Taking action Apply Infrastructure Orchestration to push indicators of compromise To endpoint systems for increased inspection and blocking To SIEM and Network Analytics for increased monitoring Use Software-defined Networking capabilities to block or re-direct network based observables Share insights with peer organizations through Threat exchanges Integrate insights into Security Orchestration workflows 13

14 Getting Started The Building Blocks Get a handle on your Threat Intelligence Utilize Analytics to get actionable intelligence Understand how to generate internal threat intelligence Orchestrate incident response and threat management run-books Establish well defined processes Instrument the run-books for consistent human workflows Automate processes to address security challenges Explore Network Virtualization Test environments for Softwaredefined Networking Options to virtualize at a datacenter level Re-introduce honeypots to security Not just external facing systems How to mimic production environments likely to be targeted 14

15 THANK YOU

16 Detailed View Internet Redirecting malicious traffic or known hostile IP SDN Switch SDN Switch SDN Switch SDN Controller Threat Intelligence Sharing (TIS) Threat Data Honeypot Sandboxed Threat Indicator Analytics New Observables Agent Sandboxed In-Production Format Threat Intelligence Infrastructure Orchestrator Policy Enforcement SIEM IDS/IPS Endpoint Protection 16

17 Technology Overlay Internet Redirecting malicious traffic or known hostile IP SDN Switch SDN Switch SDN NFV VMware NSX SDN Switch Threat Intelligence Sharing (TIS) Sandboxed Sentinel Production Threat Data New Observables Threat Indicator Analytics Haven App Agent Sentinel Threat Intelligence Security Orchestrator Copyright 2013 Accenture All rights reserved. SIEM RSA Archer Policy Enforcement TippingPoint Sentinel 17