The Cyber OODA Loop: How Your Attacker Should Help You Design Your Defense. Tony Sager The Center for Internet Security



Similar documents
Defending Against Data Beaches: Internal Controls for Cybersecurity

Looking at the SANS 20 Critical Security Controls

5 Steps to Advanced Threat Protection

THE TOP 4 CONTROLS.

Larry Wilson Version 1.0 November, University Cyber-security Program Critical Asset Mapping

Critical Controls for Cyber Security.

Top 20 Critical Security Controls

An Overview of Information Security Frameworks. Presented to TIF September 25, 2013

Honeywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014

SANS Top 20 Critical Controls for Effective Cyber Defense

NERC CIP VERSION 5 COMPLIANCE

Addressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense

What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.

Application White Listing and Privilege Management: Picking Up Where Antivirus Leaves Off

Critical Security Controls

Introduction. Jason Lawrence, MSISA, CISSP, CISA Manager, EY Advanced Security Center Atlanta, Georgia

The Protection Mission a constant endeavor

Cybersecurity Framework Security Policy Mapping Table

Threat Intelligence: The More You Know the Less Damage They Can Do. Charles Kolodgy Research VP, Security Products

Assessing the Effectiveness of a Cybersecurity Program

Defending against Advanced Threats: Addressing the Cyber Kill Chain

By: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

Targeted Intrusion Remediation: Lessons From The Front Lines. Jim Aldridge

Cybersecurity: What CFO s Need to Know

SPEAR PHISHING UNDERSTANDING THE THREAT

White Paper: Consensus Audit Guidelines and Symantec RAS

Agenda , Palo Alto Networks. Confidential and Proprietary.

Cyber Risk Mitigation via Security Monitoring. Enhanced by Managed Services

Defending against modern threats Kruger National Park ICCWS 2015

All Information is derived from Mandiant consulting in a non-classified environment.

High End Information Security Services

Concierge SIEM Reporting Overview

PCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR

EMERGING THREATS & STRATEGIES FOR DEFENSE. Stephen Coty Chief Security

The Future Is SECURITY THAT MAKES A DIFFERENCE. Overview of the 20 Critical Controls. Dr. Eric Cole

Solving the CIO s Cybersecurity Dilemma: 20 Critical Controls for Effective Cyber Defense

Orchestrating Software Defined Networks (SDN) to Disrupt the APT Kill Chain

Leveraging SANS and NIST to Evaluate New Security Tools

Evolution Of Cyber Threats & Defense Approaches

One-Man Shop. How to build a functional security program with limited resources DEF CON 22

External Supplier Control Requirements

BREAKING THE KILL CHAIN AN EARLY WARNING SYSTEM FOR ADVANCED THREAT

IT AUDIT WHO WE ARE. Current Trends and Top Risks of /9/2015. Eric Vyverberg. Randy Armknecht. David Kupinski

GE Oil & Gas. Cyber Security for NERC CIP Versions 5 & 6 Compliance

AppGuard. Defeats Malware

Wasting Money on the Tools? Automating the Most Critical Security Controls. Mason Brown Director, The SANS Institute

Security Information & Event Management (SIEM)

Advanced Threats: The New World Order

Security Management. Keeping the IT Security Administrator Busy

PCI DSS AND THE TOP 20 CRITICAL SECURITY CONTROLS COMPARING SECURITY FRAMEWORKS SERIES

Discussion Draft of the Preliminary Cybersecurity Framework Illustrative Examples

CHAPTER 3 : INCIDENT RESPONSE FIVE KEY RECOMMENDATIONS GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC

BlackRidge Technology Transport Access Control: Overview

Protecting Your Organisation from Targeted Cyber Intrusion

Cyber Security for NERC CIP Version 5 Compliance

Intelligence Driven Security

Risk-based security buyer s guide:

The Role of Security Monitoring & SIEM in Risk Management

ARE YOU REALLY PCI DSS COMPLIANT? Case Studies of PCI DSS Failure! Jeff Foresman, PCI-QSA, CISSP Partner PONDURANCE

Operational Lessons from the RSA/EMC CIRC: People, Process, & Threat Intel

CRR-NIST CSF Crosswalk 1

O N L I N E I N C I D E N T R E S P O N S E C O M M U N I T Y

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

External Supplier Control Requirements

Altius IT Policy Collection Compliance and Standards Matrix

Building a More Secure and Prosperous Texas through Expanded Cybersecurity

Network Security Administrator

idata Improving Defences Against Targeted Attack

Enterprise Cybersecurity: Building an Effective Defense

What is Management Responsible For?

RSA Security Anatomy of an Attack Lessons learned

Facilitated Self-Evaluation v1.0

10 Potential Risk Facing Your IT Department: Multi-layered Security & Network Protection. September 2011

Castles in the Air: Data Protection in the Consumer Age

Cybersecurity and internal audit. August 15, 2014

EEI Business Continuity. Threat Scenario Project (TSP) April 4, EEI Threat Scenario Project

Enterprise Security Platform for Government

Staying Secure After Microsoft Windows Server 2003 Reaches End of Life. Trevor Richmond, Sales Engineer Trend Micro

Digital Evidence and Threat Intelligence

Cyber Security Metrics Dashboards & Analytics

Attachment A. Identification of Risks/Cybersecurity Governance

How To Manage Security On A Networked Computer System

Great Now We Have to Secure an Internet of Things. John Pescatore SANS Director, Emerging Security

PCI Compliance for Cloud Applications

Continuous Network Monitoring

GE Measurement & Control. Cyber Security for NERC CIP Compliance

We are Passionate about Total Security Management Architecture & Infrastructure Optimisation Review

CORE INSIGHT ENTERPRISE: CSO USE CASES FOR ENTERPRISE SECURITY TESTING AND MEASUREMENT

The Critical Security Controls: What s NAC Got to Do with IT?

Speaker Info Tal Be ery

Defence Cyber Protection Partnership Cyber Risks Profile Requirements

ETHICAL HACKING APPLICATIO WIRELESS110 00NETWORK APPLICATION MOBILE MOBILE0001

Enterprise Cybersecurity: Building an Effective Defense

GE Measurement & Control. Cyber Security for NEI 08-09

SECURITY PLATFORM FOR HEALTHCARE PROVIDERS

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

Breach Findings for Large Merchants. 28 January 2015 Glen Jones Cyber Intelligence and Investigation Lester Chan Payment System Security

CYBER SECURITY INFORMATION SHARING & COLLABORATION

Jumpstarting Your Security Awareness Program

Transcription:

The Cyber OODA Loop: How Your Attacker Should Help You Design Your Defense Tony Sager The Center for Internet Security

Classic Risk Equation Risk = { Vulnerability, Threat, Consequence } countermeasures

anti-malware baseline configuration standards SDL audit logs encryption need-to-know governance continuous monitoring threat intelligence user awareness training two-factor authentication security controls DLP supply-chain security certification penetration testing threat feed best practice virtualization risk management framework compliance security bulletins incident response browser isolation maturity model whitelisting The assessment SIEM sandbox

An OODA Loop - Patching OBSERVE Track security bulletins, advisories ACT Rollout, Monitor, Manage breakage ORIENT Assess applicability, operational issues, risk DECIDE Prioritize remediation strategy

Dueling OODAs OBSERVE Track security bulletins, advisories ACT Rollout, Monitor, Manage breakage OBSERVE Bulletins DECIDE ACT Deploy Prioritize remediation strategy DECIDE Weaponized ORIENT Vulnerability ORIENT Assess applicability, operational issues, risk

Threat Intelligence There are many loops Tactical AND Strategic Often connected farther in space, earlier in time The Bad Guy s loop is also an opportunity OBSERVE A O O ACT OBSERVE ACT OBSERVE ORIENT D ACT ORIENT ORIENT DECIDE O DECIDE DECIDE A O D

Attack & Defend Reconnaissance & Build What is critical? How is it protected? Who has access? Delivery Detect Action & Objectives Exploit Deceive Deny C2 Installation Degrade Disrupt

Samples of Attack Models What do Attackers do, When? Where are the opportunities to see, stop, etc.? What things should I put in place, Where, to help me the most effectively?

Sample 1: based on LM Kill Chain A notional use of the Lockheed Kill Chain: mapping Controls to the Kill Chain; then mapping specific tool choices to the Kill Chain Recon & Prep Delivery Exploitation C2 internal Recon Lateral Movement Persistence Stage & Action CONTROLS IDS/IPS Firewall Akamai Logs Proxy AV Mail Gateway Patching DEP Standard Config EMET Sinkhole Firewall Standard Config AD Wrong Path Patching Proxy DLP OCC Exchange PRODUCTS Netwitness Splunk FireEye MIR MIR Netwitness Vontu

Sample 2: based on Mandiant APT1 and JP 3-13 A notional use of the Mandiant APT1 model; mapping Controls to the Adversary model; then mapping specific tool choices SOURCE: http://www.appliednsm.com/making-mandiant-apt1-report-actionable/ from JP 3-13 Recon Delivery Exploitation Installation C2 Actions or Objectives DETECT NIDS NIDS NIDS HIDS HIDS Router Logs HIDS HIDS Application Logs NIDS Web Logs Vigilant User AV AV AV AV DENY Firewall ACL Mail Filter HIPS App Whitelisting Egress Filter Egress Filter Web Filter AV Block Execution Firewall ACL Firewall ACL from Joint Pub JP 3-13, 2006 Hardened Systems Sinkhole NW Segmentation DISRUPT Active Defenses Web Filter HIPS AV DEP NW Segmentation Mail Filter AV HIPS Sinkhole DEP Hardened Systems HIPS DEGRADE Honeypot Sinkhole Restrict User Accounts Combo of Deny/Disrupt Sinkhole Redirect Loops Combo of Deny/Disrupt Active Defenses NW Segmentation DECEIVE Honeypot Honeypot Honeypot Honeypot Honeypot Honeypot Redirect Loops ` Sinkhole Active Defenses (DESTROY) N/A N/A N/A N/A N/A N/A

Sample 3: MITRE ATT&CK Model (no controls) ATT&CK Matrix The MITRE ATT&CK Matrix is a overview of the tactics and techniques described in the ATT&CK model. It visually aligns individual techniques under the tactics in which they can be applied. Some techniques span across more than one tactic because they can be used for different purposes. SOURCE: https://attack.mitre.org/wiki/main_page TACTICS -> TECHNIQUES V

Sample 4: NIST CSF, LM Kill Chain, CSCs SOURCE: Center for Internet Security; mapping the Critical Security Controls (V5.1) to/from the NIST Cybersecurity Framework (V1.0) against an Attack Profile NIST Cybersecurity Framework (V1.0) CSC Recon & Prep Delivery Exploitation C2 internal Recon Lateral Movement Persistence Stage & Action Functions Categories Control # 20 Critical Security Controls (V5.1) Asset Management (AM) 1,2 X X X CSC 1: Inventory of Authorized and Unauthorized Devices Business Environment (BE) CSC 2: Inventory of Authorized and Unauthorized Software Identify Governance (GV) Risk Assessment (RA) Risk Management Strategy (RM) 4 X X X X X X X CSC 3: Secure Configuration of End user devices CSC 4: Continuous Vulnerability Assessment and Remediation CSC 5: Malware Defense Access Control (AC) Awareness and Training (AT) 7, 12, 15, 16 Protect Data Security (DS) Information Protection Processes and 17 Procedures (IP) 3, 6, 10, 11, 19 Detect Maintenance (MA) Protective Technology (PT) Anomalies and Events (AE) Security Continuous Monitoring (CM) Detection Processes (DP) Response Planning (RP) Communications (CO) 9 5 14, 18 4, 5, 16 13 18 X X X CSC 6: Application Software Security X X CSC 7: Wireless Access Control X X X X CSC 8: Data Recovery Capability X X X X X X X X X X X X X X X X CSC 9: Security Skills Assessment and Appropriate Training CSC 10: Secure Configuration of Network Devices CSC 11: Limitation and Control of Network Ports, Protocols, and Service CSC 12: Controlled Use of Administrative Privileges X X X X X X X X CSC 13: Boundary Defense X X X CSC 14: Maintenance, Monitoring, and Analysis of Audit Logs X X X CSC 15: Controlled Access Based on Need to Know CSC 16: Account Monitoring and Control Respond Analysis (AN) Mitigation (MI) Improvements (IM) Recovery Planning (RP) Recover Improvements (IM) Communications (CO) 14 4 20 8 20 X X CSC 17: Data Protection X X X X CSC 18: Incident Response and Management X X X CSC 19: Secure Network Engineering X X X X CSC 20: Penetration Tests and Red Team Exercises X X X X X X X X

Cybersecurity Plumbing 13

Critical Security Controls

Contact Website: www.cisecurity.org Email: contact@cisecurity.org Twitter: @CISecurity Facebook: Center for Internet Security LinkedIn: The Center for Internet Security ; Critical Security Controls Addresses: Mid-Atlantic Headquarters 1700 N. Moore Street, Suite 2100 Arlington, VA 22209 Northeast Headquarters 31 Tech Valley Drive, Suite 2 East Greenbush, NY 12061

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information