SOC: Use cases and are we asking the right questions?
Download as PPTX, PDF1 like690 views
The document discusses the use of use cases to define the goals and metrics for a security operations center (SOC) program. It suggests developing use cases around monitoring specific threat vectors like the perimeter, infrastructure, and privileged accounts. Use cases should also align the SOC's capabilities with the threats the organization cares most about, such as script kiddies, insider threats, or nation-state actors. Properly defining use cases allows an organization to justify SOC expenditures and determine if it is achieving success.
![Create a regedit key: (Persistence)
• HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersion
Run]](https://image.slidesharecdn.com/soc-areweaskingtherightquestions-171214070831/85/SOC-Use-cases-and-are-we-asking-the-right-questions-41-320.jpg)
SOC: Use cases and are we asking the right questions?
- 1. SOC: Use cases and are we asking the right questions? By Jonathan Sinclair
- 3. History lesson • A sunny day in Luzern, presenting on virtual machines at Hashdays (now Area41)
- 4. Reconnected with Arron ‘Finux’ Finnon talking about IDS/IPS testing, 2012
- 5. A few questions raised • Why do we test IDS/IPS • What’s a good and bad test • What’s easy to test and what isn’t
- 6. In the Beginning there were security conferences • Here’s why everything you thought worked, doesn’t and here’s how to hack it ….. Job done, another conference in the bag. Goodbye!
- 7. Scenario: Returning to the office
- 8. C-level: “So how did the conference go”
- 9. Me: “Very well thank you, it was a lot of fun, I met a lot of interesting people and really managed to connect with the leading IT security professionals”
- 10. C-level: “Excellent, so what did you learn”
- 11. Me: “Everything we have is broken: - Windows security is a mess, - Shim’s expose everything, - Linux is unmanageable in the Enterprise, - Apple devices actually have vulnerabilities, - NSA already owns us, - Data exfiltration is impossible to protect against, - Anti-virus can be circumvented with a 2 byte modification, - IoT is the new DDoS vector, which we couldn’t protect against anyway and now the problem has been exponentially compounded and our new strategic office in country XX is already infiltrated by under-cover government moles who are stealing our secrets over our flat network”
- 13. C-level: “So it seems I should pull your funding as nothing we seem to be doing is actually making us anymore secure?”
- 14. Me: “Well, maybe, but before you do, I did hear about this SOC thing, so instead of us being about protection, we should focus on detection. Let’s us go from proactive to reactive. We’re going to be breached anyway, the perimeter no longer exists, so let’s work on detecting the breach”
- 15. C-level: “Hmm… not sure if makes sense”
- 16. Me: “Do you want to explain to the share holders and the media why we didn’t have a response prepared for when the next leaked breach hits the headlines? Haven’t you seen how Deloitte, Uber, Talk Talk have been effected?”
- 17. C-level: “Interesting. What financial costs are we looking at here?”
- 18. Me: “Oh, say around $10 million for a 24/7, follow the sun operation, spanning multiple locations, rotating teams and 6 month log retention repository”
- 19. C-level: “Seems a lot”
- 20. Me: “Compared to what? The project will safeguard the companies reputation, monitor critical assets, track malicious actor lateral movement, secure your job and ensure world peace”
- 21. C-level: “And this SOC thing will do all these things?”
- 22. Me: “Of course, all the IT security people are raving about it. Not only this, it puts us at the forefront of cool cutting edge technology: machine learning, data lakes, big data analytics, threat hunting, etc.”
- 24. C-level: “Sounds great, I’ll email the CFO tomorrow and get the programme initiated with top level sponsorship.”
- 25. SOC Program: Plan, Build, Implement • Buy more monitors, get more people, consume all logs, exponentially expand network and storage pipe (or build out cloud instances), become NASA.
- 27. So what does success look like? Really!
- 28. Oh wait… no.. sorry… where is my bag of Use cases?
- 29. The principle • Define Use Cases as a mechanism to justify expenditure, success and scope. • “Focus on aligning SOC deliverables with business objectives by developing tightly defined goals and metrics that the SOC needs to deliver against.” -- Gartner • References: Gartner • https://www.gartner.com/newsroom/id/3815169 • https://www.gartner.com/webinar/3435517
- 30. The principle • Supplementary: • Events that can be processed • Trained Staff, SOC management, adequate budget, good processes, integration into incident response: • “If your organization can’t commit to these five factors, do not build an internal SOC – it will fail, will waste money and time and create false sense of security” • https://www.rsaconference.com/writable/presentations/file_upload/tech-203.pdf • SANS overview: • https://www.sans.org/reading-room/whitepapers/analyst/building-world- class-security-operations-center-roadmap-35907
- 31. Google search: “SOC success criteria”
- 32. Use Cases • Monitor the following: • Perimeter: • Web proxies, Malicious, C2 communication, unauthorised access, suspicious activity, lateral movement • Infrastructure • Privilege Account’s • DNS • Malware outbreak • Circumvention of AD
- 33. Data retention
- 34. Detection period • Ponemon research: 2015 – 256 days (~8 months) 2016 – 201 days (~6.5 months) 2017 – 191 days (~6.2 months) References: • https://nhlearningsolutions.com/Portals/0/Documents/2015-Cost-of-Data-Breach-Study.PDF • http://info.resilientsystems.com/hubfs/IBM_Resilient_Branded_Content/White_Papers/2017_Global_CODB_Report_Final.pdf
- 35. Asking the right questions: Map threats to capabilities • What threats is the SOC capable of identifying • Firewall logs = DDoS attacks, Firewalking, etc. • Windows logs = lateral movement, privilege escalation, in-memory malware injection, etc. • Email server logs = Phishing, spam etc.
- 36. Asking the right questions: Who do you really care about? • Which threat actors are we concerned about identifying?
- 37. Asking the right questions: Approach • Time to detection: technological capability vs. threat actor • Script kiddie, Insider threat, Hacktivist, Nation State, Cyber (obtuse) • Reconnaissance, Persistence, Exploitation, Action, Retreat (tool/method applicability)
- 38. SOC, so what? • Security monitoring of course matters! • But cost/benefit analysis shouldn’t be ignored. We’re in business after all.
- 39. Go back to your office and test your SOC
- 40. Install Nmap and start the sweep: (Reconnaissance)
- 41. Create a regedit key: (Persistence) • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersion Run]
- 42. Install Mimikatz and run: (Exploitation) Hint: - https://github.com/danielbohannon/Invoke-Obfuscation - https://github.com/peewpw/Invoke-WCMDump/blob/master/Invoke-WCMDump.ps1
- 43. Install VM -> Linux -> Metasploit -> Run: (Exploitation)
- 44. Install VM -> Windows -> Wannacry (Action):
- 45. Data exfiltration (oopps!): (Retreat) • “Exfiltration's using polymorphic blending techniques: Analysis and countermeasures” -- Matteo Casenove. Undetectable data extraction!
- 46. Ok then, seriously: Copy confidential data to cloud: (Retreat) • IoC’s, C&C signatures etc…..