Document identifier
File name: acs_gyorgy_automatizalas.jpg
Thumbnail: https://dka.oszk.hu/124900/124967/acs_gyorgy_automatizalas_kiskep.jpg
Main title: Automatizálás a fenyegetések vadászatában (Automation in threat hunting)
Uniform title: Automatizálás a fenyegetések vadászatában (Automation in threat hunting)
Role: creator
Family name: Ács
Given name: György
Name to be inverted: N
Event: recorded; Date: 2021-11-09
Event: available; Date: 2021-04-08
Note on date: Date of the presentation.
Type: presentation
Type: lecture
Designation: Presentation
Designation: Library science - presentation
Designation: Networkshop 2021
Designation: Videotorium
Rights holder: Ács György
Copyright notes: Copyrighted
Subject area: Computing, networks
Sub-area: Security
Subject area: Mechanical engineering, automation
Sub-area: Automation, robots
Subject term: automation (qualifier: subject term/keyword)
Subject term: informatics (qualifier: subject term/keyword)
Subject term: data security (qualifier: subject term/keyword)
Subject term: threat (qualifier: subject term/keyword)
Subject term: information (qualifier: subject term/keyword)
Subject term: 2021 (qualifier: period)
Caption: Automatizálás a fenyegetések vadászatában (Automation in threat hunting)
Raw or OCR text:
Automatizálás a fenyegetések vadászatában (Automation in threat hunting)
Ács György
Technical Solution Architect
8 April 2021
Topics
Threat Hunting
Introduction
Cisco SecureX
Threat Hunting Orchestration and Automation
Threat Hunting Introduction
Pyramid of Pain
TTP: tactics, techniques and procedures
True
cross-domain security
Cisco Alignment to Pyramid of Pain
Cisco Alignment to Pyramid of Pain - TTPs
Detection (TTPs)
Prevention (TTPs)
Threat Complexity
Compensating capabilities will depend on the exploit, the attack surface, where, when and how the attack is generated, and the possible observables.
Mitigation Complexity
M1035
Prevent access to file shares, remote access to system, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.
Cisco ATT&CK Whitepaper
Firewall ISE VPN Tetration
Techniques Mitigated
T1546.008 Event Triggered Execution: Accessibility Features
T1133 External Remote Services
T1200 Hardware Additions
T1557 Man-in-the-Middle
T1563.002 Remote Service Session Hijacking: RDP Hijacking
T1021.001 Use remote desktop gateways
T1021.002 Remote Services: SMB/Windows Admin Shares
ATT&CK Mitigations
M1042 Disable or Remove Feature or Program
M1037 Filter Network Traffic
M1035 Limit Access to Resources Over Network
M1031 Network Intrusion Prevention
M1030 Network Segmentation
Additional Capabilities
May be Needed!!!
Product Mapping To Mitigations - Just a start
https://www.cisco.com/c/dam/en/us/products/collateral/security/mitre-att-ck-wp.pdf
Cisco
SecureX
Introducing SecureX
A cloud-native, built-in platform experience within our portfolio
Cisco Secure
Cloud Applications
Network Endpoint
Your Infrastructure
Identity SIEM/SOAR
How true simplicity is experienced
1. IOC / alert
2. Investigate incidents in multiple consoles
3. Remediate by coordinating multiple teams
AFTER:
SecureX threat response is integrated across your security infrastructure
In one view:
Query intel and telemetry from multiple integrated products
Quickly visualize the threat impact in your environment
Remediate directly from one UI
SecureX Components
Single Sign on for unified experience and simplified authentication
Threat response for fast investigation and remediation
Customizable dashboard to track detailed and important metrics
Ribbon feature to share context between all teams and work across Cisco Security Solutions
Orchestration to reduce manual tasks
Secops Tools
SOAR (Security Orchestration Automation and Response)
Playbooks
SecureX
SaaS
Included
SIEM
Security event management
XDR
Network/Endpoint Detection Response
Threat Hunting Orchestration and Automation
Intro to SecureX Orchestration
Process automation made simple with a no/low-code drag-drop interface
Investigate
Reduce research and response times with workflows and playbooks that execute at machine speed
Automate
Eliminate repetitive tasks and reduce MTTR to increase productivity and focus on mission-critical projects
Integrate
Unique turnkey approach to quickly integrate with other systems and solutions to expand your toolbox
Scale
Automation that scales infinitely and never takes a day off, delivering the same SLA around the clock
Change how teams interact with products to solve problems
BEFORE:
No use cases beyond SecOps, and little collaboration with ITOps and NetOps
AFTER:
UNLOCK NEW USE CASES
Threat hunting
Phishing investigation
Vulnerability management
Offload Office 365 traffic
Optimize VPN capacity
Build your own workflow
SecOps ITOps NetOps
See alerts
Observe infrastructure
Learn risks/lessons
Respond at scale
Optimize performance
Improve processes
Threat hunting before SecureX
Customers receive an email notification of blog updates.
Using the threat response browser extension, SOC personnel are conducting investigations to extract observables associated with Talos intelligence blogs.
With SecureX
A playbook runs periodically to query the RSS feed for Talos intelligence blogs. Threat response casebooks are created with any observables. If a target is found based on a blog entry, the SOC is notified in a Webex Teams room.
Built in workflows
Move Computer to AMP Triage Group
Submit URL to Threat Grid
Take Orbital Forensic Snapshot
Take Forensic Snapshot and Isolate
AMP Host Isolation with Tier 2 Approval
Phishing Investigation Workflow
Receive Email
Process Attachment(s)
Inspect headers and body for observables (email addresses, domains, files, etc.)
Check Observables Dispositions (malicious, suspicious, unknown, clean)
Analyze unknown Observables (if supported, e.g. files / URLs)
Make verdict based on all dispositions
- If malicious, alert the user and the SOC and create a SecureX incident
- If suspicious or unknown, alert the SOC to continue the investigation
SolarWinds Investigation Workflow
Fetch Talos SolarWinds blog and inspect for Observables
Check Observables Dispositions (malicious, suspicious, unknown, clean)
Look for Local Sightings of Observables (skip "Clean")
If found:
- create a Threat Response incident and casebook
- create a ServiceNow incident
- send messages via Webex Teams, Slack, and email
- Block files and domains (via AMP and/or Umbrella, with user approval via Duo)
- Take Orbital forensic snapshot and isolate host (via AMP, aka Cisco Secure Endpoint)
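The two playbooks above share one skeleton: extract observables from an input (an email, or a blog post), look up each observable's disposition, decide a verdict, check for local sightings, and then choose response actions. The script below is an added example that is not part of the presentation and does not use the SecureX, Threat Response, AMP or Orbital APIs; the disposition table, the local-sightings table, the internal-domain allowlist and the sample email are all constructed stand-ins for the enrichment and telemetry steps the workflows perform, and the action names are labels only.

```python
import re
from urllib.parse import urlparse

# Constructed stand-in for a threat-intelligence disposition lookup
# (the "Check Observables Dispositions" step). Values are not real IoCs.
DISPOSITIONS = {
    "evil-update.example": "malicious",
    "login-helper.example": "suspicious",
    "cdn.example.net": "clean",
    "a" * 64: "malicious",          # constructed SHA-256 of a sample attachment
}

# Constructed local telemetry (the "Look for Local Sightings" step):
# host name -> observables seen on that host.
LOCAL_SIGHTINGS = {
    "wkstn-17": {"evil-update.example"},
    "srv-db-02": {"cdn.example.net"},
}

# Hypothetical allowlist of our own domains so the recipient address is not treated as an IoC.
INTERNAL_DOMAINS = {"corp.example"}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
URL_RE = re.compile(r"https?://[^\s<>\"']+")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
SHA256_RE = re.compile(r"\b[a-f0-9]{64}\b", re.I)

# Constructed sample input: a phishing-style email (headers and body).
SAMPLE_EMAIL = f"""From: billing@login-helper.example
To: alice@corp.example
Subject: Update required

Please install the update from https://evil-update.example/update.exe
Attachment hash: {'a' * 64}
Logo: https://cdn.example.net/logo.png
"""


def _is_internal(domain):
    return any(domain == d or domain.endswith("." + d) for d in INTERNAL_DOMAINS)


def extract_observables(text):
    """Return email addresses, URLs, domains and SHA-256 hashes found in the text."""
    urls = set(URL_RE.findall(text))
    emails = set(EMAIL_RE.findall(text))
    # Remove URLs before the domain scan so file names in paths (update.exe) are not read as domains;
    # URL host names are added back explicitly.
    stripped = URL_RE.sub(" ", text)
    domains = set(DOMAIN_RE.findall(stripped))
    domains |= {urlparse(u).hostname for u in urls if urlparse(u).hostname}
    hashes = {h.lower() for h in SHA256_RE.findall(text)}
    return {
        "email": sorted(e for e in emails if not _is_internal(e.split("@", 1)[1])),
        "url": sorted(urls),
        "domain": sorted(d for d in domains if not _is_internal(d)),
        "sha256": sorted(hashes),
    }


def check_dispositions(observables):
    """Map every observable to a disposition; anything the intel source does not know is 'unknown'."""
    return {o: DISPOSITIONS.get(o, "unknown") for group in observables.values() for o in group}


def verdict(dispositions):
    """Worst disposition wins: malicious > suspicious > unknown > clean."""
    for level in ("malicious", "suspicious", "unknown"):
        if level in dispositions.values():
            return level
    return "clean"


def local_sightings(dispositions):
    """Hosts on which a non-clean observable was seen ('Clean' observables are skipped)."""
    hits = {}
    for host, seen in LOCAL_SIGHTINGS.items():
        found = {o for o in seen if dispositions.get(o, "clean") != "clean"}
        if found:
            hits[host] = found
    return hits


def plan_actions(result, sightings):
    """Response actions following the decision rules of the two workflows (labels only)."""
    actions = []
    if result == "malicious":
        actions += ["notify_user", "notify_soc", "create_securex_incident"]
    elif result in ("suspicious", "unknown"):
        actions += ["notify_soc"]
    for host in sorted(sightings):
        actions.append(f"snapshot_and_isolate:{host}")
    if sightings:
        actions += ["create_servicenow_incident", "block_observables(requires_approval)"]
    return actions


if __name__ == "__main__":
    obs = extract_observables(SAMPLE_EMAIL)
    disp = check_dispositions(obs)
    result = verdict(disp)
    hits = local_sightings(disp)
    print("verdict:", result)
    print("sightings:", hits)
    print("actions:", plan_actions(result, hits))
```

The ordering in `verdict` is what makes the branch in the phishing workflow safe: a single malicious observable is enough to escalate, while an email full of unknowns still reaches the SOC rather than being silently closed. The internal-domain allowlist is the small piece of context most real playbooks need and slide decks omit; without it the recipient's own address would be enriched and counted as an unknown on every run.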
Save time by automating threat hunting and investigation with Orbital Advanced Search
Advanced search; pre-defined, customizable queries; forensics snapshot
Threat hunting; IT operations enablement, and vulnerability and compliance tracking
Faster investigation leads to quicker response, and ultimately lower cost of the breach
Orbital - Predefined Catalog
New Local Admin User Notification
https://github.com/Gyuri1/NewLocalUser-Orbital
Key Takeaways
Orchestration is no-to-low code
Extensive resources are available
Initial investment of time required
SecureX is an open platform
References
Documentation
- https://cs.co/SXO_docs
Video Playlist
- https://cs.co/SXO_videos
GitHub Repository
- https://cs.co/SXO_repo
DevNet
- https://developer.cisco.com/securex
www.cisco.com/go/securex
Document language: English
Related document: Temesi Tibor: Az adatok optimális helye HPC környezetben (The optimal place of data in an HPC environment)
Format: PowerPoint presentation; Number of pages: 39; Technical note: Microsoft Office PowerPoint 2016; Metadata in document: N
Format: PDF document; Number of pages: 39; Metadata in document: N
Format: HTML document; Technical note: HTML 5 version; Metadata in document: N
Best format: JPEG image file
Largest image size: 770x433 pixels
Best resolution: 72 DPI
Colour: colour
Compression quality: medium compression
General note: Networkshop 2021 conference
Record status: COMPLETE
Role: cataloguing
Processed by: Nagy Zsuzsanna