Siemens AG 2017
siemens.com
You don’t need a better car, you need to learn how to drive
On the Importance of Cyber-Defense Line Automation
Enrico Lovat, Florian Hartmann, Philipp Lowack
Who are we?
[Picture: Siemens CERT]
You don’t need a better car, you need to learn how to drive
What this talk is about
• What we did
• What we learned in the process
What this talk is NOT about
• Cars
• Step-by-step tutorial on how to fix things
• Code
• Vendor bashing
A tool can make you faster. But you need many tools.
The “glue” in-between tools is as important as the tools themselves.
Example
Example use case: Malware via email
• How can the user report a suspicious email?
• How do you analyze it?
• Is it a targeted attack or mass malware?
• Did the user click on the attachment?
• Who is the Infosec responsible for the user?
• How do you prevent the attached malware from
exfiltrating data from infected machines?
• How can you make sure similar infections are
detected?
• How can you prevent other clients from being
infected by the same malware?
• …
The old way
[Diagram: the original, tool-by-tool process]
Tools: Inbox, Sandbox, SIEM (Proxy Logs), Ticket Tracker, Proxy Solution 1, Active Directory, Corporate Employee Directory, VirusTotal
Steps: Reports mails, Analyze attachments, Extract potential C&C URLs, Vetting, Search for Indicators/URLs, Analyze Results, Investigation, Issue Tickets
Evolution 1 - Scripts
Evolution 1 - Scripts
[Diagram: the process after Evolution 1; the legend distinguishes manual steps from automated steps]
Tools: Mail DB, Sandbox, SIEM (Proxy Logs), Ticket Tracker, TI Platform, Reputation Services, VirusTotal, Sinkhole, (C)ISO List, Proxy Solution 1, Proxy Solution 2, Active Directory, Corporate Employee Directory
Steps: Reports mails, Analyze attachments, Extract potential C&C URLs, Vetting, Search for Indicators/URLs, Investigation, Analyze Results, Issue Tickets, Store and cross-ref. Indicators/URLs
Scripts: pros and cons
• Scripts allow analysts to perform their tasks faster
• A script written by one analyst can be reused by the other analysts
• Scripting requires a good understanding of the tools/services used, so only few can edit the scripts
• Each analyst has a different favorite scripting language, so it is hard to script against others’ scripts
Evolution 2 - API
Evolution 2 - API
[Diagram: the process after Evolution 2; the legend distinguishes manual steps from automated steps]
Tools: Mail DB, Sandbox, Vetting Tool, SIEM (Proxy Logs), Ticket Tracker, Remediation Ticket Tool, TI Platform, VirusTotal, Reputation Services, Active Directory, Corporate Employee Directory, (C)ISO List, Proxy Solution 1, Proxy Solution 2, Central blacklist, Sinkhole, Anti Virus
Steps: Reports mails, Analyze attachments, Extract potential C&C URLs, Search for Indicators/URLs, Analyze Results, Issue Tickets, Store and cross-ref. Indicators/URLs
API: documentation
API: pros
• Simplicity: while not everybody can script against an LDAP server, any developer knows how to query a REST API.
• Flexibility: once a REST API for a tool has been developed by one analyst, everybody can script against it using his/her language of preference.
• Abstraction: coding against a REST API makes it easy to exchange the “backend”, e.g. replacing a commercial tool with an open source one, as long as it implements the same interface.
• Authentication: wrapping the original interface into a custom API allows for better identity management (e.g. handling the different authentication mechanisms of the underlying tools).
API: Extra pros
Global Search
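The abstraction and global-search points above, in working code. This is an added example, not code from the talk or from Siemens CERT: two backend adapters with different native schemas (a positives/total scanner and an engine-list feed, both with constructed sample data) normalize their answers into one `Verdict` record behind a single `IndicatorService` interface, `GlobalSearch` fans a query out across every registered backend, and `handle_request` maps a REST-style path onto it. The adapter names, the `/v1/indicator/<value>` route, the sample data and the 10% detection ratio are assumptions made for this example.

```python
"""Added example: one interface in front of heterogeneous security tools.

Each backend adapter speaks its product's native schema but returns the same
Verdict record, so callers (and the global search) never notice when a backend
is swapped. All data below is constructed sample data, not real scanner output.
"""
from __future__ import annotations

from dataclasses import asdict, dataclass
from typing import Optional, Protocol
from urllib.parse import unquote


@dataclass(frozen=True)
class Verdict:
    indicator: str
    source: str
    malicious: bool
    detail: str


class IndicatorService(Protocol):
    """The common interface every backend wrapper has to implement."""
    name: str

    def lookup(self, indicator: str) -> Optional[Verdict]:
        """Return a Verdict, or None if this source knows nothing about the indicator."""


class VendorScannerAdapter:
    """Wraps a commercial multi-engine scanner reporting positives/total (constructed schema)."""
    name = "vendor-scanner"
    DETECTION_RATIO = 0.10  # assumed policy: 10% of engines flagging counts as malicious

    def __init__(self, raw: dict[str, dict[str, int]]):
        self._raw = raw

    def lookup(self, indicator: str) -> Optional[Verdict]:
        hit = self._raw.get(indicator)
        if hit is None:
            return None
        ratio = hit["positives"] / hit["total"]
        return Verdict(indicator, self.name, ratio >= self.DETECTION_RATIO,
                       f"{hit['positives']}/{hit['total']} engines")


class OpenSourceFeedAdapter:
    """Drop-in replacement for VendorScannerAdapter: an open-source feed that lists
    the engines which flagged an indicator (constructed schema), same interface."""
    name = "oss-feed"

    def __init__(self, raw: dict[str, list[str]]):
        self._raw = raw

    def lookup(self, indicator: str) -> Optional[Verdict]:
        engines = self._raw.get(indicator)
        if engines is None:
            return None
        return Verdict(indicator, self.name, len(engines) > 0, "flagged by " + ", ".join(engines))


class SinkholeListAdapter:
    """Wraps the internal sinkhole list: anything on it is known-bad and already blocked."""
    name = "sinkhole"

    def __init__(self, blocked: set[str]):
        self._blocked = blocked

    def lookup(self, indicator: str) -> Optional[Verdict]:
        if indicator in self._blocked:
            return Verdict(indicator, self.name, True, "already sinkholed")
        return None


class GlobalSearch:
    """Fans one query out to every registered backend and collects the normalized answers."""

    def __init__(self, services: list[IndicatorService]):
        self._services = services

    def search(self, indicator: str) -> dict[str, Verdict]:
        results: dict[str, Verdict] = {}
        for service in self._services:
            verdict = service.lookup(indicator)
            if verdict is not None:
                results[service.name] = verdict
        return results

    def is_malicious(self, indicator: str) -> bool:
        return any(v.malicious for v in self.search(indicator).values())


def handle_request(search: GlobalSearch, path: str) -> tuple[int, dict]:
    """Map a REST-style GET path onto the search; the /v1/indicator/<value> route is assumed."""
    prefix = "/v1/indicator/"
    if not path.startswith(prefix) or len(path) == len(prefix):
        return 404, {"error": "unknown route"}
    indicator = unquote(path[len(prefix):])
    sources = search.search(indicator)
    return 200, {"indicator": indicator,
                 "malicious": any(v.malicious for v in sources.values()),
                 "sources": [asdict(v) for v in sources.values()]}


# Constructed sample data standing in for the real backends.
VENDOR_DATA = {"evil-c2.example": {"positives": 23, "total": 60},
               "cdn.partner.example": {"positives": 1, "total": 60}}
OSS_DATA = {"evil-c2.example": ["engine-a", "engine-b"]}
SINKHOLE = {"old-c2.example"}


def build_search(use_open_source: bool) -> GlobalSearch:
    """Same search, different backend: the swap the Abstraction bullet describes."""
    scanner = OpenSourceFeedAdapter(OSS_DATA) if use_open_source else VendorScannerAdapter(VENDOR_DATA)
    return GlobalSearch([scanner, SinkholeListAdapter(SINKHOLE)])


if __name__ == "__main__":
    for use_oss in (False, True):
        print(handle_request(build_search(use_oss), "/v1/indicator/evil-c2.example"))
```

Swapping `VendorScannerAdapter` for `OpenSourceFeedAdapter` changes nothing for callers of `GlobalSearch` or of the `/v1/indicator/` route, which is exactly the property the Abstraction bullet relies on; each product's own notion of “malicious” is translated once, in its adapter, instead of in every analyst's script.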
API: Extra pros - Maltego integration
API: Extra pros - Vetting interface
Example - revisited
Example: How do we handle it today
The pipeline, step by step:
• Mail reported as spam
• Analysis of the email
• Analysis of email attachment
• Manual vetting of analysis results
• Threat intelligence processing
• Historic search in proxy logs
• Issuing of remediation tickets
• Tracking of remediation status
Mail reported as spam: Report as SPAM/Malware
In-house developed Outlook plugin. The selected email is sent (as attachment) to a particular mailbox.
Example: How do we handle it today
Analysis of the email: MALST (MALware mailingliST)
In-house developed tool to monitor the inbox and analyze received emails. Set of scripts + WebGUI.
Example: How do we handle it today
Analysis of email attachment: CMAP
Cuckoo sandbox + in-house developed GUI and additional analyses.
Example: How do we handle it today
Manual vetting of analysis results: Threat Intelligence Vetting Interface
Custom WebGUI for vetting. It retrieves indicators from the sandbox analysis, filters and enriches them, applies tags and pushes the changes back to the TI database.
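The retrieve, filter, enrich, tag and push sequence just described, as an added Python example that is not the Siemens vetting interface or its code: `vet()` drops sandbox background noise (an allowlist of infrastructure the sandbox VM contacts on its own, plus private address ranges), deduplicates indicators after normalizing them, records which analysis produced each one and applies the analyst's tags; `TIStore` stands in for a MISP-style TI database and merges sightings and tags when the same indicator is pushed again from a later analysis. The allowlist, analysis ids, hosts, addresses and tag names are all constructed for the example.

```python
"""Added example: filter, enrich, tag and push indicators from a sandbox run.

Models the vetting step between sandbox output and the TI database. The
allowlist, analysis ids, hosts, addresses and tag names are constructed;
TIStore is an in-memory stand-in for a MISP-style TI database.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import Iterable, Optional
from urllib.parse import urlsplit

# Infrastructure the sandbox VM contacts on its own (updates, OCSP, corporate hosts):
# constructed allowlist, never worth a TI entry.
ALLOWLIST_SUFFIXES = (".windowsupdate.example", ".ocsp.example", ".corp.example")
# Address ranges that can only be sandbox-internal traffic.
NOISE_NETWORKS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


@dataclass
class Indicator:
    type: str                                        # "domain", "ip" or "url"
    value: str
    sightings: set[str] = field(default_factory=set)  # analysis ids that produced this indicator
    tags: set[str] = field(default_factory=set)


def classify(raw: str) -> Indicator:
    """Normalize a raw sandbox string into a typed indicator (domains lower-cased, trailing dot dropped)."""
    if raw.lower().startswith(("http://", "https://")):
        return Indicator("url", raw)
    try:
        ipaddress.ip_address(raw)
        return Indicator("ip", raw)
    except ValueError:
        return Indicator("domain", raw.lower().rstrip("."))


def is_noise(ind: Indicator) -> bool:
    """True for indicators that are sandbox background traffic rather than sample behaviour."""
    if ind.type == "ip":
        addr = ipaddress.ip_address(ind.value)
        return any(addr in net for net in NOISE_NETWORKS)
    host = (urlsplit(ind.value).hostname or "") if ind.type == "url" else ind.value
    return host.endswith(ALLOWLIST_SUFFIXES)


def vet(raw_indicators: Iterable[str], analysis_id: str, analyst_tags: Iterable[str]) -> list[Indicator]:
    """Filter noise, deduplicate, record the sighting and apply the analyst's tags."""
    tags = set(analyst_tags)
    kept: dict[tuple[str, str], Indicator] = {}
    for raw in raw_indicators:
        ind = classify(raw)
        if is_noise(ind):
            continue
        ind = kept.setdefault((ind.type, ind.value), ind)  # dedupe on normalized (type, value)
        ind.sightings.add(analysis_id)
        ind.tags.update(tags)
    return list(kept.values())


class TIStore:
    """In-memory stand-in for the TI database; re-pushing an indicator merges sightings and tags."""

    def __init__(self) -> None:
        self._db: dict[tuple[str, str], Indicator] = {}

    def push(self, indicators: Iterable[Indicator]) -> tuple[int, int]:
        """Return (created, updated) counts, the feedback a vetting GUI would show after a push."""
        created = updated = 0
        for ind in indicators:
            key = (ind.type, ind.value)
            existing = self._db.get(key)
            if existing is None:
                self._db[key] = ind
                created += 1
            else:
                existing.sightings |= ind.sightings
                existing.tags |= ind.tags
                updated += 1
        return created, updated

    def get(self, type_: str, value: str) -> Optional[Indicator]:
        return self._db.get((type_, value))


if __name__ == "__main__":
    # Constructed sandbox output: one C2 host seen three ways, plus update/OCSP/private noise.
    raw = ["update.windowsupdate.example", "evil-c2.example", "EVIL-C2.example.", "10.0.0.5",
           "203.0.113.7", "http://evil-c2.example/gate.php", "http://ocsp.ocsp.example/status"]
    store = TIStore()
    print(store.push(vet(raw, "cmap-0001", {"malware:loader", "tlp:amber"})))
```

Filtering before the push is the part that matters in practice: a sandbox report lists every host the VM talked to, and pushing it unvetted would seed the TI database (and, downstream, the proxy blocklist) with update servers and OCSP responders.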
Example: How do we handle it today
Threat intelligence processing: MANTIS to MISP
MANTIS is an in-house developed tool supporting STIX/TAXII. New MISP-centric architecture: Sandbox (CMAP) → Vetting (TI VI) → TI DB (MISP).
Example: How do we handle it today
Historic search in proxy logs: Historic log search
Example: How do we handle it today
Issuing of remediation tickets: Remediation tickets
In-house developed tool to easily handle creation of remediation tickets.
Example: How do we handle it today
Tracking of remediation status: Request Tracker
Open source ticketing system + many customizations.
Evolution 3 – What’s next?
What’s next?
[Diagram: the Evolution 2 tool map and steps, with manual and automated steps marked]
[Diagram: the same tool map repeated over several animation steps; no additional text]
What’s next?
[Diagram: the tool map with a Central Workflow Engine added; the people interacting with it are Employees, Analysts and InfoSec Officers]
Tools: Mail DB, Sandbox, Vetting Tool, SIEM (Proxy Logs), Ticket Tracker, Remediation Ticket Tool, TI Platform, VirusTotal, Reputation Services, Active Directory, Corporate Employee Directory, (C)ISO List, Proxy Solution 1, Proxy Solution 2, Central blacklist, Sinkhole, Anti Virus
What’s next?
INCIDENT HANDLING PLAYBOOK
In case of “Suspicious email reported”
Step 1: Analyze email and extract URLs
Step 2: Analyze sample in Sandbox
Step 3: If Threat Index > 10 then …
…
…
Central
Workflow Engine
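As an added example (not the Siemens workflow engine or its code), a minimal Python playbook runner for the “Suspicious email reported” case above: steps are plain functions over a shared case record, each gated by a condition, and the runner branches on the threat index using the slide's “> 10” threshold, hands off at a manual step (the manual/automated distinction from the diagrams) and resumes after the analyst is done. The email text, the URL extraction, the signature weights that produce the threat index and the step names after step 3 are constructed for this example.

```python
"""Added example: a minimal runner for the "Suspicious email reported" playbook.

Each step is a plain function over a shared Case record plus a condition;
the runner executes steps in order, branches on the threat index (the
slide's "> 10"), pauses at a manual step and can resume once the analyst
is done. Email text, URL extraction, signature weights and the steps after
step 3 are constructed for this example, not taken from the talk.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Callable, Optional

URL_RE = re.compile(r"https?://[^\s\"'<>()]+", re.IGNORECASE)
THREAT_THRESHOLD = 10  # "If Threat Index > 10 then ..." from the playbook slide


@dataclass
class Case:
    email_body: str
    sandbox_signatures: list[tuple[str, int]]  # constructed (signature, weight) pairs from the sandbox report
    urls: list[str] = field(default_factory=list)
    threat_index: int = 0
    actions: list[str] = field(default_factory=list)  # what the engine did, for the audit trail


@dataclass(frozen=True)
class Step:
    name: str
    run: Callable[[Case], None]
    manual: bool = False                              # a manual step hands off to an analyst
    when: Callable[[Case], bool] = lambda case: True  # condition gating the step


def extract_urls(case: Case) -> None:
    case.urls = sorted(set(URL_RE.findall(case.email_body)))


def score_sandbox(case: Case) -> None:
    # Threat index as the sum of signature weights (an assumed scoring rule).
    case.threat_index = sum(weight for _, weight in case.sandbox_signatures)


def is_malicious(case: Case) -> bool:
    return case.threat_index > THREAT_THRESHOLD


def issue_ticket(case: Case) -> None:
    case.actions.append("remediation ticket: block " + ", ".join(case.urls))


def close_case(case: Case) -> None:
    case.actions.append("closed: below threshold, no remediation")


def request_vetting(case: Case) -> None:
    case.actions.append("vetting task created for analyst")


def push_to_ti(case: Case) -> None:
    case.actions.append(f"pushed {len(case.urls)} URL(s) to TI platform")


PLAYBOOK = [
    Step("Analyze email and extract URLs", extract_urls),
    Step("Analyze sample in Sandbox", score_sandbox),
    Step("Issue remediation ticket", issue_ticket, when=is_malicious),
    Step("Close case", close_case, when=lambda c: not is_malicious(c)),
    Step("Vet extracted indicators", request_vetting, manual=True, when=is_malicious),
    Step("Push indicators to TI platform", push_to_ti, when=is_malicious),
]


def run_playbook(case: Case, playbook: list[Step] = PLAYBOOK, start: int = 0) -> tuple[list[str], Optional[int]]:
    """Run steps from index `start`; return (trace, pending).

    `pending` is the index of the manual step the run stopped at, or None when the
    playbook ran to the end. Resume with start=pending + 1 once the analyst is done.
    """
    trace: list[str] = []
    for idx in range(start, len(playbook)):
        step = playbook[idx]
        if not step.when(case):
            trace.append(f"skip: {step.name}")
            continue
        step.run(case)
        if step.manual:
            trace.append(f"handoff: {step.name}")
            return trace, idx
        trace.append(f"done: {step.name}")
    return trace, None


if __name__ == "__main__":
    case = Case("Invoice attached, see http://evil-c2.example/gate.php",
                [("persistence_autorun", 3), ("network_c2_beacon", 5), ("process_injection", 4)])
    trace, pending = run_playbook(case)
    print(trace, pending, case.actions)
    print(run_playbook(case, start=pending + 1))
```

Keeping the playbook as data (a list of `Step`s) rather than as a chain of `if` statements is what lets a central engine show analysts which step a case is waiting on and lets the same steps be reused across playbooks.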
Lessons Learned
• Make it easy! Use the same interface to access your internal and external services/data sources.
• Works for us ≠ Works for you! Every company/institution is different.
• If you have to do it more than twice, script it! Optimization accumulates over time.
• Containerize your tools! Lowers setup overhead in the long run and provides well-documented setup instructions for free.
• Standardize your infrastructure! Try to stick to the same tool stack (programming language, frameworks, libraries).
• Manage your users centrally! Easily offer other stakeholders in your company access to (some of) your tools.
• Compromise (sometimes)! Find a tradeoff between adapting your tools to your processes and vice versa.
• DIY but don’t DIY! Don’t (always) implement your own tools, but rather use fitting open-source tools.
Enrico Lovat
Florian Hartmann
Philipp Lowack
Siemens CERT
CT RDA ITS CER-DE
Otto-Hahn-Ring 6
81739 München
https://www.cert.siemens.com
Questions?