Building a Platform for Integrated, Efficient Security Operations. Jinsuk Oh, FireEye Korea SE

Posted on 05-Jun-2020

Page 1: FireEye Korea SEfireeyeday.com/event/pdf/T1_3.CyberDefenseLive2018.pdf · 통합적, 효율적보안운영을위한 플랫폼구축방안 Jinsuk Oh FireEye Korea SE

Building a Platform for Integrated, Efficient Security Operations. Jinsuk Oh, FireEye Korea SE

Page 2:

©2018 FireEye | Private & Confidential

(Slide diagram; the text of this slide did not survive extraction.)

Page 3:

(Slide title not recoverable from the extraction.)

Teamwork

Page 4:

Protecting assets from internal and external threats so that the company's business is not affected.

“No matter what attack comes in, and by whatever route, it must be blocked unconditionally, and we are responsible for keeping the company operating continuously with absolutely no inconvenience to the business / that is simply how it has to be.”

Page 5:

In practice, every company struggles not only with technical issues but also with obtaining organizational, financial and policy support.

Page 6:

(Slide content not recoverable from the extraction.)

Page 7:

Security Orchestration, Automation and Response

Page 8:

(Slide content not recoverable from the extraction.)

Page 9:

(Slide diagram; the text of this slide did not survive extraction.)

Page 10:

What is SOAR? A platform that, using all collected logs and events together with threat intelligence and active detection, derives compromise information and its impact, and makes it possible to automate the system changes needed to remediate it.

Page 11:

Which functions are needed in a SOAR, and what should be considered when evaluating one?

§ Definition of SOAR
: SOAR is a technology that collects all of an organization's security-related data and events to enable rapid response to threats. To that end it automates repetitive work, prioritizes threat response, and supports the chain of activities such as compromise analysis and collection of related evidence.

§ SOAR technical requirements
• Shorter time to respond to, contain and remediate threats and compromises: reducing mean time to respond, contain, remediate
• Less unnecessary, routine work for analysts and operators: reducing unnecessary, routine and burdensome work for the analysts
• Better threat detection: improving detection capabilities
• Better documentation of security operations processes and evidence management: improving control assurance, security operations process documentation and evidence management
• Shorter training time for new analysts: reducing time to train new SOC analysts
• Better security response and management capability: improving the ability to measure and manage security operations

Page 12:

FireEye Helix

Page 13:

• Difficulty operating the appliances and storage needed for log collection; sizing issues arise
• After the appliances are installed, parser development is mandatory before logs are collected properly (this takes much time and effort)
• Hard to tell whether collection is working and what the current state is, so visibility is delayed

Page 14:

• Cloud-based, so there is no appliance or storage management to do
• Even before parsers are developed for the products used internally, traffic mirroring alone is enough to start monitoring network usage and begin analysis and response
• Support for standardized log/event transport and use of an Open API

FireEye Helix

Page 15:

• Growing threats, new attacks and new vulnerabilities: by NIST's count, 97,990 vulnerabilities have been published from 1999 to date
• 120 million new malware samples are discovered every year
• Knowing only whether something is malicious allows a response to that single event; the attack's impact cannot be assessed and predictive response is impossible
• Exhausting routine security work leaves no capacity to respond to the threats that matter

Page 16:

•338 Team (338, Team 338)•APT1 (Comment Team)•APT2 (TEMP.MSUpdate)•APT3 (UPS)•APT4 (Wisp)•APT5•APT6•APT7•APT8•APT9•APT10 (Menupass)T12 (Calc)•APT14 (Temp.Qaz)•APT15 (Social Network Team)•APT16 (TEMP.Bottle)•APT17 (Tailgater)•APT18 (Wekby)•APT19 (Codoso)•APT20 (Twivy Team)•APT21 (TEMP.Zhenbao)•APT22 (Barista)•APT23•APT24•APT25 (TEMP.Uncool)•APT26•APT27•APT28 (Tsar, Tsar Team)•APT29 (TEMP.Monkey)•APT30 (Flying Eagle)•APT31•APT32 (Oceanlotus, Temp.Junk)

•APT33•APT34•APT35 (Newscaster) (Newscaster, Newscaster Team)•APT36 (Lapis)•APT37 (Reaper, Temp.Reaper)•Conference Crew•Conimes Team (Conimes)•CyberBerkut (Cyberberkut)•CyberCaliphate (Cybercaliphate)•FIN1•FIN2•FIN3•FIN4•FIN5•FIN6•FIN7•FIN8•FIN9 (FIN9)•FIN10•Fallout Team (Fallout)•Fancy Bears' Hack Team (FBHT) (Fancy Bears' Hack Team)•Hangover Team (Hangover)•Havildar Team•Islamic State Hacking Division (ISHD) (Islamic State Hacking Division)•Koala Team (Koala)•Mana Team•Naikon Team (Naikon)•Roaming Tiger•Sandworm Team (Sandworm)•Syrian Electronic Army

•Syrian Malware Team•TEMP.Ace•TEMP.Barhopper (Barhopper)•TEMP.Beanie•TEMP.Beebus (Beebus)•TEMP.Bengal (Bengal)•TEMP.DragonOK•TEMP.Hermit•TEMP.Hex (TEMP.Hex Team)•TEMP.Hyen•TEMP.Jafar•TEMP.Katar•TEMP.Lice•TEMP.MetaStrike (Temp.Metastrike)•TEMP.Omega•TEMP.Overboard•TEMP.Peekaboo (TEMP.Peekaboo Team)•TEMP.Periscope (Temp.Periscope)•TEMP.Scimitar•TEMP.Tick•TEMP.Toucan•TEMP.Traveler (Temp.Traveler)•TEMP.Zagros (Zagros)•TEMP.Zombie•Termite Team•Tonto Team (Tonto)•Turla Team (Turla)•United Cyber Caliphate (UCC) (Caliphate Cyber Army, Islamic Cyber Army, United Cyber Caliphate)•thedarkoverlord (Thedarkoverlord)

FireEye Helix integrates Threat Intelligence automatically
• Per FireEye Threat Intelligence: 91 publicly named attack groups
• About 17,000 attack groups under tracking

Page 17:

§ Vulnerability and threat information releases: vulnerability information is published by government agencies, security, solution and system vendors, and security forums
: the content has to be understood and acted on

§ Security system events: detection of unknown APT attacks and malware variants
: the event has to be understood and related information collected, and detection policies updated so that the existing security solutions do not miss it

§ How do we understand it and build a detection policy?
§ How do we collect the related threat information?
§ Does the policy we built actually work?
§ Did we build it correctly?
§ So, are we safe?

Page 18:

Mandiant Services Managed Defense (FaaS)

Intelligence

§ FireEye Threat Intelligence
• FireEye DTI intelligence (information collected from NX/EX APT appliances worldwide)
• FireEye Threat Intelligence (iSight partners)
• Information collected through FireEye Managed Defense monitoring operations

§ 3rd-party threat information
• Information published by other vendors
• Correlated information for analysis
• Verification through internal analysis
• Creation of related reference blacklists
• Creation of indicators, from simple network indicators up to host indicators of compromise (IOC)

§ Helix Analytics
• A correlation engine for behaviour and a detection engine based on the characteristics of threat behaviour
• DNS Entropy Detection, DNS Fast-Flux Detection, Geo-Infeasibility, High Traffic, HTTP Beaconing Detection, Server Outbound Connections, Unacknowledged Connections, VPN Compromised Accounts
• Domain Misuse, User Session Detection, User Port Profiling, User Time Profiling, Port Scanning Detection, Pass-the-Ticket Detection

§ All threat information is confirmed and verified, and is applied automatically in Helix while its correlation with existing information is maintained
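The Helix Analytics list above names detections such as DNS Entropy Detection and HTTP Beaconing Detection without saying how they work. The Python below is an added illustration, not FireEye's code and not taken from the slides, of how two of those analytics can be approximated over ordinary log data: it scores the leftmost DNS label by Shannon entropy to surface machine-generated names, and it flags source/host pairs whose request intervals are nearly constant. The log lines, the thresholds (3.5 bits, coefficient of variation 0.1) and the minimum label length are constructed assumptions for this example.

```python
import math
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample DNS query log (not from the slides). Format: timestamp,src_ip,qname
DNS_LOG = """\
2018-05-01T09:00:01,10.0.0.5,www.example.com
2018-05-01T09:00:02,10.0.0.5,mail.example.com
2018-05-01T09:00:03,10.0.0.7,x7k2q9v1z3m8b4n6.example-cdn.net
2018-05-01T09:00:04,10.0.0.7,q3w8e1r5t9y2u6i0.example-cdn.net
2018-05-01T09:00:05,10.0.0.9,login.example.org
"""

# Constructed sample HTTP proxy log (not from the slides). Format: timestamp,src_ip,dst_host
HTTP_LOG = """\
2018-05-01T09:00:00,10.0.0.7,update.example-cdn.net
2018-05-01T09:01:00,10.0.0.7,update.example-cdn.net
2018-05-01T09:02:00,10.0.0.7,update.example-cdn.net
2018-05-01T09:03:00,10.0.0.7,update.example-cdn.net
2018-05-01T09:04:00,10.0.0.7,update.example-cdn.net
2018-05-01T09:05:00,10.0.0.7,update.example-cdn.net
2018-05-01T09:00:00,10.0.0.5,www.example.com
2018-05-01T09:00:17,10.0.0.5,www.example.com
2018-05-01T09:01:35,10.0.0.5,www.example.com
2018-05-01T09:01:40,10.0.0.5,www.example.com
2018-05-01T09:05:40,10.0.0.5,www.example.com
2018-05-01T09:05:41,10.0.0.5,www.example.com
"""


def parse_log(text):
    """Yield (timestamp, src_ip, name) tuples from the CSV-style lines above."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, name = line.split(",")
        yield datetime.fromisoformat(ts), src, name


def shannon_entropy(s):
    """Shannon entropy of s in bits per character (0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def dns_entropy_alerts(log=DNS_LOG, threshold=3.5, min_len=8):
    """Flag queries whose leftmost label looks machine-generated (DGA-like).

    Only labels of at least min_len characters are scored: a short label
    cannot reach high entropy, so scoring it would only add noise.
    Returns a list of (src_ip, qname, entropy_bits)."""
    alerts = []
    for _, src, qname in parse_log(log):
        label = qname.split(".")[0]
        if len(label) < min_len:
            continue
        h = shannon_entropy(label)
        if h >= threshold:
            alerts.append((src, qname, round(h, 2)))
    return alerts


def beaconing_alerts(log=HTTP_LOG, min_requests=5, max_cv=0.1):
    """Flag (src, host) pairs that connect at near-constant intervals.

    The coefficient of variation (stdev / mean) of the gaps between
    consecutive requests is close to 0 for a timer-driven beacon and
    large for human browsing. Returns (src, host, mean_gap_s, cv)."""
    seen = defaultdict(list)
    for ts, src, host in parse_log(log):
        seen[(src, host)].append(ts)
    alerts = []
    for (src, host), stamps in seen.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            alerts.append((src, host, round(mean, 1), round(cv, 3)))
    return alerts


if __name__ == "__main__":
    for a in dns_entropy_alerts():
        print("DNS entropy:", a)
    for a in beaconing_alerts():
        print("HTTP beacon:", a)
```

Both detections produce false positives on their own: CDNs use hashed hostnames, and legitimate software updaters poll on a fixed timer. That is why the slide pairs these analytics with verified threat intelligence; in practice the thresholds are tuned per environment and the hits are correlated with intelligence and an allowlist before they become incidents.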

Page 19:

(Slide content not recoverable from the extraction.)

Page 20:

Firewall event occurs → Look up the destination IP → Check which internal PCs communicated with it → Check whether it spread internally → Analyze the incident → Take threat response action
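The flow above is the kind of sequence a SOAR playbook automates. The Python below is an added example, not the slides' own material and not Helix code, that walks one firewall event through those six steps against constructed data: a small threat-intelligence table keyed by IP, a few firewall events, and internal flow records (all using TEST-NET and private addresses). The internal network range, the set of lateral-movement ports and the severity rules are assumptions chosen for this example, and the playbook returns proposed actions rather than executing them, which is the hand-off point to an analyst or to an orchestration step.

```python
import ipaddress

# All data below is constructed for this example (TEST-NET / RFC 1918 addresses), not from the slides.
THREAT_INTEL = {
    "203.0.113.45": {"category": "C2", "confidence": "high"},
    "198.51.100.20": {"category": "scanner", "confidence": "low"},
}

FIREWALL_EVENTS = [
    {"ts": "2018-05-01T09:00:00", "src": "10.0.0.7", "dst": "203.0.113.45", "dport": 443, "action": "allow"},
    {"ts": "2018-05-01T09:00:30", "src": "10.0.0.12", "dst": "203.0.113.45", "dport": 443, "action": "allow"},
    {"ts": "2018-05-01T09:01:00", "src": "10.0.0.5", "dst": "192.0.2.10", "dport": 443, "action": "allow"},
]

# Internal east-west flows (e.g. from NetFlow); used for the "did it spread" step.
INTERNAL_FLOWS = [
    {"ts": "2018-05-01T09:02:00", "src": "10.0.0.7", "dst": "10.0.0.21", "dport": 445},
    {"ts": "2018-05-01T09:02:05", "src": "10.0.0.7", "dst": "10.0.0.22", "dport": 445},
    {"ts": "2018-05-01T09:03:00", "src": "10.0.0.12", "dst": "10.0.0.50", "dport": 80},
]

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")          # assumption: the corporate range
LATERAL_PORTS = {135, 139, 445, 3389, 5985}                  # assumption: SMB/RPC/RDP/WinRM


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL_NET


def lookup_destination(ip, intel=THREAT_INTEL):
    """Step 2: look the destination IP up in threat intelligence. None means no match."""
    return intel.get(ip)


def internal_hosts_contacting(ip, events=FIREWALL_EVENTS):
    """Step 3: which internal PCs communicated with this destination."""
    return sorted({e["src"] for e in events if e["dst"] == ip and is_internal(e["src"])})


def lateral_spread(hosts, flows=INTERNAL_FLOWS):
    """Step 4: did any affected host then reach other internal hosts on lateral-movement ports."""
    spread = {}
    for f in flows:
        if f["src"] in hosts and is_internal(f["dst"]) and f["dport"] in LATERAL_PORTS:
            spread.setdefault(f["src"], []).append(f["dst"])
    return spread


def run_playbook(event):
    """Steps 1-6 for one firewall event. Returns the analysis and the proposed
    (not executed) response actions so an analyst can review them."""
    intel = lookup_destination(event["dst"])
    if intel is None:
        return {"verdict": "benign", "severity": "none", "hosts": [], "spread": {}, "actions": []}
    hosts = internal_hosts_contacting(event["dst"])
    spread = lateral_spread(hosts)
    # Step 5: severity from the intelligence confidence, raised if there is internal spread.
    if spread:
        severity = "critical"
    elif intel["confidence"] == "high":
        severity = "high"
    else:
        severity = "medium"
    # Step 6: response actions, ordered so that the perimeter block comes first.
    actions = [f"block {event['dst']} at perimeter firewall"]
    for h in hosts:
        actions.append(f"isolate {h} and collect host evidence")
    for h, victims in spread.items():
        actions.append(f"triage {', '.join(sorted(set(victims)))} contacted by {h}")
    actions.append(f"open {severity} incident ticket")
    return {"verdict": intel["category"], "severity": severity,
            "hosts": hosts, "spread": spread, "actions": actions}


if __name__ == "__main__":
    for ev in FIREWALL_EVENTS:
        result = run_playbook(ev)
        print(ev["src"], "->", ev["dst"], result["verdict"], result["severity"])
        for action in result["actions"]:
            print("   ", action)
```

The first event resolves to a high-confidence C2 indicator; two internal hosts contacted it, and one of them then reached two other internal hosts on SMB, so the playbook raises the severity to critical and proposes isolating both hosts and triaging the SMB targets. The third event matches no intelligence and returns benign with no actions, which is the normal outcome for the bulk of firewall events and the reason the lookup step comes before any enrichment.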

Page 21:

(Slide content not recoverable from the extraction.)

Page 22:

Improvements that use the infrastructure already in operation

§ Integrate the existing security solutions: secure visibility and integrate events from heterogeneous devices so that operations become more efficient

§ Define the security operations processes: turn the activities currently performed in security operations into defined processes and establish the related standards (security events, patching, rule updates)

§ Collect and apply threat information: define collection paths for, and apply, the threat information published by external organizations and communities, beyond the policy updates each security solution already receives (security vendor reports, the threat intelligence community, security news)

§ Automate simple tasks: even without a dedicated automation solution, apply automation task by task through simple scripts or API integration between devices
: apply openly available automation tools to some of the work (Open API)

Page 23:

(Slide content not recoverable from the extraction.)

Page 24:

Thank You