You don’t need a better car, you need to learn - FIRST


Post on 12-Sep-2018


  • Siemens AG 2017

    siemens.com

    You don’t need a better car, you need to learn how to drive

    On the Importance of Cyber-Defense Line Automation

    Enrico Lovat, Florian Hartmann, Philipp Lowack

    Page 3

    Who are we?

    Page 4

    You don’t need a better car, you need to learn how to drive

    What this talk is about:

    What we did

    What we learned in the process

    What this talk is NOT about:

    Cars

    Step-by-step tutorial on how to fix things

    Code

    Vendor bashing

    A tool can make you faster. But you need many tools.

    The glue in-between tools is as important as the tools themselves.

    Example

    Page 6

    Example use case: Malware via email

    How can the user report a suspicious email?

    How do you analyze it?

    Is it a targeted attack or mass malware?

    Did the user click on the attachment?

    Who is the Infosec responsible for the user?

    How do you prevent the attached malware from exfiltrating data from infected machines?

    How can you make sure similar infections are detected?

    How can you prevent other clients from being infected by the same malware?

    Page 7

    The old way

    [Diagram: the tools involved and the manual step performed with each. Inbox: reports mails. Sandbox: analyze attachments. SIEM (ProxyLogs): search for indicators/URLs. Ticket Tracker: issue tickets. VirusTotal: analyze results. Investigation / vetting: extract potential C&C URLs. Also shown: Proxy Solution 1, Active Directory, Corporate Employee Directory.]

    Evolution 1 - Scripts

    Page 9

    Evolution 1 - Scripts

    [Diagram; the legend distinguishes manual steps from automated steps. Mail DB: reports mails. Sandbox: analyze attachments. Vetting: extract potential C&C URLs. SIEM (ProxyLogs): search for indicators/URLs. Investigation: analyze results. Ticket Tracker: issue tickets. TI Platform: store and cross-reference indicators/URLs. Also shown: Reputation Services, VirusTotal, Sinkhole, (C)ISO List, Proxy Solution 1, Proxy Solution 2, Active Directory, Corporate Employee Directory.]

    Page 10

    Scripts: pros and cons

    Scripts allow analysts to perform their tasks faster.

    A script written by an analyst can be reused by the other analysts.

    Scripting requires a good understanding of the tools/services used, so only a few people can edit the scripts.

    Each analyst has a different favorite scripting language, so it is hard to script against others' scripts.

    Evolution 2 - API

    Page 12

    Evolution 2 - API

    [Diagram; the legend distinguishes manual steps from automated steps. Mail DB: reports mails. Sandbox: analyze attachments. Vetting Tool: extract potential C&C URLs. SIEM (ProxyLogs): search for indicators/URLs. Analyze results. Ticket Tracker / Remediation Ticket Tool: issue tickets. TI Platform: store and cross-reference indicators/URLs. Also shown: VirusTotal, Reputation Services, Active Directory, Corporate Employee Directory, (C)ISO List, Proxy Solution 1, Proxy Solution 2, Central blacklist, Sinkhole, Anti Virus.]

    Page 13

    API: documentation

    Page 14

    API: pros

    Simplicity: while not everybody can script against an LDAP server, any developer knows how to query a REST API.

    Flexibility: once a REST API for a tool has been developed by an analyst, everybody can script against it using his/her language of preference.

    Abstraction: coding against a REST API makes it easy to exchange the backend, e.g. replacing a commercial tool with an open source one, as long as it implements the same interface.

    Authentication: wrapping the original interface into a custom API allows for better identity management (e.g. handling different authentications).

    Page 15

    API: Extra pros

    Global Search

    Page 16

    API: Extra pros - Maltego integration

    Page 17

    API: Extra pros - Vetting interface

    Example - revisited

    Page 19

    Example: How do we handle it today

    Pipeline steps: Mail reported as spam, Analysis of the email, Analysis of email attachment, Manual vetting of analysis results, Threat intelligence processing, Historic search in proxy logs, Issuing of remediation tickets, Tracking of remediation status

    Step highlighted on this slide: Mail reported as spam

    Report as SPAM/Malware: in-house developed Outlook plugin. The selected email is sent (as attachment) to a particular mailbox.

    Page 20

    Example: How do we handle it today

    Step highlighted on this slide: Analysis of the email

    MALST (MALware mailingliST): in-house developed tool to monitor the inbox and analyze received emails. Set of scripts + WebGUI.

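As an added example (not the MALST code or any Siemens tool), the Python below builds a report mail the way the plugin is described, the original mail wrapped as an attachment, and unwraps it the way an inbox monitor would before handing attachments to the sandbox and URLs to vetting. The addresses, subject, target mailbox and attachment bytes are constructed sample data.

```python
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage

URL_RE = re.compile(r"https?://[^\s<>\"']+")
SAMPLE_BYTES = b"MZ\x90\x00not-a-real-executable"   # constructed attachment content


def build_report_mail() -> bytes:
    """Constructed stand-in for what the Outlook plugin sends: the suspicious
    mail wrapped as a message/rfc822 attachment of a report mail (no real data)."""
    original = EmailMessage(policy=policy.default)
    original["From"] = "invoice@sender.example.invalid"
    original["To"] = "alice@corp.example"
    original["Subject"] = "Invoice 4711"
    original.set_content("Please open the attachment or visit "
                         "http://payload.example.invalid/inv.php")
    original.add_attachment(SAMPLE_BYTES, maintype="application",
                            subtype="octet-stream", filename="invoice.exe")
    report = EmailMessage(policy=policy.default)
    report["From"] = "alice@corp.example"
    report["To"] = "malst-reports@corp.example"      # the plugin's target mailbox (assumed)
    report["Subject"] = "Reported: Invoice 4711"
    report.set_content("Reported via plugin")
    report.add_attachment(original)                  # becomes a message/rfc822 part
    return report.as_bytes()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def analyze_report(raw: bytes) -> dict:
    """Unwrap the reported mail and pull out what the later steps consume:
    original sender and subject, attachment hashes for the sandbox, URLs for vetting."""
    outer = email.message_from_bytes(raw, policy=policy.default)
    result = {"reporter": str(outer["From"]), "sender": None, "subject": None,
              "attachments": [], "urls": []}
    for part in outer.iter_attachments():
        if part.get_content_type() != "message/rfc822":
            continue                                 # ignore anything but the wrapped mail
        inner = part.get_content()                   # the original EmailMessage
        result["sender"] = str(inner["From"])
        result["subject"] = str(inner["Subject"])
        body = inner.get_body(preferencelist=("plain",))
        if body is not None:
            result["urls"] = URL_RE.findall(body.get_content())
        for att in inner.iter_attachments():
            result["attachments"].append(
                {"name": att.get_filename(), "sha256": sha256_hex(att.get_content())})
    return result
```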

    Page 22-23

    Example: How do we handle it today

    Step highlighted on these slides: Analysis of email attachment

    CMAP: Cuckoo sandbox + in-house developed GUI and additional analyses.

    Page 24

    Example: How do we handle it today

    Step highlighted on this slide: Manual vetting of analysis results

    Threat Intelligence Vetting Interface: custom WebGUI for vetting. It retrieves indicators from the sandbox analysis, filters and enriches them, applies tags and pushes the changes back to the TI database.


    Page 26

    Example: How do we handle it today

    Step highlighted on this slide: Threat intelligence processing

    MANTIS: in-house developed tool, supporting STIX/TAXII.

    MISP: new MISP-centric architecture: Sandbox (CMAP) → Vetting (TI VI) → TI DB (MISP).


    Page 28

    Example: How do we handle it today

    Step highlighted on this slide: Historic search in proxy logs

    Historic log search
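Added example, not code from the talk's tools, covering three consecutive pipeline steps as plain Python: vetting the sandbox indicators (filter, enrich, tag), the historic search of those indicators in proxy logs, and turning the hits into remediation tickets. The sandbox indicators, allowlist, proxy log lines and tag names are constructed assumptions; the attribute dicts only loosely follow MISP's attribute type names.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sandbox output, shaped loosely like a Cuckoo network summary (no real data)
SANDBOX_INDICATORS = {
    "domains": ["payload.example.invalid", "update.microsoft.com", "corp.example"],
    "urls": ["http://payload.example.invalid/inv.php",
             "http://payload.example.invalid/gate/"],
    "ips": ["192.0.2.10", "127.0.0.1"],
}
# Allowlist applied during vetting so that noise never reaches the TI database (assumed)
BENIGN = {"update.microsoft.com", "corp.example", "127.0.0.1"}
# Constructed proxy log: timestamp, client IP, user, method, URL, status (no real data)
PROXY_LOG = """\
2017-06-12T09:01:15 10.1.2.3 alice GET http://update.microsoft.com/x 200
2017-06-12T09:03:40 10.1.2.7 bob GET http://payload.example.invalid/inv.php 200
2017-06-12T09:03:41 10.1.2.7 bob POST http://payload.example.invalid/gate/ 200
2017-06-12T10:15:02 10.1.2.9 carol GET http://192.0.2.10/beacon 503
"""


def vet(indicators, sample_sha256, tags=("malst", "tlp:amber")):
    """Filter sandbox indicators against the allowlist, then enrich and tag them.
    Returns MISP-style attribute dicts ready to be pushed to the TI platform."""
    attrs = []
    for kind, key in (("domain", "domains"), ("url", "urls"), ("ip-dst", "ips")):
        for value in indicators.get(key, []):
            host = urlparse(value).hostname if kind == "url" else value
            if host in BENIGN:
                continue
            attrs.append({"type": kind, "value": value, "to_ids": True,
                          "tags": list(tags), "related_sample": sample_sha256})
    return attrs


def historic_search(log_text, attrs):
    """Map each user whose proxy traffic touched a vetted indicator to the matching IoCs."""
    hits = defaultdict(set)
    values = {a["value"] for a in attrs}
    for line in log_text.splitlines():
        _ts, _client, user, _method, url, _status = line.split()
        host = urlparse(url).hostname
        for ioc in values:
            if url.startswith(ioc) or host == ioc:   # URL prefix or exact host/IP match
                hits[user].add(ioc)
    return {user: sorted(iocs) for user, iocs in hits.items()}


def remediation_tickets(hits, sample_sha256):
    """One ticket per affected user, as the remediation ticket tool would issue."""
    return [{"user": user, "indicators": iocs, "sample": sample_sha256,
             "action": "isolate host, reimage, reset credentials"}
            for user, iocs in sorted(hits.items())]
```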

    Page 29

    Example: How do we handle it today

    Step highlighted on this slide: Issuing of remediation tickets

    Remediation tickets: in-house developed tool to easily handle creation of remediation tickets.

    Page 30

    Example: How do we handle it today

    Step highlighted on this slide: Tracking of remediation status

    Request Tracker: open source ticketing system + many customizations.

    Evolution 3 - What’s next?

    Page 33

    What’s next?

    [Diagram: the same components as the Evolution 2 slide; the legend distinguishes manual steps from automated steps. Mail DB: reports mails. Sandbox: analyze attachments. Vetting Tool: extract potential C&C URLs. SIEM (ProxyLogs): search for indicators/URLs. Analyze results. Ticket Tracker / Remediation Ticket Tool: issue tickets. TI Platform: store and cross-reference indicators/URLs. Also shown: VirusTotal, Reputation Services, Active Directory, Corporate Employee Directory, (C)ISO List, Proxy Solution 1, Proxy Solution 2, Central blacklist, Sinkhole, Anti Virus.]

    Page 34

    What’s next?

    [Diagram: the Evolution 2 components drawn several times over (the slide's text was spilled letter by letter in extraction). Recoverable labels: Mail DB, Sandbox, Vetting Tool, SIEM (ProxyLogs), Ticket Tracker, Remediation Ticket Tool, TI Platform, VirusTotal, Reputation Services, Active Directory, Corporate Employee Directory, (C)ISO List, Proxy Solution 1, Proxy Solution 2, Central blacklist, Sinkhole, Anti Virus; steps: reports mails, analyze attachments, extract potential C&C URLs, search for indicators/URLs, analyze results, issue tickets, store and cross-reference indicators/URLs; legend: manual step / automated step.]

    Page 35

    What’s next?

    [Diagram, truncated in extraction; recoverable labels: Mail DB, Sandbox, Vetting.]
