Ausgewildert: vom Rookie zum Cyber Security Analyst Cyber Simulation Range Andreas Günther // Managing Analyst & CDC Team Lead // SecureLink Germany


Post on 18-Sep-2020


Page 1

Ausgewildert: vom Rookie zum Cyber Security Analyst

Cyber Simulation Range

Andreas Günther // Managing Analyst & CDC Team Lead // SecureLink Germany

Page 2

THE ISH PROJECT

TRAINING SPACE
There are 4 fully equipped training rooms that provide the opportunity to develop and test skills in a range of IT Security and aviation-specific topics.

LAB AREA
An essential part of the ISH is to provide a great lab environment to train the security experts of tomorrow. The lab enables us to provide not only theoretical training classes, but also to incorporate a great deal of hands-on experience into the learning process.

EVENT HALL, FOUR TRAINING ROOMS AND AN EXTENDED LAB ENVIRONMENT FOR HANDS-ON TRAINING SESSIONS.

EVENT HALL
The brand new auditorium seats 120 people with the goal of sharing knowledge and hands-on learning.

In addition to high-level presentations, tinkering with typical airport infrastructure in IT, OT and communication.

Page 3

„Our vision is to provide the next generation and immersive training facility for the education of first class IT security experts.”

Page 4

Boring PowerPoint presentations for endless hours

Outdated frontal teaching instead of hands-on training

Restricted to products/vendors

Often outdated rather than realistic attack scenarios

Trainers are not experienced analysts

No metric to measure individual/team progress

26.04.2018 4

Where do traditional training methods fail? What has to be avoided to accomplish a successful training?

Page 5

…by joining forces to gather bundled security expertise!

How can we do better?

Page 6

FMG (Flughafen München GmbH), incorporated in 1949, operates Munich Airport, which opened at its present site on May 17, 1992. It is jointly owned by the Free State of Bavaria (51 percent), the Federal Republic of Germany (26 percent) and the city of Munich (23 percent). The FMG corporate group, with its 15 subsidiaries, employs more than 9,000 people. With a total workforce of about 35,000, employed by about 550 companies, Munich Airport is one of Bavaria’s largest workplaces. Within just a few years of opening, Munich Airport developed into a major air transportation hub and was firmly established as one of Europe's 10 busiest airports. Munich Airport now offers connections to more than 250 destinations all over the world. In 2016 Bavaria’s gateway to the world handled approximately 400,000 flights with over 42 million passengers. Bavaria's gateway to the world became the first – and is so far the only – airport in Europe to be honored with the prestigious title of “5-Star Airport” by the London-based Skytrax Institute.

Who are the players within ISH?

Page 7

iT-CUBE SYSTEMS is a full-service provider for IT security. Our team consists of highly qualified, experienced and committed strategic consultants, technology experts and security analysts. All have one thing in common: an exceptional sense for future-proof technology trends. We focus our work on the German-speaking countries. Since January 2017 iT-CUBE has been a member of SecureLink Group, one of Europe’s leading IT security providers. SecureLink operates in 9 European countries with 16 headquarters. The group owns 5 local Cyber Defence Centers (CDC) and 4 Network Operation Centers (NOC) with 24x7x365 support. We offer a comprehensive service and solution portfolio with knowledge from more than 625 security, IT and network specialists, based on leading security solutions from top producers.

Who are the players within ISH?

Page 8

ERNW Insight GmbH is a subsidiary of the Heidelberg-based ERNW GmbH, which specializes in different areas of IT security. We work alongside the ERNW family (ERNW GmbH, ERNW Research, and ERNW Security Tools), which focuses on penetration testing, security assessments as well as cutting-edge research and software development, to bring knowledge of IT security topics to the world. Through trainings, events, conferences (such as TROOPERS), and e-learning in a wide range of IT security topics, Insight reaches its main goal of providing first-class IT security know-how.

Who are the players within ISH?

Page 9

HvS-Consulting is a Munich based Cyber Security specialist. Our core competencies include consulting for Information Security Management / ISO 270xx / critical infrastructures, simulated industrial espionage attacks with social engineering, as well as Incident Response & IT-Forensics in case of an attack. Furthermore, we impart Security know-how: Coaching for Security Experts, Training of IT-staff and creating security awareness for information and data protection among managers & employees. For additional information please visit www.hvs-consulting.de.


Who are the players within ISH?

Page 10

BUSINESS CONTINUITY MANAGEMENT FOR CRITICAL INFRASTRUCTURE

EMERGENCY MANAGEMENT DRILLS FOR CRITICAL INFRASTRUCTURES

CSR101 – ISH Certificate “Security Incident Analyst - Level 1”

CSR102 – ISH Certificate “Security Incident Analyst - Level 2”

CSR103 – Cyber War Gaming

HACKING 101

IOT – SECURE DESIGN AND OPERATION

What does ISH offer? https://infosec-hub.de/en/events/

Page 11

Efficiently detect, assess and respond to cyber threats in a real-world IT & OT environment

Utilize the high-end CSR SOC technology stack and field-tested playbooks from experienced SOC analysts

Enrich security event information using threat intelligence and automate/orchestrate IR measures

Become acquainted with the latest threats and understand the attacker's motivation

Slip into the roles of security analysts, incident responders, engineers – teamwork!

Students defend against complex attacks in a hyper-realistic training environment.

Highlight of ISH: Cyber Simulation Range

Page 12

CSR: Structural model

Components of the range (from the diagram): blue team, red team, trainer, network traffic generator, attack traffic generator, enterprise IT/OT environment.

Red team:
• Implement malware
• Infect systems and accounts
• Exploit vulnerabilities
• Set up CnC botnets
• Exfiltrate or destroy data
• Sabotage production environments

Blue team:
• Detect and assess attack activity along the cyber kill chain
• Analyse and eradicate malware
• Detect and quarantine compromised accounts, systems and backdoors
• Implement active defense measures
• Restore compromised systems and get back to usual business
• React, communicate and coordinate in different SOC roles

Trainer:
• Lead through all use-cases
• Evaluate attack and defense activities

Page 13

• Brute force attempt
• DNS Reconnaissance
• DoS/DDoS: DoS/DDoS attacks, 10,000 in 15 minutes
• Anti-virus failed to clean or quarantine
• Email with malicious attachment
• Database connections: unsuccessful connection attempts
• Excessive SMTP traffic outbound
• Excessive traffic inbound (streaming, web, etc.)
• Excessive port blocking attempts from endpoint protection
• Known exploit payload detected
• Logs deleted from source
• Suspicious traffic to known vulnerable host
• Unauthorized subnet access to confidential data
• Ransomware infection
• Sinkhole attack
• System compromise: CnC communication
• System compromise: suspicious behavior
• Waterhole attack
• IRC connections preceded by server-initiated connection to dynamic hosts
• Login to sleeping account: login attempt to an account that was unused for last
• Admin Login Fail: 3 failed admin logins to any system within 24 hours
• Freq. Account Locked: account locked 3 times in 7 days [3/7d]
• Login 1 to many: login attempt from 1 station to more than 2 accounts
• Login at off hours, Night: admin login in non-working hours 22:00-06:00
• Login at off hours, Weekend: admin login in non-working weekend hours Friday-Sunday
• Login Root: login directly as root and not via “su”
• Multiple Account Locking: multiple locked accounts from the same source IP
• Multiple changes from administrative accounts
• Multiple infected hosts detected on a subnet (from your end-user protection solution)
• Same account, different countries within 5 days (user traveled abroad)
• SMTP traffic from an unauthorized host
• Privilege Elevation: permissions were changed from user to admin
• Threat Intel Feed: IOC detection
• Trojan infection
• Virus found
• Vulnerable software version detected


IR playbooks for a variety of security incidents (see the use-case list above).
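Four of the use cases listed above, written as correlation checks over a handful of constructed authentication events. This is an added illustration, not code from the CSR or its playbooks; the thresholds follow the slide, while the event layout, the admin account list and the choice to evaluate "Login 1 to many" over the whole batch (the slide names no window) are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth events: (timestamp, event, user, source IP, target host).
EVENTS = [
    ("2018-04-26 09:00:00", "login_fail", "admin1", "10.0.0.5", "srv1"),
    ("2018-04-26 11:30:00", "login_fail", "admin1", "10.0.0.5", "srv2"),
    ("2018-04-26 20:10:00", "login_fail", "admin1", "10.0.0.5", "srv3"),
    ("2018-04-26 23:15:00", "login_ok",   "admin2", "10.0.0.7", "srv1"),
    ("2018-04-26 10:00:00", "login_ok",   "root",   "10.0.0.9", "srv4"),
    ("2018-04-26 10:05:00", "login_ok",   "alice",  "10.0.0.9", "srv1"),
    ("2018-04-26 10:06:00", "login_fail", "bob",    "10.0.0.9", "srv1"),
    ("2018-04-26 10:07:00", "login_ok",   "carol",  "10.0.0.9", "srv1"),
]
ADMINS = {"admin1", "admin2"}  # assumed set of privileged accounts

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def admin_login_fail(events, threshold=3, window=timedelta(hours=24)):
    """Admin Login Fail: 3 failed admin logins to any system within 24 hours."""
    fails = defaultdict(list)
    for ts, ev, user, _, _ in sorted(events):  # ISO timestamps sort chronologically
        if ev == "login_fail" and user in ADMINS:
            fails[user].append(parse(ts))
    # sliding window: any run of `threshold` consecutive failures spanning <= `window`
    return {u for u, t in fails.items()
            if any(t[i + threshold - 1] - t[i] <= window
                   for i in range(len(t) - threshold + 1))}

def admin_off_hours_night(events, start=22, end=6):
    """Login at off hours Night: successful admin login between 22:00 and 06:00."""
    return {user for ts, ev, user, _, _ in events
            if ev == "login_ok" and user in ADMINS
            and (parse(ts).hour >= start or parse(ts).hour < end)}

def login_one_to_many(events, max_accounts=2):
    """Login 1 to many: one station attempting more than 2 distinct accounts.
    Evaluated over the whole batch, since the slide names no window (assumption)."""
    per_src = defaultdict(set)
    for _, ev, user, src, _ in events:
        if ev in ("login_ok", "login_fail"):
            per_src[src].add(user)
    return {src for src, users in per_src.items() if len(users) > max_accounts}

def direct_root_login(events):
    """Login Root: successful login directly as root rather than via su."""
    return {(src, host) for _, ev, user, src, host in events
            if ev == "login_ok" and user == "root"}
```

Each function returns the subjects that fired the rule, so the same checks can be pointed at real SIEM exports once the events are mapped to the tuple layout.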

Page 14

Learn how to optimize IR processes with automation and orchestration.

SOC technology stack & workflow

Page 15

Cyber Simulation Range – blue team's "toolbox": security solutions & SOC technology stack for high speed and efficiency in incident response

• SIEM
• Ticketing / IR
• Security Orchestration & Automation (SOA)
• NG Firewall
• NAC
• Endpoint Protection
• Endpoint Response
• Vulnerability Visibility
• External TI
• Flow Analysis
• Deception
• Asset Data
• Sandbox / Proxy
• UEBA

Page 16

Detection – Investigation – Response

SOC Playbook Example

Trigger: CnC detected & alerted
1. Query for time-related IoCs
2. Find malware / extract process
3. Invoke cross-check against threat intel feed
4. Detonate file / analyze
5. Query for endpoints infected with the known malware/hash
6. Kill processes, perform memory dump, quarantine infected endpoints
7. Update URL / IP block list

... don't forget: it's a battle.

Page 19

Thank you for your attention!

iT-CUBE SYSTEMS AG, Paul-Gerhardt-Allee 24, 81245 München, Tel: +49 (0) 89 2000 148 00, Mail: [email protected]

We keep IT secure.