Jeff Schilling / Chief Security Officer · Threat Types, Focus on the Scale in Numbers of Actors
TRANSCRIPT
Outsourcing Security Capabilities
Businesses Worth Building Are Businesses Worth Protecting
Jeff Schilling/Chief Security Officer
THREAT TYPES, FOCUS ON THE SCALE IN NUMBERS OF ACTORS
• COMMODITY THREAT: 100,000's of actors
• TARGETED THREAT: Less than 8,000 actors
• ADVANCED TARGETED THREAT: Less than 200 actors
Skill level rises in that direction (commodity to advanced targeted) as the number of actors shrinks.
THE KILL CHAIN
1. RECONNAISSANCE: Open source research; Social network research; Port scan, IP sweep; Google research
2. WEAPONIZATION: Combine the exploit tool with the method
3. DISTRIBUTION & STRATEGY: Phishing email; Website drive-by; SQL inject script
4. EXPLOITATION: Infected Word Doc or PDF is opened; JavaScript exploited in browser; Command line SQL inject
5. PERSIST/LATERAL MOVEMENT: Registry key changed; Privilege escalation; Look for open connections
6. COMMAND & CONTROL: Malware or compromised system reaches out for instructions
7. ACTION ON TARGET: Search the target; Package and prepare for and exfil data; Destroy or disrupt
THREAT + VULNERABILITY - SECURITY OPS MITIGATION (P/D/R/R) = RISK
P/D/R/R: PROTECT, DETECT, RESPOND, RECOVER, applied to CYBER/PHYSICAL SECURITY, with THREAT INTELLIGENCE feeding each of the four functions.
SECURITY OPERATIONS FUNCTIONS
• Threat Intelligence
• Alerts and Warnings
• Incident Management
• Problem Management
• Incident Response/Forensics
• Security Device Management
• Vulnerability Management
• Internal Penetration testing/Advanced Threat detection
• External Penetration testing/red team
WHAT DO YOU WANT TO ACCOMPLISH?
• Fill gaps in security team? (People, Processes, Technology)
• Save money?
• Be compliant?
• Provide better security operations?
TARGETING METHODOLOGY – OODA LOOP
THE OODA LOOP CLOUD SECURITY FRAMEWORK
Military defense created by U.S. Air Force in Korean War
The loop runs OBSERVE, ORIENT, DECIDE, ACT, then repeats.

OBSERVE
• Threat Research
• Vulnerability Threat Management
• FNF Observations
• Problem Management
• Security Control availability
• CISO Assessment Findings
• SIEM Alerts

ORIENT
• Analysis & Prioritization
• Risk Assessment
• Counter-measure & Control Effectiveness

DECIDE
• Additions to Risk Register
• FNF targeting
• Changes to Security controls
• Conduct Technology gap analysis

ACT
• Apply Threat Intel to Security controls
• Develop & Deploy Counter-measures, Tune SIEM
• VTM Scan tuning
• Open FNF actions in JIRA
• Incident Response Contain/Eradicate
• Work projects in Risk Register
• Inject new security tech requirements