2. About Me...
– Cisco Computer Security Incident Response Team (CSIRT)
– CSIRT = Security Monitoring and Incident Response
– Architecture, Engineering, Research, and Investigations
– Enterprise global threat and 24x7 incident response
3. The Numb3rs
Cisco Systems Inc.:
– 100 countries
– 130,000 employees (with laptops and phones)
– 150,000 servers of all types
– 40,000 routers
– 1,500 labs
– 1 CSIRT analyst for every 7,000 employees
7. Out With The Old
The Old Way:
• You don’t know what you don’t know
• Buy and trust a SIEM to run canned reports
• Wait for updates from the vendor
• Try to edit/create custom reports
The New Way:
• Build your own collection infrastructure
• Data-centric approach
• Build your own reports
• Research your own intelligence
• Operationalize and optimize!
8. playbook |ˈplāˌbŏk|
(noun)
A prescriptive collection of repeatable queries (reports) against security event data sources that lead to incident detection and response.
Analyze: SIEM
10. Hunting: Build a Query – Find Bad Stuff
• Start with the obvious and simple:
index=wsa earliest=-24h x_wbrs_score=ns
English translation: Splunk, look at our web proxy logs over the past 24 hours, and give me all the web sites (objects) that had no known reputation score.
11. Hunting: Build a Query – Find Bad Stuff
index=wsa earliest=-24h x_wbrs_score=ns
Let me stop you right there…
12. Hunting: Build a Query – Find Bad Stuff
• Filter based on unique attributes:
index=wsa earliest=-24h x_wbrs_score=ns | where isnull(cs_referer)
English translation: Splunk, look at our web proxy logs over the past 24 hours, and give me all the web sites (objects) that had no known reputation score, and there was no HTTP referrer.
13. Hunting: Build a Query – Find Bad Stuff
index=wsa earliest=-24h x_wbrs_score=ns | where isnull(cs_referer)
Ok getting better, sort of…
14. Hunting: Build a Query – Find Bad Stuff
• Filter, refine, filter, refine:
index=wsa earliest=-24h application/x-dosexec ns GET 200 x_wbrs_score=ns cs_method=GET sc_http_status=200 cs_mime_type=application/x-dosexec (java OR MSIE) NOT (mirror OR cdn) | where isnull(cs_referer)
English translation: Splunk, query our web proxy logs over the past 24 hours, and give me all the web sites (objects) that had no known reputation score, and there was no HTTP referrer, where either Java or Internet Explorer successfully downloaded an executable file from a site that didn’t have ‘mirror’ or ‘CDN’ in the URL.
15. Hunting: Build a Query – Find Bad Stuff
Here we go!
index=wsa earliest=-24h application/x-dosexec ns GET 200 x_wbrs_score=ns cs_method=GET sc_http_status=200 cs_mime_type=application/x-dosexec (java OR MSIE) NOT (mirror OR cdn) | where isnull(cs_referer)
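The refinement on slides 10 through 15 is a funnel: each added term should cut the candidate set further while keeping the interesting events. The following Python is an added example, not part of the deck, that replays the three stages of that query over a constructed set of WSA-style events (dicts keyed by the Splunk field names the slides use). It assumes that "java" and "MSIE" are matched against the user agent and "mirror"/"cdn" against the URL, and it treats a missing referrer as null; all hosts and paths are made up.

```python
from datetime import datetime, timedelta

# Fixed "now" so the earliest=-24h window is deterministic (assumption for the sample).
NOW = datetime(2024, 1, 15, 12, 0, 0)


def _ev(hours_ago, score, referer, ua, url, method="GET", status=200,
        mime="application/x-dosexec"):
    """Build one constructed WSA-style event using Splunk's field names."""
    return {
        "_time": NOW - timedelta(hours=hours_ago),
        "x_wbrs_score": score,      # "ns" = no reputation score
        "cs_referer": referer,      # None models a missing referrer
        "cs_method": method,
        "sc_http_status": status,
        "cs_mime_type": mime,
        "cs_user_agent": ua,
        "cs_url": url,
    }


MSIE = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
JAVA = "Java/1.7.0_45"
CHROME = "Mozilla/5.0 (Windows NT 6.1) Chrome/30.0"

# Constructed sample data; none of these hosts or paths are real indicators.
SAMPLE_EVENTS = [
    _ev(1, "5.2", None, MSIE, "http://downloads.vendor.test/setup.exe"),          # known reputation
    _ev(3, "ns", None, MSIE, "http://198.51.100.23/dl/update.exe"),               # suspect
    _ev(2, "ns", "http://forum.test/t/1", MSIE, "http://198.51.100.23/dl/b.exe"),  # referrer present
    _ev(4, "ns", None, MSIE, "http://mirror.example.test/iso/tool.exe"),         # 'mirror' in URL
    _ev(5, "ns", None, CHROME, "http://203.0.113.9/x.exe"),                       # not Java/MSIE
    _ev(6, "ns", None, JAVA, "http://203.0.113.9/a.exe", mime="text/html"),       # not an executable
    _ev(30, "ns", None, JAVA, "http://203.0.113.77/old.exe"),                     # outside 24h window
    _ev(7, "ns", None, JAVA, "http://203.0.113.42/jre/pl.exe"),                   # suspect
]


def in_window(e, now=NOW, window=timedelta(hours=24)):
    """earliest=-24h"""
    return e["_time"] >= now - window


def stage1(e):
    """x_wbrs_score=ns"""
    return e["x_wbrs_score"] == "ns"


def stage2(e):
    """... | where isnull(cs_referer)   (assumes None/""/"-" all mean absent)"""
    return stage1(e) and e["cs_referer"] in (None, "", "-")


def stage3(e):
    """Full query: GET 200 of an executable by Java or IE, not from a mirror/CDN URL."""
    ua = e["cs_user_agent"].lower()    # Splunk free-text terms are case-insensitive
    url = e["cs_url"].lower()
    return (stage2(e)
            and e["cs_method"] == "GET"
            and e["sc_http_status"] == 200
            and e["cs_mime_type"] == "application/x-dosexec"
            and ("java" in ua or "msie" in ua)
            and not ("mirror" in url or "cdn" in url))


STAGES = [
    ("x_wbrs_score=ns", stage1),
    ("+ where isnull(cs_referer)", stage2),
    ("+ GET 200 x-dosexec (java OR MSIE) NOT (mirror OR cdn)", stage3),
]


def funnel(events, now=NOW):
    """Return (stage label, hit count) per stage so you can see each filter narrowing the set."""
    recent = [e for e in events if in_window(e, now)]
    return [(label, sum(1 for e in recent if pred(e))) for label, pred in STAGES]


def hunt(events, now=NOW):
    """The URLs the final query would hand to an analyst."""
    return [e["cs_url"] for e in events if in_window(e, now) and stage3(e)]


if __name__ == "__main__":
    for label, count in funnel(SAMPLE_EVENTS):
        print(f"{count:>3}  {label}")
    print("hits:", hunt(SAMPLE_EVENTS))
```

Running it prints the counts falling from 6 to 5 to 2 and the two suspect URLs; the point of `funnel()` is that, when you tune a play, you watch those numbers rather than eyeballing the raw result set.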
16. Gathering: Build a Query – Find Bad Stuff
If you can find or create a re-usable pattern, you can save a search, make a report, and automate!
17. Gathering: Build a Query – Find Bad Stuff
For example: this query will detect the Tracur click-fraud trojan:
index=wsa earliest=-6h@h m cs_url="*/m/*" MSIE (NOT (cs_referer="*")) | regex cs_url="^http://(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)/m/[A-Za-z0-9/+]{50,1000}$"
http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan%3aWin32%2fTracur
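The Tracur play works in two steps: a cheap prefilter (IE user agent, a `/m/` path, no referrer) and then a regex that only accepts a raw IPv4 host followed by `/m/` and a long run of base64-alphabet characters. The Python below is an added example, not the deck's code, that builds the same pattern and runs it over constructed URLs and events; the octet sub-pattern is copied from the slide, the dots between octets are escaped here, and the event fields follow the same Splunk names as the query.

```python
import re

# Octet pattern exactly as on the slide.
OCTET = r"(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"

# Raw IPv4 host, /m/ path, then 50-1000 base64-alphabet chars to end of URL.
TRACUR_URL = re.compile(
    r"^http://" + r"\.".join([OCTET] * 4) + r"/m/[A-Za-z0-9/+]{50,1000}$"
)


def is_tracur_url(url: str) -> bool:
    """True when the URL has the beacon shape the play looks for."""
    return TRACUR_URL.match(url) is not None


def find_tracur(events):
    """Mirror the SPL: MSIE term, no referrer, '/m/' in URL, then the regex."""
    hits = []
    for e in events:
        if "MSIE" not in e.get("cs_user_agent", ""):
            continue
        if e.get("cs_referer") not in (None, "", "-"):   # NOT (cs_referer="*")
            continue
        if "/m/" not in e.get("cs_url", ""):             # cs_url="*/m/*"
            continue
        if is_tracur_url(e["cs_url"]):
            hits.append(e["cs_url"])
    return hits


# Constructed test inputs; the addresses are documentation ranges, not real indicators.
PAYLOAD = "A" * 60                                  # stands in for an encoded blob
BEACON = "http://203.0.113.5/m/" + PAYLOAD
NON_MATCHES = [
    "http://evil.example.test/m/" + PAYLOAD,        # hostname, not a raw IP
    "http://256.1.1.1/m/" + PAYLOAD,                # 256 is not a valid octet
    "http://203.0.113.5/m/" + "A" * 10,             # blob too short
    "http://203.0.113.5/m/" + PAYLOAD + "?x=1",     # query string breaks the anchor
    "http://203.0.113.5/media/" + PAYLOAD,          # wrong path prefix
]

MSIE = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
SAMPLE_EVENTS = [
    {"cs_user_agent": MSIE, "cs_referer": None, "cs_url": BEACON},
    {"cs_user_agent": MSIE, "cs_referer": "http://site.test/", "cs_url": BEACON},  # has referrer
    {"cs_user_agent": "Java/1.7.0_45", "cs_referer": None, "cs_url": BEACON},        # not IE
    {"cs_user_agent": MSIE, "cs_referer": None, "cs_url": NON_MATCHES[0]},
]

if __name__ == "__main__":
    print("beacon matches:", is_tracur_url(BEACON))
    print("false positives:", [u for u in NON_MATCHES if is_tracur_url(u)])
    print("event hits:", find_tracur(SAMPLE_EVENTS))
```

Keeping the prefilter before the regex matters in Splunk for cost (indexed terms narrow the set before the per-event regex runs) and in the Python for the same reason; the negative cases show why the escaped dot and the `$` anchor belong in the pattern.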
18. Do It Yourself
Once you have:
• Solid, repeatable, saved searches
• Research and intelligence gathering
• Consistent handling procedures
• Documentation and tuning
You have your own SIEM, running in Splunk, and completely custom to your organization.
Trying to protect?
– infrastructure
– intellectual property
– customer and employee data
– brand reputation
What are the threats?
– Malware gone wild
– Targeted attacks
– Rogue insiders
– Mismanagement
How do I discover them?
– Security monitoring
– Logging and event retrieval
– Operational intelligence
How do we respond?
– IR process
– Identification
– Isolation
– Remediation
– Lots of sensors
– Defense in depth
– Log collection
– Log analysis
Old Way (SIEM approach, and our early v1 approach with Splunk):
– Dependent upon vendors to write queries for you, or on a magic box or algorithm that will find it all
– Tuning can be an issue within a SIEM if you can’t do it from the event source itself (i.e. the wheat-from-chaff problem)
New Way (data-centric playbook approach using log data and Splunk, v2):
– Flexible and easily adaptable for updates and tactical changes
– Totally custom up front, but work savings after plays are operationalized
– Topical, relevant, and current research can be deployed quickly, even as a simple test for a larger operation
In terms of Incident Response a playbook is….
Cisco indexes between 150 and 300 Gb of WSA data per day