LK Inhouse SOC — команда, задачи, грабли

•

1 j'aime•182 vues

Positive Hack Days

В рамках секции: Эволюция SOC — 2017: план развития

Technologie

INSIDE KL SOC
POSITIVE HACK DAYS, MAY 2017
Sergey Soldatov, Head of SOC

SCOPE
• Monitoring (Alerting)
• Vulnerability
assessment
• Incident management
• …
Infosecrisks
Automotive
toolsService
Residualrisk
Prevention
Alerting
(SOC)
Threat
hunting
Threat hunting
KLscope
KMPservuce
Customer
operation security

Detect
scenarios
Evidence
collection
INCIDENT LIFECYCLE
Goals
Priorities
Scenarios
deployment
Detection
Data
analysis
Validation
Categorization
Prioritization
Live response
Memory
dump
Disk dump
Malware analysis
Live response
analysis
Forensic
examination
Network
forensics
Host forensics
Incident Response
Digital forensics,
Malware analysis
(respond)
Threat intelligence
TI, Security assessment
(prepare)
Threat Hunting
SOC process
(unknown & non-
malware attacks)
Prevent & Monitoring
Tools, SOC
(known attacks)

DF LAB
Search for sample
Play sample
Ask AMR for analysis

Duqu
miniFlame
Gauss
Icefog
NetTraveler
Miniduke
RedOctober
2010
Sofacy
Carbanak
Desert
Falcons
Equation
Naikon
Hellsing
TeamSpy
Duqu 2.0
Animal Farm
Kimsuky
Stuxnet Flame2011 2012 2013 2014
GREAT APT INTELLIGENCE
8
APT campaign early warning
3-5 reports/month
Targeted attacks TTP
Insight into non-public APTs
Retrospective analysis
Continuous APT campaign monitoring
MRTI
IoC (Open IOC/yara)
Campaign artifacts
Darkhotel
– part 2.
MsnMM
Compaigns
Satellite
Turla
Wild Neutron
Blue Termite
Spring Dragon

INTERNAL REDTEAMING
Test modern TTP detection and investigation
‘Lessons learned’ after each pentest

LEVELS OF DETECTION
Data
 All AM Detects
 Process
behavior
 OS events
Micro correlation on EP level:
 All EP detection technologies
 Reputation
Macro correlation, hypotheses:
 All TTP knowledge:
 Internal research GReAT, TARG, SOC, SSR
 Security assessment (red team)
 Incident response (DF, MA, IR)
 Monitoring practice
Additionalnotificationsifrequired

INTERNAL SERVICE LINES
Project 1 Project 2 Project i
1st tier: 24x7 shift
RP1 RP2 RPi
2nd tier: Responsible for project
3rd tier: SOC research All SOC detects: Alerts &
Hunts
SOC detects customization
Hunts processing
Customer detects creation
Threat hunting
Alerts, hunts processing
Infrastructure
maintenance
Infrastructure
development
Reporting &
Client
management
KL internal research &
Infrastructure

QUESTIONS?
Sergey Soldatov, CISA, CISSP
Head of Security Operations Center

Recommandé

Machine Learning in Cyber Security Domain BGA Cyber Security

Challenges in Applying AI to Enterprise CybersecurityTahseen Shabab

How is ai important to the future of cyber security Robert Smith

One Year After WannaCry - Has Anything Changed? A Root Cause Analysis of Data...Forcepoint LLC

User Behavior Analytics And The Benefits To CompaniesSpectorsoft

Application of Machine Learning in Cyber SecurityDr. Umesh Rao.Hodeghatta

Steven Keil - BYODAWSCYW (Bring Your Own Device And Whatever Security Control...centralohioissa

IIC IoT Security Maturity Model: Description and Intended UseKaspersky

Recommandé

Machine Learning in Cyber Security Domain BGA Cyber Security

Challenges in Applying AI to Enterprise CybersecurityTahseen Shabab

How is ai important to the future of cyber security Robert Smith

One Year After WannaCry - Has Anything Changed? A Root Cause Analysis of Data...Forcepoint LLC

User Behavior Analytics And The Benefits To CompaniesSpectorsoft

Application of Machine Learning in Cyber SecurityDr. Umesh Rao.Hodeghatta

Steven Keil - BYODAWSCYW (Bring Your Own Device And Whatever Security Control...centralohioissa

IIC IoT Security Maturity Model: Description and Intended UseKaspersky

AI cybersecurityShauryaGupta38

[CB16] Using the CGC’s fully automated vulnerability detection tools in secur...CODE BLUE

Cyber Defense Matrix: ReloadedSounil Yu

Distributed Immutable Ephemeral - New Paradigms for the Next Era of SecuritySounil Yu

Black Hat USA 2015: A Visual Snapshot of Security Threats, Trends and IdeasTripwire

Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...Sounil Yu

AI for security or security for AI - Sergey GordeychikSergey Gordeychik

IBM Cyber Threat AnalysisIBM Government

Understanding the "Intelligence" in AIForcepoint LLC

Lessons Learned in Automated Decision Making / How to Delay Building SkynetSounil Yu

Operational Security IntelligenceSplunk

The Resilient End-of-Year Review: The Top Cyber Security Trends in 2018 and P...IBM Security

SC Magazine eSymposium: SIEMEmulex Corporation

The Incident Response Playbook for Android and iOSPriyanka Aash

Two-factor authentication- A sample writing _ZamanAsad Zaman

The Security Challenge: What's Next?Cognizant

[CB16] Keynote: How much security is too much? by Karsten NohlCODE BLUE

What i learned at issa international summit 2019Ulf Mattsson

Soc and siem and threat huntingVikas Jain

Thwarting the Insider Threat: Developing a Robust “Defense in Depth” Data Los...EC-Council

ESET on cybersecurity.SOCIALware Benelux

Reducing cyber risks in the era of digital transformationSergey Soldatov

Contenu connexe

Tendances

AI cybersecurityShauryaGupta38

[CB16] Using the CGC’s fully automated vulnerability detection tools in secur...CODE BLUE

Cyber Defense Matrix: ReloadedSounil Yu

Distributed Immutable Ephemeral - New Paradigms for the Next Era of SecuritySounil Yu

Black Hat USA 2015: A Visual Snapshot of Security Threats, Trends and IdeasTripwire

Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...Sounil Yu

AI for security or security for AI - Sergey GordeychikSergey Gordeychik

IBM Cyber Threat AnalysisIBM Government

Understanding the "Intelligence" in AIForcepoint LLC

Lessons Learned in Automated Decision Making / How to Delay Building SkynetSounil Yu

Operational Security IntelligenceSplunk

The Resilient End-of-Year Review: The Top Cyber Security Trends in 2018 and P...IBM Security

SC Magazine eSymposium: SIEMEmulex Corporation

The Incident Response Playbook for Android and iOSPriyanka Aash

Two-factor authentication- A sample writing _ZamanAsad Zaman

The Security Challenge: What's Next?Cognizant

[CB16] Keynote: How much security is too much? by Karsten NohlCODE BLUE

What i learned at issa international summit 2019Ulf Mattsson

Soc and siem and threat huntingVikas Jain

Thwarting the Insider Threat: Developing a Robust “Defense in Depth” Data Los...EC-Council

Tendances (20)

AI cybersecurity

[CB16] Using the CGC’s fully automated vulnerability detection tools in secur...

Cyber Defense Matrix: Reloaded

Distributed Immutable Ephemeral - New Paradigms for the Next Era of Security

Black Hat USA 2015: A Visual Snapshot of Security Threats, Trends and Ideas

Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...

AI for security or security for AI - Sergey Gordeychik

IBM Cyber Threat Analysis

Understanding the "Intelligence" in AI

Lessons Learned in Automated Decision Making / How to Delay Building Skynet

Operational Security Intelligence

The Resilient End-of-Year Review: The Top Cyber Security Trends in 2018 and P...

SC Magazine eSymposium: SIEM

The Incident Response Playbook for Android and iOS

Two-factor authentication- A sample writing _Zaman

The Security Challenge: What's Next?

[CB16] Keynote: How much security is too much? by Karsten Nohl

What i learned at issa international summit 2019

Soc and siem and threat hunting

Thwarting the Insider Threat: Developing a Robust “Defense in Depth” Data Los...

Similaire à LK Inhouse SOC — команда, задачи, грабли

ESET on cybersecurity.SOCIALware Benelux

Reducing cyber risks in the era of digital transformationSergey Soldatov

Understanding the Threat Landscape by SOPHOSNetpluz Asia Pte Ltd

Cyber Crime / Cyber Secuity Testing Architecture by MRITYUNJAYA HIKKALGUTTI (...MrityunjayaHikkalgut1

sophos-intercept-x-license-guide.pdfSurendranadhaReddy1

Revolutionizing Advanced Threat ProtectionBlue Coat

Splunk for Enterprise Security featuring UBA Splunk

This is Next-GenSophos Benelux

Malware AnalysisRamin Farajpour Cami

The Hacking Games - Operation System Vulnerabilities Meetup 29112022lior mazor

Infosecurity Europe 2016: Operationalizing Threat IntelligenceSplunk

[CONFidence 2016] Jacek Grymuza - From a life of SOC Analyst PROIDEA

McAfee - Enterprise Security Manager (ESM) - SIEMIftikhar Ali Iqbal

SplunkLive! Paris 2018: Use Splunk for Incident Response, Orchestration and A...Splunk

Defining DevSecOpsUchit Vyas ☁

LIFT OFF 2017: Transforming SecurityRobert Herjavec

CSF18 - Incident Response in the Cloud - Yuri DiogenesNCCOMMS

Elastic Security: Your one-stop OODA loop shopElasticsearch

TalosMuhammad ilyas

PLNOG19 - Gaweł Mikołajczyk & Michał Garcarz - SOC, studium ciężkich przypadkówPROIDEA

Similaire à LK Inhouse SOC — команда, задачи, грабли (20)

ESET on cybersecurity.

Reducing cyber risks in the era of digital transformation

Understanding the Threat Landscape by SOPHOS

Cyber Crime / Cyber Secuity Testing Architecture by MRITYUNJAYA HIKKALGUTTI (...

sophos-intercept-x-license-guide.pdf

Revolutionizing Advanced Threat Protection

Splunk for Enterprise Security featuring UBA

This is Next-Gen

Malware Analysis

The Hacking Games - Operation System Vulnerabilities Meetup 29112022

Infosecurity Europe 2016: Operationalizing Threat Intelligence

[CONFidence 2016] Jacek Grymuza - From a life of SOC Analyst

McAfee - Enterprise Security Manager (ESM) - SIEM

SplunkLive! Paris 2018: Use Splunk for Incident Response, Orchestration and A...

Defining DevSecOps

LIFT OFF 2017: Transforming Security

CSF18 - Incident Response in the Cloud - Yuri Diogenes

Elastic Security: Your one-stop OODA loop shop

Talos

PLNOG19 - Gaweł Mikołajczyk & Michał Garcarz - SOC, studium ciężkich przypadków

Plus de Positive Hack Days

Инструмент ChangelogBuilder для автоматической подготовки Release NotesPositive Hack Days

Как мы собираем проекты в выделенном окружении в Windows DockerPositive Hack Days

Типовая сборка и деплой продуктов в Positive TechnologiesPositive Hack Days

Аналитика в проектах: TFS + QlikPositive Hack Days

Использование анализатора кода SonarQubePositive Hack Days

Развитие сообщества Open DevOps CommunityPositive Hack Days

Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Positive Hack Days

Автоматизация построения правил для ApproofPositive Hack Days

Мастер-класс «Трущобы Application Security»Positive Hack Days

Формальные методы защиты приложенийPositive Hack Days

Эвристические методы защиты приложенийPositive Hack Days

Теоретические основы Application SecurityPositive Hack Days

От экспериментального программирования к промышленному: путь длиной в 10 летPositive Hack Days

Уязвимое Android-приложение: N проверенных способов наступить на граблиPositive Hack Days

Требования по безопасности в архитектуре ПОPositive Hack Days

Формальная верификация кода на языке СиPositive Hack Days

Механизмы предотвращения атак в ASP.NET CorePositive Hack Days

SOC для КИИ: израильский опытPositive Hack Days

Honeywell Industrial Cyber Security Lab & Services CenterPositive Hack Days

Credential stuffing и брутфорс-атакиPositive Hack Days

Plus de Positive Hack Days (20)

Инструмент ChangelogBuilder для автоматической подготовки Release Notes

Как мы собираем проекты в выделенном окружении в Windows Docker

Типовая сборка и деплой продуктов в Positive Technologies

Аналитика в проектах: TFS + Qlik

Использование анализатора кода SonarQube

Развитие сообщества Open DevOps Community

Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...

Автоматизация построения правил для Approof

Мастер-класс «Трущобы Application Security»

Формальные методы защиты приложений

Эвристические методы защиты приложений

Теоретические основы Application Security

От экспериментального программирования к промышленному: путь длиной в 10 лет

Уязвимое Android-приложение: N проверенных способов наступить на грабли

Требования по безопасности в архитектуре ПО

Формальная верификация кода на языке Си

Механизмы предотвращения атак в ASP.NET Core

SOC для КИИ: израильский опыт

Honeywell Industrial Cyber Security Lab & Services Center

Credential stuffing и брутфорс-атаки

Dernier

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra

Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays

Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Orbitshub

AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin

presentation ICT roal in 21st century educationjfdjdjcjdnsjd

Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...apidays

[BuildWithAI] Introduction to Gemini.pdfSandro Moreira

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays

Exploring Multimodal Embeddings with MilvusZilliz

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10

CNIC Information System with Pakdata Cf In Pakistandanishmna97

Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1

WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2

DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity

Vector Search -An Introduction in Oracle Database 23ai.pptxRemote DBA Services

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea

Apidays New York 2024 - The value of a flexible API Management solution for O...apidays

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz

Dernier (20)

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving

Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...

Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...

AWS Community Day CPH - Three problems of Terraform

presentation ICT roal in 21st century education

Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...

[BuildWithAI] Introduction to Gemini.pdf

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

Exploring Multimodal Embeddings with Milvus

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

CNIC Information System with Pakdata Cf In Pakistan

Boost Fertility New Invention Ups Success Rates.pdf

WSO2's API Vision: Unifying Control, Empowering Developers

DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam

Vector Search -An Introduction in Oracle Database 23ai.pptx

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024

Apidays New York 2024 - The value of a flexible API Management solution for O...

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...

LK Inhouse SOC — команда, задачи, грабли

1. INSIDE KL SOC POSITIVE HACK DAYS, MAY 2017 Sergey Soldatov, Head of SOC

2. SCOPE • Monitoring (Alerting) • Vulnerability assessment • Incident management • … Infosecrisks Automotive toolsService Residualrisk Prevention Alerting (SOC) Threat hunting Threat hunting KLscope KMPservuce Customer operation security

3. Detect scenarios Evidence collection INCIDENT LIFECYCLE Goals Priorities Scenarios deployment Detection Data analysis Validation Categorization Prioritization Live response Memory dump Disk dump Malware analysis Live response analysis Forensic examination Network forensics Host forensics Incident Response Digital forensics, Malware analysis (respond) Threat intelligence TI, Security assessment (prepare) Threat Hunting SOC process (unknown & non- malware attacks) Prevent & Monitoring Tools, SOC (known attacks)

4. TI: AUTODETECT INFRASTRUCTURE PRODUCT

5. DF LAB Search for sample Play sample Ask AMR for analysis

6. SEARCH FOR INFO Hash URL IP Verdict

7. Duqu miniFlame Gauss Icefog NetTraveler Miniduke RedOctober 2010 Sofacy Carbanak Desert Falcons Equation Naikon Hellsing TeamSpy Duqu 2.0 Animal Farm Kimsuky Stuxnet Flame2011 2012 2013 2014 GREAT APT INTELLIGENCE 8 APT campaign early warning 3-5 reports/month Targeted attacks TTP Insight into non-public APTs Retrospective analysis Continuous APT campaign monitoring MRTI IoC (Open IOC/yara) Campaign artifacts Darkhotel – part 2. MsnMM Compaigns Satellite Turla Wild Neutron Blue Termite Spring Dragon

8. INTERNAL REDTEAMING Test modern TTP detection and investigation ‘Lessons learned’ after each pentest

9. THE CONCEPT OF ‘HUNT’

10. LEVELS OF DETECTION Data  All AM Detects  Process behavior  OS events Micro correlation on EP level:  All EP detection technologies  Reputation Macro correlation, hypotheses:  All TTP knowledge:  Internal research GReAT, TARG, SOC, SSR  Security assessment (red team)  Incident response (DF, MA, IR)  Monitoring practice Additionalnotificationsifrequired

11. INTERNAL SERVICE LINES Project 1 Project 2 Project i 1st tier: 24x7 shift RP1 RP2 RPi 2nd tier: Responsible for project 3rd tier: SOC research All SOC detects: Alerts & Hunts SOC detects customization Hunts processing Customer detects creation Threat hunting Alerts, hunts processing Infrastructure maintenance Infrastructure development Reporting & Client management KL internal research & Infrastructure

12. QUESTIONS? Sergey Soldatov, CISA, CISSP Head of Security Operations Center