SOC training: How to teach the blind to drive
Kirill “isox” Ermakov, SOC in Russia IV, 2016
#:whoami
- QIWI Group CTO/CISO
- vulners.com founder
- Web penetration tester
- Member of “hall-of-fames” (Yandex, Mail.ru, Apple and so on)
- JBFC community participant
- Well-known integrator hater
One more time about the essentials
- Stop calling it a “SOC”. It’s security monitoring
- Some kind of collectors and correlation rules
- Pretty little monkeys tired of false positives (the “SOC team”)
- Some kind of a software for operations management
- Technical solution does not matter
The problem
Common mistakes
- Template usage
- Event overflow (system outage)
- Ignorance of its own architecture
- Lack of competence in hacking
- Faith in marketing bullshit
Perfect correlation rules out of the box
- ICMP timeouts
- Multiple login failures to the same destination (usually a domain controller)
- IRC chat protocol
- “Connect to a known botnet C&C” (usually a CDN)
- Excessive firewall accepts across multiple hosts
- Outbound connection to a foreign country/region
- Systems using many different protocols
Anomaly detection is useless unless you have:
- Asset management
- Stable product lifecycle
- Change management
- Documentation
- Network scheme with information flows
- Policies that are more than a sheet of paper
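To make the last two slides concrete, here is an added example (not from the talk and not QIWI's monitoring): the out-of-the-box “multiple login failures to the same destination” rule is run over constructed authentication events, and then the same events are judged with a hypothetical asset inventory in hand, where the destination is known to be a domain controller with a documented failure baseline. The log format, hosts, users, thresholds and the inventory are all made up for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication events in a made-up key=value format.
# Six different workstations each mistype a password against the DC
# (normal morning noise), then one host sprays five accounts at it.
SAMPLE_EVENTS = """\
2016-03-01T09:00:01 src=10.1.20.15 dst=10.0.0.5 user=alice result=FAIL
2016-03-01T09:00:09 src=10.1.20.16 dst=10.0.0.5 user=bob result=FAIL
2016-03-01T09:00:20 src=10.1.20.17 dst=10.0.0.5 user=carol result=FAIL
2016-03-01T09:00:31 src=10.1.20.18 dst=10.0.0.5 user=dave result=FAIL
2016-03-01T09:00:45 src=10.1.20.19 dst=10.0.0.5 user=erin result=FAIL
2016-03-01T09:00:58 src=10.1.20.20 dst=10.0.0.5 user=frank result=FAIL
2016-03-01T09:01:02 src=10.1.20.15 dst=10.0.0.5 user=alice result=OK
2016-03-01T09:30:00 src=10.1.20.15 dst=10.0.0.9 user=alice result=FAIL
2016-03-01T10:15:00 src=10.1.99.7 dst=10.0.0.5 user=administrator result=FAIL
2016-03-01T10:15:01 src=10.1.99.7 dst=10.0.0.5 user=backup result=FAIL
2016-03-01T10:15:02 src=10.1.99.7 dst=10.0.0.5 user=svc_sql result=FAIL
2016-03-01T10:15:03 src=10.1.99.7 dst=10.0.0.5 user=helpdesk result=FAIL
2016-03-01T10:15:04 src=10.1.99.7 dst=10.0.0.5 user=root result=FAIL
"""

# Hypothetical asset inventory: the context the slide above demands before
# any anomaly rule means anything. 10.0.0.9 is deliberately missing from it.
ASSETS = {
    "10.0.0.5": {"role": "domain_controller", "expected_fail_per_5min": 20},
}

LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) user=(\S+) result=(\S+)$")
WINDOW = timedelta(minutes=5)


def parse(text):
    """Parse the constructed log format; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, dst, user, result = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "dst": dst, "user": user, "result": result})
    return events


def _windowed_failures(events, key, threshold):
    """First 5-minute window in which `threshold` FAIL events share `key`.
    Returns {key: (timestamp_of_alert, count_in_window)}."""
    buckets = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            buckets[key(e)].append(e["ts"])
    hits = {}
    for k, times in buckets.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > WINDOW:
                start += 1
            if end - start + 1 >= threshold:
                hits[k] = (t, end - start + 1)
                break
    return hits


def naive_rule(events, threshold=5):
    """The out-of-the-box rule: N login failures to one destination in
    5 minutes, with no idea what the destination is."""
    return _windowed_failures(events, key=lambda e: e["dst"], threshold=threshold)


def asset_aware_rule(events, assets=ASSETS, per_source_threshold=5):
    """Same events, judged with the inventory in hand. Returns a list of
    (alert_type, subject, timestamp, count)."""
    alerts = []
    for dst in sorted({e["dst"] for e in events}):
        info = assets.get(dst)
        if info is None:
            # A host nobody documented is a monitoring gap, not a false positive.
            alerts.append(("unknown_asset", dst, None, 0))
            baseline = per_source_threshold
        else:
            baseline = info["expected_fail_per_5min"]
        dst_events = [e for e in events if e["dst"] == dst]
        # Per-destination volume only matters above the documented baseline.
        for _, (ts, n) in _windowed_failures(dst_events, lambda e: e["dst"],
                                             baseline + 1).items():
            alerts.append(("volume_above_baseline", dst, ts, n))
    # What an attacker actually looks like: one source, many failures.
    pair = lambda e: (e["src"], e["dst"])
    for (src, dst), (ts, n) in _windowed_failures(events, pair,
                                                  per_source_threshold).items():
        alerts.append(("single_source_failures", f"{src}->{dst}", ts, n))
    return alerts


if __name__ == "__main__":
    evs = parse(SAMPLE_EVENTS)
    print("naive:", naive_rule(evs))
    for a in asset_aware_rule(evs):
        print("asset-aware:", a)
```

On this data the naive rule fires at 09:00:45 on six unrelated typos against the domain controller and never distinguishes them from the 10:15 spray; the asset-aware version stays quiet on the typos, raises the single-source spray, and separately reports that 10.0.0.9 is a host missing from the inventory.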
What the hell are you looking for?
- Collecting every logged event is not only stupid but also very expensive
- Malicious activity as described by Certified Ethical Hackers
- Erotic fantasies of SIEM developers
- An infrastructure that does not actually match reality
Monitoring kiwi reservation
- Almost 3 years of monitoring
- Svetlana “Mona” Arkhipova as gamekeeper
- IBM QRadar as log collector
- IBM Guardium for the DB
- IBM XGS + StoneGate for the network
- Verdasys Digital Guardian for the OS
- OSSEC as HIDS
- Something like 3000 kiwis in the wild
- And many other wild animals
SOC KPIs
- All those CISSP-style recommendations are outdated
- There is no need to measure garbage like:
  - Resolution time
  - Number of employee certifications
  - Total count of incidents
- You need to know its real efficiency
- One metric: ratio of registered attacks to performed attacks
Sidestep: Penetration testing
- I hope I don't need to explain what it is and what it is for
- In case of dramatic sclerosis:
  - Independent security audit
  - Simulated hacker attempts
  - Fast and dirty assessment
- Activity in three separate fields:
  - Perimeter
  - Internal network
  - Social
About the classic approach
Red team exercise
- Reinventing the wheel, this time with SOC realities
- Survival game
- As close as possible to the real world hacking
- Challenge between the offensive and defensive lords
Basic rules
- Game lasts until victory
- Only the CISO has the “red stop button”. If he presses it, the red team wins
- No restrictions on the attack surface or methods
- Worst scenario for the blue team:
  - Insider with tech expertise
  - No daytime limits
  - Device hijacking allowed
  - Drop-ins are welcome
  - Real-life field operations
  - Any social attacks
Team “Red”
- Cooperation of d0znpp with the ONSEC team + BeLove with the DSEC team
- Target: get access to any sensitive information
- Must record all their actions in the timeline table
- Perfectly balanced pool of skills
Team “Blue”
- QIWI security team
- Target: defend your home
- KPI: register at least 80% of the attacks
One slide for the results
- 3 months of hell
- Red team won
- Approx. 70% of attacks were registered
- Gained access to the security team laptop
- Disappointment in all the security toys
- Lots of black holes in the monitoring
- More in my ZeroNights 2015 presentation
Let’s get back to the SOC
- Correlate the attack table with the monitoring results
- Real attack = real vectors
- Now teach your systems to detect them
- Not enough? Build a honeypot and monitor it to create patterns
- Try to hack yourself if you can
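The correlation of the red team's attack table with the monitoring results (this slide), the single KPI from the SOC KPIs slide, and the blue team's 80% target, as an added example that is not from the talk and not QIWI's tooling: a constructed red-team timeline and a constructed SIEM alert export are matched by target label and time window, giving the registered/performed ratio, the list of black holes, and the alerts that matched nothing. Every timestamp, vector, target label and rule name is invented; matching on an exact target label with 15 minutes of slack for alert latency is an assumption of this example.

```python
from datetime import datetime, timedelta

# Constructed red-team timeline table (the record every action must go
# into). Columns: start, end, vector, target label.
RED_TEAM_TIMELINE = [
    ("2015-09-01 10:00", "2015-09-01 10:40", "external_port_scan", "perimeter"),
    ("2015-09-01 11:00", "2015-09-01 11:05", "phishing_email", "hr-mailbox"),
    ("2015-09-02 14:00", "2015-09-02 14:30", "sqli_web_app", "payment-web"),
    ("2015-09-03 09:00", "2015-09-03 09:10", "usb_drop", "office-lobby"),
    ("2015-09-05 22:00", "2015-09-06 01:00", "lateral_movement_smb", "office-lan"),
    ("2015-09-08 13:00", "2015-09-08 13:15", "db_dump", "cardholder-db"),
    ("2015-09-10 19:00", "2015-09-10 19:30", "laptop_theft", "sec-team-laptop"),
]

# Constructed SIEM alert export. Columns: timestamp, rule name, target label.
SIEM_ALERTS = [
    ("2015-09-01 10:07", "Port scan from single source", "perimeter"),
    ("2015-09-01 11:02", "Phishing reported by user", "hr-mailbox"),
    ("2015-09-02 14:12", "WAF: SQL injection pattern", "payment-web"),
    ("2015-09-04 08:00", "ICMP timeout", "core-switch"),
    ("2015-09-05 23:40", "Admin share access from workstation", "office-lan"),
    ("2015-09-08 13:05", "Bulk SELECT on cardholder table", "cardholder-db"),
]

FMT = "%Y-%m-%d %H:%M"


def _ts(s):
    return datetime.strptime(s, FMT)


def correlate(timeline, alerts, slack=timedelta(minutes=15)):
    """Match each red-team action with the alerts on the same target label
    that fall inside the action window widened by `slack` (alert latency).
    Returns [((vector, target), [matching alert tuples]), ...] in timeline order."""
    rows = []
    for start, end, vector, target in timeline:
        lo, hi = _ts(start) - slack, _ts(end) + slack
        matched = [a for a in alerts if a[2] == target and lo <= _ts(a[0]) <= hi]
        rows.append(((vector, target), matched))
    return rows


def detection_ratio(rows):
    """The one metric: registered attacks / performed attacks."""
    if not rows:
        return 0.0
    return sum(1 for _, matched in rows if matched) / len(rows)


def black_holes(rows):
    """Vectors the monitoring never saw: what to build detections for next."""
    return [vector for (vector, _), matched in rows if not matched]


def noise_alerts(timeline, alerts, slack=timedelta(minutes=15)):
    """Alerts that matched no red-team action during the exercise."""
    matched = set()
    for _, hits in correlate(timeline, alerts, slack):
        matched.update(hits)
    return [a for a in alerts if a not in matched]


def blue_team_passed(rows, kpi=0.8):
    """The blue-team KPI: at least 80% of attacks registered."""
    return detection_ratio(rows) >= kpi


if __name__ == "__main__":
    rows = correlate(RED_TEAM_TIMELINE, SIEM_ALERTS)
    print(f"registered {detection_ratio(rows):.0%} of attacks, "
          f"KPI met: {blue_team_passed(rows)}")
    print("black holes:", black_holes(rows))
    print("unmatched alerts:", [a[1] for a in noise_alerts(RED_TEAM_TIMELINE, SIEM_ALERTS)])
```

With the constructed data 5 of 7 actions are registered (about 71%, below the 80% KPI), the physical vectors (usb_drop, laptop_theft) are the black holes, and the only alert that matched nothing is the ICMP timeout, which is exactly the kind of out-of-the-box rule the earlier slide warns about.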
Teaching your SOC to defend
- Practice. Only practice.
- Don't be lazy! Simulate attacks, perform pentests
- There is no magic configuration that suits everyone
- Get an experienced team with at least one hacker in it
- Don't expect it to save you
- Sometimes good compliance management shows better results
That’s all. Questions?
- As usual thanks to my team for the great performance and endurance.
- Join us at the defensive section of the ZeroNights 2016
See ya!