Ausgewildert: vom Rookie zum CyberSecurity Analyst
Cyber Simulation Range
Andreas Günther // Managing Analyst & CDC Team Lead // SecureLink Germany
THE ISH PROJECT
TRAINING SPACE: There are 4 fully equipped training rooms that provide the opportunity to develop and test skills in a range of IT Security and aviation-specific topics.
LAB AREA: An essential part of the ISH is to provide a great lab environment to train the security experts of tomorrow. The lab enables us to provide not only theoretical training classes, but also to incorporate a great deal of hands-on experience into the learning process.
EVENT HALL, FOUR TRAINING ROOMS AND AN EXTENDED LAB ENVIRONMENT FOR HANDS-ON TRAINING SESSIONS.
EVENT HALL: The brand new auditorium seats 120 people with the goal of sharing knowledge and hands-on learning. In addition to high-level presentations, it hosts tinkering with typical airport infrastructure in IT, OT and communication.
"Our vision is to provide a next-generation, immersive training facility for the education of first-class IT security experts."
Where do traditional training methods fail? What has to be avoided to accomplish a successful training?
• Boring PowerPoint presentations for endless hours
• Outdated frontal teaching instead of hands-on training
• Restricted to products/vendors
• Often outdated rather than realistic attack scenarios
• Trainers are not experienced analysts
• No metric to measure individual/team progress
26.04.2018 4
How can we do better?
…by joining forces to gather bundled security expertise!
Who are the players within ISH?
FMG (Flughafen München GmbH), incorporated in 1949, operates Munich Airport, which opened at its present site on May 17, 1992. It is jointly owned by the Free State of Bavaria (51 percent), the Federal Republic of Germany (26 percent) and the city of Munich (23 percent). The FMG corporate group, with its 15 subsidiaries, employs more than 9,000 people. With a total workforce of about 35,000, employed by about 550 companies, Munich Airport is one of Bavaria's largest workplaces. Within just a few years of opening, Munich Airport developed into a major air transportation hub and was firmly established as one of Europe's 10 busiest airports. Munich Airport now offers connections to more than 250 destinations all over the world. In 2016, Bavaria's gateway to the world handled approximately 400,000 flights with over 42 million passengers. Bavaria's gateway to the world became the first – and is so far the only – airport in Europe to be honored with the prestigious title of "5-Star Airport" by the London-based Skytrax Institute.
iT-CUBE SYSTEMS is a full-service provider for IT security. Our team consists of highly qualified, experienced and committed strategic consultants, technology experts and security analysts. All have one thing in common: an exceptional sense for future-proof technology trends. We focus our work on the German-speaking countries. Since January 2017 iT-CUBE is a member of SecureLink Group, one of Europe's leading IT security providers. SecureLink operates in 9 European countries with 16 headquarters. The group owns 5 local Cyber Defence Centers (CDC) and 4 Network Operation Centers (NOC) with 24x7x365 support. We offer a comprehensive service and solution portfolio with knowledge from more than 625 security, IT and network specialists, based on leading security solutions from top producers.
ERNW Insight GmbH is a subsidiary of Heidelberg-based ERNW GmbH, which specializes in different areas of IT Security. We work alongside the ERNW family (ERNW GmbH, ERNW Research, and ERNW Security Tools), which focuses on penetration testing, security assessments as well as cutting-edge research and software development, to bring knowledge of IT Security topics to the world. Through trainings, events, conferences (such as TROOPERS), and e-learning in a wide range of IT Security topics, Insight reaches its main goal of providing first-class IT Security know-how.
HvS-Consulting is a Munich-based Cyber Security specialist. Our core competencies include consulting for Information Security Management / ISO 270xx / critical infrastructures, simulated industrial espionage attacks with social engineering, as well as Incident Response & IT Forensics in case of an attack. Furthermore, we impart security know-how: coaching for security experts, training of IT staff and creating security awareness for information and data protection among managers & employees. For additional information please visit www.hvs-consulting.de.
What does ISH offer? https://infosec-hub.de/en/events/
• BUSINESS CONTINUITY MANAGEMENT FOR CRITICAL INFRASTRUCTURE
• EMERGENCY MANAGEMENT DRILLS FOR CRITICAL INFRASTRUCTURES
• …
• CSR101 – ISH Certificate "Security Incident Analyst - Level 1"
• CSR102 – ISH Certificate "Security Incident Analyst - Level 2"
• CSR103 – Cyber War Gaming
• …
• HACKING 101
• IOT – SECURE DESIGN AND OPERATION
Highlight of ISH: Cyber Simulation Range
Students defend against complex attacks in a hyper-realistic training environment.
• Efficiently detect, assess and respond to cyber threats in a real-world IT & OT environment
• Utilize the high-end CSR SOC technology stack and field-tested playbooks from experienced SOC analysts
• Enrich security event information using threat intelligence and automate/orchestrate IR measures
• Become acquainted with the latest threats and understand the attacker's motivation
• Slip into the roles of security analysts, incident responders, engineers – teamwork!
CSR: Structural model
[Diagram: blue team and red team, with a network traffic generator, an attack traffic generator and the trainer]
Red team:
• Implement malware
• Infect systems and accounts
• Exploit vulnerabilities
• Set up CnC botnets
• Exfiltrate or destroy data
• Sabotage production environments
Blue team:
• Detect and assess attack activity along the cyber kill chain
• Analyse and eradicate malware
• Detect and quarantine compromised accounts, systems and backdoors
• Implement active defense measures
• Restore compromised systems and get back to usual business
• React, communicate and coordinate in different SOC roles
Trainer:
• Lead through all use-cases
• Evaluate attack and defense activities
Enterprise IT/OT environment – use cases:
• Brute force attempt
• DNS Reconnaissance
• DoS/DDoS: DoS/DDoS attacks, 10,000 in 15 minutes
• Anti-virus failed to clean or quarantine
• Email with malicious attachment
• Database connections: unsuccessful connection attempts
• Excessive SMTP traffic outbound
• Excessive traffic inbound (streaming, web, etc.)
• Excessive port blocking attempts from endpoint protection
• Known exploit payload detected
• Logs deleted from source
• Suspicious traffic to known vulnerable host
• Unauthorized subnet access to confidential data
• Ransomware infection
• Sinkhole attack
• System Compromise: CnC communication
• System Compromise: Suspicious behavior
• Waterhole attack
• IRC connections preceded by server-initiated connection to dynamic hosts
• Login to sleeping account: Login attempt to account that was unused for last
• Admin Login Fail: 3 failed admin logins to any system within 24 hours
• Freq. Account Locked: Frequent account locked, 3 in 7 days [3/7d]
• Login 1 to many: Login attempt from 1 station to more than 2 accounts
• Login at off hours, Night: Admin login in non-working hours 22:00-06:00
• Login at off hours, Weekend: Admin login in non-working weekend hours Friday-Sunday
• Login Root: Login directly to root and not via "su"
• Multiple Account Locking: Multiple locked accounts from same source IP
• Multiple changes from administrative accounts
• Multiple infected hosts detected on a subnet (from your end-user protection solution)
• Same account, different countries within 5 days (user traveled abroad)
• SMTP traffic from an unauthorized host
• Privilege Elevation: Permissions were changed from user to Admin
• Threat Intel Feed: IoC detection
• Trojan infection
• Virus found
• Vulnerable software version detected
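Several of the use cases above are threshold rules with concrete parameters (Admin Login Fail, Freq. Account Locked, Login 1 to many, Login at off hours, Multiple Account Locking, Same account different countries). As an added illustration, not code from the slides or from the CSR SOC stack, the following Python evaluates those rules over a constructed authentication log. The key=value log format, the field names, reading the thresholds as "at least N events inside one sliding window", and flagging only successful admin logins for the off-hours rules are assumptions; the weekend window is Friday through Sunday exactly as the slide words it.

```python
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# Constructed authentication log in an invented key=value format (not from the slides).
# admin=1 marks privileged accounts; country defaults to DE when the field is absent.
SAMPLE_LOG = """\
2018-04-20T07:00:00 user=t.lang src=10.0.9.80 host=ws140 outcome=locked
2018-04-23T07:00:00 user=t.lang src=10.0.9.80 host=ws140 outcome=locked
2018-04-23T09:02:11 user=adm_meier src=10.0.5.12 host=dc01 outcome=failure admin=1
2018-04-23T09:02:40 user=adm_meier src=10.0.5.12 host=dc01 outcome=failure admin=1
2018-04-23T09:03:05 user=adm_meier src=10.0.5.12 host=fs02 outcome=failure admin=1
2018-04-23T09:03:30 user=adm_meier src=10.0.5.12 host=dc01 outcome=success admin=1
2018-04-24T08:00:00 user=j.schmidt src=10.0.9.77 host=ws113 outcome=failure
2018-04-24T08:00:05 user=k.wagner src=10.0.9.77 host=ws113 outcome=failure
2018-04-24T08:00:09 user=l.becker src=10.0.9.77 host=ws113 outcome=locked
2018-04-24T08:00:14 user=m.fischer src=10.0.9.77 host=ws113 outcome=locked
2018-04-24T23:41:00 user=adm_huber src=10.0.5.40 host=dc01 outcome=success admin=1
2018-04-25T14:10:00 user=s.braun src=10.0.3.21 host=mail01 outcome=success country=DE
2018-04-26T07:00:00 user=t.lang src=10.0.9.80 host=ws140 outcome=locked
2018-04-27T03:30:00 user=s.braun src=198.51.100.7 host=vpn01 outcome=success country=BR
2018-04-28T10:15:00 user=adm_huber src=10.0.5.40 host=dc01 outcome=success admin=1
"""

# outcome is "success", "failure" or "locked"; src is the source station / IP
AuthEvent = namedtuple("AuthEvent", "ts user src host outcome admin country")

def parse_log(text):
    """Parse the constructed key=value lines into AuthEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *kvs = line.split()
        f = dict(kv.split("=", 1) for kv in kvs)
        events.append(AuthEvent(datetime.fromisoformat(ts), f["user"], f["src"], f["host"],
                                f["outcome"], f.get("admin") == "1", f.get("country", "DE")))
    return events

def burst(stamps, n, window):
    """True if any n timestamps fall inside one sliding window of the given length."""
    stamps = sorted(stamps)
    return any(stamps[i + n - 1] - stamps[i] <= window for i in range(len(stamps) - n + 1))

def bursts_per_user(events, pred, n, window):
    """Users with n matching events inside one window (the [N/period] style rules)."""
    stamps = defaultdict(list)
    for e in events:
        if pred(e):
            stamps[e.user].append(e.ts)
    return sorted(u for u, ts in stamps.items() if burst(ts, n, window))

def distinct_per_source(events, pred, more_than):
    """Sources whose matching events touch more than `more_than` distinct accounts."""
    accounts = defaultdict(set)
    for e in events:
        if pred(e):
            accounts[e.src].add(e.user)
    return sorted(s for s, users in accounts.items() if len(users) > more_than)

def admin_off_hours(events):
    """Login at off hours: successful admin logins 22:00-06:00 or Friday-Sunday."""
    hits = []
    for e in events:
        if e.admin and e.outcome == "success":
            night = e.ts.hour >= 22 or e.ts.hour < 6
            weekend = e.ts.weekday() >= 4  # Monday=0 ... Friday=4, Saturday=5, Sunday=6
            if night or weekend:
                hits.append((e.user, e.ts.isoformat(), "night" if night else "weekend"))
    return hits

def same_account_different_countries(events, window=timedelta(days=5)):
    """Same account logging in successfully from different countries within the window."""
    seen = defaultdict(list)
    for e in events:
        if e.outcome == "success":
            seen[e.user].append((e.ts, e.country))
    hits = set()
    for user, logins in seen.items():
        logins.sort()
        for i, (t1, c1) in enumerate(logins):
            # compare only against later logins that are still inside the window
            if any(c2 != c1 for t2, c2 in logins[i + 1:] if t2 - t1 <= window):
                hits.add(user)
    return sorted(hits)

def run_rules(text):
    """Apply every rule to a log text and return the findings per rule name."""
    events = parse_log(text)
    return {
        # Admin Login Fail: 3 failed admin logins to any system within 24 hours
        "admin_login_fail": bursts_per_user(events, lambda e: e.admin and e.outcome == "failure",
                                            3, timedelta(hours=24)),
        # Freq. Account Locked: the same account locked 3 times in 7 days
        "frequent_account_locked": bursts_per_user(events, lambda e: e.outcome == "locked",
                                                   3, timedelta(days=7)),
        # Login 1 to many: one station attempting logins to more than 2 accounts
        "login_one_to_many": distinct_per_source(events, lambda e: True, 2),
        # Multiple Account Locking: several accounts locked from the same source IP
        "multiple_account_locking": distinct_per_source(events, lambda e: e.outcome == "locked", 1),
        "admin_off_hours": admin_off_hours(events),
        "same_account_different_countries": same_account_different_countries(events),
    }
```

Running `run_rules(SAMPLE_LOG)` flags adm_meier (three failures inside a minute), t.lang (three lockouts in six days), station 10.0.9.77 (four accounts tried, two of them locked), adm_huber's night and Saturday logins, and s.braun's DE-to-BR switch within two days. The sliding window in `burst` is what keeps a rule like [3/7d] from missing events that straddle a calendar-day boundary, which a naive "per day" count would.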
IR playbooks for a variety of security incidents: the CSR provides an IR playbook for each of the use cases listed above.
Cyber Simulation Range – blue team's "toolbox": security solutions & SOC technology stack for high speed and efficiency in incident response
Learn how to optimize IR processes with automation and orchestration.
SOC technology stack & workflow (Detection – Investigation – Response):
• SIEM
• Ticketing / IR
• Security Orchestration & Automation (SOA)
• NG Firewall
• NAC
• Endpoint Protection
• Endpoint Response
• Vulnerability Visibility
• External TI
• Flow Analysis
• Deception
• Asset Data
• Sandbox / Proxy
• UEBA
SOC Playbook Example: CnC detected & alerted
1. Query for time-related IoCs
2. Find malware / extract process
3. Invoke cross-check against threat intel feed
4. Detonate file / analyze
5. Query for endpoints infected with the known malware/hash
6. Kill processes, perform memory dump, quarantine infected endpoints
7. Update URL / IP block list
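The seven playbook steps above as an added worked example in Python, not code from the slides or from any orchestration product used in the CSR: a small routine takes a constructed "CnC detected" alert, pivots through constructed EDR connection telemetry and a constructed threat-intel feed, and returns the resulting plan step by step. Host names, paths, hash labels, addresses, the 15-minute correlation window and the rule "detonate only when threat intel has no verdict" are assumptions; steps 4 and 6 appear as decisions in the plan rather than being executed, since detonation and endpoint actions run in external tools.

```python
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# Constructed EDR telemetry: one record per outbound connection made by a process.
# Hosts, image paths, hash labels and addresses are invented for this example.
NetEvent = namedtuple("NetEvent", "ts host pid image sha256 dst")
TELEMETRY = [
    NetEvent(datetime(2018, 4, 26, 7, 10), "ws113", 777, r"C:\Office\outlook.exe", "hash-outlook", "10.0.3.1"),
    NetEvent(datetime(2018, 4, 26, 9, 58), "ws140", 3301, r"C:\Users\Public\upd.exe", "hash-constructed-malware", "203.0.113.50"),
    NetEvent(datetime(2018, 4, 26, 10, 5), "ws113", 4412, r"C:\Users\Public\upd.exe", "hash-constructed-malware", "203.0.113.50"),
    NetEvent(datetime(2018, 4, 26, 10, 6), "fs02", 900, r"C:\Windows\System32\svchost.exe", "hash-svchost", "10.0.0.5"),
    NetEvent(datetime(2018, 4, 26, 10, 7), "ws113", 1200, r"C:\Browser\chrome.exe", "hash-chrome", "198.51.100.20"),
    NetEvent(datetime(2018, 4, 26, 10, 12), "ws113", 4412, r"C:\Users\Public\upd.exe", "hash-constructed-malware", "203.0.113.51"),
]

# Constructed threat-intel feed: verdicts for file hashes and for destination addresses.
TI_FEED = {"hashes": {"hash-constructed-malware": "trojan"}, "ips": {"203.0.113.50": "cnc"}}

# Constructed alerts from the detection layer ("CnC detected & alerted" on the slide).
ALERT = {"host": "ws113", "dst": "203.0.113.50", "ts": datetime(2018, 4, 26, 10, 10)}
ALERT_UNATTRIBUTED = {"host": "fs02", "dst": "203.0.113.99", "ts": datetime(2018, 4, 26, 10, 10)}

def run_cnc_playbook(alert, telemetry, ti_feed, window=timedelta(minutes=15)):
    """Walk the playbook for a CnC alert and return the resulting plan, keyed by step."""
    plan = {"alert": alert}
    # 1. Query for time-related IoCs: everything the alerting host did around the alert time
    nearby = [e for e in telemetry if e.host == alert["host"] and abs(e.ts - alert["ts"]) <= window]
    plan["time_related_iocs"] = {"dst": sorted({e.dst for e in nearby}),
                                 "sha256": sorted({e.sha256 for e in nearby})}
    # 2. Find malware / extract process: the process that opened the connection to the CnC destination
    culprit = next((e for e in nearby if e.dst == alert["dst"]), None)
    if culprit is None:
        plan["escalate"] = "no process attribution inside the window; hand over to manual analysis"
        return plan
    plan["process"] = {"image": culprit.image, "pid": culprit.pid, "sha256": culprit.sha256}
    # 3. Invoke cross-check against the threat-intel feed
    verdict = ti_feed["hashes"].get(culprit.sha256)
    plan["ti_verdict"] = verdict
    # 4. Detonate file / analyze: only when threat intel has no verdict for the hash
    plan["detonate_in_sandbox"] = verdict is None
    # 5. Query for endpoints infected with the known malware/hash: scope the incident
    infected = defaultdict(set)
    for e in telemetry:
        if e.sha256 == culprit.sha256:
            infected[e.host].add(e.pid)
    plan["infected_endpoints"] = {h: sorted(p) for h, p in sorted(infected.items())}
    # 6. Kill processes, perform memory dump, quarantine infected endpoints (actions per host)
    plan["containment"] = [{"host": h, "kill_pids": sorted(p), "memory_dump": True, "quarantine": True}
                           for h, p in sorted(infected.items())]
    # 7. Update URL / IP block list: every destination the malware used plus TI-known CnC addresses seen nearby
    block = {e.dst for e in telemetry if e.sha256 == culprit.sha256}
    block |= {d for d in plan["time_related_iocs"]["dst"] if d in ti_feed["ips"]}
    plan["block_list"] = sorted(block)
    return plan

if __name__ == "__main__":
    for step, value in run_cnc_playbook(ALERT, TELEMETRY, TI_FEED).items():
        print(f"{step}: {value}")
```

The point of step 5 is visible in the output: the alert named only ws113, but pivoting on the hash widens the scope to ws140, which contacted the same CnC address twelve minutes earlier without raising an alert, and step 7 picks up the second CnC address (203.0.113.51) that the feed did not yet know. The second alert shows the failure mode: with no process on fs02 talking to the alerted destination, the playbook stops and escalates instead of guessing.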
... don't forget: it's a battle.
Thank you for your attention!
iT-CUBE SYSTEMS AG, Paul-Gerhardt-Allee 24, 81245 München, Tel: +49 (0) 89 2000 148 00, Mail: [email protected]
We keep IT secure.