Keith Weber - SIEMplifying your IR playbook

BSides Knoxville · 34:13 · Published 2022-05
About this talk
After spending 15 years in the Technology world (12 years in InfoSec), I have seen and been party to the resolution of many issues with configuring SEIMs and/or IR playbooks. I have personally developed an IR Playbook that integrates not only our SEIM alerts, but many other security tools taking a Defense in Depth (DiD) strategy. Speaking with many colleagues over the years within the InfoSec community, this issue always seems to be a common topic. The goal of this talk is not to copy what I have done, but to assist you with some additional ideas and resources on how to integrate your security tools with your IR playbook. A resource we will be talking about is the MITRE ATT&CK framework. This is a tremendous resource that a lot of people know about, but are not sure how to implement it into their SEIM and/or DiD strategy.
Transcript (en)

Hello everybody. We're here to talk about SIEMplifying your IR playbook. If you're not sure what that is, well, it's the SIEM, and you have an IR playbook, and now you combine them together. So, my name is Keith Weber. I am a senior information security engineer for a company here in Knoxville, Cellular Sales. It's just right off of 40; you see the big building, big sign. I've been doing security for about 14, 15 years now. I have a bunch of certifications; that just means I can regurgitate a book. But hopefully today what we're going to draw out of this discussion is: how do we take our SIEM... Does everybody know what a SIEM is before

I go on? Okay. Do you have an IR playbook? How many people have an IR playbook? Don't be shy. There you go. So now we're just going to talk about... those who don't have an IR playbook, we're going to just basically go over how we can integrate all the different alerts and different noise that our SIEM makes and how we respond to it through a... and it's not working. Cool. Merry Christmas. All right, so that was the talk. Everybody have a good time, the bar is open. So that is true, the bar is open, so you can go use your tickets now. I'm not going to be offended if you get up and

go and get a drink. Speaking of which, if anybody wants to get me a drink, that'd be cool. So, basically, recapping really quick: how you take your SIEM, integrate it with your playbook, and how do you do incident response whenever that thing, the SIEM, alerts and kicks off. So basically in this discussion we are going to go over briefly what a SIEM is and how it integrates with our everyday business, and then we're going to talk about the IR playbook. And David, the speaker before this, did a great job of presenting on what MITRE ATT&CK is and how MITRE ATT&CK can be used in our environment and basically make us better security

professionals. So, a SIEM. It is our brainchild; it is the device that helps us and makes us look good with senior management. So what it basically is, is a log management, correlation, analytic, and incident monitoring and security alerts and compliance management reporting tool. Cool. What does that mean? Well, we take all the events that every single server makes, all those events that a host makes, and then something has got to process and take all that information in and say, this is kind of odd, maybe somebody should look at that. So there are many flavors, or how we got to the SIEM, because back in the day there

was actually two components before the SIEM came out. The first component... I got to figure out where this mic is, right. The first component was the central security information management tool. It just basically took all the log data and did an analysis of it. And then eventually a second component came about, and it became the system event management, and it did all the correlation, all the noise that we don't want to sift through, one million logs a day trying to figure out that this event ID triggered at the wrong time. And then eventually some marketing guy said, why don't we put them together? And now we have the SIEM, the S-I-E-M. It has been seen also as S-E-I-M, but that's

just wordplay. So there are many flavors of SIEMs out there. Some are really expensive, some are really cheap, some are open source, and some have proprietary software associated with their code. Each one... I'm sorry, let me go back. Each one has a unique flavor, and some of them even claim that they have the ability to do everything for you. Now this has some pros and cons associated with it, but for the most part, you know, they will do a lot of alerting. And what I can say about the SIEM: you have to tune it. I don't care if a salesperson, your sales manager, says we've got the one solution that's going to solve all your

security threats and this is how it's going to do it, we've got it right here. I don't care. You've got to tune your SIEM. Every single time, in my 14-year career, I've been on the government side, I've been a consultant, I've been, well, where I am now, and all the different places I've been doing a security assessment, the SIEM has never... People think that you can turn it on and it will do what you want to do, but you will run into a lot of problems if you are not actively in your SIEM making sure you have all the correct tools properly configured. So the next topic of discussion is our

incident response playbook. This is a kicker. This is the one that can be overly complicated, or it can be very simplistic where it doesn't tell you much of anything. I just recently got back from a forensic conference, and it was a good conference, but it was more geared towards law enforcement than it was security professionals. So when the topic came up in one of the sessions and they were talking about incident response, the gentleman was basing his incident response off of computers, not necessarily law enforcement. So obviously, if you can imagine, the law enforcement incident response policy is massive, and there was a lot of questions, and it was a good conversation. A lot of

these guys didn't have a clue on what exactly happens behind the scenes in a normal corporation. They just know what they know, and there's nothing wrong with that. An incident response policy, or playbook, excuse me, is just bridging the gap between chaos and security. I mean, how many people here like their incident response? Cool, one person, awesome. So this is a challenging discussion, or challenging topic, for a lot of people in our industry because of the fact that it can be overly complicated. And now here's another question; in fact, first person to answer, hands up, you might get a prize: how many people have printed out their incident response playbook and it's on their desk?

Boom. You work at Y-12, that's not fair, you have to, that's the rule. Somebody pass that back to him, I don't want to throw it at him.

So it's always a good idea to have your IR playbook printed out just in case you get that ransomware attack and you have no clue how to respond. And it's okay if you don't know how to respond; you just have to look like you know what you're doing. I've done that before. I responded to my first ransomware attack when I was working for a company down in Chattanooga, and I walked in there and I said, yep, that's ransomware, yep, I don't know what to do. So it is important to understand how your different internet response policy, excuse me, your incident response playbook, benefits you. It's important to go through your incident response playbook

using tabletop exercises, or even, if you want to be really clever and you want to keep your analysts on their toes, you kick off a simulated attack. And that's fun to do, and then you realize how many people on your team look at the incident response playbook. I'm looking at them right now.

All right, so how do we... Did I click the right thing? All right. So what if you don't know how to start with your incident response playbook? So we've got the SIEM. We know it takes a lot of data, we know it takes all the logs, it does all the hard work for us, and then you throw in some YARA rules, you throw in some different types of detection, and now we open the incident response book. We see that a host in one of our stores downloaded malware, and what do we do? So there's different ways that we can go about creating our incident response playbook, and one of... boy, that is small,

I'm standing right next to it. So keep it simple. Your incident response playbook should be able to be understood at the highest level, and what I mean by that is that theoretically... I'm getting a phone call... theoretically your CEO or your CIO should be able to walk down, look at your incident response playbook, and then be able to follow through the process. Now, I don't know what the likelihood of a CEO coming down looking at your incident response playbook is, probably low. I know where we work at Cellular Sales, our senior leadership is actively engaged with the security program, and if you don't have that, I encourage you to have sit-downs and talk with them

on a regular basis. Not high-level, no, not very in-the-weeds conversations, but ask them: what do you expect from the security department if this happens, what do I do? And that should all be identified at least in your incident response policy. The other thing is you have to establish roles. Okay, so now you have all these different parts to the incident response playbook. Who's doing what? Do you have an incident commander? Who's handling all the forensics? Who's working with the different departments and technologies? You know, all this has to be integrated. I'll stand right here... and then apparently I can't stand anywhere.

And then you have to work with all the different departments, and then you need to kick off your tabletop exercises. Everybody needs to do tabletop exercises, a minimum of two a year, just because incidents are typically infrequent, but that one time that everybody's on the same page and everybody's working together as one team makes things easier in the long run.

So, also... yep, that's pretty much it on that. Now, David, the previous presenter, had a really good talk on the MITRE ATT&CK framework. I'm not going to go into it; I think he did a very good job of trying to break it down, and this is a very high-level approach to understanding how your SIEM integrates with your IR playbook, so we won't go too in-depth. But I will just add to that conversation what David said: this is a tremendous resource. I got to see a presentation from MITRE ATT&CK one time at RSA, and it just opened my eyes, and I now forever include in our incident response playbook the different TTPs,

or techniques, tactics, and procedures, that are associated with MITRE ATT&CK. It's just in your best interest to at least look at the MITRE ATT&CK framework, see how each different technique can be used in your environment, and then sometimes you can even associate that with, if you have a risk register or you have some kind of risk matrix, that can be introduced and make things easy down the road. So this is a fantastic framework to understand, and it's not just for security people. If you're on the system side, I encourage you to... Are y'all hearing that feedback, or is it just me? Okay, maybe it's this other thing, we'll turn that off. Okay.

I encourage all the different departments, including networking, including infrastructure, including your ops team, if you have a support desk, help desk, whatever, I encourage them to go look at it, because this will give them different ideas or different perspectives on how these different attacks work. It just makes things better for everybody in the long run. All right, now let's just blend it all together. This is the hard part. I mean, I look at my incident response playbook every day and I still don't know if it's the right one. I still don't know if everything is done the way that it's supposed to be in an effective manner, and the only way that I know that we are doing

everything correctly is we do have those tabletop exercises. On that point, at this conference I learned something new, and I didn't realize that the taxpayers, us, were paying for it, and it's completely free. There is a federal agency called CISA. They give pen tests, risk assessments, tabletop exercises, the whole nine yards, and it's free. And luckily one of the presenters was the representative for Tennessee, and I had a great conversation with them. They will come on site, they will customize and make your... excuse me, they will customize a tabletop exercise. Man, I went country right there. Shoot, my [inaudible] is coming out. They will come through and they will

create a custom tabletop exercise for you and then work through it with you, and also take a look at your incident response policy and tweak it where they think is best. The great thing is they don't report anything, they don't record anything; they are there to help you. I didn't realize that it was taxpayer funded, but I told my manager, I said, hey, we need to start using their service because it can only make us better. So I think it's just cisa.gov, and then you can go see who your representative is and you can email them directly. The guys were terrific. They are government, so they do follow very stringent NIST guidelines,

and everything is based on the DoD framework, pretty much. Okay, so now how do we blend all this together? How do we make our SIEM and our incident response playbook and our MITRE ATT&CK, and how do we make this beautiful Bob Ross painting? And just a side note, if anybody in here has kids and you want your kids to shut up, put Bob Ross on. I'm not kidding, it's on Netflix, and for some reason that nice, soft, sultry voice will chill kids. It's crazy. So how do we blend it all together? How do we take all those different components and make this beautiful incident response plan that we can present to our senior management, and

they think we're fantastic, and it's like, wow, we need to pay you more? It's not going to happen, I'm going to tell you that right now, but you can dream. So it's easy. Okay, I'm going to go back to what I said a moment ago: keep it simple. Start working through the different frameworks within the MITRE ATT&CK framework and figure out: okay, now that my SIEM just alerted and it says John Doe has an irregular-time sign-in at two o'clock, what do I do? Okay, well, if I go to my playbook and I look at that specific technique, and I'm looking for, okay, it says, well, I've got an irregular

login time, so maybe I need to go check all the different time parameters: what time do they log in, or what time is their normal work schedule? Okay, well, that's kind of odd. Now we've got to... you know, this John Doe, he normally, on average, signs into work around 8:30, but he's never doing it at three in the morning. Oh yeah, by the way, he just connected to the VPN. Well, that's strange, John Doe doesn't have a VPN profile. Now my heart rate's racing. Now I've got to figure out why John Doe signs in at three in the morning on a VPN profile.

Now, well, we've got to work through it. So there is an actual technique in the MITRE ATT&CK framework that will go through the VPN connections, and it will tell you that this technique is used, and these are the attributes on how to go about detecting it. So then you put that into your playbook: that you should check this area, this area, this area. Now you go to your SIEM, you run your queries for what you're looking for, and then, okay, cool, well now I know it was an international IP address. Oddly enough, we didn't block Russia on the firewall. And okay, cool, now we're kicking it off, now we're quarantining. Now,

depending on how, within your playbook, do you quarantine, do you want to leave it open so you can collect more data, is it possibly insider threat? These are different ideas that you all have to talk about amongst your team, and this is where the tabletop exercise comes in and only becomes a benefit for your team. On the tabletop exercises, include your senior management, whether it's your managers or your CISO or your CIO. Include them, because they have different observations that you may not be aware of, and it can only benefit you if you include them. Now, I wouldn't include them for the full two-hour session; just say, hey, can you come

in here for 30 minutes? That would be cool. Great. Oh, by the way, it's at lunch, I need you to foot the lunch bill, please, that'd be great, you can help us out. So we include all these different ideas, these different components, and we put them into our incident response playbooks, and we make things easier on the analyst, or the different infrastructure or systems person, to pull the information and to quarantine it and work with your different departments. So the good news is, I didn't realize I talked very fast, so lunch is pretty soon. So the next slide: conclusion. So we can be at the front of the line.

Yes, take that, other group. I kind of went through fast because this is the second time, the third time I've ever spoken, and so this is very nerve-wracking being up here. One thing I can tell you, of all the years that I've been doing this, is take your time. And I know in our industry time is not something we usually have; time is just our enemy most of the time. But if you take your time and you build out each technique into your incident response playbook, and then you correlate that playbook with your SIEM, so when you get that alert at two o'clock in the morning because of John Doe's

access not being normal, you know that you can turn to that playbook and you can follow through it, and you can eliminate a lot of time, headache, and stress. And I can't stress enough doing tabletop exercises. It only builds all your teams together more, closer together, tighter, and then also other departments get to learn what you do. I mean, most security professionals have an idea of what networking does, what systems does, what ops does, but a lot of people don't understand what exactly security does. You know, we use BloodHound in our department, and BloodHound can give you huge visibility into different Active Directory permissions and different controls, and we also use other cool tools

that the different departments want to use. And that's another issue, another thing I'd like to bring up: security professionals, we like to be tight-knit, we like to be close, we like to keep everything to ourselves, I think. And this is just my opinion, my opinion only, it does not reflect the opinion of Cellular Sales, but the good news is my boss has the same opinion, so I can say it: we need to be more open about our tools. We need to share our tools with other departments. Now, I'm not saying give them admin rights, I'm not saying they can have the right to configure anything, I'm just saying that they need to see what we see,

and that only makes us better. You know, we should not be the stopgap that prohibits the company from moving forward. That's just my personal belief. Thank you for listening. Damn, that was quick. We'll open it now to Q&A. I have one more thing to give out, I'm not sure what it is... what is it? It's like a backdoor thing, Backdoors and Breaches stickers. Oh, it's just stickers, oh, okay, cool. Well, if the sticker's missing, I took it. Kyle, go ahead. Hey, yes, do you have recommendations on time? Yeah, so there's different... What Kyle asks is, in the incident response

tabletop exercises, or when you engage in a live demonstration of your SIEM, what tools are available out there that can alert you or help you identify, or basically test your SIEM and make sure that you are configured correctly? So one of the great tools is obviously your brain: just, you know, putting a Linux machine out there and loading it with a lot of open source, a lot of different tools. GitHub, go to GitHub and download anything. So there are some websites... I can't think of the one right now that will actively use benign code and that will drop a payload. I know if you use some

software like Proofpoint, you can use benign malware that will distribute email out to our users, and then if they click on it we'll see if our endpoint protection is working, we'll see if we get an alert notification on our SIEM, and then we will correlate that to our incident response playbook to make sure everything works well together. Sorry, I don't have the website. There's a cool website where you can download the payload and then just get one of your laptops and distribute it and see if you can piss off your system. Any other question here? Kyle, do you really want this? Okay, all right, cool. Oh, what's up, brother?

I don't have a question, so I don't want it.

I found at some... and you talked about open sourcing, heard of sharing, and I recently found a repository on GitLab that is incident response, very well built out. Did everybody hear that? All right, hold on, let me walk down. That was very well said, so I'ma let him talk, I don't know that I can do it again. We were recently building our incident response playbook, so I just want to give a plug for something that I found that I'm entirely unaffiliated with, but if you're just searching Google for, like, "gitlab incident response playbooks public", I think you'll find a repository that has very well built out workflows for various incidents. So I

just want to throw it out there. Awesome, thank you, that was cool. Any other questions, or does everybody just want me to shut up so y'all can go get in line? Oh, you get it now, you can't take it back, you raised your hand. I mean, yeah, thanks for putting a short stage... all right, together. And what's your question? That you were talking about... yeah, sorry, you did... so first, what you were talking about is, are the representative names on the site? Yep, yeah, on their website. And you know, I wasn't planning on talking about CISA because I just learned about them the other day. Yes, on their website they actually have

their folks broken out into regions, so the guy who represents Tennessee also represents Georgia and Florida, and he is based out of Atlanta, Georgia. He said he's very interested in traveling, meeting people, now that we've lessened our COVID restrictions, so he enjoys being on site. He has a team of about six in his department, and they come... the great thing is, travel is paid by the government, all their food expenses, everything is paid. All you have to do is invite them. I mean, I guess they're vampires, so you have to invite them to the door. So, all right, any other questions? Oh, hey. Oh, shoot, man, that's a dangerous question.

The question was, how broad is it, how broad do you make your IR playbook? You can make it so complicated, with so many moving pieces, with so many different people, that you get into the finger-pointing game. My advice when creating your playbook... and then you're like, you're about to get show and tell. So this is just a copy of our... does that show up? So I am in the process of redoing this, so this is a copy of our incident response playbook. Please, no flash photography, this is proprietary information, and I will change it. So in the playbook that I design, I like colors. It makes it easier for everybody to see

their responsibilities and jobs. So, I know it's hard to see, but this is the first part of our playbook. This is just the beginning: is this an event or is this an incident? Okay, so there's a separate document that explains the general actions. Okay, and this incident response playbook was designed after the NIST CSF, and they also have the NIST 867, which is a great incident response documentation. This does a great job; they like to overload you with information. And so I just redid ours. Here pretty soon, in two weeks, we have a tabletop exercise to make sure that we work through any type of malware that occurs, that we are

currently collecting the necessary information. So there is a section here for incident handlers and there is a section for our infrastructure team; then we make sure that we're collecting all the necessary information. We have a great EPP tool at Cellular Sales that also does our forensics. So, you know, if anybody wants to talk after this, I can help give you some other direction on what I've seen over the years that has helped me. But color coordination, to me, is fantastic, because I know where to go. Then we have an incident commander. An incident commander in our incident response policy is the person who is going to be the liaison talking to

senior management, should they be involved, you know, talking to our director, making sure they are on top of what's going on. And so this is just kind of our process. This is just information security, this is infrastructure, and if y'all notice, there's containment; these are all based off the NIST CSF: the eradication process, the recovery process, the lessons-learned process. And stop talking. So that's just kind of our example. So I hope that answers your question. I know it's very hard to answer that question because it's up to the person who is responsible for that document. Yep, sure.

So that's a very good question: which framework do you use? I am in the process of changing ours to the MITRE ATT&CK framework. They do all the research; they are a non-public... non-profit, sorry, not non-public, non-profit organization, and this is all they do every day, and they just list it all out. Now I'm still going to use the NIST CSF, the cyber risk framework, that will help guide that. But yeah. Nope, somebody over here? Nope, cool. All right, no more questions? All right, everybody go get in line for lunch. Oh, there was, I'm sorry, I'm sorry, premature clap, I'm sorry. With the ATT&CK framework, have you utilized that and tying it into, like,

threat... with the ATT&CK framework, have you utilized tying it into the threat, like threatmodeler.com, and building threat models? Yes. For those who don't know, threatmodeling.com is another great resource. To answer your question, no, I have not, because I haven't figured out how to take all these moving pieces and mesh them together. I haven't Bob Rossed it yet. Yeah, I would appreciate that. There's a lot of great information on that website as well. Anything else? Cool, well, thank you.
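The John Doe walkthrough in the talk (a sign-in far outside the user's normal hours, a VPN login by a user who has no VPN profile, and a source address from a country the firewall should already block) is, in detection terms, three playbook checks run in order against one authentication event. The following Python is an added example, not code from the talk or from Cellular Sales, that runs those checks over a constructed set of sign-in log lines and maps the findings to the next playbook action. The log format, the `VPN_PROFILES` inventory, the `BLOCKED_COUNTRIES` list and the three-hour tolerance are all assumptions made for the example; the talk does not say which ATT&CK technique it mapped the VPN case to, so the technique names in the comments (Valid Accounts, External Remote Services) are added here for orientation only.

```python
"""Triage sign-in alerts the way the talk's John Doe walkthrough does.

Added example with constructed data and an assumed log format; this is not
the speaker's playbook or his SIEM queries.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log lines (not from the talk):
# "timestamp user source_ip country vpn"
SAMPLE_LOGS = """\
2022-05-02T08:31:00 jdoe 10.1.4.22 US no
2022-05-03T08:27:00 jdoe 10.1.4.22 US no
2022-05-04T08:35:00 jdoe 10.1.4.22 US no
2022-05-05T08:29:00 jdoe 10.1.4.22 US no
2022-05-06T03:02:00 jdoe 203.0.113.77 RU yes
2022-05-02T07:58:00 asmith 10.1.4.30 US no
2022-05-03T22:10:00 asmith 198.51.100.9 US yes
"""

# Assumed inventory of who actually holds a VPN profile (hypothetical).
VPN_PROFILES = {"asmith"}
# Placeholder list of countries the firewall is supposed to block already.
BLOCKED_COUNTRIES = {"RU"}
# How far from the usual sign-in hour counts as "irregular" (assumption).
TOLERANCE_HOURS = 3.0


def parse_logs(text):
    """Parse the whitespace-separated sample format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country, vpn = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ip": ip, "country": country, "vpn": vpn == "yes"})
    return events


def hour_of_day(ts):
    return ts.hour + ts.minute / 60.0


def hour_distance(a, b):
    """Distance between two hours on the 24-hour circle: 23:30 vs 00:30 is 1h, not 23h."""
    d = abs(a - b) % 24.0
    return min(d, 24.0 - d)


def baseline_hours(events):
    """Median sign-in hour per user from non-VPN logins only (the 'normal work schedule')."""
    hours = defaultdict(list)
    for e in events:
        if not e["vpn"]:
            hours[e["user"]].append(hour_of_day(e["ts"]))
    return {user: median(h) for user, h in hours.items()}


def triage(event, baseline):
    """Run the playbook checks for one sign-in and return the findings, in playbook order."""
    findings = []
    usual = baseline.get(event["user"])
    # Step 1: compare the sign-in time with the user's normal schedule.
    if usual is None:
        findings.append("no baseline for user; sign-in time cannot be verified")
    elif hour_distance(hour_of_day(event["ts"]), usual) > TOLERANCE_HOURS:
        findings.append(f"irregular sign-in time {event['ts']:%H:%M} (usual ~{usual:.1f}h)")
    # Step 2: VPN login by someone with no VPN profile
    # (ATT&CK: Valid Accounts / External Remote Services; names added here, not from the talk).
    if event["vpn"] and event["user"] not in VPN_PROFILES:
        findings.append("VPN login but user has no VPN profile")
    # Step 3: source geography that should already be blocked at the firewall.
    if event["country"] in BLOCKED_COUNTRIES:
        findings.append(f"source country {event['country']} is on the block list; check the firewall rule")
    return findings


def decide(findings):
    """Map findings to the playbook's next action."""
    if len(findings) >= 2:
        return "escalate: quarantine per playbook and notify the incident commander"
    if findings:
        return "review: analyst confirms the user's schedule before escalating"
    return "ok"


def run_triage(log_text):
    """Build the baseline from the whole log, then triage every event against it."""
    events = parse_logs(log_text)
    baseline = baseline_hours(events)
    return [{"user": e["user"], "ts": e["ts"], "findings": triage(e, baseline),
             "action": decide(triage(e, baseline))} for e in events]


if __name__ == "__main__":
    for r in run_triage(SAMPLE_LOGS):
        if r["findings"]:
            print(f"{r['ts']:%Y-%m-%d %H:%M} {r['user']}: {r['action']}")
            for f in r["findings"]:
                print("   -", f)
```

The baseline is built from non-VPN logins so that the suspicious VPN event does not pull the user's own "normal hour" toward itself, and `hour_distance` wraps around midnight so a night-shift user with an 00:30 baseline is not flagged for signing in at 23:30. In the sample data the 03:02 VPN login for jdoe trips all three checks and escalates, while asmith's late VPN login trips only the time check, since asmith holds a VPN profile, and goes to analyst review.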