The document discusses security operations and strategies for getting security operations right. It begins by discussing the strategic mission of a security operations center (SOC) to manage and report risk and interrupt adversary activity to mitigate loss. It emphasizes the importance of cyber threat intelligence being central to this mission. The document then provides examples of strategies for different phases of security operations including discover, monitor, respond, automate, transform, and learn. It provides specific examples for implementing strategies like zoning and determining essential security feeds. The document also introduces and discusses the TTP0 DRONE for automating incident creation. It concludes by providing information on additional resources available from TTP0.
Getting SecOps Foundations Right with Techniques, Tactics, and Procedures Zero (TTP0)
1. Getting Security Operations Right with TTP0
Ismael Valenzuela, SANS Instructor, McAfee (@aboutsecurity)
Rob Gresham, Splunk> Phantom (@SOCologize)
7. SOC Strategic Mission: manage & report risk
Success: interrupt adversary activity to mitigate loss, while managing and communicating risk.
Requires a strategic and tactical approach to security, where Cyber Threat Intelligence (CTI) is central to this mission.
11. Security Operations Story
30 | 60 | 90
30: Understand the business, set initial goals & outline a realistic, high-impact plan
60: Create awareness, maintain focus and augment visibility
90: Report & celebrate success, identify points of change, increase scope in a spiral motion
12. Security Operations Story: NSM
30 | 60 | 90
30: Understand the business, set initial goals & outline a realistic, high-impact plan
DISCOVER the business
MONITOR define zones, critical assets
RESPOND define IRP for them
AUTOMATE core actions (create tickets, data transfer processes)
MEASURE time to notify, remediate
TRANSFORM create awareness
60: Create awareness, maintain focus and augment visibility
DISCOVER anomalies or gaps
MONITOR critical, high alerts
RESPOND refine IRP
AUTOMATE contextual data
MEASURE time to investigate, recovery
TRANSFORM analytical quality
90: Report & celebrate success, identify points of change, increase scope in a spiral motion
DISCOVER hunt retroactively
MONITOR new attack points (scope)
RESPOND apply lessons learned
AUTOMATE response scenarios
MEASURE alignment to business goals
13. Discover
What's important, Crown Jewels, save one's SOEL
Understand the Business Units and talk to your IT cohorts
Understand what's critical to enterprise operations
Review the Business Continuity Plan (if they have one)
Start early, don't wait...
"In preparing for battle I have always found that plans are useless, but planning is indispensable." - Dwight D. Eisenhower
14. Monitor
SOC Zoning
Using the concept of SOC Zones to defend your organization captures both IT and business context, which simplifies building effective Use-Cases.
Set the stage to build efficient response processes around:
Zones
Categories
Severity
Sensitivity
Resource Tiers
15. Monitor
Other Examples:
OT/ICS
Manufacturing
R&D
PCI Zones
Business-critical application
Cloud critical hosting
DMZ
Zoning should be implemented in a way that reflects business-critical capability.
48. What is available today
- TTP0 DRONE by @DFIRENCE
- Automates incident creation with zones, tiers, etc.
- Requires Python 2.7 and an installed TheHive instance
- GitHub: https://github.com/TTP0/drone
- Opbrief PPT templates by TLP
- Actor Tracker PPT templates by TLP
- 0Tier Threat Response model vs. 3Tier Traditional SOC
- A curated list of awesome GitHub resources we use
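The zoning slides (14 and 15) and the DRONE bullet above describe the same idea from two sides: an alert is enriched with the zone, category, sensitivity and resource tier of the asset it touches, and the incident is created with a priority that reflects that context. The following is an added illustration of that flow, not DRONE's code or TheHive's API; the zone catalogue, CIDR ranges, weights and the case field names are all constructed for the example.

```python
"""Zone-aware incident creation (added example, not TTP0 DRONE's own code).
Zones, networks, weights and case field names below are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Zone:
    name: str
    category: str     # business context the zone carries into the use case
    sensitivity: int  # 1 (low) .. 3 (high): impact if the zone is compromised
    tier: int         # resource tier: 1 = business-critical .. 3 = commodity
    networks: tuple   # CIDR blocks assigned to the zone (constructed values)


# Constructed catalogue using the example zones named on slide 15.
ZONES = (
    Zone("PCI", "payments", 3, 1, ("10.10.0.0/24",)),
    Zone("OT/ICS", "manufacturing", 3, 1, ("10.20.0.0/16",)),
    Zone("Cloud critical hosting", "business-critical application", 3, 2, ("172.16.5.0/24",)),
    Zone("DMZ", "internet-facing", 2, 2, ("192.0.2.0/24",)),
    Zone("R&D", "research", 2, 3, ("10.30.0.0/16",)),
)
UNZONED = Zone("Unzoned", "unknown", 1, 3, ())


def lookup_zone(ip):
    """Return the first zone whose CIDR blocks contain ip, else UNZONED."""
    addr = ipaddress.ip_address(ip)
    for zone in ZONES:
        if any(addr in ipaddress.ip_network(n) for n in zone.networks):
            return zone
    return UNZONED


def priority(severity, zone):
    """Raise detection severity (1..4) by zone sensitivity, plus one for tier-1
    zones, so a medium alert on crown jewels outranks a high one on commodity
    hosts. Capped at 4, the highest case severity we assume here."""
    return min(severity + (zone.sensitivity - 1) + (1 if zone.tier == 1 else 0), 4)


def build_incident(alert):
    """Build a case record with TheHive-like (assumed) field names."""
    zone = lookup_zone(alert["src_ip"])
    return {
        "title": f"[{zone.name}] {alert['rule']}",
        "severity": priority(alert["severity"], zone),
        "tags": [f"zone:{zone.name}", f"category:{zone.category}", f"tier:{zone.tier}"],
        "description": f"{alert['rule']} on {alert['src_ip']} (sensitivity {zone.sensitivity})",
    }
```

Running `build_incident` on the same rule and severity for a PCI host, an R&D host and an unzoned address yields case severities 4, 3 and 2 respectively, which is the "measure what matters to the business" ordering the 30/60/90 story asks for.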
49. What we are working on
- Security Operations Story templates
- Tying Use Cases to Response Playbooks
- Investigation and Response Metrics
- Security Operations Templates for Managers
- Tools matrix
- SWOT * TWOS Analysis
- Staff management & SOC scheduling configurations
- How-To Guidelines:
  - Zoning, tiers, etc.
  - Use Case prioritization
  - Standardize Automation Investigation Playbooks
50. Thanks! Follow us @TTP_0
Ask us how to contribute: info@ttp0.io
TTP0 Founders:
Carlos Diaz (@dfirence)
Carric Dooley (@carric)
Rob Gresham (@SOCologize)
Ismael Valenzuela (@aboutsecurity)