A network operations center (NOC) is usually responsible for monitoring and maintaining the overall network infrastructure. Its primary function is to ensure uninterrupted network service. The CSOC leverages security-related network activity to refine security incident response. The CSOC and NOC should complement each other and work in tandem.
Purpose of Cyber Security Operations Center
Continuous Monitoring:
• Keeping someone from getting inside has failed miserably
• Firewalls are not effective PROTECTION devices.
• They are effective DETECTION devices
• Change the strategy
• Assume they are in, so go hunt for the compromised hosts
• Monitor outbound traffic
• Prevent their command and control communication
• Inbound monitoring catches server-side attacks; outbound monitoring catches client-side attacks
Why:
The CSOC is a logical place to collect, analyze and distribute the collected data to support our Defense in Depth strategy:
• Detecting network-based attacks
• Detecting host-based attacks
• Eliminating security vulnerabilities
• Supporting authorized users
• Providing tools for minimizing business loss
This is really helpful to us when we want to measure and report compliance with our IT policies and with state/federal laws and regulations, such as:
• FERPA, HIPAA, PCI, ITAR, GLB, SOX
Where?
• OS syslog/event logs, IDS logs, IPS logs, PID logs, firewall logs, pen test logs, PCI, netflow
• CSOC needs to be able to analyze and display this data quickly
• Data resides on separate, distributed servers
• CSOC pulls data from these servers as needed
• CSOC lives in the IT Security Office & Lab
Cyber Security Operations Center:
• Provides a real-time view of the VT network’s security status
• Provides info to assess risk, attacks, mitigation
• Provides data for network forensics
• Provides metrics:
  • Executive
  • Operational
  • Incident
Generators in CSOC:
• Event Generators (E boxes)
  • Any form of IDS sensor (firewalls, IPS, IDS, Snort, Active Directory servers, Remedy, vulnerability scanners, TACACS, application software)
  • Most are polling generators
  • Generate specific event data in response to a specific action
  • Example: IDS or firewall
• Events Databases (D boxes)
  • Provide basic storage, search and correlation tools for events collected and sent to the CSOC
  • Vulnerability databases contain info about security breaches, etc.
• Events Reactions (R boxes)
  • SOC Console
    • Used for internal analysis
    • Real-time monitors (Snort, Base, IPS, DShield)
    • Incident handling
    • ServiceNow trouble ticket system
    • Location tools
    • Statistical analysis
  • End User Portals
    • Multi-level reporting for various target audiences
    • Sysadmin, management
• Analysis Engines (A boxes)
  • Help the ID analyst determine if an incident has occurred, its spread, its impact, etc.
• Knowledge Base Engines (K boxes)
  • Store security configs of critical assets, tips/tricks and effective solutions to previous problems
• Reaction and Report Engines (R boxes)
  • Switches, routers, IPS and associated management tools
Intrusion vs. Extrusion:
• Intrusion detection is the process of identifying unauthorized activity by inspecting inbound network traffic
• Extrusion detection is the process of identifying unauthorized activity by inspecting outbound network traffic
• Network forensics is the art of collecting, protecting, analyzing and presenting network traffic to support remediation or prosecution
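The "monitor outbound traffic / prevent their command and control communication" bullets above and the extrusion-detection definition here share one idea: watch what leaves the network. The following is an added example, not code from the original document, that runs a simple beaconing check over constructed netflow-style records; the internal address ranges, the flow tuple layout and the jitter/connection thresholds are assumptions.

```python
# Added example (not from the original document): flag internal hosts that
# contact the same external destination at near-constant intervals (beaconing).
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]  # assumed

# Constructed sample flows: (epoch_seconds, src_ip, dst_ip, dst_port, bytes_out)
FLOWS = [
    (1000, "10.1.2.3", "203.0.113.7", 443, 512),
    (1300, "10.1.2.3", "203.0.113.7", 443, 520),
    (1602, "10.1.2.3", "203.0.113.7", 443, 508),
    (1899, "10.1.2.3", "203.0.113.7", 443, 515),
    (2201, "10.1.2.3", "203.0.113.7", 443, 511),
    (1010, "10.1.2.9", "198.51.100.20", 80, 4000),   # ordinary browsing
    (1970, "10.1.2.9", "198.51.100.20", 80, 9000),
    (5400, "10.1.2.9", "198.51.100.20", 80, 1200),
    (1100, "203.0.113.50", "10.1.2.3", 22, 300),     # inbound; not extrusion
]

def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)

def outbound_flows(flows):
    """Keep only flows leaving the monitored network (the extrusion view)."""
    return [f for f in flows if is_internal(f[1]) and not is_internal(f[2])]

def find_beacons(flows, min_connections=4, max_jitter=0.1):
    """Group outbound flows by (src, dst, port); report groups whose gaps between
    connections have a coefficient of variation (stdev/mean) below max_jitter."""
    groups = defaultdict(list)
    for ts, src, dst, port, _ in outbound_flows(flows):
        groups[(src, dst, port)].append(ts)
    beacons = []
    for key, times in groups.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_jitter:
            beacons.append((*key, round(avg)))  # (src, dst, port, period_s)
    return beacons

if __name__ == "__main__":
    for src, dst, port, period in find_beacons(FLOWS):
        print(f"possible beacon: {src} -> {dst}:{port} every ~{period}s")
```

A real deployment would feed this from the netflow source listed under "Where?" and tune the thresholds to the site's normal traffic.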
CM Security Principles
• Some intruders are smarter than you
• Many intruders are unpredictable
• Prevention eventually fails
• Defensible networks can be watched; they are monitored
• Defensible networks limit an intruder’s freedom to maneuver; they are controlled
• Defensible networks offer a minimum number of services and client-side applications; they are minimized
• Defensible networks can be kept current
CM/SOC Implementation
Interfaces in CSOC:
Two kinds of interfaces are made available: the SOC console and the end-user portal.
SOC Console
The SOC console (R box) is designed for internal analysis and presents mostly unformatted data from different parts of the K boxes. The three interfaces are:
- Real-time monitoring interfaces, which provide raw data from the messages part of the K box. This allows basic filtering functions such as “egrep” in order to isolate specific messages, and is used for debugging, in-depth analysis of specific events and replay of events.
- Incident handling interface, which is the internal engine used for generation and follow-up of incident tickets and the reaction procedures described below. It provides qualified alert information as well as numerous debugging data and checkpoints. It is the more complex interface, as it must accommodate both operational performance, ergonomics and advanced filters, and research and identification functions. Such an interface is the very cornerstone of a timely and appropriate human reaction to intrusions.
- Statistical analysis interface, which provides raw data of security activity statistics over short-, medium- and long-term periods. This is mainly used as an underlayer for graphical representation.
End-user portal
The end-user portal provides formatted activity data. It is designed to provide multi-level reporting, for targets ranging from security engineers to high-level management through security officers. It is divided into three main parts:
- Permanent risk evaluation interface, which gives information about the current security level of the supervised systems’ configuration and software versions. It provides information on the overall security level, vulnerability characteristics and criticality, intrusion scenarios and patch or configuration details.
- Security activity, which is mid-term to long-term reporting, providing macro data about intrusion types, frequency, sources and consequences on the supervised system. At a lower level, it is used to determine trends and identify specific items such as recurring attack sources or the most targeted services to watch for.
- System status, which is the “pseudo real-time” interface for the end user, allowing close follow-up of open incidents, systems under attack and intrusion paths activated by intruders. It also provides information about the reaction and escalation procedure currently under way in order to contain the attack.
Reaction and escalation procedures
Ultimately, reacting appropriately to an attack is mostly a question of organization and of procedures to be applied by the incident response teams. Reaction ranges from passive monitoring for further information, through target-system emergency halt, to CERT incident reporting. Of course, the appropriate reaction should be determined before an attack takes place, and procedures must be validated, then securely (mainly in terms of integrity) stored and made accessible to supervision teams. In simple terms, a certain level of escalation must be defined in order to ensure quick and effective reaction, in parallel with the use of appropriate human resources. Escalation procedures are given in the figure below.
Another aspect to be specified is the delay, defined in the figure above, within which the reaction procedure must be launched, according to attack criticality. Once this delay is exhausted, escalation to the next (upper) level should be automatic.
- The first level should be what we refer to as agents, i.e. mid-technical-level staff who are able to understand events generated by A boxes as well as the reaction procedure to apply (this is necessary, as it is important to be able to know when the application of such a procedure has failed). Agents escalate incidents to level two if the event does not match “known events” or “pre-defined reaction” criteria, or if the time limit (t1) is reached, depending upon the incident criticality.
- The second level should be a team of technical experts. These experts are responsible for the analysis of intrusion events that have not been defined a priori. Their priority is to qualify events with the help of the SOC console interfaces and provide a workaround to be applied by level-one agents, pending further research or permanent solutions.
- The third level should be a “laboratory” in which suspicious packets, system operations and so on will be replayed in order to determine the nature of the unknown intrusion and provide a fully qualified reaction procedure. The lab will also be responsible for contacting vendors of OS, applications, hardware, etc. for patch design and/or their application.
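The three levels and the automatic-escalation rule above can be expressed as a small state machine. The following is an added example, not code from the original document; the delay values per criticality, the level names and the set of "known events" are assumptions, since the figure that defines the actual delays is not reproduced here.

```python
# Added example (not from the original document): three-level escalation with
# pre-defined reactions at level one and automatic escalation on expired delays.
from dataclasses import dataclass, field

LEVELS = ["agents", "experts", "laboratory"]

# Assumed cumulative deadlines (minutes after opening) by criticality:
# index 0 is t1 (leave level one), index 1 is t2 (leave level two).
T_LIMITS = {"low": [240, 480], "medium": [60, 240], "high": [15, 60]}

# Assumed "known events" with the pre-defined reaction level-one agents apply.
KNOWN_EVENTS = {
    "portscan": "block source at border firewall",
    "bruteforce-ssh": "lock account, block source",
}

@dataclass
class Incident:
    event: str
    criticality: str
    opened_at: int                 # minutes since an arbitrary epoch
    level: int = 0                 # index into LEVELS
    resolved: bool = False
    history: list = field(default_factory=list)

def escalate(inc, reason):
    """Move to the next level; the laboratory is the top, so stop there."""
    if inc.level < len(LEVELS) - 1:
        inc.level += 1
        inc.history.append(f"escalated to {LEVELS[inc.level]}: {reason}")
    return inc

def triage(inc):
    """Level one: apply the pre-defined reaction if the event is known,
    otherwise hand the incident to the experts immediately."""
    if inc.event in KNOWN_EVENTS:
        inc.history.append(f"agents applied: {KNOWN_EVENTS[inc.event]}")
    else:
        escalate(inc, "no matching known event or pre-defined reaction")
    return inc

def tick(inc, now):
    """Automatic escalation once the delay for the current level is exhausted;
    meant to be called periodically by the incident-handling interface."""
    limits = T_LIMITS[inc.criticality]
    while (not inc.resolved and inc.level < len(limits)
           and now - inc.opened_at > limits[inc.level]):
        escalate(inc, f"t{inc.level + 1} ({limits[inc.level]} min) exceeded")
    return inc
```

Calling `tick` at minute 20 on a "high" portscan ticket opened at minute 0 moves it from agents to experts, and at minute 61 on to the laboratory, each step recorded in `history`.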
SOC Challenges
• Funding
  • Commercial/freeware + infrastructure + staff salaries
• Training
  • 1st level needs specialized training
  • Not just point & clickers
• Process
  • Find the data, get access to the data
  • Help desk trouble ticket process
• Technology
  • Backbone speeds, MPLS, IPv6
  • Sensor placement – inline or span port
• APT
  • Understandable threats
Problem:
Security Operations Centers (SOCs) are growing. Respondents indicated that the SOC’s primary strengths are flexibility and adaptability, while its biggest weakness is lack of visibility: SOCs still can’t detect previously unknown threats, which is a consistent problem across many other international surveys, including SANS (the SysAdmin, Audit, Network, and Security Institute). The surveys also found a need for more automation across the prevention, detection and response functions, particularly in prevention and detection, where the tools respondents use are mostly the same.
Advanced Persistent Threats (APTs) are also one of the big problems facing a security operations center. APTs often use social engineering to obtain contact information and send phishing emails to unsuspecting people. They exploit security vulnerabilities in Internet of Things (IoT) devices, and hide in high-value business assets to steal or compromise target information. Attacks are commonly seen against infrastructure such as the finance sector, resource suppliers and government agencies, affecting people’s livelihoods. Before launching attacks, perpetrators are usually well prepared and wait patiently for their opportunity. Once attacks are launched, perpetrators usually use technologies such as advanced evasion techniques to exploit known vulnerabilities. This makes traditional security devices that detect attack traffic ineffective.
Cybercriminals have figured out how to evade detection by
bypassing traditional defenses. Using toolkits to design polymorphic threats
that change with every use, move slowly, and exploit zero-day vulnerabilities,
the criminals have broken in through the hole left by traditional and
next-generation firewalls, IPS, anti-virus and Web gateways. This new
generation of organized cybercrime is persistent, capitalizing on
organizational data available on social networking sites to create very
targeted 'phishing' emails and malware targeted at the types of applications
and operating systems (with all their vulnerabilities) typical in particular
industries.
Once inside, advanced malware, zero-day and targeted APT
attacks will hide, replicate, and disable host protections. After it installs,
it phones home to its command and control (CnC) server for instructions, which
could be to steal data, infect other endpoints, allow reconnaissance, or lie
dormant until the attacker is ready to strike. Attacks succeed in this second
communication stage because few technologies monitor outbound malware
transmissions. Administrators remain unaware of the hole in their networks
until the damage is done.
APTs can be characterized by the attackers’ quest to gain long-term control of compromised computer systems. Whether attackers use viruses, Trojans, spyware, rootkits, spear phishing, malicious email attachments or drive-by downloads, their malware enables the simple disruption or long-term control of compromised machines. APTs can be nation-state or rogue actors using completely unknown malware, or buying access to systems previously compromised with known malware installed through social engineering, spear phishing or drive-by downloads.
Examples of APT attacks:
Stuxnet is one example of an APT. The attack on HBO in 2017 and the stolen Game of Thrones episodes is the latest example of an APT.
A big problem today is that we don’t have enough resources to review the large volume of logs and find solutions for what they show, nor does this planet have enough experts to stop major attacks in Security Operations Centers. Advanced persistent attacks and zero-days are also problems that cannot be understood by Security Operations Center L1 or L2, because an advanced persistent attack can also be generated manually.
Solution:
Al-Khawarizmi Institute of Computer Sciences, UET proposes a Next Generation Threat Awareness System, which will be the first BDS (Breach Detection System) product specifically designed to perceive and defend against APT attacks. The system will adopt an application-level sandbox and environmental awareness technology, embed auxiliary detection modules of AV (antivirus) and IDS, integrate a threat intelligence service, and effectively compensate for the deficiencies of traditional feature-detection and sandbox technologies. By these means our product will be able to detect and prevent APT and zero-day attacks precisely and efficiently with the concept of zero-day detection.
We give the concept of zero-day detection by holistic monitoring of every process over time, whether malicious or not:
• File attributes
• File contents
• File heuristics
• Access patterns
• Registry
• Configuration
• Network activity
• System calls
This will be an excellent solution for the Pakistani market at the lowest possible cost, as this solution will be integrated into the security operations center and will help to make it fool-proof secure.
Proposed Industries (priority-wise):
1. Educational sector
2. Health sector
3. Financial sector
4. Law enforcement sector
5. Law and justice