MRO Security Advisory Council (SAC) Webinar: One Company’s Path to Establishing Threat Intelligence and Hunting (PowerPoint presentation)



SLIDE 1

MRO Security Advisory Council (SAC) Webinar

“One Company’s Path to Establishing Threat Intelligence and Hunting”

Jamie Buening, Manager, Threat Intelligence and Hunting, MISO

August 21, 2019

SLIDE 2

MRO SAC Update

  • Technical Training and Social Networking Event – September 24, 2019
  • Security Conference – September 25, 2019
  • Regional Security Risk Assessment (In place of the SAC Qtr 3 meeting) – September 26, 2019
  • MRO SAC Qtr 4 Meeting – November 6, 2019

SLIDE 3

MISO’s Path to Threat Intelligence and Hunting


SLIDE 4

Topics

  • Evolution of the Threat Landscape
  • Recognition of need
  • Organizational Changes
  • Threat Hunting
  • Tools and Processes
  • Alternative Paths
  • Resources We Used


SLIDE 5

Quick Intro

SLIDE 6

About Me

Jamie Buening

  • Purdue University
    • Telecommunications & Networking
  • ExxonMobil – 7 years
    • UNIX Admin / Network Security
  • MISO – 12 years
    • Network Analyst / Compliance / Information Security

SLIDE 7

Midcontinent Independent System Operator

  • Membership
    • 51 Transmission Owners
    • 135 Non-transmission Owners
  • Network Model
    • 293,832 SCADA data points
    • 6,624 generating units
  • Manages one of the world’s largest energy markets
    • $29.9 billion (2018)

SLIDE 8

Evaluation of the Threat Landscape

SLIDE 9

MISO’s Cyber Related Risks

Threat Actors

  • Activists / Extremists
  • Insiders
  • Nation State
  • Cyber Criminal Enterprise

SLIDE 10

What are we up against?

  • Business & technology outpace security
  • New malware found every day
  • Passive defenses will fail against determined adversaries
  • Breaches continue to occur

SLIDE 11

Result

  • Advanced attackers hide their tracks
  • Signature based technology limited
  • Must hunt for anomalies and IOCs
  • Using external and internal threat intelligence


SLIDE 12

Organizational Changes

SLIDE 13

Original Cyber Security Organization

  • CISO
    • Cyber Security

SLIDE 14

New Cyber Security Organization

  • CISO
    • Threat Intelligence and Hunting
    • Information Security Risk
    • Cyber Security Operations
    • Physical Security

SLIDE 15

Continued Evolution

Changing culture to consider more teams as part of security:

  • Access Management
  • Assurance & Process
  • Security Controls & Engagement
  • IT Operations
  • Device Management
  • Change & Configuration

SLIDE 16

Threat Intelligence and Hunting

Hiring to fill positions

  • Manager
  • 1st full time analyst
  • 2 analysts transitioned
  • 4th full time analyst

Candidates

  • Particle Physics PhD
  • Others

SLIDE 17

Threat Intelligence and Hunting

Generally focus time in 1/3’s

  • Learning
  • Hunting
  • Projects

Team Capabilities

  • Threat Hunting
  • Intelligence
  • IR (CIP-008)
  • Forensics

SLIDE 18

Threat Hunting

SLIDE 19

But what is Threat Hunting?

  • Needed to define
  • Ambiguous
  • Big Data?
  • Lots of documentation
  • Hard to find examples of application


SLIDE 20

Sliding Scale of Cyber Security

  • Robert M. Lee, “The Sliding Scale of Cyber Security,” SANS Institute Information Security Reading Room, Aug. 2015, https://www.sans.org/reading-room/whitepapers/ActiveDefense/sliding-scale-cyber-security-36240

SLIDE 21

Hunting Maturity Model

David Bianco, “A Simple Hunting Maturity Model,” Enterprise Detection & Response blog, Oct. 15, 2015, http://detect-respond.blogspot.com/2015/10/a-simple-hunting-maturity-model.html

  • HMM0 – Initial: automated alerting; little or no data
  • HMM1 – Minimal: IOC searches; moderate or high data
  • HMM2 – Procedural: follow procedures; high or very high data
  • HMM3 – Innovative: create procedures; high or very high data
  • HMM4 – Leading: automate procedures; high or very high data

SLIDE 22

Threat Hunting In General

  • Human driven activity
  • Part of detection
  • Hypothesis based and other styles
  • Statistical methods
  • Consequence driven
  • Intelligence driven

SLIDE 23

How MISO Defines Threat Hunting Today

SLIDE 24

Traditional Information Security

  • Network segmentation
  • Patching
  • Reducing attack surface
  • Firewalls
  • Anti-malware
  • IPS/IDS
SLIDE 25

Threat Hunting

  • Analyst driven
  • Applying knowledge
  • Proactive
  • Iterative

“Assume you are already compromised.”

SLIDE 26

Comparison

Traditional Security

  • House: Fence, windows, doors – Technology: Firewalls, IAM
  • House: Motion detectors – Technology: IDS

Threat Hunting

  • House: Routine searches – Method: Statistical analysis
  • House: Safe pried open? – Method: Consequence driven hunt

SLIDE 27

Threat Hunting

Know MISO → Know Adversaries → Hunt

SLIDE 28

Threat Hunting – Know MISO

  • Operating environment
  • Business

Understand and know our environment in the same way our adversaries will attempt to do.

SLIDE 29

Threat Hunting – KnowAdversaries

  • ALLANITE – What: Information gathering to prepare disruptive capabilities. How: Phishing and watering holes. Who: DHS associates with Russia.
  • COVELLITE – What: Gathers intellectual property and industrial operations intelligence. How: Targeted phishing. Who: DHS associates with North Korea.
  • ELECTRUM – What: Disrupt operations. How: Common exploitation behaviors (no 0-days). Who: DHS associates with Russia.
  • RASPITE – What: Information gathering and remote access. How: Strategic website compromise. Who: Symantec associates with Iran.

Adversary Reports, https://dragos.com/adversaries/

SLIDE 30

Threat Hunting – Proactively Search

Threat hunting methodology

  • Proactive and iterative
  • Hypothesis based
  • Human analyst using automation / machine assistance

Hypothesis: ALLANITE has gained access to MISO’s network and is gathering information on Control Room operations.

Tests:

  • Can we find evidence of a phishing campaign to steal credentials?
  • Have there been anomalous VPN connections into MISO’s network?
  • Is there activity showing collection of Control Room console screenshots?
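The "anomalous VPN connections" test above, carried through as an added example in plain Python (not code from the MISO deck): a per-user baseline of source countries and login hours is built from an earlier window, and each later successful login is checked against it. The log format, user names and countries are constructed for this example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample VPN log (not real MISO data): timestamp, user, source country, result.
# July rows form the baseline window; August rows are the hunt window.
VPN_LOG = """\
2019-07-01T08:12:00 alice US success
2019-07-02T08:40:00 alice US success
2019-07-03T09:05:00 alice US success
2019-07-01T07:55:00 bob US success
2019-08-15T08:30:00 alice US success
2019-08-16T03:10:00 alice RO success
2019-08-16T08:02:00 bob US success
2019-08-17T12:00:00 bob US failure
"""

def parse(log):
    rows = []
    for line in log.splitlines():
        ts, user, country, result = line.split()
        rows.append((datetime.fromisoformat(ts), user, country, result))
    return rows

def build_baseline(rows, before):
    """Per-user countries and login hours seen in successful logins before `before`."""
    base = defaultdict(lambda: {"countries": set(), "hours": set()})
    for ts, user, country, result in rows:
        if ts < before and result == "success":
            base[user]["countries"].add(country)
            base[user]["hours"].add(ts.hour)
    return base

def hunt_vpn_anomalies(log, baseline_end):
    """Return (timestamp, user, reasons) for successful hunt-window logins that
    break the user's baseline; a user with no baseline at all is flagged on both checks."""
    cutoff = datetime.fromisoformat(baseline_end)
    rows = parse(log)
    base = build_baseline(rows, cutoff)
    findings = []
    for ts, user, country, result in rows:
        if ts < cutoff or result != "success":
            continue
        reasons = []
        if country not in base[user]["countries"]:
            reasons.append(f"new source country {country}")
        if not any(abs(ts.hour - h) <= 1 for h in base[user]["hours"]):
            reasons.append(f"login at {ts.hour:02d}:00 outside usual hours")
        if reasons:
            findings.append((ts.isoformat(), user, reasons))
    return findings
```

Each finding is a lead for the analyst to pivot on (the phishing and screenshot-collection tests), not a verdict; the baseline window should be long enough to cover a user's normal travel and shift patterns.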

SLIDE 31

Tools and Processes

SLIDE 32

Threat Intelligence Platform

  • Evaluated vendors
  • Implemented and integrated
  • Ingestion of data feeds
  • Manual indicator submission
  • Research
  • TTPs / Threat Actors / Campaigns


SLIDE 33

SSL Inspection

  • Solution to improve visibility
  • Enables root cause identification
  • Previously unavailable data
    • Prevented a conclusive hunt outcome
  • Allows other tools to inspect previously unavailable data

SLIDE 34

Other Tools

  • SIEM
  • Kansa Framework
  • DFIR Tools
  • R and Python Pandas


SLIDE 35

Team Interactions

  • New processes needed between teams
  • Event escalation
  • Risk tracking
  • Shared processes

SLIDE 36

Alternative Paths

SLIDE 37

Other Options

  • Different team capabilities
    • Red Team and Hunting
  • No dedicated team
    • Set aside time
    • Perform team hunts
  • Vendor engagement
  • Encourage other teams to hunt
    • Don’t limit hunting to specific people

SLIDE 38

Resources We Used

*Not an endorsement!

SLIDE 39

Papers/Models

  • HMM
  • Active Defense
  • SANS Reading Room – https://www.sans.org/reading-room/whitepapers/threathunting
  • MITRE ATT&CK

SLIDE 40

Books

  • Data-Driven Security
  • R for Data Science
  • Network Security Through Data Analysis
  • Industrial Network Security
  • Applied Cyber Security and the Smart Grid

SLIDE 41

Conferences and Activities

  • SANS ICS Summit and others
  • CS3STHLM ICS Security Summit
  • Black Hat USA
  • Working Groups
  • MRO SAC Weekly Threat Calls
  • *S4xEvents ICS Security Event

SLIDE 42

Training

  • SANS Courses, ICS / DFIR / CTI
  • Black Hat Courses
  • ICS SCADA Honeypot Technical Training
  • Applied Network Defense
    • Investigation Theory
    • Practical Threat Hunting
    • ELK for Security Analysis

Determine a common base set of training. Get people on the same page.

SLIDE 43

Conclusion

SLIDE 44

Threat Intelligence and Hunting

  • A lot about Threat Hunting
  • Intelligence is integral
  • Know MISO
  • Know Adversaries
  • Explore to determine your path
  • Find value through identifying risks and optimizations for systems

SLIDE 45

Thank You

MISO Threat Hunting Training at the MRO Security Conference