Presentation is loading. Please wait.

Presentation is loading. Please wait.

Breaking Kill Chains A “How To” Guide for SecurityCenter.

Published byAyana Dickeson Modified over 9 years ago

Similar presentations

Presentation on theme: "Breaking Kill Chains A “How To” Guide for SecurityCenter."— Presentation transcript:

1 Breaking Kill Chains A “How To” Guide for SecurityCenter

2 Breaking Kill Chains “cyber kill chain®”The “cyber kill chain®” framework was originally created by Lockheed Martin to describe the process of exploitation of information systems o Based on the military concept of a “kill chain,” the model details each step of a cybercriminal’s operation, from reconnaissance through delivery to command and control and ultimately action o If a link in the chain can be eliminated, the path is destroyed

3 Identifying Weakest Links To simplify the work of isolating and stopping kill chains, an organization must first track metrics that identify the most vulnerable points—the weakest links—in the chains o Armed with this data, the organization can identify the weakest exploitable links and prioritize the critical vulnerabilities to be plugged, patched, and mitigated kills the attack! o Breaking just one link in the chain kills the attack!

4 Identifying Weakest Links three metricsAs Ron Gula explains in his blog post, “Identifying the Weakest Links in Cyber Kill Chains®”, there are three metrics that are important to monitor to simplify breaking kill chains: 1. Identify exploitable Internet-facing systems 2. Identify systems that access the Internet with exploitable web clients (vulnerable or unsupported browsers, etc.) 3. Identify exploitable systems that have internal trusted connections to other systems on the network

5 Identifying Weakest Links Tenable’s SecurityCenter Research Team has created three new dashboards to assist organizations in monitoring these three metrics: 1. Internet Facing Exploits 2. Breaking Kill Chains Clients 3. Exploiting Internal Trust These new dashboards make use of assets; the purpose of this presentation is to describe how to set up these assets and dashboards

6 Add Assets

7 Adding an Asset To add an asset from the SecurityCenter app store feed, within SecurityCenter select Support > Assets Click the “Add” button Select the desired asset and click “Add It Now”; Repeat to add more assets Click the “Finished” button

8 Add Assets Add the following dynamic assets: o Internet Facing Assets o Internet Browsing Systems o Exploitable (Generic) Add the following Device Behavior dynamic assets: o Hosts with Internal Connections FROM Other Hosts o Hosts with Internal Connections TO Other Hosts o Social Network Activity o YouTube Access

9 Add Assets Add the following Client Applications dynamic assets: o Client FTP o Client HTTP o Client IMAP o Client IRC o Client P2P o Chrome Web Browsers o Firefox Web Browsers o Internet Explorer o Opera Web Browsers o Safari Web Browsers o Skype

10 Combination Assets Combination assets (assets of assets) are used to locate systems that belong to both one group AND another group, or that belong to one group OR another group o For example, the “Internet Browsing Systems” asset could be combined with the “Hosts with Internal Connections TO Other Hosts” asset to find systems that both browse the Internet and also connect to other internal hosts Combination assets are dynamically updated, so any new vulnerabilities or network changes will be immediately reflected

11 Create Combination Assets To create a Combination Asset, within SecurityCenter select Support > Assets Click the “Add” button Click “Create Custom Asset” Set Type to “Combination” Add existing assets combined using logical operators in Combination Parameters…

12 Create Combination Assets Attacker Entry PointsCreate Attacker Entry Points combination asset: o All systems that connect to Internet, have exploitable vulnerabilities, and connect to other systems

13 Create Combination Assets Exploitable ServersCreate Exploitable Servers combination asset: o All systems that have exploitable vulnerabilities and other systems connect to them

14 Create Combination Assets Breaking Kill Chains ClientsCreate Breaking Kill Chains Clients combination asset: o All systems that have web client applications

15 Consider DMZ Systems Assets Consider also creating static asset(s) that enumerate those systems on the network known to interact with the Internet or be Internet-facing, such as systems in the DMZ o This enables identification of outward facing systems even if PVS is not available to scan for such systems o Add these asset(s) to the created combination assets

16 Add and Configure Dashboards

17 Internet Facing Exploits Dashboard Internet Facing ExploitsInternet Facing Exploits dashboard is located in the SecurityCenter feed under Security Industry Trends Click “Add It Now” “Add It Now” will change to “Configure Now” for about 10 seconds before the dashboard is added Click “Configure Now”…

18 Internet Facing Exploits Dashboard Internet Facing Assets…and select the asset Internet Facing Assets Click the “Save” button Click the “Finished” button to add the dashboard The asset will be added to all the dashboard components

19 Internet Facing Exploits Dashboard Note that this dashboard uses a pre-defined dynamic asset, not a created combination asset Therefore, if using a static DMZ Systems asset as described earlier is desired, then a combination asset combining “Internet Facing Systems” and DMZ Systems asset(s) will need to be created and applied to this dashboard

20 Internet Facing Exploits Dashboard Note: By default, dashboard components update daily; to achieve more continuous monitoring, consider setting them to update every few hours or even hourly Edit each component by clicking the drop menu arrow on the top right of the component and selecting “Edit Component” Set the “Update Frequency” Click the “Submit” button to finish editing the component

21 Internet Facing Exploits Dashboard For matrix components, the update frequency is set in each column of the matrix Note: If desired, the update frequency can be adjusted for the components in the following dashboards as well.

22 Breaking Kill Chains Clients Dashboard Breaking Kill Chains ClientsBreaking Kill Chains Clients dashboard is located in the SecurityCenter feed under Security Industry Trends Click “Add It Now” “Add It Now” will change to “Configure Now” for about 10 seconds before the dashboard is added Click “Configure Now”…

23 Breaking Kill Chains Clients Dashboard Breaking Kill Chains Clients…and select the asset Breaking Kill Chains Clients Click the “Save” button Click the “Finished” button to add the dashboard The asset will be added to all the dashboard components

24 Exploiting Internal Trust Dashboard Exploiting Internal TrustExploiting Internal Trust dashboard is located in the SecurityCenter feed under Security Industry Trends Click “Add It Now” Note: This dashboard uses two different assets, so it cannot be configured using “Configure Now”, as done previously; each dashboard component will need to be configured individually.

25 Exploiting Internal Trust Dashboard Attacker Entry PointsThe four dashboard components on the left require the Attacker Entry Points asset: o Attacker Entry Points o Attacker Entry Points with Most Connections to Other Hosts o Top Remediations for Attacker Entry Points o Attacker Entry Point Vulnerabilities by Asset Group Exploitable ServersThe four dashboard components on the right require the Exploitable Servers asset: o Exploitable Servers o Exploitable Servers with Most Connections from Other Hosts o Top Remediations for Exploitable Servers o Exploitable Server Vulnerabilities by Asset Group

26 Exploiting Internal Trust Dashboard Edit each component by clicking the drop menu arrow on the top right of the component and selecting “Edit Component” Click the “Edit Filters” button Under Target Filters, select the proper asset Click the “Apply Filters” button Click the “Submit” button to finish editing the component

27 Conclusion Now that these assets and dashboards have been properly set up, they can be used to continuously monitor for the weakest links and prioritize the critical vulnerabilities to be mitigated kills the attack!Breaking just one link in the chain kills the attack!

28 For Questions Contact Tenable Customer Support Portal

Download ppt "Breaking Kill Chains A “How To” Guide for SecurityCenter."

Similar presentations

3D Tool Examples Dave Breslin (@ Tenable Discussions Forum)

3D Tool Examples Dave Breslin Tenable Discussions Forum)
® Microsoft Office 2010 Browser and Email Basics.

® Microsoft Office 2010 Browser and Basics.
Services Course Windows Live SkyDrive Participant Guide.

Services Course Windows Live SkyDrive Participant Guide.
Copyright © 2012 Certification Partners, LLC -- All Rights Reserved Lesson 4: Web Browsing.

Copyright © 2012 Certification Partners, LLC -- All Rights Reserved Lesson 4: Web Browsing.
©2009 Justin C. Klein Keane PHP Code Auditing Session 3 – Tools of the Trade & Crafting Malicious Input Justin C. Klein Keane

©2009 Justin C. Klein Keane PHP Code Auditing Session 3 – Tools of the Trade & Crafting Malicious Input Justin C. Klein Keane
SecurityCenter Reporting Nessus Scan Report. SecurityCenter Reports For customers who use Nessus for vulnerability scanning and then move to SecurityCenter,

SecurityCenter Reporting Nessus Scan Report. SecurityCenter Reports For customers who use Nessus for vulnerability scanning and then move to SecurityCenter,
Lesson 4: Web Browsing.

Lesson 4: Web Browsing.
Integrating Access with the Web and with Other Programs.

Integrating Access with the Web and with Other Programs.
DVG-N5402SP.

DVG-N5402SP.
User Responsibility A “How To” Guide for SecurityCenter.

User Responsibility A “How To” Guide for SecurityCenter.
DHP-306AV & DHP-W306AV. Agenda: How to change Encryption on a DHP-306AV How to change the Device Password on a DHP-306AV What will happen if the Device.

DHP-306AV & DHP-W306AV. Agenda: How to change Encryption on a DHP-306AV How to change the Device Password on a DHP-306AV What will happen if the Device.
Chapter 1 Getting Started With Dreamweaver. Explore the Dreamweaver Workspace The Dreamweaver workspace is where you can find all the tools to create.

Chapter 1 Getting Started With Dreamweaver. Explore the Dreamweaver Workspace The Dreamweaver workspace is where you can find all the tools to create.
1 of 5 This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. © 2006 Microsoft Corporation.

1 of 5 This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. © 2006 Microsoft Corporation.
SecurityCenter & Palo Alto Configuration Guide. About this Guide This guide provides an overview of how to get the most from Palo Alto firewalls when.

SecurityCenter & Palo Alto Configuration Guide. About this Guide This guide provides an overview of how to get the most from Palo Alto firewalls when.
Getting an account with WordPress.com Open your web browser ( mozilla firefox, internet explorer, opera, etc.,)

Getting an account with WordPress.com Open your web browser ( mozilla firefox, internet explorer, opera, etc.,)
Finding Exploitable Admin Systems A “How To” Guide for SecurityCenter.

Finding Exploitable Admin Systems A “How To” Guide for SecurityCenter.
Vulnerability Types And How to Use Them.

Vulnerability Types And How to Use Them.
Working with SharePoint Document Libraries. What are document libraries? Document libraries are collections of files that you can share with team members.

Working with SharePoint Document Libraries. What are document libraries? Document libraries are collections of files that you can share with team members.
Using Iterators in Reports

Using Iterators in Reports
TUTORIAL # 2 INFORMATION SECURITY 493. LAB # 4 (ROUTING TABLE & FIREWALLS) Routing tables is an electronic table (file) or database type object It is.

TUTORIAL # 2 INFORMATION SECURITY 493. LAB # 4 (ROUTING TABLE & FIREWALLS) Routing tables is an electronic table (file) or database type object It is.

Similar presentations

Ads by Google