Breaking Kill Chains: A “How To” Guide for SecurityCenter

Breaking Kill Chains
The “cyber kill chain®” framework was originally created by Lockheed Martin to describe the process of exploitation of information systems
o Based on the military concept of a “kill chain,” the model details each step of an attacker’s operation, from reconnaissance through delivery to command and control and ultimately actions on objectives
o If a link in the chain can be eliminated, the attacker’s path is broken

Identifying Weakest Links
To simplify the work of isolating and stopping kill chains, an organization must first track metrics that identify the most vulnerable points (the weakest links) in the chains
o Armed with this data, the organization can identify the weakest exploitable links and prioritize the critical vulnerabilities to be plugged, patched, and mitigated
o Breaking just one link in the chain kills the attack!

Identifying Weakest Links
As Ron Gula explains in his blog post, “Identifying the Weakest Links in Cyber Kill Chains®”, there are three metrics that are important to monitor to simplify breaking kill chains:
1. Identify exploitable Internet-facing systems
2. Identify systems that access the Internet with exploitable web clients (vulnerable or unsupported browsers, etc.)
3. Identify exploitable systems that have internal trusted connections to other systems on the network

Identifying Weakest Links
Tenable’s SecurityCenter Research Team has created three new dashboards to assist organizations in monitoring these three metrics:
1. Internet Facing Exploits
2. Breaking Kill Chains Clients
3. Exploiting Internal Trust
These new dashboards make use of assets; the purpose of this presentation is to describe how to set up these assets and dashboards

Add Assets

Adding an Asset
To add an asset from the SecurityCenter app store feed, within SecurityCenter select Support > Assets
Click the “Add” button
Select the desired asset and click “Add It Now”; repeat to add more assets
Click the “Finished” button

Add Assets
Add the following dynamic assets:
o Internet Facing Assets
o Internet Browsing Systems
o Exploitable (Generic)
Add the following Device Behavior dynamic assets:
o Hosts with Internal Connections FROM Other Hosts
o Hosts with Internal Connections TO Other Hosts
o Social Network Activity
o YouTube Access

Add Assets
Add the following Client Applications dynamic assets:
o Client FTP
o Client HTTP
o Client IMAP
o Client IRC
o Client P2P
o Chrome Web Browsers
o Firefox Web Browsers
o Internet Explorer
o Opera Web Browsers
o Safari Web Browsers
o Skype

Combination Assets
Combination assets (assets of assets) are used to locate systems that belong to both one group AND another group, or that belong to one group OR another group
o For example, the “Internet Browsing Systems” asset could be combined with the “Hosts with Internal Connections TO Other Hosts” asset to find systems that both browse the Internet and also connect to other internal hosts
Combination assets are evaluated from the same scan and PVS data as the dynamic assets they reference, so any new vulnerabilities or network changes are reflected as soon as that data is updated

Create Combination Assets
To create a Combination Asset, within SecurityCenter select Support > Assets
Click the “Add” button
Click “Create Custom Asset”
Set Type to “Combination”
Add existing assets combined using logical operators in Combination Parameters…

Create Combination Assets
Create the Attacker Entry Points combination asset:
o All systems that connect to the Internet, have exploitable vulnerabilities, and connect to other systems (i.e., the Internet Browsing Systems, Exploitable (Generic), and Hosts with Internal Connections TO Other Hosts assets combined with AND)

Create Combination Assets
Create the Exploitable Servers combination asset:
o All systems that have exploitable vulnerabilities and that other systems connect to (i.e., the Exploitable (Generic) and Hosts with Internal Connections FROM Other Hosts assets combined with AND)

Create Combination Assets
Create the Breaking Kill Chains Clients combination asset:
o All systems that have web client applications (i.e., the web browser and other Client Applications assets added earlier, combined with OR)

Consider DMZ Systems Assets
Consider also creating static asset(s) that enumerate those systems on the network known to interact with the Internet or to be Internet-facing, such as systems in the DMZ
o This enables identification of outward-facing systems even if PVS is not available to observe them
o Add these asset(s) to the combination assets created above
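The combination-asset logic from the preceding slides, worked through as an added example that is not part of the original presentation or of SecurityCenter itself. Dynamic assets are modeled as sets of host IPs, and each combination asset is a boolean expression over asset names; the expression syntax used here (quoted asset names joined by “&” for AND, “|” for OR, “!” for NOT, with parentheses) and the host memberships are assumptions constructed for the example, not SecurityCenter’s actual Combination Parameters syntax or real scan data. It builds Attacker Entry Points, Exploitable Servers and Breaking Kill Chains Clients exactly as the slides describe, and also shows how a static DMZ asset folds into the Internet-facing group with OR.

```python
"""Combination assets (assets of assets) modeled as set algebra.

Added example, not SecurityCenter code. The expression syntax below
('"Name" & "Name"', '|', '!', parentheses) is an assumption for this
example and is not SecurityCenter's own Combination Parameters syntax.
"""
import re

# Constructed sample membership for the dynamic assets named in the deck
# (plus a hypothetical static "DMZ Systems" asset). Not real scan data.
ASSETS = {
    "Internet Facing Assets": {"10.0.3.20", "10.0.3.21"},
    "Internet Browsing Systems": {"10.0.1.10", "10.0.1.11", "10.0.1.12", "10.0.2.5"},
    "Exploitable (Generic)": {"10.0.1.11", "10.0.2.5", "10.0.3.20", "10.0.3.21"},
    "Hosts with Internal Connections TO Other Hosts": {"10.0.1.10", "10.0.1.11", "10.0.2.5"},
    "Hosts with Internal Connections FROM Other Hosts": {"10.0.3.20", "10.0.3.22"},
    "Chrome Web Browsers": {"10.0.1.10"},
    "Firefox Web Browsers": {"10.0.1.11", "10.0.1.12"},
    "Internet Explorer": {"10.0.2.5"},
    "DMZ Systems": {"10.0.3.21", "10.0.3.40"},  # hypothetical static asset
}

# Tokens: parentheses, the three operators, and double-quoted asset names.
TOKEN = re.compile(r'\s*(\(|\)|&|\||!|"[^"]+")')


def tokenize(expr):
    """Split a combination expression into tokens; reject anything else."""
    expr, pos, out = expr.strip(), 0, []
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"bad token at {expr[pos:]!r}")
        out.append(m.group(1))
        pos = m.end()
    return out


class Parser:
    """Recursive-descent evaluator: expr := term ('|' term)*,
    term := factor ('&' factor)*, factor := '!' factor | '(' expr ')' | name.
    AND binds tighter than OR, as in ordinary boolean algebra."""

    def __init__(self, tokens, assets):
        self.toks, self.i, self.assets = tokens, 0, assets
        self.universe = set().union(*assets.values())  # domain for NOT

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected!r}, got {tok!r}")
        self.i += 1
        return tok

    def expr(self):
        result = self.term()
        while self.peek() == "|":
            self.take("|")
            result = result | self.term()
        return result

    def term(self):
        result = self.factor()
        while self.peek() == "&":
            self.take("&")
            result = result & self.factor()
        return result

    def factor(self):
        tok = self.peek()
        if tok == "!":
            self.take("!")
            return self.universe - self.factor()
        if tok == "(":
            self.take("(")
            result = self.expr()
            self.take(")")
            return result
        name = self.take()
        if not (name.startswith('"') and name.endswith('"')):
            raise ValueError(f"expected asset name, got {name!r}")
        name = name[1:-1]
        if name not in self.assets:
            raise KeyError(f"unknown asset {name!r}")
        return set(self.assets[name])


def evaluate(expression, assets=ASSETS):
    """Return the set of hosts matching a combination expression."""
    p = Parser(tokenize(expression), assets)
    result = p.expr()
    if p.peek() is not None:
        raise ValueError(f"trailing tokens: {p.toks[p.i:]}")
    return result


# The combination assets the deck asks for, plus the DMZ fold-in.
COMBINATIONS = {
    "Attacker Entry Points":
        '"Internet Browsing Systems" & "Exploitable (Generic)" '
        '& "Hosts with Internal Connections TO Other Hosts"',
    "Exploitable Servers":
        '"Exploitable (Generic)" & "Hosts with Internal Connections FROM Other Hosts"',
    "Breaking Kill Chains Clients":
        '"Chrome Web Browsers" | "Firefox Web Browsers" | "Internet Explorer"',
    "Internet Facing or DMZ":
        '("Internet Facing Assets" | "DMZ Systems") & "Exploitable (Generic)"',
}


def build_combinations(assets=ASSETS, combos=COMBINATIONS):
    """Evaluate every combination asset against the current memberships."""
    return {name: evaluate(expr, assets) for name, expr in combos.items()}


if __name__ == "__main__":
    for name, hosts in build_combinations().items():
        print(f"{name}: {sorted(hosts)}")
```

Because each combination is re-evaluated from the underlying asset sets every time it is built, a host that gains an exploitable finding or a new internal connection appears in the combination automatically, which is the behavior the slides rely on for continuous monitoring.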

Add and Configure Dashboards

Internet Facing Exploits Dashboard
The Internet Facing Exploits dashboard is located in the SecurityCenter feed under Security Industry Trends
Click “Add It Now”
“Add It Now” will change to “Configure Now” for about 10 seconds before the dashboard is added
Click “Configure Now”…

Internet Facing Exploits Dashboard
…and select the asset Internet Facing Assets
Click the “Save” button
Click the “Finished” button to add the dashboard
The asset will be added to all the dashboard components

Internet Facing Exploits Dashboard
Note that this dashboard uses a pre-defined dynamic asset, not a created combination asset
Therefore, if using a static DMZ Systems asset as described earlier is desired, a combination asset combining “Internet Facing Assets” and the DMZ Systems asset(s) with OR will need to be created and applied to this dashboard

Internet Facing Exploits Dashboard
Note: By default, dashboard components update daily; to achieve more continuous monitoring, consider setting them to update every few hours or even hourly
Edit each component by clicking the drop-down menu arrow on the top right of the component and selecting “Edit Component”
Set the “Update Frequency”
Click the “Submit” button to finish editing the component

Internet Facing Exploits Dashboard
For matrix components, the update frequency is set in each column of the matrix
Note: If desired, the update frequency can be adjusted for the components in the following dashboards as well

Breaking Kill Chains Clients Dashboard
The Breaking Kill Chains Clients dashboard is located in the SecurityCenter feed under Security Industry Trends
Click “Add It Now”
“Add It Now” will change to “Configure Now” for about 10 seconds before the dashboard is added
Click “Configure Now”…

Breaking Kill Chains Clients Dashboard
…and select the asset Breaking Kill Chains Clients (the combination asset created earlier)
Click the “Save” button
Click the “Finished” button to add the dashboard
The asset will be added to all the dashboard components

Exploiting Internal Trust Dashboard
The Exploiting Internal Trust dashboard is located in the SecurityCenter feed under Security Industry Trends
Click “Add It Now”
Note: This dashboard uses two different assets, so it cannot be configured using “Configure Now” as done previously; each dashboard component will need to be configured individually

Exploiting Internal Trust Dashboard
The four dashboard components on the left require the Attacker Entry Points asset:
o Attacker Entry Points
o Attacker Entry Points with Most Connections to Other Hosts
o Top Remediations for Attacker Entry Points
o Attacker Entry Point Vulnerabilities by Asset Group
The four dashboard components on the right require the Exploitable Servers asset:
o Exploitable Servers
o Exploitable Servers with Most Connections from Other Hosts
o Top Remediations for Exploitable Servers
o Exploitable Server Vulnerabilities by Asset Group

Exploiting Internal Trust Dashboard
Edit each component by clicking the drop-down menu arrow on the top right of the component and selecting “Edit Component”
Click the “Edit Filters” button
Under Target Filters, select the proper asset
Click the “Apply Filters” button
Click the “Submit” button to finish editing the component

Conclusion
Now that these assets and dashboards have been properly set up, they can be used to continuously monitor for the weakest links and prioritize the critical vulnerabilities to be mitigated
Breaking just one link in the chain kills the attack!

For Questions
Contact the Tenable Customer Support Portal