Tactical
Response

CERT-EE Symposium, Tallinn, May 30th 2016.

Extended version, updated June 5th.

About me

  • SML at Telenor CERT.
  • Seven years at NorCERT.
  • Coming from HW & SW QA.
  • Like models and taxonomies...

@FrodeHommedal

About this talk

I will try to give meaning to
the phrase tactical response.

The slides are TLP:WHITE.

Caveat

The talk is based on my personal experience,
and expresses my personal views on the matter.

Warning

The first slide said
extended version.

And it is. It's quite long.

(Pushing past 100 slides...)

Head start

Tactical response addresses the
attackers, and their missions and goals.

Not just their tools and infrastructure.

Different domains of

response

A.k.a. "Uh, tactical...?"

The tactical space

exists in a continuum of different layers
of abstraction, scope and purpose.

Political

Strategic

Operational

Tactical

Technical

At the tactical level we think in
terms of single attacks and incidents.

Of single engagements, or sequences of them.

At the tactical level you are aware
that you have an intelligent and

mission driven opponent.

A tactical response is the

appropriate response

when you suspect a targeted
attack with an unknown scope.

Assertion

Way too many organizations only ever
respond in the technical domain.

Like re-imaging computers and
blocking IPs, domains and hashes.

And only that.

During a mainly

technical response

there is little or no acknowledgement,
awareness or focus on the opponent.

But if all you see are technical
artifacts, like shoes and tracks...

...you are missing something important.

The shadows in the back.
The guys wearing the shoes.

The result oriented and
mission driven attackers.

Happily hunting
in your networks...

...with your data as
their deliverables.

Responding at the technical
level is challenging enough.

But we need a lot more to
be effective as responders.

When the scope is unknown we need to
go beyond a purely technical response.

Assertion

Any mature response capability
must at the very least be able
to respond at the tactical level.

So what is

tactical response

then?

Wasting attacker time with a honeypot.

Sabotaging their exfil channel...

...but nothing else.

Or feeding them bogus data.

Or deceiving them in other ways.

It's focusing your efforts on effectively
stopping adversaries from achieving
their mission objectives.

While managing the fallout.

(Involve the right people...)

While limiting your risk exposure.

(Don't let them steal your crown jewels...)

While keeping a keen eye
on your operational security.

(Don't let them know you know...)

As you scope the incident and plan how to

execute the eviction

of the attacker once the scope
is known and the plan is ready.

What it's not is

blindly
cleaning up

computers they have compromised.

Having

operational
components

as part of your response
capability is also important.

Using threat group campaign analysis to inform
your IR is a form of operational response.

Or perhaps it's more a kind
of operational preparedness?

So is tracking threat group activity and specifically
hunting for them when they seem to be extra active.

When you know their spear-phishing cycle is three
weeks, you can use that in responding to that threat.

Operational response is responding to the

attacker's operation

as a whole, not just the particular
attacks you detect against yourself.

Looking beyond single incidents to

campaigns and
operations

will most likely strengthen your ability
to prepare, detect and respond.

To me, the much talked about

adversary hunting

is a form of operational response.

Political

Strategic

Operational

Tactical

Technical

Hopefully this way of
framing it made the concept of

tactical response

a bit clearer and more tangible.

Should you happen to disagree
I would love to hear from you.

@FrodeHommedal

Todo

Describe the strategic
and political levels.

(I may do that later.)

The CSIRT

Analysis Pyramid

CSIRTs are analysis driven response units.

So we need analytical models.

The CSIRT

analysis pyramid

is a CSIRT adaptation of
the intelligence process.

Created to help plan
our analysis capability.

And to help you get
from data to wisdom.

So we can get past a pure
technical response.

Wisdom

Insight

Knowledge

Information

Data

Data is a digital blob.

Information is a list of
nodes and their attributes.

Knowledge is said information
with relationships in a graph.

Insight is a contextualized
network of knowledge graphs.

Wisdom is knowing how to use it.

The CSIRT

Analysis Pyramid

is meant to help you organize your
analytical efforts to gain insight.

Then with experience you can gain wisdom.

Wisdom

Insight

Knowledge

Information

Data

Technical analysis extracts
needed information from data.

Like extracting C2 domains
and IPs from a piece of malware.

Integration of other sources
brings in information and
knowledge from outside the CSIRT.

Like a network diagram from operations.

Or a set of indicators related
to the threat group you hunt
from a fellow secret squirrel.

Tactical analysis is piecing
together the knowledge graph
explaining what the attacker
is doing in your network.

Like explaining how they breached
A, pivoted to B, logged into C,
dumped X and exfil'd it via D,
using techniques i, n and m.
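To make the bottom layers of the pyramid concrete, here is an added Python example. It is illustrative code written for this page, not the speaker's tooling, and every input is constructed: a fake malware blob standing in for the data layer, a host inventory standing in for the network diagram from operations, and an event list standing in for log and forensic findings. It extracts C2 indicators from the blob (data to information), joins indicators, inventory and events into a graph (information to knowledge), and then asks the two tactical questions: what is the chain of engagements from initial breach to exfiltration, and which gaps does the analyst still have to close. The hostnames A to E, the file share X and the address 203.0.113.45 are all invented for the illustration.

```python
"""Added example: walking the CSIRT analysis pyramid from data to insight.
Illustrative code for this page, not the speaker's own tooling. The blob,
inventory and events below are constructed for the example."""
import re
from collections import defaultdict, deque

# Data: a digital blob. Constructed stand-in for a malware sample.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"POST /gate.php HTTP/1.1\r\nHost: update.cdn-telemetry.example\r\n"
    + b"\x00\x00203.0.113.45:8443\x00127.0.0.1\x00www.w3.org\x00"
)
IPV4_RE = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(rb"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
NOISE = {"127.0.0.1", "www.w3.org"}             # matches that are not C2
FILE_EXTENSIONS = {"php", "exe", "dll", "txt", "html"}


def extract_indicators(blob: bytes) -> dict:
    """Technical analysis: data -> information (nodes with attributes).
    Real samples need unpacking and config decryption first; this is only
    the last, simplest step of that work."""
    ips = set()
    for m in IPV4_RE.findall(blob):
        s = m.decode()
        if all(0 <= int(o) <= 255 for o in s.split(".")) and s not in NOISE:
            ips.add(s)
    domains = set()
    for m in DOMAIN_RE.findall(blob):
        d = m.decode().lower()
        if d.rsplit(".", 1)[-1] not in FILE_EXTENSIONS and d not in NOISE:
            domains.add(d)
    return {"ips": ips, "domains": domains}


# Information from other sources: constructed host inventory from operations.
INVENTORY = {
    "A": {"role": "workstation", "compromised": True},
    "B": {"role": "file server", "compromised": True},
    "C": {"role": "domain controller", "compromised": True},
    "D": {"role": "web proxy", "compromised": True},
    "E": {"role": "jump host", "compromised": True},   # beaconing, no story yet
    "X": {"role": "R&D file share", "compromised": True},
}
# Constructed (src, dst, technique) events from logs and forensics.
EVENTS = [
    ("attacker", "A", "spear-phishing attachment"),
    ("A", "B", "unknown"),                # pivot observed, method not yet known
    ("B", "C", "valid account logon"),
    ("C", "X", "archived share with domain admin account"),
    ("X", "D", "staged archive over SMB"),
    ("D", "203.0.113.45", "HTTPS POST to C2"),
]


def build_graph(indicators, inventory, events):
    """Integration: information -> knowledge (the same nodes, now related)."""
    attrs = {h: {"type": "host", **info} for h, info in inventory.items()}
    for ioc in indicators["ips"] | indicators["domains"]:
        attrs[ioc] = {"type": "c2"}
    graph = defaultdict(list)          # node -> [(neighbour, technique)]
    for src, dst, technique in events:
        graph[src].append((dst, technique))
        attrs.setdefault(src, {"type": "external"})
        attrs.setdefault(dst, {"type": "unknown"})
    return graph, attrs


def attack_path(graph, start, goal):
    """Tactical analysis: breadth-first search for the chain of engagements
    from initial access to the C2 node. Returns (src, technique, dst) steps,
    or None if the knowledge graph does not connect the two."""
    prev, queue = {start: None}, deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            break
        for nxt, technique in graph.get(node, []):
            if nxt not in prev:
                prev[nxt] = (node, technique)
                queue.append(nxt)
    if goal not in prev:
        return None
    steps, cur = [], goal
    while prev[cur] is not None:
        src, technique = prev[cur]
        steps.append((src, technique, cur))
        cur = src
    return steps[::-1]


def knowledge_gaps(attrs, path):
    """What the tactical analyst still has to explain: steps with no known
    technique, and compromised hosts the narrative does not account for."""
    gaps = [f"how did {s} reach {d}?" for s, t, d in path if t == "unknown"]
    explained = {n for s, _, d in path for n in (s, d)}
    for node, a in attrs.items():
        if a.get("compromised") and node not in explained:
            gaps.append(f"{node} is compromised but not on the explained path")
    return gaps


def analyse():
    indicators = extract_indicators(SAMPLE)
    graph, attrs = build_graph(indicators, INVENTORY, EVENTS)
    path = attack_path(graph, "attacker", sorted(indicators["ips"])[0])
    return {"indicators": indicators, "path": path,
            "gaps": knowledge_gaps(attrs, path)}


if __name__ == "__main__":
    result = analyse()
    for src, technique, dst in result["path"]:
        print(f"{src} -> {dst}: {technique}")
    print("gaps:", *result["gaps"], sep="\n  ")
```

The gap list is the point: the pivot from A to B is on the path but unexplained, and E is beaconing without a place in the story. Both are things a purely technical response (re-image A to E, block the C2 address) would erase before anyone understood them.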

Operational analysis is learning
more about the attacker's entire
operation, across both your
incidents and those of others.

Like piecing together that your
incidents A, D and Y relate to
external incidents k and p
and are likely threat group 42.

Strategic analysis is figuring
out why the attacker is running
their operations and which risks
they expose your organization to.

Like figuring out that APT1
is exposing you to the risk of
IP theft and competition from
the Chinese companies that benefit from it.

So which questions should
your CSIRT be answering?

Which decisions and
actions do you want your

analysis capability

to enable and support?

These are questions every

CSIRT member

should ask themselves.

The

Axis

of

Awesome

Because PICERL (preparation, identification,
containment, eradication, recovery,
lessons learned) isn't how CSIRTs work.

Because incident response
mostly isn't transitioning
between clear cut phases.

Because incident response
is better modelled as a set
of interacting loops.

And here's one:

The axis of awesome

A.k.a. the CSIRT circle of life.

It depicts the smallest possible loop
a CSIRT can operate and still deliver

tactical response.

Todo

Explaining the model in more detail.

(I will probably do this later.)

The

Tactical

response team

Any severe incident
needs a CORE IR TEAM.

(If you want to go beyond a technical response.)

Core

IR Team Roles

The information manager fights the
inevitable information overload.

  • Tracks the analysts.
  • Tracks what we know.

The tactical analyst figures out
what the adversary's mission is.

  • Tracks the adversary.
  • Tracks our knowledge gaps.

The coordinator is the IR process owner.

  • Tracks the team.
  • Tracks our progress.
  • Coordinates with our surroundings.

In my experience these roles are not optional
if you want to go beyond technical response.

They are essential.

And require different
mindsets and skill sets.

These are the people who will run

The CSIRT
OODA Loop

that will enable tactical response.

(More on that in a bit.)

Send backup!

The CORE IR TEAM
obviously needs support.

Extended

DFIR team Roles

These guys support the core
team in any way they can.

TODO

Describe the support needed from
the Situational Awareness Team,
the Detection Development Team
and the Security Monitoring Team.

The CSIRT

OODA Loop

Fighting your adversaries.

We are operating in a time
constrained, adversarial context.

Hence the OODA loop (observe, orient, decide, act).

A model for understanding your
interaction with your adversaries.

Look for data gaps
and wasted time.

Improve.

Attack your attacker's OODA loop.

Be smarter. Be faster.
Deceive. Disrupt.

TODO

Explain the model better.

In the meantime, read up on
John Boyd and the OODA loop.

Conclusion

To engage your adversaries and
not just their infrastructure

adopt a tactical mindset. Do
tactical analysis and response.

The End

Questions?

@FrodeHommedal