
<p><strong>2019 CLUS</strong></p>
<p><strong>Implementing Cisco Cyber Security Operations</strong></p>
<p>Paul Ostrowski / Patrick Lao / James Risler, Cisco Security Content Development Engineers</p>
<p>LTRCRT-2222</p>
<p>© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public</p>
<p><strong>Cisco Webex Teams</strong></p>
<p>Questions? Use Cisco Webex Teams to chat with the speaker after the session.</p>
<p>How:</p>
<ol>
<li>Find this session in the Cisco Live Mobile App</li>
<li>Click “Join the Discussion”</li>
<li>Install Webex Teams or go directly to the team space</li>
<li>Enter messages/questions in the team space</li>
</ol>
<p>Webex Teams will be moderated by the speaker until June 16, 2019.</p>
<p>cs.co/ciscolivebot#LTRCRT-2222</p>
<p><strong>Agenda</strong></p>
<ul>
<li>Goals and Objectives</li>
<li>Prerequisite Knowledge & Skills (PKS)</li>
<li>Introduction to Security Onion</li>
<li>SECOPS Labs and Topologies</li>
<li>Access SECFND / SECOPS eLearning Lab Training Environment</li>
<li>Lab Evaluation</li>
<li>Cisco Cybersecurity Certification and Education Offerings</li>
</ul>
<p><strong>Goals and Objectives</strong></p>
<ul>
<li>Today's organizations are challenged with rapidly detecting cybersecurity breaches in order to respond effectively to security incidents. Cybersecurity provides the critical foundation organizations require to protect themselves, enable trust, move faster, add greater value and grow.</li>
<li>Teams of cybersecurity analysts within Security Operations Centers (SOC) keep a vigilant eye on network security monitoring systems designed to protect their organizations by detecting and responding to cybersecurity threats.</li>
<li>The goal of <strong>Cisco’s CCNA Cyber Ops</strong> (<strong>SECFND / SECOPS</strong>) courses is to teach the fundamental skills required to begin a career as an associate/entry-level cybersecurity analyst within a threat-centric security operations center.</li>
<li>This session will provide the student with an understanding of <strong>Security Onion</strong> as an open source network security monitoring (NSM) tool. The student will also explore common attack vectors, malicious activities, and patterns of suspicious behavior typically encountered within a threat-centric Security Operations Center (SOC).</li>
<li>We will provide you 30 days of continued access to the SECFND and SECOPS Training Portal.</li>
<li>This training is NOT focused on Cisco’s family of security products and solutions.</li>
</ul>
<p><strong>Prerequisite Knowledge & Skills (PKS)</strong></p>
<p>This topic lists the skills, knowledge, and attitudes that students must possess to benefit fully from the labs. It includes recommended Cisco learning offerings that the learner may complete to benefit fully from the labs.</p>
<p><strong>Recommended Prerequisite Skills</strong></p>
<p>The knowledge, skills, and attitudes that a student is expected to have before attending this course are as follows:</p>
<ul>
<li>Understanding Cisco Cybersecurity Fundamentals (<strong>SECFND</strong>)</li>
</ul>
<p><strong>Learning Resources for Prerequisite Skills</strong></p>
<p>Cisco learning offerings that contribute to the recommended knowledge, skills, and attitudes:</p>
<ul>
<li><strong>CCNA Cyber Ops SECFND #210-250 Official Cert Guide</strong>, by Omar Santos, Joseph Muniz, Stefano De Crescenzo</li>
<li><strong>CCNA Cyber Ops SECOPS #210-255 Official Cert Guide</strong>, by Omar Santos, Joseph Muniz</li>
</ul>
<p><strong>Introduction to Security Onion</strong></p>
<p>Video</p>
<p><strong>Cisco 2018 Annual Cybersecurity Report Highlights</strong></p>
<p>The <a href="/goto?url=https://www.cisco.com/c/en/us/products/security/security-reports.html?CCID=cc000160&DTID=esootr000875&OID=anrsc005983" target="_blank">Cisco 2018 Annual Cybersecurity Report</a> highlights findings and insights derived from threat intelligence and cybersecurity trends observed over the past 12-18 months by threat researchers and six technology partners: Anomali, Lumeta, Qualys, Radware, SAINT, and TrapX. Also included in the report are the results of the annual Security Capabilities Benchmark Study (SCBS), which this year surveyed 3,600 chief security officers (CSOs) and security operations (SecOps) managers from 26 countries about the state of cybersecurity in their organizations.</p>
<p><strong>The financial cost of attacks is no longer a hypothetical number:</strong></p>
<ul>
<li>According to study respondents, more than half of all attacks resulted in financial damages of more than US $500,000, including, but not limited to, lost revenue, customers, opportunities, and out-of-pocket costs.</li>
</ul>
<p>Source: <a href="/goto?url=https://newsroom.cisco.com/press-release-content?type=webcontent&articleId=1911494" target="_blank">https://newsroom.cisco.com/press-release-content?type=webcontent&articleId=1911494</a></p>
<p><strong>Cisco 2018 Annual Cybersecurity Report Highlights</strong></p>
<p><strong>Supply chain attacks are increasing in velocity, complexity</strong></p>
<p>These attacks can impact computers on a massive scale and can persist for months or even years. Defenders should be aware of the potential risk of using software or hardware from organizations that do not appear to have a responsible security posture.</p>
<ul>
<li>Two such supply chain attacks in 2017, Nyetya and Ccleaner, infected users by attacking trusted software.
<ul>
<li><strong>Nyetya</strong> (also known as NotPetya) arrived in June 2017. This wiper malware also masqueraded as ransomware and used the remote code execution vulnerability nicknamed “EternalBlue,” as well as the remote code execution vulnerability “EternalRomance” (also leaked by Shadow Brokers), and other vectors involving credential harvesting.</li>
<li><strong>Ccleaner</strong> arrived in September 2017 and involved the download servers used by a software vendor to distribute a legitimate software package known as CCleaner. CCleaner’s binaries, which contained a Trojan backdoor, were signed using a valid certificate, giving users false confidence that the software they were using was secure.</li>
</ul>
</li>
</ul>
<p>Source: <a href="/goto?url=https://newsroom.cisco.com/press-release-content?type=webcontent&articleId=1911494" target="_blank">https://newsroom.cisco.com/press-release-content?type=webcontent&articleId=1911494</a></p>
<p><strong>Cisco 2018 Annual Cybersecurity Report Highlights</strong></p>
<p><strong>Security is getting more complex, scope of breaches is expanding</strong></p>
<p>Defenders are implementing a complex mix of products from a cross-section of vendors to protect against breaches. This complexity and growth in breaches have many downstream effects on an organization's ability to defend against attacks, such as increased risk of losses.</p>
<ul>
<li>In 2017, 25 percent of security professionals said they used products from 11 to 20 vendors, compared with 18 percent of security professionals in 2016.</li>
<li>Security professionals said 32 percent of breaches affected more than half of their systems, compared with 15 percent in 2016.</li>
</ul>
<p><strong>Trends in malware volume have an impact on defenders' time to detection (TTD)</strong></p>
<ul>
<li>The Cisco median TTD was about 4.6 hours for the period from November 2016 to October 2017, well below the 39-hour median TTD reported in November 2015 and the 14-hour median reported in the Cisco 2017 Annual Cybersecurity Report for the period from November 2015 to October 2016.</li>
<li>The use of cloud-based security technology has been a key factor in helping Cisco to drive and keep its median TTD at a low level. Faster TTD helps defenders move sooner to resolving breaches.</li>
</ul>
<p>Source: <a href="/goto?url=https://www.cisco.com/c/dam/m/digital/elq-cmcglobal/witb/acr2018/acr2018final.pdf?dtid=odicdc000016&ccid=cc000160&oid=anrsc005679&ecid=8196&elqTrackId=686210143d34494fa27ff73da9690a5b&elqaid=9452&elqat=2" target="_blank">https://www.cisco.com/c/dam/m/digital/elq-cmcglobal/witb/acr2018/acr2018final.pdf?dtid=odicdc000016&ccid=cc000160&oid=anrsc005679&ecid=8196&elqTrackId=686210143d34494fa27ff73da9690a5b&elqaid=9452&elqat=2</a></p>
<p><strong>Network Security Monitoring Tool</strong></p>
<ul>
<li>A Network Security Monitoring (NSM) tool is software that collects, maintains, processes, and presents network security monitoring data (security-related events).</li>
<li>The Security Operations Center (SOC) analyst examines the data produced by the network security monitoring tool. Without NSM data, SOC analysts could not perform their job effectively. Without NSM tools, SOC analysts would not have network data to analyze.</li>
<li>An NSM can enhance network visibility by using context-rich telemetry and threat-based intelligence collected from within the network infrastructure.</li>
</ul>
<p><strong>Network Security Monitoring Using Security Onion</strong></p>
<ul>
<li>Security Onion is an open source Linux distribution that focuses on NSM. Security Onion is used for log management, intrusion detection and network security event monitoring. The distribution is managed by Security Onion Solutions. Many of the tools that comprise the Security Onion NSM have broad community support.</li>
<li>Security Onion Solutions provides a straightforward installation package for the network security monitoring space. Security Onion Solutions also offers training and support services for the distribution.</li>
<li>Security Onion can be deployed as a simple standalone system where one network interface card (NIC) is used for management and one or more additional NICs are used for monitoring security events on the network.</li>
<li>Security Onion can also scale using a distributed deployment where one system acts as the master server and the monitoring duties are spread across multiple sensor systems.</li>
</ul>
<p><strong>Security Onion Core Components</strong></p>
<p><strong>Core Primary Functions:</strong></p>
<ul>
<li><strong>Full packet capture:</strong> <strong>Netsniff-ng</strong></li>
<li><strong>Network-based (NIDS) and Host-based (HIDS) Intrusion Detection Systems:</strong>
<ul>
<li>NIDS:
<ul>
<li>Rules-driven NIDS alerts from <strong>Snort</strong> or <strong>Suricata</strong> in passive mode (not NIPS inline mode)</li>
<li>Analysis-driven NIDS from the <strong>Zeek (Bro)</strong> Network Security Monitor (traffic is captured via SPAN, TAP port or packet broker). <strong>Zeek v2.6.2 (Bro)</strong> is a protocol parsing engine that provides three key network security capabilities: <strong>Traffic Logging</strong> (generates comprehensive, protocol-specific network traffic logs for 35+ protocols: DNS, HTTP, files), <strong>Automated Analysis</strong> (traffic analysis using Bro scripts), and <strong>File Extraction</strong> (extracts & re-assembles any file type off the wire)</li>
</ul>
</li>
<li>HIDS: <strong>Wazuh</strong> (wah-zoo) replaced <strong>OSSEC</strong> and is used to monitor/defend Security Onion. Add <strong>Wazuh</strong> agents to endpoint hosts.</li>
</ul>
</li>
<li><strong>Syslog data received by Zeek (Bro)</strong> or <strong>syslog-ng</strong></li>
<li><strong>Powerful Data Analysis Tools:</strong>
<ul>
<li><strong>Sguil</strong> Analyst Console / <strong>Squert</strong> PHP Web Interface / <strong>Kibana</strong> (Squert & Kibana can pivot to <strong>CapMe</strong> to retrieve full packet captures)</li>
<li><strong>Wireshark</strong></li>
<li><strong>NetworkMiner</strong></li>
<li><strong>ELSA / Elastic Stack® (ELK)</strong></li>
<li><strong>CyberChef</strong></li>
</ul>
</li>
</ul>
<p>Source: <a href="/goto?url=https://github.com/Security-Onion-Solutions/security-onion/wiki/IntroductionToSecurityOnion" target="_blank">https://github.com/Security-Onion-Solutions/security-onion/wiki/IntroductionToSecurityOnion</a></p>
<p><strong>Simplified Security Onion Architecture</strong></p>
<p>The Security Onion architecture is more robust than is conveyed in the figure above. The figure serves to introduce the complexity of and interactions between the NSM tools in Security Onion. The tools in the bottom row are largely dedicated to the collection and production of raw NSM data. The tools/components in the middle row are associated with the optimization and maintenance of the data. For example, <strong>Zeek (Bro)</strong>, <strong>Wazuh (OSSEC)</strong>, and <strong>syslog-ng</strong> all produce flat files with one log entry per line. The <strong>ELSA</strong> system takes this raw data and organizes it into a relational MySQL database, using high-performance Sphinx indexing. The tools listed in the top row are responsible for the presentation of the data to the SOC analyst.</p>
<p><strong>Security Onion with Elastic Stack®</strong></p>
<p><strong>Security Onion Migrated from ELSA to the Elastic Stack® (“Hybrid Hunter”)</strong></p>
<p>The new Elastic Stack® components consist of Docker container images based on CentOS 7.</p>
<p><strong>Elastic Stack® Core Components:</strong></p>
<ul>
<li><a href="/goto?url=https://www.elastic.co/products/beats" target="_blank"><strong>Beats</strong></a>® - lightweight data shipper server agent that sends specific types of operational data to <strong>Logstash</strong> and <strong>Elasticsearch</strong></li>
<li><a href="/goto?url=https://github.com/Security-Onion-Solutions/security-onion/wiki/Logstash" target="_blank"><strong>Logstash</strong></a>® - data ingestion engine that parses and formats logs</li>
<li><a href="/goto?url=https://github.com/Security-Onion-Solutions/security-onion/wiki/Elasticsearch" target="_blank"><strong>Elasticsearch</strong></a>® - ingests and indexes logs; a large, scalable search engine based on Apache Lucene</li>
<li><a href="/goto?url=https://github.com/Security-Onion-Solutions/security-onion/wiki/Kibana" target="_blank"><strong>Kibana</strong></a>® - offers web-based visualizations of ingested log data and data exploration</li>
</ul>
<p><strong>Elastic Stack® Auxiliary Components:</strong></p>
<ul>
<li><a href="/goto?url=https://github.com/Security-Onion-Solutions/security-onion/wiki/Curator" target="_blank"><strong>Curator</strong></a> - manage indices through scheduled maintenance</li>
<li><a href="/goto?url=https://github.com/Security-Onion-Solutions/security-onion/wiki/ElastAlert" target="_blank"><strong>ElastAlert</strong></a> - query Elasticsearch and alert on user-defined anomalous behavior or other interesting bits of information</li>
<li><a href="/goto?url=https://github.com/Security-Onion-Solutions/security-onion/wiki/FreqServer" target="_blank"><strong>FreqServer</strong></a> - detect DGAs and find random file names, script names, process names, service names, workstation names, TLS certificate subjects and issuer subjects, etc.</li>
<li><a href="/goto?url=https://github.com/Security-Onion-Solutions/security-onion/wiki/DomainStats" target="_blank"><strong>DomainStats</strong></a> - get additional info about a domain by providing additional context, such as creation time, age, reputation, etc.</li>
</ul>
<p><strong>ELSA</strong> reached End Of Life status on October 9, 2018. Security Onion will not provide any updates or support for ELSA.</p>
<p>Source: <a href="/goto?url=https://github.com/Security-Onion-Solutions/security-onion/wiki/Elastic-Architecture" target="_blank">https://github.com/Security-Onion-Solutions/security-onion/wiki/Elastic-Architecture</a></p>
<p><strong>Security Onion with Elastic Stack®</strong></p>
<p><strong>A Very Brief Introduction to Linux (Docker) Containers</strong></p>
<p>Linux containers are standalone, lighter virtualization alternatives to virtual machines that include code, system tool libraries, and settings in a ‘portable’ capsule or bottle.</p>
<ul>
<li>Containers are isolated from each other and bundle their own application, tools, libraries, and configuration files.</li>
<li>Containers can communicate with each other through overlay network subsystems.</li>
<li>All containers are run by a single host operating-system kernel and are thus more lightweight than virtual machine images. Containers rely on the host kernel's functionality and use resource isolation for CPU and memory resources and separate namespaces to isolate the application's view of the operating system.</li>
<li>Unlike a virtual machine image, which requires a hypervisor (VMware, VirtualBox), containers do not utilize a hypervisor. Containers are created from images that can either be stateful (using persistent storage) or stateless.</li>
<li>Why the change from Ubuntu DEB packages (used in Security Onion) to Docker images?
<ul>
<li>Docker images are easier to build & maintain and will allow support for other distros, like CentOS.</li>
</ul>
</li>
</ul>
<p><strong>Fun Fact</strong>: there is no formal definition of a Linux “container.” Most people identify a Linux container with keywords like: LXC, libvirt, Docker, Kubernetes, namespaces, cgroups, CoreOS rkt, BSD jails, Zones.</p>
<p>Source: <a href="/goto?url=https://en.wikipedia.org/wiki/Docker_(software)" target="_blank">https://en.wikipedia.org/wiki/Docker_(software)</a></p>
<p><strong>Security Onion with Elastic Stack®</strong></p>
<p><strong>Security Onion Architecture using Elastic Stack® (ELK)</strong></p>
<p><strong>Security Onion / Open Source Tools</strong></p>
<ul>
<li><strong>argus</strong> - <a href="/goto?url=http://www.qosient.com/argus/" target="_blank">http://www.qosient.com/argus/</a><br>"Argus is a data network transaction auditing tool that categorizes network packets that match the libpcap filter expression into a protocol-specific network flow transaction model. Argus reports on the transactions that it discovers, as periodic network flow data, that is suitable for historical and near real-time processing for forensics, trending and alarm/alerting."</li>
<li><strong>barnyard2</strong> - <a href="/goto?url=http://www.securixlive.com/barnyard2/" target="_blank">http://www.securixlive.com/barnyard2/</a><br>"Barnyard2 is an open source interpreter for Snort unified2 binary output files. Its primary use is allowing Snort to write to disk in an efficient manner and leaving the task of parsing binary data into various formats to a separate process that will not cause Snort to miss network traffic."</li>
<li><strong>Bro (Zeek)</strong> - <a href="/goto?url=http://zeek.org/" target="_blank">http://zeek.org/</a><br>"Zeek (Bro) provides a comprehensive HIDS/NIDS platform for network traffic analysis."<br><a href="/goto?url=https://github.com/Security-Onion-Solutions/security-onion/wiki/Bro" target="_blank">https://github.com/Security-Onion-Solutions/security-onion/wiki/Bro</a></li>
<li><strong>CapME</strong> - <a href="/goto?url=http://chaosreader.sourceforge.net/" target="_blank">http://chaosreader.sourceforge.net/</a><br>CapMe will download a pcap file and view a pcap transcript rendered with tcpflow and Zeek (Bro) (especially helpful for dealing with gzip encoding)</li>
</ul>
<p>Source: <a href="/goto?url=https://github.com/Security-Onion-Solutions/security-onion/wiki/Tools" target="_blank">https://github.com/Security-Onion-Solutions/security-onion/wiki/Tools</a></p>
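<p>The architecture slide notes that Zeek (Bro) writes flat files with one log entry per line, and the Elastic Stack slide lists FreqServer for spotting random-looking names. The following Python is an added example, not Security Onion's or FreqServer's code: it parses a constructed Zeek dns.log in Zeek's default TSV layout (including the unset-field marker and the trailing #close line) and scores each registrable label by the share of its adjacent character pairs that appear in a small constructed known-good vocabulary, a simplified stand-in for FreqServer's character-pair frequency tables. The sample records, the vocabulary, the 0.5 score threshold and the naive second-level-label rule are all assumptions.</p>

```python
from collections import Counter

# Constructed Zeek dns.log sample: the '#' header lines Zeek writes, then
# tab-separated records (uids, addresses and timestamps are made up).
ZEEK_HEADER = [
    "#separator \\x09",
    "#unset_field\t-",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tquery\tqtype_name\trcode_name",
]
ZEEK_ROWS = [
    ("1560000000.123456", "CHhAvVGS1DHFjwGM9", "10.0.0.5", "51234", "10.0.0.1", "53", "udp", "www.example.com", "A", "NOERROR"),
    ("1560000002.323456", "CtPZjS20MLrsMUOJi2", "10.0.0.7", "51236", "10.0.0.1", "53", "udp", "q7xk2mzp9vw3hj1.biz", "A", "NXDOMAIN"),
    ("1560000003.423456", "CUM0KZ3MLUfNB0cl11", "10.0.0.7", "51237", "10.0.0.1", "53", "udp", "d3.cloudfront.net", "A", "NOERROR"),
    ("1560000004.523456", "CmES5u32sYpV7JYN", "10.0.0.9", "51238", "10.0.0.1", "53", "udp", "-", "-", "-"),
]
SAMPLE_DNS_LOG = "\n".join(ZEEK_HEADER + ["\t".join(r) for r in ZEEK_ROWS]) + "\n#close\t2019-06-10-12-00-00\n"

# Constructed known-good vocabulary standing in for FreqServer's frequency table
# (which is built from far more real text). Letters only, so any pair with a digit is unseen.
KNOWN_GOOD = ["example", "google", "microsoft", "cloud", "front", "update", "mail", "static",
              "content", "delivery", "service", "login", "account", "secure"]

def parse_zeek_tsv(text):
    """One dict per record keyed by the #fields names; unset ('-') fields become None."""
    fields, unset, records = None, "-", []
    for line in filter(None, text.splitlines()):
        if line.startswith("#"):              # header lines and the trailing #close
            key, _, value = line.partition("\t")
            if key == "#fields":
                fields = value.split("\t")
            elif key == "#unset_field":
                unset = value
            continue
        if fields is None:
            raise ValueError("data line before #fields header")
        records.append({f: (None if v == unset else v)
                        for f, v in zip(fields, line.split("\t"))})
    return records

def build_pair_table(words):
    """Count adjacent lower-case character pairs across the vocabulary."""
    table = Counter()
    for w in words:
        table.update(zip(w.lower(), w.lower()[1:]))
    return table

def registrable_label(name):
    """Label left of the TLD. Simplification: no public-suffix list (co.uk etc.)."""
    labels = name.rstrip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]

def pair_score(label, table):
    """Fraction of the label's adjacent character pairs seen in the table (0.0-1.0)."""
    pairs = list(zip(label, label[1:]))
    if not pairs:
        return 1.0
    return sum(1 for p in pairs if table[p] > 0) / len(pairs)

def flag_random_queries(log_text, threshold=0.5, min_len=8):
    """Return (client, query, score) for queries whose label looks machine-generated."""
    table = build_pair_table(KNOWN_GOOD)
    flagged = []
    for rec in parse_zeek_tsv(log_text):
        if rec["query"] is None:              # no query name recorded for this entry
            continue
        label = registrable_label(rec["query"])
        score = pair_score(label, table)
        if len(label) >= min_len and score < threshold:
            flagged.append((rec["id.orig_h"], rec["query"], round(score, 2)))
    return flagged
```

<p>With this sample only the digit-laden label from 10.0.0.7 scores below the threshold; a legitimate label that is merely absent from the vocabulary (cloudfront) still shares most of its character pairs with known-good words, which is why a pair table tolerates unfamiliar names better than raw entropy.</p>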