Add Assets - Tenable Discussions Forum

Breaking Kill Chains
A “How To” Guide for SecurityCenter
Breaking Kill Chains
• The “cyber kill chain®” framework was originally created by Lockheed Martin to describe the process of exploitation of information systems
o Based on the military concept of a “kill chain,” the model details each step of a cybercriminal’s operation, from reconnaissance through delivery to command and control and ultimately action
o If a link in the chain can be eliminated, the path is destroyed
Identifying Weakest Links
• To simplify the work of isolating and stopping kill chains, an organization must first track metrics that identify the most vulnerable points—the weakest links—in the chains
o Armed with this data, the organization can identify the weakest exploitable links and prioritize the critical vulnerabilities to be plugged, patched, and mitigated
o Breaking just one link in the chain kills the attack!
Identifying Weakest Links
• As Ron Gula explains in his blog post, “Identifying the Weakest Links in Cyber Kill Chains®”, there are three metrics that are important to monitor to simplify breaking kill chains:
1. Identify exploitable Internet-facing systems
2. Identify systems that access the Internet with exploitable web clients (vulnerable or unsupported browsers, etc.)
3. Identify exploitable systems that have internal trusted connections to other systems on the network
Identifying Weakest Links
• Tenable’s SecurityCenter Research Team has created three new dashboards to assist organizations in monitoring these three metrics:
1. Internet Facing Exploits
2. Breaking Kill Chains Clients
3. Exploiting Internal Trust
• These new dashboards make use of assets; the purpose of this presentation is to describe how to set up these assets and dashboards
Add Assets
Adding an Asset
• To add an asset from the SecurityCenter app store feed, within SecurityCenter select Support > Assets
• Click the “Add” button
• Select the desired asset and click “Add It Now”; repeat to add more assets
• Click the “Finished” button
Add Assets
• Add the following dynamic assets:
o Internet Facing Assets
o Internet Browsing Systems
o Exploitable (Generic)
• Add the following Device Behavior dynamic assets:
o Hosts with Internal Connections FROM Other Hosts
o Hosts with Internal Connections TO Other Hosts
o Social Network Activity
o YouTube Access
Add Assets
• Add the following Client Applications dynamic assets:
o Client FTP
o Client HTTP
o Client IMAP
o Client IRC
o Client P2P
o Chrome Web Browsers
o Firefox Web Browsers
o Internet Explorer
o Opera Web Browsers
o Safari Web Browsers
o Skype
Combination Assets
• Combination assets (assets of assets) are used to locate systems that belong to both one group AND another group, or that belong to one group OR another group
o For example, the “Internet Browsing Systems” asset could be combined with the “Hosts with Internal Connections TO Other Hosts” asset to find systems that both browse the Internet and also connect to other internal hosts
• Combination assets are dynamically updated, so any new vulnerabilities or network changes will be immediately reflected
Create Combination Assets
• To create a Combination Asset, within SecurityCenter select Support > Assets
• Click the “Add” button
• Click “Create Custom Asset”
• Set Type to “Combination”
• Add existing assets combined using logical operators in Combination Parameters…
Create Combination Assets
• Create Attacker Entry Points combination asset:
o All systems that connect to the Internet, have exploitable vulnerabilities, and connect to other systems
Create Combination Assets
• Create Exploitable Servers combination asset:
o All systems that have exploitable vulnerabilities and that other systems connect to
Create Combination Assets
• Create Breaking Kill Chains Clients combination asset:
o All systems that have web client applications
Consider DMZ Systems Assets
• Consider also creating static asset(s) that enumerate those systems on the network known to interact with the Internet or be Internet-facing, such as systems in the DMZ
o This enables identification of outward facing systems even if PVS is not available to scan for such systems
o Add these asset(s) to the created combination assets
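As an added illustration (not part of the original guide and not Tenable code), the following Python resolves the three combination assets defined on the preceding slides, plus the DMZ variant suggested above, as set algebra over asset memberships. The host lists are constructed, the quoted-name AND / OR / NOT expression syntax is an assumed, simplified stand-in for SecurityCenter's Combination Parameters, and NOT is taken relative to every host seen in any asset; none of these are the product's own definitions.

```python
"""Added illustration (not Tenable code): combination assets as set algebra.
Host membership is constructed; the quoted-name AND / OR / NOT syntax is an
assumed, simplified stand-in for SecurityCenter's Combination Parameters."""
import re

# Constructed membership for the dynamic assets the guide adds, plus a
# hypothetical static "DMZ Systems" asset (all addresses are made up).
ASSETS = {
    "Internet Facing Assets": {"10.0.1.10", "10.0.1.11"},
    "Internet Browsing Systems": {"10.0.2.20", "10.0.2.21", "10.0.2.22"},
    "Exploitable (Generic)": {"10.0.1.11", "10.0.2.21", "10.0.3.30", "10.0.3.31"},
    "Hosts with Internal Connections TO Other Hosts": {"10.0.2.21", "10.0.2.22"},
    "Hosts with Internal Connections FROM Other Hosts": {"10.0.1.10", "10.0.3.30"},
    "Chrome Web Browsers": {"10.0.2.20"},
    "Firefox Web Browsers": {"10.0.2.21"},
    "Client HTTP": {"10.0.2.22", "10.0.4.40"},
    "DMZ Systems": {"10.0.1.12"},
}

# The three combination assets from the guide, plus the DMZ variant it suggests.
COMBINATIONS = {
    "Attacker Entry Points": '("Internet Browsing Systems" AND "Exploitable (Generic)") '
                             'AND "Hosts with Internal Connections TO Other Hosts"',
    "Exploitable Servers": '"Exploitable (Generic)" AND '
                           '"Hosts with Internal Connections FROM Other Hosts"',
    "Breaking Kill Chains Clients": '"Chrome Web Browsers" OR "Firefox Web Browsers" OR "Client HTTP"',
    "Internet Facing or DMZ": '"Internet Facing Assets" OR "DMZ Systems"',
}

TOKEN = re.compile(r'\s*(?:"(?P<name>[^"]+)"|(?P<op>AND|OR|NOT)\b|(?P<paren>[()]))')

def tokenize(expression):
    """Split an expression into (kind, value) tokens; anything else is an error."""
    pos, tokens = 0, []
    while pos < len(expression):
        match = TOKEN.match(expression, pos)
        if match is None:
            if expression[pos:].strip() == "":
                break  # only trailing whitespace left
            raise ValueError(f"unexpected text at offset {pos}: {expression[pos:]!r}")
        pos = match.end()
        if match.group("name") is not None:
            tokens.append(("NAME", match.group("name")))
        else:
            tokens.append((match.group("op") or match.group("paren"), ""))
    return tokens

class Combination:
    """Recursive-descent evaluator: OR binds loosest, then AND, then NOT."""
    def __init__(self, expression, assets):
        self.tokens, self.assets, self.pos = tokenize(expression), assets, 0
        # NOT is taken relative to every host seen in any asset (an assumption).
        self.universe = set().union(*assets.values())
    def _peek(self):
        return self.tokens[self.pos][0] if self.pos < len(self.tokens) else "END"
    def _take(self):
        if self.pos >= len(self.tokens):
            raise ValueError("unexpected end of expression")
        self.pos += 1
        return self.tokens[self.pos - 1]
    def evaluate(self):
        result = self._or_expr()
        if self._peek() != "END":
            raise ValueError(f"unexpected token {self.tokens[self.pos]!r}")
        return result
    def _or_expr(self):
        result = self._and_expr()
        while self._peek() == "OR":
            self._take()
            result = result | self._and_expr()
        return result
    def _and_expr(self):
        result = self._factor()
        while self._peek() == "AND":
            self._take()
            result = result & self._factor()
        return result
    def _factor(self):
        kind, value = self._take()
        if kind == "NOT":
            return self.universe - self._factor()
        if kind == "(":
            inner = self._or_expr()
            if self._take()[0] != ")":
                raise ValueError("missing closing parenthesis")
            return inner
        if kind == "NAME":
            if value not in self.assets:
                raise KeyError(f"asset not defined: {value}")
            return set(self.assets[value])
        raise ValueError(f"unexpected token {kind!r}")

def resolve(expression, assets=ASSETS):
    """Evaluate one combination expression to the set of matching hosts."""
    return Combination(expression, assets).evaluate()

def weakest_links(assets=ASSETS):
    """Resolve every combination asset to a sorted host list, as a dashboard would."""
    return {name: sorted(resolve(expr, assets)) for name, expr in COMBINATIONS.items()}
```

With the constructed data, `weakest_links()` reduces Attacker Entry Points to the single host that browses the Internet, is exploitable, and connects onward to other internal hosts, and Exploitable Servers to the single exploitable host that other hosts connect to; AND binds tighter than OR, so parenthesise when a combination mixes the two, and a misspelt asset name fails loudly rather than silently matching nothing.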
Add and Configure Dashboards
Internet Facing Exploits Dashboard
• Internet Facing Exploits dashboard is located in the SecurityCenter feed under Security Industry Trends
• Click “Add It Now”
• “Add It Now” will change to “Configure Now” for about 10 seconds before the dashboard is added
• Click “Configure Now”…
Internet Facing Exploits Dashboard
• …and select the asset Internet Facing Assets
• Click the “Save” button
• Click the “Finished” button to add the dashboard
• The asset will be added to all the dashboard components
Internet Facing Exploits Dashboard
• Note that this dashboard uses a pre-defined dynamic asset, not a created combination asset
• Therefore, if using a static DMZ Systems asset as described earlier is desired, then a combination asset combining “Internet Facing Systems” and DMZ Systems asset(s) will need to be created and applied to this dashboard
Internet Facing Exploits Dashboard
• Note: By default, dashboard components update daily; to achieve more continuous monitoring, consider setting them to update every few hours or even hourly
• Edit each component by clicking the drop menu arrow on the top right of the component and selecting “Edit Component”
• Set the “Update Frequency”
• Click the “Submit” button to finish editing the component
Internet Facing Exploits Dashboard
• For matrix components, the update frequency is set in each column of the matrix
• Note: If desired, the update frequency can be adjusted for the components in the following dashboards as well.
Breaking Kill Chains Clients Dashboard
• Breaking Kill Chains Clients dashboard is located in the SecurityCenter feed under Security Industry Trends
• Click “Add It Now”
• “Add It Now” will change to “Configure Now” for about 10 seconds before the dashboard is added
• Click “Configure Now”…
Breaking Kill Chains Clients Dashboard
• …and select the asset Breaking Kill Chains Clients
• Click the “Save” button
• Click the “Finished” button to add the dashboard
• The asset will be added to all the dashboard components
Exploiting Internal Trust Dashboard
• Exploiting Internal Trust dashboard is located in the SecurityCenter feed under Security Industry Trends
• Click “Add It Now”
• Note: This dashboard uses two different assets, so it cannot be configured using “Configure Now”, as done previously; each dashboard component will need to be configured individually.
Exploiting Internal Trust Dashboard
• The four dashboard components on the left require the Attacker Entry Points asset:
o Attacker Entry Points
o Attacker Entry Points with Most Connections to Other Hosts
o Top Remediations for Attacker Entry Points
o Attacker Entry Point Vulnerabilities by Asset Group
• The four dashboard components on the right require the Exploitable Servers asset:
o Exploitable Servers
o Exploitable Servers with Most Connections from Other Hosts
o Top Remediations for Exploitable Servers
o Exploitable Server Vulnerabilities by Asset Group
Exploiting Internal Trust Dashboard
• Edit each component by clicking the drop menu arrow on the top right of the component and selecting “Edit Component”
• Click the “Edit Filters” button
• Under Target Filters, select the proper asset
• Click the “Apply Filters” button
• Click the “Submit” button to finish editing the component
Conclusion
• Now that these assets and dashboards have been properly set up, they can be used to continuously monitor for the weakest links and prioritize the critical vulnerabilities to be mitigated
• Breaking just one link in the chain kills the attack!
For Questions Contact
Tenable Customer Support Portal
