In earlier years, everyone depends on SOC (includes firewalls, WAF, SIEM, etc.) and the prioritize in building the SOC provides security and the CIA was maintained. However, later the emerge of the attacks and the threat actors becomes more challenge and the existing SOC will not able to provide better security over the CIA. There are many reasons for the failure of the existing SOC, where it only depends on the SIEM. Many organizations, believed integrating all the security devices like Firewall, Routers, AV and DB solutions in SIEM and the correlating the use cases will provide them 100% security over the CIA of the data. However, it all fails, since the APT emerges. APT attacks over these years deliberately show that in cyberspace, organizations should implement 0-trust defense model. Main reasons for the failures of existing SOC, we mostly care about the use cases of brute force login attempts, failure logins, failure HTTP requests, and malware propagations. Nevertheless, we have to understand when the defenders started to learn, the offenders also evolving in a better way. APT groups are evolving and abusing genuine applications we use often and stay in dwell time for years without being caught. [also read – Importance of security operations measurements & metrics]
Arise of APT
Advanced Persistence Threat, these groups are not an individual identity. They are mostly organizations or countries (based on agenda/political reasons) with expertise teams. Not a normal expert, they are trained professionals and they have the potential to break in any systems and move laterally in a LAN without being caught for years. Even your antivirus cannot detect this movement, because they do not create malware, they just abuse genuine applications (like PowerShell) and move laterally like a genuine process.
Key components of an APT is, moving laterally, being persistence, create CnC channel, getting payload with just a DNS request and more. Every APT attack so far recorded, they do have unique ways of propagating a network and they rely highly on open ports, unprotected network zones, vulnerable applications, network shares, etc. Once they break in, they do whatever they intend to do.
Proactive Defense Model
Your perception towards the defense against any modern day cyber-attacks and the APT attacks, you should think and build a defense mechanism exactly like an “adversary“. For building a defense model, you should know the adversary tactics, how they get in? How they propagate? How they exfiltrate?
For these queries, Lock Martin’s cyber kills chain and Mitre ATT&CK gives a better understanding over the attacks. Exactly how an adversary sneak into your network and how he moves out without being caught. You can also, implement use cases in your existing SOC based upon the stages of Cyber Kill chain, which will provide you an insight over the cyber-attacks.
Cyber Threat Intelligence
Blocking the IOC’s and Ips does not provide you 100% security over the cyber-attacks. Recent APT attacks are evolving much, using DGA algorithms and often change domains, source IP address using VPN and TOR nodes (DarkNet), spoofing, etc. As per the record, so far 5 million IP addresses have been blacklisted globally because of malware attacks, cyberespionage, APT, TOR, etc.
Let us assume our existing SOC; are we going to put watchlists for monitoring 5 million blacklisted IPS in SIEM? On the other hand, are we going to block the 5 million blacklisted IPs in perimeter firewalls? Both were considered as a plan of action, not as incident response. APT groups are using various techniques and hide their traces forever, so just depending on IOC’s (IP, domain, hashes, URL’s) do not work anymore. You should think about TTP’s (Tactics, Techniques, and Procedures also sometimes referred to as Tools, Techniques, and Procedures). These TTP’s plays a vital role in gathering information about the OS and network artifacts used by the adversaries, based upon the information, building a use case for a specific way of traffic or specific “dll” or “exe”, provides insight over the attacks. DarkNet intelligence also needed, where most of the exfiltered or stolen data’s are sold in dark market either for money or for further asylum.
Threat intelligence, also provides the global threat information based on available resources. Many OEM’s are also providing various threat matrix informations, tools used, artifacts used, etc. Every day, your intelligence team should gather the informations not only about IOC’s also; they have to strive details about emerging IOA and IOE’s. APT groups are well trained in exploiting the vulnerability. Therefore, we need to gather more informations for the indications of exploitations in the organizations and ensure it is fixed, before the adversary exploit.
A cyber intelligence program is all about uncovering the who, what, where, when, why and how behind a cyberattack. Tactical and operational intelligence can help identify what and how of an attack, and sometimes the where and when.
Cyber Threat Hunting
After gathering the information, we have to hunt. Cyber threat hunting is the modern methodology to have an idea of cyber kill chains or the Mitre Attack and hunt the unknown variants of attacks. When you know, what is happening in your LAN, you can directly drive into Incident response. But, when you suspect an event, that you want to hunt in your LAN for the traces of unknown variants (APT), threat hunting comes in. Threat hunting provides you the in-depth analysis over the threat vectors and you can narrow down the events before it becomes an incident.
In every organization, threat-hunting teams should be hired and proactively they hunt for suspicious events and ensure it do not becomes incidents or the adversary’s breach. They should understand the APT attack history and check for the artifacts in their network. Not to look for known IOC’s, breakdown the methodologies they propagate.
Exactly what to hunt? – Examples
- Hunt for Network Beaconing
- Hunt for Insider Privilege Escalations
- Hunt for Unusual DNS requests
- Hunt for Unusual Network Shares
- Hunt for Network Reconnaissance
- Hunt for mismatch windows services (parent/child processes)
- Hunt for Privilege Escalation – Access token manipulation
- Hunt for UAC Bypass
- Hunt for Credential Dumping
- Hunt for beacon over SMB pipes
- Hunt for Covert Channels
- Hunt for CnC traffics
- Hunt for shadowing
- Hunt for Suspicious Tunnels
Likewise, there are several conditions to hunt in a LAN. We can utilize the Mitre ATT&CK framework and the check for the APT history and understand them. It will provide better understanding and we can map the hunting methods to framework and see how far we can achieve.
Dwell time, the time were the adversaries stays in your network and learn each and every zones, shares, Database, network protocols, mapping, routes, vulnerable endpoints, etc. Threat hunting, helps you to find the lateral movement and the persistence behaviour of any cyber-attacks.
So you as a threat hunter, you have to keep in mind: 1.) Be proactive, 2.) Assume you are already a victim 3.) Understand the adversary behavior 4.) Finding the unknown 5.) Understand your network.
The traditional incident response provides mitigation and remediation over the incidents (breached events), whereas Threat hunting provides an understanding of any suspicious or weird events and mitigating before it becomes an incident. But incident responder and the response team is definitely needed in any SOC, where they help to mitigate the current incident and helps to resolve the open vulnerabilities, this will break the attack chain and possibility of cyber threat is reduced.
IR team should ensure that the CIA was not breached and no data’s has been exfiltered. Incident response teams also can deploy the cyber kill chain model in their checklists and map down the attacks. An incident response plan can benefit an enterprise by outlining how to minimize the duration of and damage from a security incident, identifying participating stakeholders, streamlining forensic analysis, hastening recovery time, reducing negative publicity and ultimately increasing the confidence of corporate executives, owners and shareholders.
Modern SOC and the expertise skills
As we seen and experienced various APT attacks and the modern day cyber espionages, we should evolve and create an enhanced cyber security strategy. This model provides insights over cyber-attacks, so we need an expertise teams with various skills. The specific skill sets of threat hunting, open source threat intelligence and DarkNet intelligence, Proactive incident handlers and first responder, malware researchers and who can understand the windows architecture and the malware behaviours. These skillsets are mostly needed to defend a network against the modern day cyber-attacks.
An example, how a modern CyberSOC team should be planned.
Conclusion Cyber resilience is an evolving perspective that is rapidly gaining recognition. The concept essentially brings the areas of information security, business continuity and (organizational) resilience together. This model having a conceptual idea of bringing the Threat Intel, hunting, response and SOC together to provide the complex array of security structure for an organization. It will be more helpful to prioritize the activity and we can defend ourselves against modern day attacks easily.
This model comprises key elements of “Adaptive response, Analytic monitoring, Deception, Intelligence, Diversity, Dynamic positioning, privilege restriction based on existing policies, realignment of mission critical and noncritical services/servers, correlation of events and rapid responses”. It mainly addresses the APT threats and provide an in-depth insight of the attack and the possible vectors.
Earlier: “Malware or Malicious”, were classified as scripts which intend to do something. But in the POV of an APT or adversaries, they well aware of the current antivirus functionalities and their defensive mechanisms. So they do not rely much on scripts or malwares, instead they abuse genuine programs and move laterally without being detected.
Cyber Threat Hunter POV – Whatever is not needed for an individual, in any endpoints, or in an organization, these vulnerable keys are the critical assets of an APT. So these are considered to a malware in the perception of threat hunter. Ex: “PowerShell is not used by everyone, unless needed by admin in servers. So not disabling the execution of powershells in endpoints is a loophole and adversaries can exploit it.
This model has a five-point view of the deployment of each module, where “Threat Intelligence”, “Cyber hunting”, “SOC”, “Incident Response” and “kill chain models”. These are the pillars of the CyberSOC and it can be separately maintained or used along as per organizational policies. However, everything should be synchronized logically and use each modules effectively when a suspicious event occurs.