Improve your SOC: SOAR or Threat Hunting or both?
Given the sophistication and constant change of the cyber threat landscape, many mature organizations have identified the need to improve the detection, analysis and response capabilities of their Security Operations Center (SOC). Currently, security analysts are often occupied with trivial copy-paste or other tedious low-level tasks rather than gaining a deep understanding...
Continue Reading

Resilient Playbook and automated actions for Threat Hunting and DFIR
Some initial triage task instructions are listed under the Stage 1 Analysis phase of the incident and are processed by the Security Operations team. Once completed, the incident is handed off to the Threat Hunting team for scoping the attack and developing further intelligence. As you can see, all the TTP task instructions regarding APT28 have been loaded into the Stage 2 Analysis phase of this playbook...
Continue Reading

Threat Hunting – a relatively new discipline in Cyber defense
The idea behind Threat Hunting is to shift from a reactive IR model to a proactive approach. In Security Operations, a detection team hands off an alert to an Incident Response team, which validates the incident and responds to it if it is a true incident. The goal of Threat Hunting is to proactively engage a team to hunt for known adversaries, including their applied TTPs, in an organization's networked computing environment...
Continue Reading

Resilient Workflows and Playbooks
This post shows how we implement the individual TTP detection and mitigation instructions with workflows and playbooks. For this, we first integrate with additional Cyber Security systems and tools, and second we extend our solution draft by building Stage 1/2 Analysis capabilities. The goal is to help Security Operations and DFIR streamline deep security and forensic analysis, drastically reduce analysis and response time, and understand and keep track of the full scope and complete impact of an attack...
Continue Reading

Implementation – STIX knowledge and relevance graph – steps 16-21
In order to generate the knowledge graph, we first check whether a related Threat Actor has been provided as part of the CTI and, if so, map it to the corresponding MITRE Intrusion Set. Next we recursively search for the tools and malware used by that specific Intrusion Set. Then we create a STIX file that includes all the identified Tool SDOs and Malware SDOs along with the Intrusion Set SDO, all provided by MITRE. Next, we further...
Continue Reading

Implementation – Related IP Addresses – steps 11-15
Now we want to take advantage of our actionable CTI. The goal is to verify the related IP addresses of the two Recorded Future (RF) matched destination IP addresses 81.7.11.83 and 93.184.220.29 that were communicated as part of their corresponding CTI. We verify all related IP addresses against the QRadar Ariel database and only consider the ones that have local relevance, i.e. local-to-remote network traffic that matched a related IP address. Finally, we take those matching related IP addresses into the Resilient Incident Artifacts tab...
Continue Reading

Implementation – STIX bundle – steps 7-10
As part of this solution draft we express the CTI-provided IOCs as STIX Indicator SDOs and their local relevance as STIX Observed Data SDOs. We further generate Sighting SROs in order to record that we sighted the IOCs in the local context. We also use the Identity SDO to specify Recorded Future as the organization we receive indicators from and myself – Rukhsar Khan, Security Analyst – as an individual. In order to relate the Identity SDO to the other SDOs we make use of the Relationship SRO. For generating a visualized graph...
Continue Reading

Implementation – Overview – steps 0-6
Our core implementation of the MITRE ATT&CK framework is performed in the IBM Resilient SOAR platform. In order to converge Security Operations and DFIR in this single platform we have defined two stages, namely Stage 1 Analysis and Stage 2 Analysis. Stage 1 Analysis corresponds to a SecOps Level 1 and Level 2 team, whereas Stage 2 Analysis applies to a DFIR team...
Continue Reading

Solution Draft
Based on the experience we have gained over the last decade with dozens of large customers and with newly emerged technologies such as Security Information and Event Management (SIEM), Endpoint Detection and Response (EDR), sophisticated CTI, and advanced tools and products for computer and network forensics, our claim is that Security Operations and DFIR need to converge. Both disciplines have strengths and weaknesses, so the goal should be to merge the strengths and shun the weaknesses of both in a single platform. And what would be more suitable for this than a SOAR platform...
Continue Reading

Current Security Operations and DFIR problems
If you give an attacker 100 days to move freely in your environment after he has compromised it, the evidence is fairly strong that your organization is pretty bad at Security Operations. This is what currently happens in a lot of organizations. According to a Forrester report, the median breach confirmation time in 2017 was 101 days. So it basically took 101 days for Security Operations to confirm a breach and hand it off to the DFIR team...
Continue Reading

Operationalizing the MITRE ATT&CK framework for Security Operations, Threat Hunting and DFIR
Cyber attackers are constantly becoming more subtle, while Security Operations (SOC, CERT and CSIRT) continues to scratch the surface. It doesn't matter whether that's a large enterprise, a bank or a government institution. The evidence is fairly strong that most organizations are pretty bad at security operations. Why are there so many global high-profile breaches? Why can organizations today not adequately detect and respond to breaches although they have spent millions on their Cyber Security defense? You don't have to be a genius to figure out that there must be vital gaps in the defense ecosystem of organizations. But how do we identify these gaps, and what courses of action are required?...
Continue Reading