In earlier years, everyone depends on CyberSOC (including firewalls, WAF, SIEM, etc.) and the priority in building the SOC provides security, and the CIA was maintained.

However, later the emergence of the attacks and the threat actors becomes more challenging and the existing SOC will not be able to provide better security over the CIA.

There are many reasons for the failure of the existing SOC, where it only depends on the SIEM.

Many organizations, believed integrating all the security devices like Firewalls, Routers, AV, and DB solutions in SIEM and correlating the use cases will provide them 100% security over the CIA of the data.

However, it all fails, since the APT emerges.                                                                                                

APT attacks over these years deliberately show that in cyberspace, organizations should implement a 0-trust defense model.

The main reasons for the failures of existing SOC, we mostly are the use cases of brute force login attempts, failure logins, failure HTTP requests, and malware propagations.

Nevertheless, we have to understand when the defenders started to learn, the offenders also evolved in a better way.

APT groups are evolving and abusing genuine applications we use often and stay in dwell time for years without being caught.               

            

Arise of APT

Advanced Persistence Threat, these groups are not an individual identity. They are mostly organizations or countries (based on agenda/political reasons) with expertise teams.

Not normal experts, they are trained professionals and they have the potential to break into any system and move laterally in a LAN without being caught for years.

Even your antivirus cannot detect this movement, because they do not create malware, they just abuse genuine applications (like PowerShell) and move laterally like a genuine process.

Key components of an APT are, moving laterally, being persistent, creating a CnC channel, getting payload with just a DNS request, and more.

Every APT attack so far recorded, they do have unique ways of propagating a network and they rely highly on open ports, unprotected network zones, vulnerable applications, network shares, etc.

Once they break in, they do whatever they intend to do.

Proactive Defense Model

Your perception towards the defense against any modern-day cyber-attacks and APT attacks, you should think and build a defense mechanism exactly like an “adversary“.

For building a defense model, you should know the adversary tactics, and how they get in. How do they propagate? How do they exfiltrate?

For these queries, Lock Martin’s cyber kills chain and Mitre ATT&CK give a better understanding of the attacks. Exactly how an adversary sneaks into your network and how he moves out without being caught.

You can also, implement use cases in your existing SOC based upon the stages of the Cyber Kill chain, which will provide you an insight into the cyber-attacks.

Cyber Threat Intelligence

Blocking the IOCs and IPs does not provide you 100% security over cyber-attacks.

Recent APT attacks are evolving much, using DGA algorithms and often changing domains, source IP addresses using VPN and TOR nodes (DarkNet), spoofing, etc.

As per the record, so far 5 million IP addresses have been blacklisted globally because of malware attacks, cyber espionage, APT, TOR, etc.

Let us assume our existing SOC; are we going to put watchlists for monitoring 5 million blacklisted IPS in SIEM? On the other hand, are we going to block the 5 million blacklisted Ips in perimeter firewalls?

Both were considered as plans of action, not as incident responses.

APT groups are using various techniques and hiding their traces forever, so just depending on IOCs (IP, domain, hashes, URLs) does not work anymore.

You should think about TTPs (Tactics, Techniques, and Procedures also sometimes referred to as Tools, Techniques, and Procedures).

These TTPs play a vital role in gathering information about the OS and network artifacts used by the adversaries, based upon the information, building a use case for cases in a specific way of traffic or specific “dll” or “exe”, provides insight over the attacks.

DarkNet intelligence is also needed, where most of the stolen data are sold in the dark market for money or further asylum.     

Threat intelligence also provides global threat information based on available resources. Many OEMs are also providing various threat matrix information, tools used, artifacts used, etc.

Every day, your intelligence team should gather information not only about IOC’s also; they have to strive for details about emerging IOAs and IOEs.

APT groups are well-trained in exploiting the vulnerability.

Therefore, we need to gather more information for the indications of exploitations in the organizations and ensure it is fixed before the adversary exploits.                         

A cyber intelligence program is all about uncovering the who, what, where, when, why, and how behind a cyberattack.

Tactical and operational intelligence can help identify what and how of an attack, and sometimes the where and when.              

Cyber Threat Hunting

After gathering the information, we have to hunt.  Cyber threat hunting is the modern methodology to have an idea of cyber kill chains or Mitre Attacks and hunt the unknown variants of attacks.

When you know, what is happening in your LAN, you can directly drive into Incident response.

But, when you suspect an event, that you want to hunt in your LAN for the traces of unknown variants (APT), threat hunting comes in.

Threat hunting provides you an in-depth analysis of the threat vectors and you can narrow down the events before it becomes an incident.

In every organization, threat-hunting teams should be hired and proactively they hunt for suspicious events and ensure they do not becomes incidents or the adversary’s breach.

They should understand the APT attack history and check for the artifacts in their network. Not to look for known IOCs, and break down the methodologies they propagate.

Exactly what to hunt? – Examples     

  • Hunt for Network Beaconing     
  • Hunt for Insider Privilege Escalations      
  • Hunt for Unusual DNS requests
  • Hunt for Unusual Network Shares           
  • Hunt for Network Reconnaissance          
  • Hunt for mismatch Windows services (parent/child processes)   
  • Hunt for Privilege Escalation – Access token manipulation              
  • Hunt for UAC Bypass     
  • Hunt for Credential Dumping     
  • Hunt for beacon over SMB pipes              
  • Hunt for Covert Channels            
  • Hunt for CnC traffics                                      
  • Hunt for shadowing       
  • Hunt for Suspicious Tunnels

Likewise, there are several conditions to hunt in a LAN. We can utilize the Mitre ATT&CK framework and check for the APT history and understand them.

It will provide a better understanding and we can map the hunting methods to the framework and see how far we can achieve.                                                                                                          

Dwell time is the time were the adversaries stay in your network and learn each and every zones, share, Database, network protocol, mapping, route, vulnerable endpoints, etc.

Threat hunting helps you to find the lateral movement and the persistent behavior of any cyber-attacks.


Incident Response         

Traditional incident response provides mitigation and remediation over the incidents (breached events), whereas Threat hunting provides an understanding of any suspicious or weird events and mitigating them before it becomes an incident.

But the incident responder and the response team are definitely needed in any SOC, where they help to mitigate the current incident and help to resolve the open vulnerabilities, this will break the attack chain, and the possibility of cyber threat is reduced.                                                                                                                   

IR team should ensure that the CIA was not breached and that no data has been exfiltered. Incident response teams also can deploy the cyber kill chain model in their checklists and map down the attacks.

An incident response plan can benefit an enterprise by outlining how to minimize the duration of and damage from a security incident, identifying participating stakeholders, streamlining forensic analysis, hastening recovery time, reducing negative publicity and ultimately increasing the confidence of corporate executives, owners and shareholders.

Modern SOC and the Expertise skills     

As we have seen and experienced various APT attacks and modern-day cyber espionage, we should evolve and create an enhanced cyber security strategy.

This model provides insights into cyber-attacks, so we need expert teams with various skills.

The specific skill sets of threat hunting, open source threat intelligence and DarkNet intelligence, Proactive incident handlers and first responder, malware researchers, and who can understand the Windows architecture and the malware behaviors.

These skill sets are mostly needed to defend a network against modern-day cyber-attacks.

An example, how a modern CyberSOC team should be planned.

Conclusion  

Cyber resilience is an evolving perspective that is rapidly gaining recognition. The concept essentially brings information security, business continuity, and (organizational) resilience together.

This model has a conceptual idea of bringing the Threat Intel, hunting, response, and SOC together to provide a complex array of security structures for an organization.

It will be more helpful to prioritize the activity and we can defend ourselves against modern-day attacks easily.

This model comprises key elements of “Adaptive response, Analytic monitoring, Deception, Intelligence, Diversity, Dynamic positioning, privilege restriction based on existing policies, realignment of mission-critical and noncritical services/servers, correlation of events and rapid responses”.

It mainly addresses the APT threats and provides an in-depth insight into the attack and the possible vectors.

 Remember,

Earlier: “Malware or Malicious”, was classified as scripts that intend to do something. But in the POV of an APT or adversaries, they know the current antivirus functionalities and their defensive mechanisms.

So they do not rely much on scripts or malware, instead, they abuse genuine programs and move laterally without being detected.

Cyber Threat Hunter POV  – Whatever is not needed for an individual, in any endpoints, or in an organization, these vulnerable keys are the critical assets of an APT.

So these are considered malware in the perception of threat hunters.

Ex: “PowerShell is not used by everyone unless needed by admin in servers. So not disabling the execution of PowerShell in endpoints is a loophole and adversaries can exploit it.           

 This model has a five-point view of the deployment of each module, where “Threat Intelligence”, “Cyber hunting”, “SOC”, “Incident Response” and “kill chain models”.

These are the pillars of the CyberSOC and they can be separately maintained or used as per organizational policies. However, everything should be synchronized logically, and use each module effectively when a suspicious event occurs.   

Read, More

50 Best Free Cyber Threat Intelligence Tools – 2023

US Government Agencies Hit By Clop In MOVEit Global Cyberattack

50+ Network Penetration Testing Tools for Hackers & Security Professionals – 2023

BALAJI N
https://gbhackers.com
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

RELATED ARTICLESMORE FROM AUTHOR

LEAVE A REPLY

Please enter your comment!
Please enter your name here