A Brief Process Of Create a Cyber Security Infrastructure

In earlier years, everyone depends on SOC (including firewalls, WAF, SIEM,etc.) and the priority in building the SOC provides security and the CIA was maintained.

However, later the emergence of the attacks and the threat actors becomes more challenging and the existing SOC will not be able to provide better security over the CIA. There are many reasons for the failure of the existing SOC, where it only depends on the SIEM.

Many organizations, believed integrating all the security devices like Firewalls, Routers, AV, and DB solutions in SIEM and correlating the use cases will provide them 100% security over the CIA of the data. However, it all fails, since the APT emerges.                                                                                                

APT attacks over these years deliberately show that in cyberspace, organizations should implement a 0-trust defense model. The main reasons for the failures of existing SOC, we mostly are the use cases of brute force login attempts, failure logins, failure http requests, and malware propagations.

Nevertheless, we have to understand when the defenders started to learn, the offenders also evolved in a better way. APT groups are evolving and abusing genuine applications we use often and stay in dwell time for years without being caught.               

Arise of APT

Advanced Persistence Threat, these groups are not an individual identity. They are mostly organizations or countries (based on agenda/political reasons) with expertise teams. Not normal experts, they are trained professionals and they have the potential to break in any system and move laterally in a LAN without being caught for years.

Even your antivirus cannot detect this movement, because they do not create malware, they just abuse genuine applications (like PowerShell) and move laterally like a genuine process.

Key components of an APT is, moving laterally, being persistent, creating CnC channel, getting payload with just a DNS request and more. Every APT attacks so far recorded, they do have unique ways of propagating a network and they rely highly on open ports, unprotected network zones, vulnerable applications, network shares, etc. Once they break in, they do whatever they intend to do.

Proactive Defense Model

Your perception towards the defense against any modern-day cyber-attacks and APT attacks, you should think and build a defense mechanism exactly like an “adversary“.For building a defense model, you should know the adversary tactics, and how they get in. How do they propagate? How do they exfiltrate?

For these queries, Lock Martin’s cyber kills chain and Mitre ATT&CK give a better understanding of the attacks. Exactly how an adversary sneaks into your network and how he moves out without being caught. You can also, implement use cases in your existing SOC based upon the stages of the Cyber Kill chain, which will provide you an insight into the cyber-attacks.

Cyber Threat Intelligence

Blocking the IOCs and Ip’s does not provide you 100% security over the cyber-attacks. Recent APT attacks are evolving much, using DGA algorithms and often changing domains, source IP addresses using VPN and TOR nodes (DarkNet), spoofing, etc. As per the record, so far 5 million IP addresses have been blacklisted globally because of malware attacks, cyber espionage, APT, TOR, etc.

Let us assume our existing SOC; are we going to put watchlists for monitoring 5 million blacklisted IPS in SIEM? On the other hand, are we going to block the 5 million blacklisted Ips in perimeter firewalls?

Both were considered as plans of action, not as incident responses.

APT groups are using various techniques and hide their traces forever, so just depending on IOCs (IP, domain, hashes, URLs) do not work anymore. You should think about TTPs (Tactics, Techniques, and Procedures also sometimes referred to as Tools, Techniques, and Procedures).

These TTPs plays a vital role in gathering information about the OS and network artifacts used by the adversaries, based upon the information, building a use case for cases in a specific way of traffic or specific “dll” or “exe“, provides insight over the attacks. DarkNet intelligence also needed, where most of the or stolen data’s are sold in dark market either for money or for further asylum.     

Threat intelligence, also provides the global threat information based on available resources. Many OEM’s are also providing various threat matrix information’s, tools used, artifacts used, etc. Every day, your intelligence team should gather the information’s not only about IOC’s also; they have to strive details about emerging IOA and IOE’s.

APT groups are well-trained in exploiting the vulnerability. Therefore, we need to gather more information for the indications of exploitations in the organizations and ensure it is fixed, before the adversary exploits.                         

A cyber intelligence program is
all about uncovering the who, what, where, when, why and how behind a
cyberattack. Tactical and operational intelligence can help identify what and
how of an attack, and sometimes the where and when.              

Cyber Threat Hunting

After gathering the information, we have to hunt.  Cyber threat hunting is the modern methodology to have an idea of cyber kill chains or the Mitre Attacks and hunt the unknown variants of attacks. When you know, what is happening in your LAN, you can directly drive into Incident response.

But, when you suspect an event, that you want to hunt in your LAN for the traces of unknown variants (APT), threat hunting comes in. Threat hunting provides you an in-depth analysis of the threat vectors and you can narrow down the events before it becomes an incident.

In every organization, threat-hunting teams should be hired and proactively they hunt for suspicious events and ensure it do not becomes incidents or the adversary’s breach. They should understand the APT attack history and check for the artifacts in their network. Not to look for known IOCs, break down the methodologies they propagate.

Exactly what to hunt? – Examples     

• Hunt for Network Beaconing     
• Hunt for Insider Privilege Escalations      
• Hunt for Unusual DNS requests
• Hunt for Unusual Network Shares           
• Hunt for Network Reconnaissance          
• Hunt for mismatch windows services (parent/child processes)   
• Hunt for Privilege Escalation – Access token manipulation              
• Hunt for UAC Bypass     
• Hunt for Credential Dumping     
• Hunt for beacon over SMB pipes              
• Hunt for Covert Channels            
• Hunt for CnC traffics                                      
• Hunt for shadowing       
• Hunt for Suspicious Tunnels

Likewise, there are several conditions to hunt in a LAN. We can utilize the Mitre ATT&CK framework and check for the APT history and understand them. It will provide better understanding and we can map the hunting methods to the framework and see how far we can achieve.                                                                                                          

Dwell time, the time were the adversaries stay in your network and learn each and every zones, share, Database, network protocol, mapping, routes, vulnerable endpoints, etc. Threat hunting helps you to find the lateral movement and the persistent behaviour of any cyber-attacks.

Incident Response         

Traditional incident response provides mitigation and remediation over the incidents (breached events), whereas Threat hunting provides understanding of any suspicious or weird events and mitigating before it becomes an incident.

But incident responder and the response team is definitely needed in any SOC, where they helps to mitigate the current incident and helps to resolve the open vulnerabilities, this will break the attack chain and possibility of cyber threat is reduced.                                                                                                                   

IR team should ensure that the CIA was not breached and no data’s has been exfiltered. Incident response teams also can deploy the cyber kill chain model in their checklists and map down the attacks.

An incident response plan can benefit an enterprise by outlining how to minimize the duration of and damage from a security incident, identifying participating stakeholders, streamlining forensic analysis, hastening recovery time, reducing negative publicity and ultimately increasing the confidence of corporate executives, owners and shareholders.

Modern SOC and the Expertise skills     

As we seen and experienced various APT attacks and modern-day cyber espionage, we should evolve and create an enhanced cyber security strategy. This model provides insights over cyber-attacks, so we need expertise teams with various skills.

The specific skill sets of threat hunting, open source threat intelligence and DarkNet intelligence, Proactive incident handlers and first responder, malware researchers, and who can understand the windows architecture and the malware behaviors. These skill sets are mostly needed to defend a network against modern-day cyber-attacks.

Conclusion  

Cyber resilience is an evolving perspective that is rapidly gaining recognition. The concept essentially brings the areas of information security, business continuity and (organizational) resilience together.

This model has a conceptual idea of bringing the Threat Intel, hunting, response and SOC together to provide a complex array of security structures for an organization. It will be more helpful to prioritize the activity and we can defend ourselves against modern-day attacks easily.

This model comprises key elements of “Adaptive response, Analytic monitoring, Deception, Intelligence, Diversity, Dynamic positioning, privilege restriction based on existing policies, realignment of mission-critical and noncritical services/servers, correlation of events and rapid responses”. It mainly addresses the APT threats and provides an in-depth insight of the attack and the possible vectors.

 Remember,

Earlier: “Malware or Malicious”, was classified as scripts that intend to do something. But in the POV of an APT or adversaries, they are well aware of the current antivirus functionalities and their defensive mechanisms. So they do not rely much on scripts or malware, instead, they abuse genuine programs and move laterally without being detected.

Cyber Threat Hunter POV  – Whatever is not needed for an individual, in any endpoints, or in an organization, these vulnerable keys are the critical assets of an APT. So these are considered to malware in the perception of threat hunters. Ex: “PowerShell is not used by everyone unless needed by admin in servers. So not disabling the execution of PowerShell in endpoints is a loophole and adversaries can exploit it.           

 This model has a five-point view of the deployment of each module, where “Threat Intelligence”, “Cyber hunting”, “SOC”, “Incident Response” and “kill chain models”.

These are the pillars of the CyberSOC and it can be separately maintained or used along as per organizational policies. However, everything should be synchronized logically and use each module effectively when a suspicious event occurs.   

Network Security Checklist – Download Free E-Book