In earlier years, everyone depends on CyberSOC (including firewalls, WAF, SIEM, etc.) and the priority in building the SOC provides security, and the CIA was maintained.
However, later the emergence of the attacks and the threat actors becomes more challenging and the existing SOC will not be able to provide better security over the CIA.
There are many reasons for the failure of the existing SOC, where it only depends on the SIEM.
Many organizations, believed integrating all the security devices like Firewalls, Routers, AV, and DB solutions in SIEM and correlating the use cases will provide them 100% security over the CIA of the
However, it all fails, since the APT emerges.
APT attacks over these years deliberately show that in cyberspace, organizations should implement a 0-trust defense model.
The main reasons for the failures of existing SOC, we mostly are the use cases of brute force login attempts, failure logins, failure HTTP requests, and malware propagations.
Nevertheless, we have to understand when the defenders started to learn, the offenders also evolved in a better way.
APT groups are evolving and abusing genuine applications we use often and stay in dwell time for years without being caught.
Arise of APT
Advanced Persistence Threat, these groups are not an individual identity. They are mostly organizations or countries (based on agenda/political reasons) with expertise teams.
Not normal experts, they are trained professionals and they have the potential to break into any system and move laterally in a LAN without being caught for years.
Even your antivirus cannot detect this movement, because they do not create
Key components of an APT are, moving laterally, being persistent, creating a CnC channel, getting payload with just a DNS request, and more.
Every APT attack so far recorded, they do have unique ways of propagating a network and they rely highly on open ports, unprotected network zones, vulnerable applications, network shares, etc.
Once they break in, they do whatever they intend to do.
Proactive Defense Model
Your perception towards the defense against any modern-day cyber-attacks and APT attacks, you should think and build a defense mechanism exactly like an “adversary“.
For building a defense model, you should know the adversary tactics, and how they get in. How do they propagate? How do they exfiltrate?
For these queries, Lock Martin’s cyber kills chain and Mitre ATT&CK give a better understanding of the attacks. Exactly how an adversary sneaks into your network and how he moves out without being caught.
You can also, implement use cases in your existing SOC based upon the stages of the Cyber Kill chain, which will provide you an insight into the cyber-attacks.
Cyber Threat Intelligence
Blocking the IOCs and IPs does not provide you 100% security over cyber-attacks.
As per the record, so far 5 million IP addresses
Let us assume our existing SOC; are we going to put
Both were considered
APT groups are using various techniques and hiding their traces forever, so just depending on IOCs (IP, domain, hashes, URLs) does not work anymore.
You should think about TTPs (Tactics, Techniques,
These TTPs play a vital role in gathering information about the OS and network artifacts used by the adversaries, based upon the information, building a use case for cases in a specific way of traffic or specific “dll” or “exe”, provides insight over the attacks.
DarkNet intelligence is also needed, where most of the stolen data are sold in the dark market for money or further asylum.
Threat intelligence also provides global threat information based on available resources. Many OEMs are also providing various threat matrix information, tools used, artifacts used, etc.
Every day, your intelligence team should gather information not only about IOC’s also; they have to strive for details about emerging IOAs and IOEs.
APT groups are well-trained in exploiting the vulnerability.
Therefore, we need to gather more information for the indications of exploitations in the organizations and ensure it is fixed before the adversary exploits.
A cyber intelligence program is all about uncovering the who, what, where, when, why, and how behind a cyberattack.
Tactical and operational intelligence can help identify what and how of an attack, and sometimes the where and when.
Cyber Threat Hunting
After gathering the information, we have to hunt. Cyber threat hunting is the modern methodology to have an idea of cyber kill chains or Mitre Attacks and hunt the unknown variants of attacks.
When you know, what is happening in your LAN, you can directly drive into Incident response.
But, when you suspect an event, that you want to hunt in your LAN for the traces of unknown variants (APT), threat hunting comes in.
Threat hunting provides you an in-depth analysis of the threat vectors and you can narrow down the events before it becomes an incident.
In every organization, threat-hunting teams should be hired and proactively they hunt for suspicious events and ensure they do not becomes incidents or the adversary’s breach.
They should understand the APT attack history and check for the artifacts in their network. Not to look for known IOCs, and break down the methodologies they propagate.
Exactly what to hunt? – Examples
- Hunt for Network Beaconing
- Hunt for Insider Privilege Escalations
- Hunt for Unusual DNS requests
- Hunt for Unusual Network Shares
- Hunt for Network Reconnaissance
- Hunt for mismatch Windows services (parent/child processes)
- Hunt for Privilege Escalation – Access token manipulation
- Hunt for UAC Bypass
- Hunt for Credential Dumping
- Hunt for beacon over SMB pipes
- Hunt for Covert Channels
- Hunt for CnC traffics
- Hunt for shadowing
- Hunt for Suspicious Tunnels
Likewise, there are several conditions to hunt in a LAN. We can utilize the Mitre ATT&CK framework and check for the APT history and understand them.
It will provide a better understanding and we can map the hunting methods to the
Dwell time is the time were the adversaries stay in your network and learn each and every zones, share, Database, network protocol, mapping, route, vulnerable endpoints, etc.
Threat hunting helps you to find the lateral movement and the persistent behavior of any cyber-attacks.
But the incident responder and the response team are definitely needed in any SOC, where they help to mitigate the current incident and help to resolve the open vulnerabilities, this will break the attack chain, and the possibility of cyber threat is reduced.
IR team should ensure that the CIA was not breached and that no
An incident response plan can benefit an enterprise by outlining how to minimize the duration of and damage from a security incident, identifying participating stakeholders, streamlining forensic analysis, hastening recovery time, reducing negative publicity and ultimately increasing the confidence of corporate executives, owners
Modern SOC and the Expertise skills
As we have seen and experienced various APT attacks and modern-day cyber espionage, we should evolve and create an enhanced cyber security strategy.
This model provides insights into cyber-attacks, so we need expert teams with various skills.
The specific skill sets of threat hunting, open source threat intelligence and DarkNet intelligence, Proactive incident handlers and first responder, malware researchers, and who can understand the Windows architecture and the malware behaviors.
These skill sets are mostly needed to defend a network against modern-day cyber-attacks.
Cyber resilience is an evolving perspective that is rapidly gaining recognition. The concept essentially brings information security, business continuity, and (organizational) resilience together.
This model has a conceptual idea of bringing the Threat Intel, hunting, response,
It will be more helpful to prioritize the activity and we can defend ourselves against modern-day attacks easily.
This model comprises key elements of “Adaptive response, Analytic monitoring, Deception, Intelligence, Diversity, Dynamic positioning, privilege restriction based on existing policies, realignment of mission-critical and noncritical services/servers, correlation of events and rapid responses”.
It mainly addresses the APT threats and provides an in-depth insight into the attack and the possible vectors.
Earlier: “Malware or Malicious”, was classified as scripts that intend to do something. But in the POV of an APT or adversaries, they know the current antivirus functionalities and their defensive mechanisms.
So they do not rely much on scripts or malware, instead, they abuse genuine programs and move laterally without being detected.
Cyber Threat Hunter POV – Whatever is not needed for an individual, in any endpoints, or in an organization, these vulnerable keys are the critical assets of an APT.
So these are considered malware in the perception of threat hunters.
Ex: “PowerShell is not used by everyone unless needed by admin in servers. So not disabling the execution of PowerShell in endpoints is a loophole and adversaries can exploit it.
This model has a five-point view of the
These are the pillars of the CyberSOC and they can be separately maintained or used as per organizational policies. However, everything should be synchronized logically, and use each module effectively when a suspicious event occurs.