Tuesday, March 19, 2024

SOC Second Defense Phase – Understanding the Cyber Threat Profiles

In the first phase of architecting the SOC, we looked at a basic-level understanding of attacks and the steps needed to break the attack chain. Let's move on to the next phases of the SOC and to advanced-level protection of the organization from the various threat profiles.

In the early years, when we said "virus", it was just an 'exe' file that produced a few pop-ups. Most viruses were created by script kiddies and did not cause any real damage to PCs.

Modern-day malware, however, is not created by script kiddies; it is developed by companies for profit, and there is a motive and an agenda behind every piece of malware created.

The older malware families were grouped as virus/ worm/ PUP/ Spyware/ Adware/ Polymorphic Virus/ FakeAV/ Screensaver Virus. These do not create much impact, and there is usually no business motive behind them.

Threat Profiles

Nowadays, however, the threat-profile and modern-malware landscape is huge and wide, with unique coding styles; this malware has built-in capabilities to download further malicious code, exfiltrate data, communicate with external servers, erase data, encrypt files, and much more.

This modern-day malware is created with an agenda, a modus operandi and a financial motive.


The modern-day malware families include Trojans/ Rootkit/ Bot/ Botnet/ POS Malware/ ATM Malware/ Ransomware/ Cryptomining Malware/ Spybot/ Wiper/ CnC Trojan/ Exploit Kit/ Browser Hijacker/ Credential Stealer/ RAT/ WMI Backdoors/ Skeleton Key/ Keylogger, etc.


So a basic understanding of modern threats is necessary for every SOC team, and understanding threat profiles is even more important in SOC monitoring.

The SOC should know what it is dealing with: it should understand the behavior, differentiate the patterns, know the variants released by the hacker community, and know the ways to handle them without any disruption.

Threat profiles are the types of malware, scripts, abused vulnerable applications, and network and Windows artifacts used by the cybercriminal (threat actor) to accomplish a cyber attack on your organization.
These capabilities can be classified as:

1.) Initial Access – Techniques attackers use to gain an initial foothold within a network.

2.) Execution – Execution of adversary/attacker-controlled code on a local or remote system. This tactic is often used in conjunction with initial access as the means of executing code once access is obtained, and lateral movement to expand access to remote systems on a network.

3.) Persistence – Persistence is any access, action, or configuration change to a system that gives an adversary a persistent presence on that system.

Adversaries will often need to maintain access to systems through interruptions such as system restarts, loss of credentials, or other failures that would require a remote access tool to restart or alternate backdoor for them to regain access.

4.) Privilege Escalation – Privilege escalation is the result of actions that allow an adversary to obtain a higher level of permissions on a system or network. Certain tools or actions require a higher level of privilege to work and are likely necessary at many points throughout an operation.

Adversaries can enter a system with unprivileged access and must take advantage of system weaknesses to obtain local administrator or SYSTEM/root-level privileges.

5.) Defense Evasion – Defense evasion consists of techniques an adversary may use to evade detection or avoid other defenses. Sometimes these actions are the same as or variations of techniques in other categories that have the added benefit of subverting a particular defense or mitigation.

6.) Credential Access – Credential access represents techniques resulting in access to or control over system, domain, or service credentials that are used within an enterprise environment.

Adversaries will likely attempt to obtain legitimate credentials from users or administrator accounts (local system administrator or domain users with administrator access) to use within the network.

7.) Discovery – Discovery consists of techniques that allow the adversary to gain knowledge about the system and internal network.

When adversaries gain access to a new system, they must orient themselves to what they now have control of and what benefits operating from that system give to their current objective or overall goals during the intrusion.

8.) Lateral Movement – Lateral movement consists of techniques that enable an adversary to access and control remote systems on a network and could, but does not necessarily, include execution of tools on remote systems.

The lateral movement techniques could allow an adversary to gather information from a system without needing additional tools, such as a remote access tool.

9.) Collection – Collection consists of techniques used to identify and gather information, such as sensitive files, from a target network prior to exfiltration. This category also covers locations on a system or network where the adversary may look for information to exfiltrate.

10.) Exfiltration – Exfiltration refers to techniques and attributes that result or aid in the adversary removing files and information from a target network.

This category also covers locations on a system or network where the adversary may look for information to exfiltrate.

11.) Command and Control – The command and control tactic represents how adversaries communicate with systems under their control within a target network.

There are many ways an adversary can establish command and control with various levels of covertness, depending on system configuration and network topology.

Due to the wide degree of variation available to the adversary at the network level, only the most common factors were used to describe the differences in command and control.
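The eleven categories above are the vocabulary a SOC uses to turn individual alerts into a threat profile, and the conclusion below makes the related point that malware families rarely act alone. The following is an added example, not code from the original article: a small Python script that tags constructed endpoint events with the tactic category they indicate and then builds a per-host profile from the sequence of tactics seen in a short window. The event format, the field names, the rule patterns and the sample events are all assumptions made for this example; real SOC rules would be tuned against the organization's own telemetry.

```python
"""Map endpoint events to the article's tactic categories and build a per-host
threat profile. All rules, field names and sample events are assumptions for
this example, not the output of any specific EDR or SIEM product."""
import re
from collections import defaultdict

# The eleven tactic categories listed in the article, in the article's order.
TACTIC_ORDER = [
    "Initial Access", "Execution", "Persistence", "Privilege Escalation",
    "Defense Evasion", "Credential Access", "Discovery", "Lateral Movement",
    "Collection", "Exfiltration", "Command and Control",
]

# (rule name, tactic, event type the rule applies to, regex over event detail).
# Deliberately simple, high-signal patterns; a production rule set is far larger.
RULES = [
    ("office_spawns_shell", "Initial Access", "process",
     re.compile(r"parent=(winword|excel|outlook)\.exe .*image=(powershell|cmd|wscript)\.exe", re.I)),
    ("run_key_write", "Persistence", "registry",
     re.compile(r"\\CurrentVersion\\Run\\", re.I)),
    ("lsass_handle", "Credential Access", "process_access",
     re.compile(r"target=lsass\.exe", re.I)),
    ("domain_recon", "Discovery", "process",
     re.compile(r"image=(nltest|net)\.exe .*(dclist|/domain|\bview\b)", re.I)),
    ("bulk_outbound", "Exfiltration", "network",
     re.compile(r"direction=out .*bytes=\d{8,}", re.I)),  # 10 MB or more in one flow
]
assert all(tactic in TACTIC_ORDER for _, tactic, _, _ in RULES)

# Constructed sample telemetry (hypothetical hosts WS01 and WS02, not real data).
SAMPLE_EVENTS = [
    {"host": "WS01", "ts": 1000, "type": "process",
     "detail": "parent=WINWORD.EXE image=powershell.exe cmd=powershell.exe -File inv.ps1"},
    {"host": "WS01", "ts": 1030, "type": "registry",
     "detail": r"key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater value=C:\Users\a\u.exe"},
    {"host": "WS01", "ts": 1200, "type": "process",
     "detail": "parent=cmd.exe image=nltest.exe cmd=nltest /dclist:corp"},
    {"host": "WS01", "ts": 1500, "type": "process_access",
     "detail": "source=u.exe target=lsass.exe access=0x1010"},
    {"host": "WS01", "ts": 2000, "type": "network",
     "detail": "direction=out dst=203.0.113.10:443 bytes=52428800"},
    # Benign activity on a second host: admin PowerShell and a small HTTPS flow.
    {"host": "WS02", "ts": 1100, "type": "process",
     "detail": "parent=explorer.exe image=powershell.exe cmd=powershell.exe Get-Date"},
    {"host": "WS02", "ts": 1300, "type": "network",
     "detail": "direction=out dst=198.51.100.7:443 bytes=4096"},
]


def classify(events):
    """Return [(host, ts, tactic, rule_name)] for every event that matches a rule."""
    hits = []
    for ev in events:
        for name, tactic, etype, pattern in RULES:
            if ev["type"] == etype and pattern.search(ev["detail"]):
                hits.append((ev["host"], ev["ts"], tactic, name))
    return hits


def chains(hits, window=3600):
    """Per host, the distinct tactics seen (in order of first sighting) within
    `window` seconds of that host's first hit. Later hits are ignored so one
    old alert cannot inflate a fresh incident."""
    per_host = defaultdict(list)
    for host, ts, tactic, _ in sorted(hits, key=lambda h: h[1]):
        per_host[host].append((ts, tactic))
    result = {}
    for host, seq in per_host.items():
        start = seq[0][0]
        seen = []
        for ts, tactic in seq:
            if ts - start <= window and tactic not in seen:
                seen.append(tactic)
        result[host] = seen
    return result


def threat_profile(events, min_tactics=3):
    """Hosts whose activity spans at least `min_tactics` distinct tactics.
    A single hit is noise; several tactics chained on one host is a profile."""
    return {host: tactics for host, tactics in chains(classify(events)).items()
            if len(tactics) >= min_tactics}


if __name__ == "__main__":
    for host, tactics in threat_profile(SAMPLE_EVENTS).items():
        print(host, "->", " > ".join(tactics))
```

The design choice worth noting is that `threat_profile` scores the breadth of tactics rather than the number of alerts: five alerts of the same kind on one host still count as one tactic, while one alert from each of five categories on the same host in an hour is exactly the combined, multi-stage behavior the article describes. The threshold and window are the knobs an analyst would tune to the environment.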

Let's look at the malware-family variants that generate the most noise as attack vectors in threat profiles. This list is not complete, just a sample of the variants released.

Figure: Threat Profiles
Conclusion – Threat Profiles

Why should I worry about malware and their behaviors?

We should worry, because modern malware has specific ways of propagating, with a more complex structure of commands, to gain a further foothold.

Every piece of malware you face is not just the responsibility of your organization's AV team; it is the core responsibility of the SOC to understand its behavior and the capabilities it possesses to intrude into your network.

Malware families rarely act alone; in most instances they work in combination to get their work done.
