To begin, let’s try to understand the role of the SOC.
Learn About the Tasks and Challenges of a SOC
A SOC is a security incident detection and response team.
Its tasks are to:
detect incidents as early as possible.
respond to incidents, by blocking the potential attacker and resolving the initial cause of the incident.
implement the necessary measures to prevent incidents from happening again (or in the first place).
A SOC cannot always guarantee the security of the entire organization. During its creation, we defined a security perimeter to be monitored and defended. These are the parts of the organization’s IS that are identified as being the most critical.
Understand Your Information System Through a Risk Analysis
How do you identify what’s critical and what isn’t?
It’s true that attackers can attack whatever they want:
Users
Network infrastructure
IS software management (including directory services)
Websites
Cloud architecture, etc.
All these elements of the organization’s IS are known as assets. We can’t monitor them all with the same level of resources! But not everything is classified as critical.
To identify what is the most critical, we need to think like an attacker. For this, we can ask the question:
“What can an attacker do to the organization if they have compromised a particular asset?”
This is the purpose of risk analysis, namely to identify critical assets and their associated risks.
Understand the Main Terms Used
When we talk about risks, what exactly do we mean?
Risk is the consequence of a possible attack, such as a data breach, denial of access, or destruction. For example, there may be a risk of ransomware preventing access to all of the organization’s computers.
A scenario represents the most precise form an attack can take. An example is a data breach through a hacked website.
A threat is anything that can trigger an incident, whether intentionally or not. It could be a hacker or even an unhappy employee!
A vulnerability is something that an attacker could exploit to cause damage.
Understand the Risks Your Organization Faces
Regardless of the methodology used, the aim is to prioritize risks according to:
their impact on the organization’s operations.
the attackers’ capabilities, and therefore the probable outcome.
But let’s not get carried away with the finer details in this course. After all, risk analysis is a whole subject in itself!
Standardize Cyberattack Communication With MITRE ATT&CK
Now that we’ve identified the risks, what can we do to detect and block them?
To set up our detection process, we need to understand how a cyberattack works.
The Cyber Kill Chain
For example, for a ransomware attack, which is the risk we are trying to prevent at Méditronique, we can envisage the following scenario:
Attackers collect employee email addresses.
They hide malware in a scam email to employees.
They then use this malware to remotely take control of an employee’s computer.
They can then identify vulnerabilities in the IS from the compromised computer.
They exploit these vulnerabilities to compromise additional accounts and machines.
Gradually, they manage to compromise users with increasingly elevated privileges.
Once an IS administrator has been compromised, the attackers launch ransomware across the entire domain.
In this example, we can see that the attackers have to follow a series of steps. This is the Cyber Kill Chain concept: we find the same steps in every attack.
Characterize a Cyberattack
The good news is that, at every stage, there are elements that can help us to detect attackers, such as:
traffic to an IP address.
malware used to take control of the computer.
searching for vulnerabilities on the infected machine.
techniques used to move around the network.
All of these elements require a thorough knowledge of the attackers, their tools, their IP addresses, and their techniques!
Okay, but how do you learn about all of the techniques available to attackers? Is there a list somewhere?
Yes, there are references out there where you can learn about all the known techniques. These can help you figure out your detection process:
Select the techniques to be prioritized.
Identify techniques that have already been detected—or look for blind spots.
Exchange ideas with other teams and learn more about ongoing attacks.
This matrix classifies the fundamental techniques used by attackers into 14 columns, called tactics, which correspond to what the attackers are trying to accomplish with that technique.
This organization gives you insight into potential attackers through the techniques, tactics, and procedures (TTPs) they use.
The MITRE ATT&CK matrix is an important concept for the SOC! You’ll be using it regularly in later chapters within this course. For example, it can be used to represent the ransomware scenario described above. The attack follows the same steps as the Kill Chain, but with more detailed techniques, such as an identification of which protocols have been exploited. We can see that the Installation phase on the IS is actually an exploitation cycle involving discovery of the network, the exploitation of administration protocols, and obtaining login credentials. It is useful to identify these kinds of patterns so that we can prioritize the actions to be detected.
Use MITRE D3FEND to Identify Attack Countermeasures
So, we need to be familiar with the attackers and their techniques. But how do you translate their attack techniques into effective actions for detection?
You can use the MITRE D3FEND matrix for this.
And it goes beyond simple detection to include more generally any type of action that can help protect a security perimeter:
Model what is exposed, what elements need to be protected, and what they depend on.
Harden, or protect, your systems to make attacks more difficult for attackers.
Isolate the various systems to prevent attackers from moving around your IS.
Deceive attackers, if possible, with false assets.
Evict attackers by blocking compromised assets.
Restore access to networks, user accounts etc. once compromised assets have been successfully defended.
And that’s the true benefit of this framework. You can identify the actions to perform in D3FEND based on an ATT&CK technique, and vice versa! Once you’ve set up a D3FEND action, you can easily identify all the techniques it protects against.
Over to You!
You need to protect Méditronique from the scenario outlined in the course. Look at the MITRE ATT&CK matrix and the MITRE D3FEND matrix to identify the steps in the scenario. Suggest and fill in the missing boxes in this table.
Description | Tactic (ATT&CK) | Technique (ATT&CK) | Detection |
Search for email addresses | Reconnaissance |
| N/A |
Use phishing emails with malicious attachments |
| T1566.001: | D3-PMAD: Protocol Metadata Anomaly Detection D3-HD: Homoglyph Detection D3-SMRA: Sender MTA Reputation Analysis |
Run malware with the help of a hidden macro | Execution |
|
|
Exploit a vulnerability to become a workstation administrator |
|
| D3-SSC: Shadow Stack Comparisons D3-PCSV: Process Code Segment Verification |
Connect to additional machines in the IS |
| T1021: Remote Services |
|
Deploy ransomware and encrypt Méditronique’s data | Impact |
| N/A |
Click here for the answer key!
Let’s Recap!
The role of a Security Operations Center (SOC) is to manage security incidents using detection, response, and prevention.
To determine what to monitor and protect, you need a thorough understanding of your information system, its risks, and its potential attackers. This is the purpose of risk analysis.
There are a number of elements that can be used to detect an attack, including the steps involved, the components under attack, the vectors used, the techniques employed, the tools implemented, and the traces left behind.
Other, simpler models like the Cyber Kill Chain are useful, particularly for communication purposes.
We know what we have to defend and how our adversaries might proceed. Now, it’s time to empower our SOC with eyes and ears, so let’s talk about logs!
