Automating everything you possibly can will measurably improve your SOC. But to improve the quality of your SOC, you always need to anticipate where attackers will strike and take the preventive step of securing your IS.
Set Up Your Monitoring and Threat Intelligence System
How can you predict where the attackers will strike?
You really can’t predict that with any certainty. But you can anticipate the attacks!
A cyberattack on your organization is the result of a combination of factors in your organization that have piqued the attackers’ interest. Why your organization specifically?
CTI provides information on potential attackers, allowing you to adapt your defense to the context, including the following factors:
The size of your organization
Your sector (public, industry, consulting, etc.)
Your field (IT, aeronautics, medical, etc.)
The goal of CTI is to provide you with answers to the following questions and turn them into actionable steps:
Which current attack campaigns could affect your organization?
Who are the attackers that are interested in your organization?
What traces (IoCs) can you use to detect them?
What are their methods?
How can you detect them?
How can you block them?
Subscribe to Cyber Threat Intelligence feeds to stay up to date with the latest, most relevant information. You can use specialized tools for this purpose:
MISP allows you to subscribe to IoC feeds. You can filter the IoCs that are relevant to your organization and subscribe to feeds specific to your sector and field. These feeds supply information to a database that can be used with your SIEM to continuously detect attackers, based on recent and relevant IoCs.
OpenCTI also lets you subscribe to CTI feeds, but it is geared more toward technical information about attacker behavior. While MISP focuses on IoCs, OpenCTI looks at the TTPs of the MITRE ATT&CK matrix. This informs you about the methods used by attackers in your sector and domain. OpenCTI also provides the option of enriching these feeds with detailed reports on attackers, published by CTI providers.
The two platforms use different languages, but you can connect them and easily convert from one language to another.
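The MISP-to-SIEM loop described above, as an added example that is not part of the original chapter or of the MISP project: it reads a constructed event in MISP's JSON layout, keeps only attributes whose to_ids flag marks them as detection-grade, and matches them against a few constructed log lines. The event, the indicator values and the log lines are all made up for the example.

```python
import json
import re
from typing import Dict, List, Set, Tuple

# Constructed MISP-style event (not a real feed). MISP attributes carry a "type",
# a "value" and a "to_ids" flag: only attributes with to_ids set are meant to be
# pushed to detection; the others are context that would only generate noise.
MISP_EVENT = json.dumps({
    "Event": {
        "info": "Constructed sample campaign",
        "Attribute": [
            {"type": "ip-dst", "value": "203.0.113.45", "to_ids": True},
            {"type": "domain", "value": "update-check.example", "to_ids": True},
            {"type": "sha256", "value": "a" * 64, "to_ids": True},
            {"type": "ip-dst", "value": "192.0.2.10", "to_ids": False},  # context only
        ],
    }
})

# Attribute types worth matching in logs for this example.
DETECTION_TYPES = {"ip-dst", "ip-src", "domain", "hostname", "sha256", "md5"}

def load_indicators(event_json: str) -> Dict[str, Set[str]]:
    """Group to_ids attributes by type, lower-cased for case-insensitive matching."""
    event = json.loads(event_json)["Event"]
    indicators: Dict[str, Set[str]] = {}
    for attr in event.get("Attribute", []):
        if attr.get("to_ids") and attr["type"] in DETECTION_TYPES:
            indicators.setdefault(attr["type"], set()).add(attr["value"].lower())
    return indicators

# Split log lines into tokens (IPs, hostnames, hashes) on anything that is not
# a letter, digit, dot or dash.
TOKEN_RE = re.compile(r"[A-Za-z0-9.\-]+")

def match_logs(indicators: Dict[str, Set[str]], lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line number, indicator type, value) for every indicator seen in a line."""
    hits = []
    for no, line in enumerate(lines, 1):
        tokens = {t.lower() for t in TOKEN_RE.findall(line)}
        for ioc_type, values in indicators.items():
            for value in sorted(values & tokens):
                hits.append((no, ioc_type, value))
    return hits

# Constructed log lines from a proxy, a firewall and an EDR agent.
LOG_LINES = [
    "proxy: client=10.0.0.12 dst=update-check.example status=200",
    "fw: allow 10.0.0.7 -> 192.0.2.10:443",
    "edr: file hash=" + "a" * 64 + " path=C:\\Users\\x\\run.exe",
]
```

The firewall line is not reported even though 192.0.2.10 is in the event, because that attribute is not flagged to_ids; filtering on that flag is what keeps a feed usable in a SIEM.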
Improve Your Understanding of Your Information System by Continuously Assessing Its Security
It’s good to analyze the context when anticipating attacks! But it’s not just the context outside your organization. You also need to monitor the status of your IS to understand where attackers may strike.
Identify the Sources of Vulnerabilities
The SOC must contribute to identifying the easiest way for attackers to compromise the organization. To achieve this, it must constantly hunt for vulnerabilities that have been introduced into the IS.
These vulnerabilities can come from a variety of sources:
Public vulnerabilities are identified by the community on systems used by the organization. Vendors regularly release security patches along with updates to correct these vulnerabilities. Regular system updates are vital to avoiding these vulnerabilities! And it’s often the role of the SOC to monitor the existence of vulnerabilities.
Vulnerabilities can also appear as the IS evolves. For example, a migration may expose a server or database to the internet that was previously unexposed. It’s the SOC’s responsibility to recognize this as soon as possible and notify the relevant team to immediately correct this exposure.
Vulnerabilities can also be caused by bad practices within the organization. For example, an administrator who grants extensive permissions to their office account, so as to avoid using their administration account, introduces a compromise path into the IS. An attacker who has compromised office accounts could use this path to move around the IS. The SOC must therefore detect this type of risky practice as quickly as possible and implement suitable awareness measures to stop it.
Perform Vulnerability Scans
To detect vulnerabilities, the SOC needs to perform regular security scans using specialized tools such as:
Nessus (paid), OpenVAS (open source alternative), or Nuclei to identify IS vulnerabilities.
Nmap or Masscan to determine what is exposed on the internet and on the various network zones of the IS.
PingCastle or Purple Knight to assess the security of the directory.
BloodHound to identify compromise paths in the directory.
These scans give you an essential overview, but to maximize their results, you’ll need to spend time understanding how they work and what is and isn’t covered by the scans.
Go a Step Further With Security Audits
To get a better understanding of your information system, you can request a security audit. Scans give you some insight, but the involvement of specialized teams allows you to see the bigger picture and introduce a human perspective into the analysis of your security level.
There are various types of audits, depending on the approach used, the scenario simulated, and other factors. Penetration tests are used when the aim is to simulate the behavior of an attacker, while reviews or audits are used when the aim is to be comprehensive and go into greater detail.
Leverage the Advantages of Defense
Is it really necessary to test everything? That’s a lot of work!
You don’t have to keep retesting everything! It’s often said that, in cybersecurity, the attacker has the advantage because there are an infinite number of attackers. But the defense also has an advantage because they control the environment!
To leverage these advantages, make good use of existing processes:
Use the IS inventory to track the application of security patches and the presence of vulnerabilities.
Get involved in development and project management processes. This can help you think about security in all phases of your projects. Being involved is particularly helpful in the design stage, where you can ensure that each and every project contributes to improving the security level of the IS.
Continuously communicate with the organization’s teams to increase your knowledge of the IS and enforce best practices for security.
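Using the IS inventory to track vulnerabilities and patches, as an added example that is not part of the original chapter: a constructed inventory of installed components is checked against constructed advisories (placeholder ids, not real CVEs) that give an affected version range, and the findings are ordered with internet-facing assets first so the SOC knows which patches to request first. Inventory fields, advisory fields and the priority rule are all assumptions made for the example.

```python
from typing import Dict, List, Tuple

# Constructed inventory: one record per installed component, with the asset's
# internet exposure (assumed field) taken from the same inventory.
INVENTORY = [
    {"asset": "web-01", "product": "nginx", "version": "1.24.0", "internet": True},
    {"asset": "web-02", "product": "nginx", "version": "1.25.4", "internet": True},
    {"asset": "db-01", "product": "postgresql", "version": "15.3", "internet": False},
    {"asset": "jump-01", "product": "openssh", "version": "9.2", "internet": True},
]

# Constructed advisories with placeholder ids: a product is affected when its
# version lies in [introduced, fixed).
ADVISORIES = [
    {"id": "ADV-0001", "product": "nginx", "introduced": "1.0.0", "fixed": "1.25.0"},
    {"id": "ADV-0002", "product": "openssh", "introduced": "8.5", "fixed": "9.3"},
    {"id": "ADV-0003", "product": "postgresql", "introduced": "15.0", "fixed": "15.4"},
]

def parse_version(version: str) -> Tuple[int, ...]:
    """Compare versions numerically: as strings "1.25.4" < "1.9.0", which is wrong."""
    return tuple(int(part) for part in version.split("."))

def is_affected(version: str, advisory: Dict) -> bool:
    """True when version is in the advisory's half-open affected range."""
    current = parse_version(version)
    return parse_version(advisory["introduced"]) <= current < parse_version(advisory["fixed"])

def vulnerable_components(inventory: List[Dict], advisories: List[Dict]) -> List[Tuple[str, str, str]]:
    """Return (asset, advisory id, priority), high priority (internet-facing) first."""
    findings = []
    for item in inventory:
        for adv in advisories:
            if adv["product"] == item["product"] and is_affected(item["version"], adv):
                priority = "high" if item["internet"] else "medium"
                findings.append((item["asset"], adv["id"], priority))
    return sorted(findings, key=lambda f: (f[2] != "high", f[0]))

if __name__ == "__main__":
    for asset, adv_id, priority in vulnerable_components(INVENTORY, ADVISORIES):
        print(f"{priority:6} {asset:8} {adv_id}")
```

An asset missing from the inventory never shows up here, which is the practical reason the chapter insists on keeping it up to date.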
Learn about the realities of threat intelligence and continuous assessment in this video by Raphaël.
Let’s Recap!
To increase the relevance of your detection, learn about current threats with Cyber Threat Intelligence (CTI). This allows you to adapt to attackers that target your sector and type of organization.
Subscribe to CTI feeds to stay relevant. You can use MISP to receive threat intelligence feeds (IoCs) and OpenCTI to receive information on the techniques used by attackers (TTPs).
Get a more detailed overview to prevent incidents! For this, it’s essential to monitor threat intelligence about recent vulnerabilities and to have an up-to-date inventory so that you can detect whether you’re affected by these vulnerabilities.
Perform regular vulnerability scans to identify at-risk areas and bring them back under control with the help of relevant teams.
Make your SOC more effective by taking into account the context around cyberattacks, both inside and outside the organization. This improvement is not necessarily measurable in qualitative terms.
How can we assess the relevance and effectiveness of the SOC? And above all, how can we prioritize which improvements to implement? This is the focus of the next chapter!