Proposing Recommendations Part 1
Video Activity

Time: 3 hours 16 minutes
Difficulty: Intermediate
CEU/CPE: 2
Video Transcription
Welcome to Lesson 5, Module 3 within the ATT&CK-based SOC assessments training course. In this lesson, we're going to talk about how you can propose recommendations after running through an ATT&CK-based SOC assessment. This lesson fits in as the last stage within our generic ATT&CK-based SOC assessment methodology. So far, you've framed the assessment, you set a rubric, you did the technical analysis, you interviewed staff, and you compiled the results into a final heatmap. Now, by proposing changes for the SOC to enact, you can help position them, or rather help them orient themselves, towards a more threat-informed form of defense.

This lesson has two primary learning objectives. After the lesson, you should, number 1, understand the basic types of recommendations and the importance of them, and, number 2, be able to deliver a set of prioritized techniques for the SOC to focus on.
One of the ways we like to contextualize recommendations is that when running an assessment, you should never attack and run. For some SOCs, maybe delivering a heatmap is enough for them. But for many, when you deliver that heatmap, you're positioned well to help them understand how they can improve and increase their coverage and just generally orient themselves towards a more threat-informed form of defense.

We like to say that you should always try to give recommendations immediately after an assessment for basically two reasons. Number 1, the SOC's details are fresh in your mind, so your recommendations are going to be most accurate right after the assessment. Number 2, for the SOC receiving the recommendations, the assessment is going to be fresh in their mind, so they're going to be most receptive to what you might be proposing.

Towards that, we have four primary recommendation categories. Number 1 is technique prioritization. This is the focus of this lesson, where we talk about how you can create a small set of techniques for the SOC to focus on for them to really amp up their adoption of the ATT&CK framework. The second is process refinement. These are things that aren't as ATT&CK-focused, just general security operations that might not tie into the ATT&CK framework directly, but will help the SOC improve what they're doing. The third is coverage improvement. This is of key importance. It's not enough to just say, "Well, I have where my gaps are, I'm going to walk away." You always want to have a strategy for how you're going to remediate those gaps and improve your coverage. And last is follow-up engagements. These are things like additional assessments or other kinds of interactions and engagements the SOC can pursue.
Diving into technique prioritization, here's an example chart that you might deliver as part of an ATT&CK-based SOC assessment. For many SOCs, they might look at this and say, "Oh, this is super helpful, but what do I do with this? Where do I even start?" You can look at this and you can say, "I have all these gaps, all these low confidence of detection. What's important for me to do right now?" This is where technique prioritization comes in. In addition to the heatmap, always try to provide a small set of techniques for the SOC to focus on. This, number 1, makes interpreting the heatmap more tractable for them, because you're really focusing their efforts and their eyes on the things that are the biggest concerns in the short term. Number 2, it grounds the results in something clear and tangible. It's not just, here's this sea of gaps in your coverage, but rather here are these gaps, and then here are the ones you should really care about right now. Then lastly, it provides a really effective starting spot for other recommendations, such as adding new analytics or conducting atomic tests or purple teaming.

Let's walk through a couple of examples of what this looks like. This again is a notional chart of coverage, and we're going to highlight in orange a set of techniques that we've identified that might be specifically high priority for the SOC we're working with. In this case, we followed a few metrics for determining which ones are high priority. These three, Command and Scripting Interpreter, Brute Force, and Application Layer Protocol, are selected because they're popular and they can give the biggest return on investment when it comes to increasing coverage. These four, Boot or Logon Initialization Scripts, BITS Jobs, Execution Guardrails, and System Time Discovery, were selected because we decided that they were used by relevant threat actors that might be likely to target your network. These two were highlighted because potentially they are more public-facing and they could have a significant impact on operations for the organization we're working with. Lastly, these three were selected because the SOC we're working with has the existing logs in place where they can start quickly writing analytics to detect these techniques.
A couple of tips for technique prioritization. Number 1, small lists of techniques are great for short-term wins. It's easy to want to recommend the SOC do everything, but by providing a small focused list of, say, 5-10 techniques, you can really help the SOC both improve, but also measure their improvement. When recommending techniques, always pick a strategy for how you want to recommend them based on coverage. For a SOC that hasn't yet integrated ATT&CK, focus on recommending techniques that specifically have low coverage. For SOCs that have already integrated ATT&CK in some way, recommend techniques that have low or some coverage depending on the specific way you're recommending them.

Then always focus on techniques that are immediately relevant. Number 1, are they used by relevant threat actors? These techniques are the ones that the SOC might be most likely to see occurring on their network. Are they popular or frequently occurring? This is a great way to look at the previous cut-off in a way that's not as focused on the threat actors but more generic. By focusing on the popular techniques, you might be more likely to get a bigger ROI. Are they easy to execute and do they enable more techniques? This one's a little bit harder to gauge. But depending on the SOC you're working with, they might be able to identify the techniques that are used most commonly during red team engagements, and the red team might identify techniques that they think are the key stepping stones were an adversary to target their network. Then lastly, are the necessary logs readily accessible? This is really important for technique prioritization, particularly for the short term. By focusing on techniques where you have the necessary logs, you can quickly start rolling out analytics to get those short-term wins. Then lastly, try to provide the SOC with your methodology as well as pointers so that they can build their own lists when you're done running the ATT&CK-based SOC assessment.
We'll now close out this lesson with an exercise. Here, we're taking a heatmap. Again, it's a subset of the full ATT&CK matrix. But we have this heatmap that we're delivering as part of an ATT&CK-based SOC assessment, and we're trying to figure out which techniques we should tell this SOC to focus on. During this assessment, we've identified that the SOC specifically cares about APT32, OilRig, Turla, and APT28, and they want to focus on techniques where they have low coverage. We also know that this SOC has a SIEM platform that ingests API monitoring, authentication logs, antivirus, SSL/TLS inspection, and Windows error reporting. Given those pieces of information, our task is to highlight the five or six techniques that we think are of immediate concern for the SOC to work on remediating. We're going to walk through our solution. But if you want to try it on your own, feel free to pause the video, and then when we come back, we'll go through how we look at this problem and how we think a good solution might look.
Welcome back. We're now going to walk through how we're going to approach this problem, and really we're going to have a three-pronged approach. We're going to first overlay the threat actor techniques; we're then going to look at which of those threat actor techniques are indeed detectable given the data sources the SOC is ingesting; and then we're going to select the techniques with low confidence. We're not necessarily going to go strictly in that order, but these are the three main points we're going to follow.

To kick that off, we're going to start with overlaying threat actor techniques. Here we've come up with a heatmap. Again, it's a smaller, focused heatmap. We're going to put in various colors, orange, pink, red, and dark red, how many groups use the techniques. Here we've put APT32 on there. You can see we've got a variety of techniques highlighted in orange. We're then going to add in OilRig. A couple of techniques upgrade to pink, showing that they are in use by both APT32 and OilRig, and then a lot more colored in orange. We're adding Turla, again a couple more pink, a couple more orange, and then we add in APT28. Interestingly here, you can see we've really only got pink and orange, which means we've only got, actually, a decent number of techniques that are used by either one or two of the threat actor groups we specifically care about.

Using this heatmap, what we're going to do is overlay it on top of the coverage heatmap we produced as part of the assessment. The idea is, for all the techniques that are currently low confidence of detection, we're going to put in whether one group or two groups use that technique. When you go through it, you end up with this chart. Here you get a nice overlay showing you the techniques that have low confidence of detection that are used by either one or two threat actor groups that the SOC specifically cares about. From here, you could technically deliver this, meeting a bit of the mark on what the SOC is looking for for a prioritization list. However, we haven't gotten into the data sources question yet.

Sure, it looks like we're going to focus on these two techniques on the left: Command and Scripting Interpreter and Exploitation for Client Execution. When you look at the ATT&CK website, you can dive into these in a little more detail and see that we have a variety of data sources for Command and Scripting Interpreter: PowerShell logs, process command-line parameters, process monitoring, and Windows event logs. Then for the exploitation technique, we have antivirus, process monitoring, and system calls. When you overlay that on the bottom against the data sources the SOC is already ingesting, you can see one stick out, antivirus, which can potentially detect, or can be used to detect, Exploitation for Client Execution. Command and Scripting Interpreter, by contrast, doesn't have any relevant data sources. With that in mind, we now bucket Exploitation for Client Execution into the prioritized technique for focus category, highlighting it in purple, and then we go back to low confidence for Command and Scripting Interpreter. Then we can walk through the rest of these techniques: Exploitation for Privilege Escalation, Brute Force, and Exploitation of Remote Services, all three of these having data sources that are currently being ingested; skipping Archive Collected Data because it doesn't match the data source strategy; putting in Screen Capture; putting in Proxy; and then ignoring Exfiltration Over C2 Channel. When we've walked through this process, we now have this focused set of six techniques that are used by relevant threat actors, are currently low confidence of detection, and have data sources currently being ingested by the SOC.
A few summary notes and takeaways to close out the lesson. Number 1, always make sure to follow up an assessment with recommendations. This is critical to running a successful ATT&CK-based SOC assessment, and you really get the biggest return on investment when you do so. Prioritization plans make daunting coverage charts easier to digest; this is also super helpful. A coverage chart by itself can be a bit overwhelming sometimes. But putting up a prioritization plan with the coverage chart can really make it easier for the SOC to internalize. When crafting a prioritization plan, you should focus on techniques that meet at least one of the three following categories. Number 1, relevant, based on a measure of cyber threat intelligence; 2, defensible, based on your understanding of the current defenses the SOC has; and 3, gaps, based on your assessment and how you want to structure the recommendations.
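The three-pronged selection from the exercise (overlay the priority groups, keep the low-confidence techniques, keep only those with a data source the SIEM already ingests), worked as an added Python example that is not part of the course material. The coverage levels, the group-to-technique mapping and all data sources except the ones the lesson names for Command and Scripting Interpreter and Exploitation for Client Execution are constructed placeholders; the SOC's ingested sources are the ones stated in the exercise.

```python
from collections import Counter
# Constructed coverage heatmap from the assessment: technique -> confidence of detection.
COVERAGE = {"Command and Scripting Interpreter": "low", "Exploitation for Client Execution": "low",
            "Exploitation for Privilege Escalation": "low", "Brute Force": "low", "Proxy": "low",
            "Exploitation of Remote Services": "low", "Archive Collected Data": "low",
            "Screen Capture": "low", "Exfiltration Over C2 Channel": "low", "System Time Discovery": "some"}
# Constructed CTI overlay (a stand-in for real group profiles): group -> techniques used.
GROUP_TECHNIQUES = {
    "APT32": {"Command and Scripting Interpreter", "Exploitation for Client Execution",
              "Screen Capture", "Exfiltration Over C2 Channel"},
    "OilRig": {"Command and Scripting Interpreter", "Brute Force", "Proxy"},
    "Turla": {"Exploitation for Privilege Escalation", "Exploitation of Remote Services",
              "Archive Collected Data", "System Time Discovery"},
    "APT28": {"Exploitation for Client Execution", "Brute Force"},
}
# Technique -> data sources: the first two entries are what the lesson reads off the ATT&CK
# site; the remaining entries are constructed placeholders for this exercise.
TECHNIQUE_SOURCES = {
    "Command and Scripting Interpreter": {"PowerShell logs", "Process command-line parameters",
                                          "Process monitoring", "Windows event logs"},
    "Exploitation for Client Execution": {"Antivirus", "Process monitoring", "System calls"},
    "Exploitation for Privilege Escalation": {"Windows error reporting", "Process monitoring"},
    "Brute Force": {"Authentication logs"},
    "Exploitation of Remote Services": {"Windows error reporting", "Process monitoring"},
    "Archive Collected Data": {"Process monitoring", "File monitoring"},
    "Screen Capture": {"API monitoring", "Process monitoring"},
    "Proxy": {"SSL/TLS inspection", "Netflow"},
    "Exfiltration Over C2 Channel": {"Netflow", "Packet capture"},
    "System Time Discovery": {"API monitoring"},
}
# What the SOC's SIEM already ingests, as stated in the exercise.
SOC_SOURCES = {"API monitoring", "Authentication logs", "Antivirus", "SSL/TLS inspection",
               "Windows error reporting"}

def overlay_groups(group_techniques):
    """Prong 1: count how many priority groups use each technique (the orange/pink shading)."""
    return Counter(t for techs in group_techniques.values() for t in techs)

def prioritize(coverage, group_techniques, technique_sources, soc_sources, target="low"):
    """Prongs 2 and 3: target-confidence techniques used by a relevant group and detectable today."""
    usage = overlay_groups(group_techniques)
    picks = []
    for tech, confidence in coverage.items():
        if confidence != target or usage[tech] == 0:
            continue  # not a gap at this level, or no relevant threat actor uses it
        matching = technique_sources.get(tech, set()) & soc_sources
        if matching:  # detectable with logs already in the SIEM: a short-term win
            picks.append((tech, usage[tech], sorted(matching)))
    return sorted(picks, key=lambda p: (-p[1], p[0]))  # most-used techniques first
```

With the constructed inputs the function returns the same six techniques the lesson arrives at, and drops Command and Scripting Interpreter, Archive Collected Data and Exfiltration Over C2 Channel for lack of an ingested data source.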