Working with Data Sources Part 2

Time: 3 hours 16 minutes
Difficulty: Intermediate
CEU/CPE: 2
Video Transcription
>> Welcome to Lesson 3, Module 2 within the ATT&CK-based SOC Assessments training course. In this lesson, we're going to close out the previous lesson by providing a couple of walkthrough examples of how to analyze different data source strategies, to determine what potential ATT&CK coverage they might have.

To kick off this lesson, we're going to start with the following exercise. We're giving you an informal, free-form paragraph describing a SOC that's deploying a defensive strategy, and your task is to try to figure out what data sources this SOC might be keying off of. Feel free to pause the video, get out a piece of paper and a pen, and try to think about what data sources this SOC might be looking at. When you come back and unpause the video, we'll walk through how we look at this and what data sources we think the SOC might be able to pick up on.

We're now going to walk through our solution, and this is going to follow a similar process as the walkthrough example in Lesson 2.2. We're basically going to take each sentence in the strategy and decompose it, look at those sentences, and figure out what data sources they might be keying off of.

To kick it off, the first sentence is that the SOC is implementing a multi-tiered defensive architecture. They're going to have DMZs galore, and this is interesting, but from an attack perspective, there's no real relevant information there.

The next statement is short and simple: anti-virus on each endpoint. This one's pretty clear. It says it right there: antivirus, that's the ATT&CK data source, and so we can immediately add that one to the list. Now, there is, of course, some nuance between whether or not they're deploying antivirus, or whether or not they're collecting logs from their antivirus. But for this very informal example, we're going to give the SOC the benefit of the doubt, and assume that they are indeed collecting those logs as well.

This next sentence is pretty interesting: a perimeter firewall that's guaranteed to block zero-days, a web proxy to do deep packet SSL inspection, and a next-gen detonation chamber that we'll throw everything into. There's a lot to unpack there, and when you get to it, there are two big things that stick out: SSL/TLS inspection and then detonation chamber.

Want to bypass our firewall and email us? No way. We're deploying the latest email gateway protection software. This one's a little bit less common from a data source perspective, but if you go through it, you'll see email gateway is a pretty good ATT&CK data source.

This is a fun one. One of our engineers is even going to Dockerize PowerShell to prevent crypto mining. That's a very fun statement. [LAUGHTER] PowerShell, certainly, is relevant from an attack perspective, but from a data source strategy perspective, there's nothing really relevant to key off of there.

Don't forget our SIEM platform. We're forwarding logs from all of our defenses, as well as every single packet, yeah, all of them, into our SIEM. Our analytics are top-notch. There's no way anyone is getting in here. There's a lot in this statement; of course, it's got a little bit of flavor to it. But really the key thing is that they're forwarding all of the packets, which says to us, hey, that's probably going to tie into packet capture. Then the last one: our analytics are top-notch, there's no way anyone is getting in here. This one is, of course, great. It's good to have analytics, but from a data source perspective, we're not really looking at the analytics side yet.

Now, having identified these five data sources, what we can do is put them together and come up with the following heatmap, showing all the different techniques that this SOC might be able to detect. Here you can see it's a little bit of coverage throughout the framework, mainly just strong under command and control, and maybe a little bit of strength under exfiltration.

Now, we're going to move on to the next exercise. This one is a little bit shorter. It's a little bit maybe more direct. The same thing as before: feel free to pause the video, see what you think, and then when you come back, we'll walk through how we look at this strategy.

Welcome back. We're now going to walk through it. Again, it's going to be the same process as before. We'll start out with the first statement. We're going to be looking at all the standard stuff: net flows, packet capture, intel feeds, you name it. This is a good statement, and right away you can see netflow/enclave netflow and packet capture; those stick out. What's interesting is that we'd really like to see what the other standard stuff is, just because they're doing an "etc." here by saying "you name it." There could be more there, but just from this statement, we can really only get those two.

Our big value add is our endpoint and SIEM deployment. This is a good thing to have, great to have endpoint monitoring, great to have SIEM deployment, but there are no real data sources highlighted there.

Each endpoint is going to be running Sysmon, pulling in event IDs 4688, 4657, 4732, and 5142. This is a great statement. It's a little confusing just because they do reference Sysmon as well as Windows event IDs. Of course, there's different numbering there, but we can give them the benefit of the doubt, and what we can do is say, okay, these are looking at Windows event logs, just because we noticed the event log numbers there, and then when you look up those four event logs, you can find that they match to process monitoring and Windows registry.

Then lastly, in case we are breached, we'll also have some disk forensics capabilities, and we've got a crack reverse engineering team to handle any of that tough APT malware. This is perhaps the most flavorful statement of this strategy. When you look through it, you'll find that really two things stick out. Disk forensics actually maps to an ATT&CK data source, and then malware reverse engineering is another potential one.

What's cool is that these data sources now map to much more coverage. Now, of course, the SOC isn't necessarily going to detect all of these techniques, but these are the ones that might be visible given what they're pulling in. I'd add that a big part of this heatmap is really the process monitoring that they're doing. Just because they're ingesting all those different process events, they have the potential to detect a lot, but of course, there's always nuance in what they will detect, in that it's really the analytics that they deploy that pick up on the anomalous process events.

Just to close out this lesson, one primary summary and takeaway: analyzing data source strategies can provide insight into SOC coverage. That's really the main lesson learned here. We're closing out the previous lesson as well. The big thing to take away is that even just a paragraph of an informal description of what the SOC is doing can be enough to help you understand what potential coverage the SOC might have.