Breaking down a successful cyber attack into its simplest form; Hackers use computers as they were designed which involves performing hundreds of millions of operations per second based on dark but creative instructions. Ok, so somewhere on the internet there must be a disgruntled Microsoft employee, right?
Armed with an idea, like targeting disgruntled employees, hackers are able to use a combination of training videos, open-source tools and high-speed Internet to harvest a user name and an entry point into the target network, by scraping the Internet for the desired human behavior in text form. Asking the average computer to scan an entire website for a particular model can be done in minutes on any device, including a smartphone with one line of code, like this: Cewl – e-email_file emaillist.txt https://yourcompanieswebsite. com/.
A web forum where someone uses capital letters or follows sentences with more than one exclamation mark? Unhappy user identified! The username found on a forum can allow a threat actor to pivot to other threat vectors such as email addresses, Facebook or LinkedIn accounts. We all use similar usernames on web services, right? Additional behaviors about the target can be profiled by the threat actor inducing darker but creative potential exploits that focus on harvesting more potential entry points. Then befriend that user across multiple platforms and learn more about them and how they communicate with their peers. Private message them for the necessary credentials so as not to arouse suspicion. Target network access reached.
Human vulnerabilities can be turned into real vulnerabilities, and we all know that humans are an unpredictable species, which is why the attack surface of the human psyche is limitless.
This is how Cyber threat actors continue to demonstrate that they can execute successful cyber attacks seemingly anywhere, including attacks against large organizations, such as Microsoft, that operate the most advanced cybersecurity defense systems.
Cybersecurity artifacts – Artifacts are traces left behind.
When looking at the details of new cyber threats from afar, the most important question to ask is how did analysts obtain this artifact? Action movie fans like me imagine a tactical situation where a “high-speed” SWAT team enters the pirates’ location from the roof using ropes and helicopters before smashing windows and to stop the hacker. During an intense interrogation, the hacker ends up revealing his secrets and showing the agents the source code. All vulnerabilities are fixed this way, right? Kidding aside, the response is much less action-packed.
The most basic networks, including home networks, are littered with millions of artifacts or small digital footprints found inside every device. Analysts gain attack details by logging into devices, extracting artifacts, and eventually solve the puzzle by recreating history by correlating artifacts from different devices.
Cyber Security Compliance
In my experience, artifact collection is driven by cybersecurity compliance. Cybersecurity compliance involves adhering to various controls typically enacted by a regulatory authority, law, or industry group to protect the confidentiality, integrity, and availability of data. The number of controls to meet varies by industry, and the number of controls increases depending on the sensitivity of the data they intend to protect.
Enforcement of asset identification and subsequent storage of asset artifacts in the form of system and event logs are common controls penetrating compliance standards in many industries.
The two control requirements work together by requiring organizations, through the process, to identify and document all of their assets, and then ensuring that asset artifacts are recorded in an information event management system. security, or (SIEM) for short. Yes, even that dusty old network printer that no one uses has to send its device logs to SIEM.
In short, the goal of Combined Controls is to push organizations to collect and store as many artifacts from as many devices as possible so that in the event of an incident, analysts have the best chance of identify the breach.
Incident response and behavior modeling
Incident Response (IR) is a set of information security policies and procedures that identify, contain, and eliminate cyberattacks. A good IR plan typically includes notifying authorities when a new incident is suspected. Organizations like the Federal Bureau of Investigations (FBI) send in forensic analysts who immediately gain access to an organization’s SIEM dataset and begin to identify artifacts of interest. Interesting artifacts are buried alongside billions of ordinary artifacts, but include firewall connection logs, application-connected IP addresses, extended detection and response (EDR) events, and user account activity. users.
The combination of interesting artifacts from each device ultimately leads analysts to identify Indicators of Compromise (IoCs). Flash number: CU-000163-MW RagnarLocker Ransomware Indicators of Compromise is a recent example of the work of analysts in the field.
IoCs mined from the field are digitally shared with a multinational community of Cyber Warriors. Sharing includes documenting behavioral patterns of new attacks in knowledge bases such as TAB AT&CT then create and upload a STIX 2.0 statement to the community which can be downloaded and used by defense cybersecurity platforms.
Choose a cybersecurity platform that will maximize your investment for years to come
A platform that will perform best and provide the most value for years to come will act like a virtual field analyst working at the speed of a computer analyzing streams of device artifacts. It will ingest artifacts from applications, network devices, and cloud sources from any location into its own SIEM dataset, effectively centralizing intelligence within an open architecture. It will work alongside existing and new security layers, not in place of them. Like an analyst, he will correlate artifacts from perimeter security infrastructure and other security telemetry. It will be up-to-date with the latest threat intelligence data by regularly retrieving STIX 2.0 statements and will analyze every artifact entering the system for a detail that correlates to something bad. The platform should push its SIEM dataset through an integrated machine learning system so that known behaviors of the technology environment can be understood. Artificial intelligence (AI), a tool that most threat actors cannot use, should be used to identify and report suspicious or abnormal behavior. AI should create stories referencing industry standards such as ATT&CK Miter Frame to present to human analysts, when a series of malicious actions are identified in the network. Like AI is getting better it will just be pushed as a future system update.
The end result should be a platform that can consistently identify all dark creative exploits launched by threat actors. A creative dark feat like; Find accounts of disgruntled employees logging into the network for the first time, outside of their normal business hours from another continent and from an IP address currently flagged by an intelligence agency.
Platform classification as described is generally referred to as Extended Detection & Response (xDR) and should not be confused with Endpoint Detection and Response (EDR). Aside from the confusing naming convention, more due diligence around platform log retention period is required when an xDR platform is identified. Most xDR platforms have a non-compliant artifact retention period around their built-in SIEM datasets. The shortened period is due to the fact that there are performance issues with ML and AI when asked to look beyond 3 months of data, so many platforms analyze data from artifact well within regulatory data retention periods. So while these xDR platforms are affordable, a traditional SIEM solution would also need to be implemented to meet regulatory data retention periods. Fortunately, some xDR vendors can extend the log retention period up to 7 years and thus become truly complete next-gen solutions.