
Knowing your Enemy: Situational Awareness in Cyber Defenses

Most homeowners know that a lock is a good idea as a basic defense against invaders, and leaving the front door unlocked is simply unwise.

Unfortunately, when it comes to building a strong cyber defense, it’s not that simple. Attackers have spent decades evolving their intrusion techniques, focused on one goal and relentlessly probing for weaknesses that let them into your domain. As such, cyber defenders must perform regular research to ‘know their enemy’ and deploy defenses that protect their enterprise.

Let’s make our task a bit easier by breaking cyber threats into “situations.” Doing so provides a focused approach to understanding attacks and defending against them. This article discusses different situational awareness methods for understanding specific threat groups and defending against their known attack methods.

To start, let’s break the topic of Situational Awareness - or just SA - into 3 parts: Research, Awareness, and Evolve.


Part 1: Research: Who wants my stuff?

The process of researching your adversaries can start with a few basic questions:

  • Who would want to attack my organization?
  • What techniques will they use to attack me?
  • What defenses can I put in place to prevent their attacks?

There are innumerable resources for researching these questions, but a very popular starting point is attack.mitre.org. The site also offers a very comprehensive walkthrough for using MITRE ATT&CK in situational awareness research, but there’s an even simpler approach:

MITRE ATT&CK Threat Research Example

1. Go to https://attack.mitre.org/groups. Choose one of the CTI (cyber threat intelligence) categories; for this example, choose the ‘Groups’ menu. This brings you to the ‘Overview’ tab, which lists all the attack groups by their Gnnnn identifier and their group name.

Image 1: attack.mitre.org Cyber Threat Intelligence Menu

2. Read the Description for each group – it usually provides a list of the industries that the attack group is focused on. Start with a list of groups that match your industry.

Image 2: The Attack Group Description field contains a list of industries that the group is focused on.

3. Drill into the Name column and review the techniques used by each attacker group. From there, drilling into each technique shows its ‘mitigations’, which recommend methods to defend against that specific technique.

4. A less precise but much faster way to get a list of mitigations is to use ChatGPT by simply asking for a table, e.g.:

“List the techniques associated with admin@338 and the recommended mitigations. Output in table format”

Image 3: Using ChatGPT to speed up MITRE ATT&CK Research
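Steps 1 to 3 above can be scripted against the STIX bundle MITRE publishes for ATT&CK (enterprise-attack.json), walking group → techniques used → mitigations. The example below is added here and is not Trustwave’s code; SAMPLE_BUNDLE is a constructed stand-in with the same object shapes so it runs offline, with G9999 a placeholder group ID and the T/M identifiers real ATT&CK IDs.

```python
# Added example, not Trustwave's code: group -> techniques -> mitigations from an
# ATT&CK STIX bundle. SAMPLE_BUNDLE is a constructed stand-in for enterprise-attack.json.
import json

def obj(kind, ident, name, ext_id, **extra):
    """One STIX domain object in the shape ATT&CK publishes (constructed helper)."""
    return {"type": kind, "id": f"{kind}--{ident}", "name": name, **extra,
            "external_references": [{"source_name": "mitre-attack", "external_id": ext_id}]}
def rel(kind, src, dst):
    return {"type": "relationship", "relationship_type": kind, "source_ref": src, "target_ref": dst}

# G9999 is a placeholder group; the T/M identifiers are real ATT&CK IDs. t3 is revoked.
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "objects": [
    obj("intrusion-set", "g1", "Example Group", "G9999",
        description="Targets retail and financial services organizations."),
    obj("attack-pattern", "t1", "Phishing", "T1566"),
    obj("attack-pattern", "t2", "Valid Accounts", "T1078"),
    obj("attack-pattern", "t3", "Old Technique", "T9999", revoked=True),
    obj("course-of-action", "m1", "User Training", "M1017"),
    obj("course-of-action", "m2", "Multi-factor Authentication", "M1032"),
    rel("uses", "intrusion-set--g1", "attack-pattern--t1"),
    rel("uses", "intrusion-set--g1", "attack-pattern--t2"),
    rel("uses", "intrusion-set--g1", "attack-pattern--t3"),
    rel("mitigates", "course-of-action--m1", "attack-pattern--t1"),
    rel("mitigates", "course-of-action--m2", "attack-pattern--t1"),
    rel("mitigates", "course-of-action--m2", "attack-pattern--t2"),
]})

def attack_id(o):
    """The Gnnnn/Tnnnn/Mnnnn identifier of a STIX object, or '' if absent."""
    return next((r["external_id"] for r in o.get("external_references", [])
                 if r.get("source_name") == "mitre-attack"), "")

def mitigations_for_group(bundle_json, group_id, industry=None):
    """{technique_id: (name, [mitigation_ids])} for one group, or {} if the group is
    absent or `industry` is not in its description (step 2). Revoked objects are skipped."""
    objects = json.loads(bundle_json)["objects"]
    live = {o["id"]: o for o in objects if o["type"] != "relationship" and not o.get("revoked")}
    rels = [o for o in objects if o["type"] == "relationship"]
    group = next((o for o in live.values() if attack_id(o) == group_id), None)
    if group is None or (industry and industry.lower() not in group.get("description", "").lower()):
        return {}
    used = {r["target_ref"] for r in rels if r["relationship_type"] == "uses"
            and r["source_ref"] == group["id"] and r["target_ref"] in live}
    mitig = {t: [] for t in used}
    for r in rels:
        if r["relationship_type"] == "mitigates" and r["target_ref"] in used and r["source_ref"] in live:
            mitig[r["target_ref"]].append(attack_id(live[r["source_ref"]]))
    return {attack_id(live[t]): (live[t]["name"], sorted(m)) for t, m in mitig.items()}

if __name__ == "__main__":  # the technique/mitigation table steps 3-4 describe
    print(json.dumps(mitigations_for_group(SAMPLE_BUNDLE, "G9999", "retail"), indent=1))
```

Real ATT&CK bundles keep revoked and deprecated objects alongside current ones, so a walk that does not filter them will list techniques the group is no longer credited with.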

Using NIST for Threat Research

NIST is another great resource, providing:

  • Up-to-date notifications of attacker activity
  • Updates described in terms of MITRE ATT&CK tactics and techniques
  • Often, a description of the full attack kill chain

Here’s a simple approach to using the NIST resource:

1. Go to Cybersecurity Alerts & Advisories | CISA and find a notification of interest.

2. Copy the entire body of the notification and paste it into ChatGPT with a prompt like:

“Read the details below and recommend security detections that can be used to detect this exploit. Describe the kill chain path in terms of: recon, compromise, lateral movement, escalate, persistence, C&C, and exfiltration. Include detections that can be used for each step in the kill chain. Then output in table format.”

Here’s the output for a recent NIST notification:

Image: Output for a recent NIST notification

Copy the JSON into the STIX Viewer (oasis-open.github.io) and use the ‘Legend’ menu to filter.

Part 2: Awareness: How Can I Detect Threat Actors?

The MITRE and NIST research sites provide recommendations on how to defend against adversarial techniques, and here’s a short methodology for putting this information into practice:

  • Tools: understand the techniques your attackers use and the detections recommended against them in the MITRE and NIST research shown above. Spend time implementing the appropriate security tools and testing your detections using attack simulations and Red Team engagements.

  • Reports: visualize your log analytics with dashboards and reports. A good graph can sometimes reveal anomalies that the most expensive security tools can’t. Dashboards are especially useful for situational awareness tracking of traffic coming from locations well known by country (e.g., North Korea, Russia) or from a threat intelligence list of bad IP addresses.

  • Automations: use SOAR-type tools to automate well-understood SOC workflows. For example, Microsoft provides an “AIR” feature (Automated Investigation and Response) with its Defender EDR solution. This can reduce the effort the SOC needs to keep up with the volume of alerts being processed.


Part 3: Evolve: How Do I Keep Up With the Joneses, I Mean Attackers?

Keeping ahead of your attackers will be a life-long challenge. Having a mature SOC workflow is the best way to meet it. Some relevant topics from a SOC workflow include:

  • Process & Procedures: performing regular threat intel research is an example of a process that should be given a timeslot and performed daily.

  • Red Teams: budget for Red Team events to get an outside perspective on the strength of your security defenses.

  • Updates to Current Defenses: updating software, improving SIEM correlations, and adding new reporting and dashboards are all good examples of updating current defenses. Perform these tasks weekly or monthly as needed.

  • Attack Simulations: this could be part of a Red Team, but attack simulations should be performed more often, as a method of validating your security defenses.


Summary

It’s not necessary to fear your enemy if you understand their motives and you’re prepared to defend your domain if they choose to attack. Effective research, a good strategy and well-placed defenses will provide a proactive solution that allows you to maintain control and mitigate potential threats.


About This Blog Series

Follow the full series here: Building Defenses with Modern Security Solutions

This series discusses a list of key cybersecurity defense topics. The full collection of posts and labs can be used as an educational tool for implementing cybersecurity defenses.


Labs

For quick walkthrough labs on the topics in this blog series, check out the story of “ZPM Incorporated” and their steps to implementing all the solutions discussed here.


Compliance

All topics mentioned in this series have been mapped to several compliance controls here.

About the Author

David Broggy is Senior Solutions Architect, Implementation Services at Trustwave with over 21 years of experience. He holds multiple security certifications and won Microsoft's Most Valuable Professional (MVP) Award for Azure Security. Follow David on LinkedIn.
