Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More
Get access to immediate incident response assistance.
Get access to immediate incident response assistance.
Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More
Most homeowners know that a lock is a good idea as a basic defense against invaders, and leaving the front door unlocked is simply unwise.
Unfortunately, when it comes to creating a strong cyber defense it’s not that simple. Attackers have been evolving their intrusion techniques over decades, focused on one goal, relentlessly probing for weaknesses to enter your domain. As such, cyber defenders must perform regular research to ‘know their enemy’ and deploy defenses to protect their enterprise.
Let’s make our task a bit easier by breaking cyber threats into “situations.” Doing so provides a focused approach to understanding attacks and defending against them. This article will discuss different approaches in situational awareness methods to understand specific threat groups and defend against their known attack methods.
To start, let’s break the topic of Situational Awareness - or just SA - into 3 parts: Research, Awareness, and Evolve.
The process of researching your adversaries can start with a few basic questions:
There are innumerable resources for researching these questions, but a very popular starting point is att&ck.MITRE.org. Additionally, this site offers a very comprehensive walkthrough for performing MITRE for situational awareness research, but there’s an even simpler approach:
MITRE Att&ck Threat Research Example
1. Go to https://att&ck.MITRE.org/groups. Choose one of the CTI (cyber threat intelligence) categories. For this example, choose the ‘Groups’ menu. This will bring you to the ‘Overview’ tab which lists all the attack groups by their Gnnnn Identifier and their Group Name.
Image 1: attack.MITRE.org Cyber Threat Intelligence Menu
Image 2: The Attack Group Description field contains a list of industries that the group is focused on.
3. Drill into the name column and review the techniques used for each attacker group. From there if you drill into each technique there will be ‘mitigations’ which recommend methods to defend against each specific technique.
4. A less precise but much faster way to get a list of mitigations is to use ChatGPT by simply asking for a table, e.g.:
“List the techniques associated with admin@338 and the recommended mitigations. Output in table format”
Image 3: Using ChatGPT to speed up MITRE ATT&CK Research
Using NIST for Threat Research
NIST is another great resource to find examples of:
Here’s a simple approach to using the NIST resource:
1. Go to Cybersecurity Alerts & Advisories | CISA and find a notification of interest.
2. Copy the entire body of the notification and paste it into ChatGPT with a prompt like:
“Read the details below and recommend security detections that can be used to detect this exploit. Describe the kill chain path in terms of: recon, compromise, lateral movement, escalate, persistence, C&C, and exfiltration. Include detections that can be used for each step in the kill chain. Then output in table format.”
Here’s the output for a recent NIST notification:
Copy json into the STIX Viewer. Use 'Legend' menu to filter: STIX Viewer (oasis-open.github.io)
MITRE and the NIST research sites provide recommendations on how to defend against adversarial techniques, and here’s a short methodology on how to put this information into good practice:
Keeping ahead of your attackers will be a life-long challenge. Having a mature SOC workflow is the best way to solve this task. Some relevant topics from a SOC workflow include:
It’s not necessary to fear your enemy if you understand their motives and you’re prepared to defend your domain if they choose to attack. Effective research, a good strategy and well-placed defenses will provide a proactive solution that allows you to maintain control and mitigate potential threats.
References
About This Blog Series
Follow the full series here: Building Defenses with Modern Security Solutions
This series discusses a list of key cybersecurity defense topics. The full collection of posts and labs can be used as an educational tool for implementing cybersecurity defenses.
Labs
For quick walkthrough labs on the topics in this blog series, check out the story of “ZPM Incorporated” and their steps to implementing all the solutions discussed here.
Compliance
All topics mentioned in this series have been mapped to several compliance controls here.
David Broggy is Senior Solutions Architect, Implementation Services at Trustwave with over 21 years of experience. He holds multiple security certifications and won Microsoft's Most Valuable Professional (MVP) Award for Azure Security. Follow David on LinkedIn.
Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.
Copyright © 2024 Trustwave Holdings, Inc. All rights reserved.