Knowing your Enemy: Situational Awareness in Cyber Defenses

Most homeowners know that a lock is a good idea as a basic defense against invaders, and leaving the front door unlocked is simply unwise. Unfortunately, when it comes to creating a strong cyber defense it’s not that simple. Attackers have been evolving their intrusion techniques over decades, focused on one goal, relentlessly probing for weaknesses to enter your domain. As such, cyber defenders must perform regular research to ‘know their enemy’ and deploy defenses to protect their enterprise.

Let’s make our task a bit easier by breaking cyber threats into “situations.” Doing so provides a focused approach to understanding attacks and defending against them. This article will discuss different approaches in situational awareness methods to understand specific threat groups and defend against their known attack methods.

To start, let’s break the topic of Situational Awareness - or just SA - into 3 parts: Research, Awareness, and Evolve.

Part 1: Research: Who wants my stuff?

The process of researching your adversaries can start with a few basic questions:

• Who would want to attack my organization?
• What techniques will they use to attack me?
• What defenses can I put in place to prevent their attacks?

There are innumerable resources for researching these questions, but a very popular starting point is att&ck.MITRE.org. Additionally, this site offers a very comprehensive walkthrough for performing MITRE for situational awareness research, but there’s an even simpler approach:

MITRE Att&ck Threat Research Example

Image 1: attack.MITRE.org Cyber Threat Intelligence Menu

 Image 2: The Attack Group Description field contains a list of industries that the group is focused on.

3. Drill into the name column and review the techniques used for each attacker group. From there if you drill into each technique there will be ‘mitigations’ which recommend methods to defend against each specific technique.

4. A less precise but much faster way to get a list of mitigations is to use ChatGPT by simply asking for a table, e.g.:

“List the techniques associated with admin@338 and the recommended mitigations. Output in table format”

Image 3: Using ChatGPT to speed up MITRE ATT&CK Research

Using NIST for Threat Research

NIST is another great resource to find examples of:

• Up-to-date notifications of attacker activity
• All updates are described in terms of MITRE Att&ck tactics and techniques
• A description of the full attack kill chain is often provided.

Here’s a simple approach to using the NIST resource:

1. Go to Cybersecurity Alerts & Advisories | CISA and find a notification of interest.

2. Copy the entire body of the notification and paste it into ChatGPT with a prompt like:

“Read the details below and recommend security detections that can be used to detect this exploit. Describe the kill chain path in terms of: recon, compromise, lateral movement, escalate, persistence, C&C, and exfiltration. Include detections that can be used for each step in the kill chain. Then output in table format.”

Here’s the output for a recent NIST notification:


Copy json into the STIX Viewer. Use 'Legend' menu to filter: STIX Viewer (oasis-open.github.io)

Part 2: Awareness: How Can I Detect Threat Actors?

MITRE and the NIST research sites provide recommendations on how to defend against adversarial techniques, and here’s a short methodology on how to put this information into good practice:

• Tools: understand the detection methods your attackers use as recommended in the MITRE and NIST research shown above. Spend time implementing the appropriate security tools and testing your detections using attack simulations and Red Team engagements.
  
  
• Reports: visualize your log analytics with dashboards and reports. A good graph can sometimes help you see anomalies that the most expensive security tools can’t. Dashboards are especially useful for situational awareness tracking of traffic coming from a location well known by country (e.g. North Korea, Russia) or a threat intelligence list of bad IP addresses.
  
  
• Automations: use SOAR-type tools to automate well-understood SOC workflows. For example, Microsoft provides an “AIR” feature (Automated Investigation and Response) with their Defender EDR solution. This can reduce the amount of effort needed by the SOC to keep up with the volume of alerts being processed.

Part 3: Evolve: How Do I Keep Up With the Joneses, I Mean Attackers?

Keeping ahead of your attackers will be a life-long challenge. Having a mature SOC workflow is the best way to solve this task. Some relevant topics from a SOC workflow include:

• Process & Procedures — Performing regular threat intel research is an example of a process that should be given a timeslot and performed daily.
  
  
• Red Teams — Budget for Red Team events to get an outside perspective on the strength of your security defenses.
  
  
• Updates to Current Defenses — Updating software, improving SIEM correlations, and adding new reporting and dashboards – are all good examples of updating current defenses. Perform these tasks weekly or monthly as needed.
  
  
• Attack Simulations—This could be part of a Red Team, but attack simulations should be performed more often – as a method of validating your security defenses.

Summary

It’s not necessary to fear your enemy if you understand their motives and you’re prepared to defend your domain if they choose to attack. Effective research, a good strategy and well-placed defenses will provide a proactive solution that allows you to maintain control and mitigate potential threats.

References

• Know your enemy
• Gaps and Opportunities in SA
• Best Practices for Mapping to MITRE ATT&CK (cisa.gov)
• STIX Viewer (oasis-open.github.io) - this can be used with the NIST notifications!

About This Blog Series

Follow the full series here: Building Defenses with Modern Security Solutions

This series discusses a list of key cybersecurity defense topics. The full collection of posts and labs can be used as an educational tool for implementing cybersecurity defenses.

Labs

For quick walkthrough labs on the topics in this blog series, check out the story of “ZPM Incorporated” and their steps to implementing all the solutions discussed here.

Compliance

All topics mentioned in this series have been mapped to several compliance controls here.

David Broggy, Trustwave’s Senior Solutions Architect, Implementation Services, was selected last year for Microsoft's Most Valuable Professional (MVP) Award.