2021-08-23

Building the trust with detections: moving from static to pattern-based detections

Data Hygiene
Security Trends
Share:

As the cybersecurity product space continues to develop, organizations must understand how these product's capabilities can mature their SOC and improve threat detection. MITRE Engenuity evaluations provide an open resource into the capabilities of participating vendors and how their detections fare against the ATT&CK framework. Products are evaluated against known threat groups: Carbanak (2020), FIN7 (2020), APT29 (2019), and APT3 (2018) that are emulated with their Tactics, Techniques, and Procedures (TTPs)  executed in sequence. While MITRE attributes no "scoring" of product efficacy, it is abundantly clear that reliance on industry products such as Managed Detection and Response (MDR) OR Extended Detection and Response (XDR) alone is not sufficient in the detection nor protection space. It is true that most, if not all, products indeed detect those TTP’s. The challenge for an analyst is to prioritize that specific TTP for triage and investigation, ignoring all the other “noisy” alerts coming at them.

The sections the following include:

  • An observational view of the MITRE Engenuity participant results
  • Utilizing pattern-based detection
  • Importance of developing SOC maturity

MITRE Engenuity Observations

The evaluation structure measured participant detection capabilities through various detection types, most notably:

  • None
  • Telemetry
  • General Detection
  • Tactic
  • Specific Behavior
  • Technique

It is important to note that results gathered for the evaluation from participants would involve full detection policies to be enabled. Unfortunately, this provides more of a best-case assessment rather than a real-world test of a product's capabilities. Since when integrating security products into an organization, security controls often have to be modified to accommodate environmental baselines or simply disregarded due to legacy requirements. This is mentioned to help frame participant results since various product capabilities would vary greatly per organization.

Make Telemetry Data Actionable

The most frequent detection type from all participants is telemetry, meaning that while necessary data is being captured, it is not being leveraged. An abundance of valuable detection data for tactics: “Execution (TA0002)”, “Exfiltration (TA0010)”, “Valid Accounts (T1078)”, and others, are not being actively utilized for detection. Telemetry data becomes actionable when it is being used proactively and correlated with various activities together to build context into a particular event, thus an actionable alert. While results such as General Detection, Tactic, Specific Behavior, and Technique would be favored, given that they produce a warning signal, they alone aren’t dependable as they can often be static and not comprehensive enough. There is value in detecting specific IOCs; it is also simple for attackers to change hash values, IP addresses, and domains (reference “The Pyramid of Pain”). The focus of the detection should be on the underlying techniques and how known behaviors can tell a credible threat story when strung together. [caption id="attachment_8765" align="aligncenter" width="800"]

“The Pyramid of Pain”, first introduced in 2013 by security professional David J Bianco when he was focused on incident response and threat hunting for the purpose of improving the applicability of attack indicators.

Pattern-based Detection

Anvilogic’s Detection Automation Platform addresses these issues through a multitude of capabilities that drive the platform. The platform’s Threat Scenario Builder achieves scenario-based detection from combining multiple threat identifiers involving:

  • MITRE ATT&CK Framework
  • Kill Chain Phases
  • Specific Use Cases
  • Specific Data domains like authentication, cloud, endpoint, network, etc

The threat identifiers are paired with time to develop the pattern-based detection approach. This provides value for the abundance of telemetry data an organization generates from raw datasets and supporting MDR/XDR products to leverage these high-value contexts for various threat-driven scenarios. A technique, such as “Process Injection”, alone can be noisy for an organization given legitimate application needs. Over time it can be diluted with excessive tuning and a series of safe listed processes. However, when supplemented with additional threat activity, alert efficacy increases substantially. Customers can create custom threat scenarios and review scenario proposals identified by the Anvilogic platform to help produce high efficacy alerts.

The Threat Scenario builder is not just a step towards high fidelity detection but an approach towards a no-code SOC. Removing the coding layer allows threat analysts to focus on creating high confidence detections through the MITRE ATT&CK framework utilizing threat scenario-based detection that produces high fidelity alerts for their organization’s threat environment (Anvilogic “No-code in the SOC” blog: https://live-anvilogic-2021.pantheonsite.io/blog/no-code-in-the-soc/).

Anvilogic: Threat Scenario Builder

Analytics driving SOC Maturity

Content development and maintenance can be complex for an organization considering the needed research, development, and deployment of an alert can vary amongst organizations. Anvilogic supplies its own growing armory of use cases for detection and threat scenarios. While the platform also embraces the available customer analytics data to help mature the client’s organization by offering recommendations on warning signals (monitored threat events that are not firing on glass) through measured insights. Customers can identify what rules can be enabled in their environments for alerting based on how many alerts were generated over a period of time to understand the volume and confidence of the activity before it reaches production. Customers reviewing recommendations can also leverage Anvilogic’s community data to understand if other organizations in their industry have enabled an alert given shared threat vectors. This shared information can help establish an understanding of industry maturity on SOC operations and fosters richer community-driven collaboration.

Anvilogic strives to help organizations mature their SOC by providing guidelines focused on foundational pillars: Feed, Detection, and Productivity to provide a maturity score that seeks to drive positive change by prioritizing tasks that will improve their security posture.

This approach to collaborative alerting, threat detection through a no-code approach, and SOC maturity tracking helps separate Anvilogic from other security products. Our platform offers a comprehensive detection system with a focus on improving the foundations of an organization’s SOC so time can be focused on threat adversaries.

Making the Difference

At Anvilogic we are a team of former SOC practitioners who came together from a diverse background of security through Anvilogic because we are passionate about building a product for the SOC we wish we had. As the advancement of threats emphasizes the need for organizations and security products to meet and exceed the rapidly growing skills of the attackers, our team is committed to the continuous development of high confidence detection techniques and looking for ways to improve the product platform. We are a team dedicated to enabling our customers to mature their SOC, advance their detection capabilities, and strengthen the overall business.  

About Us

Anvilogic Threat Research and Detection Development team examines the cyber threat landscape to identify and observe adversarial trends that impact cybersecurity. The intelligence gathered is leveraged in the Anvilogic platform to predict threat scenarios that drive content development and advance threat detections. The Threat Research team with Anvilogic is committed to innovating cybersecurity for SOCs to proactively identify threats and ensure a safer environment for organizations to operate.

Resources

AttackIQ - “Pyramid of Pain”: https://attackiq.com/2019/06/26/emulating-attacker-activities-and-the-pyramid-of-pain/

Anvilogic “No-code in the SOC” blog: https://live-anvilogic-2021.pantheonsite.io/blog/no-code-in-the-soc/MITRE

Engenuity: https://attackevals.mitre-engenuity.org/enterprise/participants/

Chat with our team to receive a free maturity assessment

Get in Touch

Ready to learn more about Anvilogic?

Kickstart your security operations

Anvilogic provided the necessary threat detection automation for our small SOC, adding a significant force-multiplier advantage for my team.