As we work with our enterprise customers to help them develop new detection content and improve existing content for post-breach detection activity, we are observing a few common patterns driving the development of new detection content in the SOC.
I have a well-developed security program. Do I need detection content in the SOC?
Most enterprises have an anti-malware detection program spanning email, endpoint, and, in some cases, network. Most attacks targeting endpoints are delivered over email, and therefore the Secure Email Gateway (SEG) gets the first crack at detection. SEGs use a mix of static signature-based analysis and dynamic analysis using sandboxes. Next up is the endpoint protection platform (EPP), which can observe the behavior of the payload and do a more detailed analysis, and has multiple cracks at the payload as it moves through its kill chain cycle. Finally, network security has another crack at detecting malicious traffic, including Command and Control. This set of technologies works really well to block a significant volume of incoming attacks, particularly the known attacks.
But attacks get through - we all know that. Why? For a number of reasons:
- Prevention products are very sensitive to false positives and therefore may let marginally suspicious behavior through;
- There is a lag between when an exploit is delivered and when it is known, and a detection is developed and rolled out by the security product vendors;
- A new generation of malware that uses Living off the Land (LotL) techniques tends to appear similar to legitimate software, resulting in potentially higher false positives if the product is aggressive or false negatives if it is not;
- Supply chain attacks, where a trusted vendor of yours is compromised and the safe-listed executable acts maliciously.
The SOC As The Last Layer Of Defense
The purpose of the SOC is to catch the attacks that get through these layers of protection and become breaches. How are SOCs prioritizing their efforts towards detecting breach activity? These are the drivers we have observed amongst our customers for developing detection use cases in the SOC.
Detection Use Cases Identified by Red Teams
Mature SOCs have red teams that are constantly testing their protections and trying to break through them. Red teams are often a very specific and precise source for identifying which behaviors are getting through the layers of protection. Often the TTPs are described in terms of the MITRE ATT&CK framework, along with the specific procedures (the P in TTP) that got through. The SOC in turn will perform threat hunting tasks to verify whether an actual adversary got through using these procedures, and develop detection content based on the log sources collected in their SIEM. Making sure you have the right program in place for collecting, parsing and normalizing logs is critical (see: https://anvilogic.blogspot.com/2020/03/getting-back-to-basics.html). Further, collaboration between the red team/threat item and content team is critical for this purpose, as described here: https://anvilogic.blogspot.com/2020/02/patterns-of-collaboration-in-enterprise.html
Detection of Newly Emerging Exploits and Adversaries
Another source of SOC detection use cases is threat research that indicates new adversary tactics targeting that industry vertical, geography or the specific company. Often security product vendors have a lag while they identify the exploit, develop a detection, verify it for FPs and FNs, and roll out the detection in their products. Mature SOCs choose to be proactive and roll out the detection content for these newly emerging exploits in their SOCs using the log feeds they are collecting in their SIEM. We have helped our customer SOCs rapidly develop detections for targeted attacks involving anti-phishing and business email compromise (BEC) exploits.
Detection of Malicious Usage of Existing System Tools For LotL attacks
A third set of use cases is around technologies and behaviors that are known to be used by adversaries, but also by legitimate software. For example, in recent years we have frequently observed file-less attacks using existing system tools running on endpoints such as WMI, VBScript and PowerShell. Endpoint protection products struggle to distinguish between legitimate use and malicious exploits that use these technologies. Therefore SOCs develop and deploy detection content for malicious behaviors that use these Living off the Land techniques. For example, detection content for suspicious PowerShell behaviors is a common category of use cases that SOCs deploy. These detections also have the problem of being noisy; mature SOCs are finding ways to generate high fidelity detections by combining an array of these low fidelity detections in specific sequences.
Are there other drivers in your SOC for creating detection content for post-breach activity? We would like to know!
At Anvilogic, we are helping SOCs develop content for all of the above use cases using our SOC Content Platform (https://anvilogic.blogspot.com/2020/04/the-future-state-of-siems-part-1-what.html). Let us know if we can help you.
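The sequencing idea described above for Living off the Land detections, sketched as an added example (not code from the original post or from Anvilogic's platform): individually noisy PowerShell signals only raise a high fidelity alert when they occur in a set order on one host within a time window. The signal names, host names, the 10-minute window and the sample alerts are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample of low-fidelity detections (not real telemetry).
# Fields: ISO timestamp, host, signal. Hosts and signal names are hypothetical.
ALERTS = [
    ("2020-04-01T09:00:05", "ws-014", "office_spawns_powershell"),
    ("2020-04-01T09:00:40", "ws-014", "powershell_encoded_command"),
    ("2020-04-01T09:02:10", "ws-014", "powershell_outbound_connection"),
    ("2020-04-01T09:05:00", "ws-022", "powershell_encoded_command"),      # lone signal
    ("2020-04-01T10:00:00", "ws-031", "powershell_outbound_connection"),  # wrong order
    ("2020-04-01T10:01:00", "ws-031", "office_spawns_powershell"),
    ("2020-04-01T11:00:00", "ws-040", "office_spawns_powershell"),
    ("2020-04-01T11:30:00", "ws-040", "powershell_encoded_command"),      # outside window
    ("2020-04-01T11:31:00", "ws-040", "powershell_outbound_connection"),
]

# Assumed rule: these three signals, in this order, on one host within 10 minutes.
SEQUENCE = ["office_spawns_powershell", "powershell_encoded_command",
            "powershell_outbound_connection"]
WINDOW = timedelta(minutes=10)


def correlate(alerts, sequence=SEQUENCE, window=WINDOW):
    """Return [(host, first_ts, last_ts)] where `sequence` completes in order within `window`."""
    hits, state = [], {}
    for ts, host, signal in sorted(alerts):
        now = datetime.fromisoformat(ts)
        # starts[i] = latest start time of a partial match covering sequence[:i+1]
        starts = state.setdefault(host, [None] * len(sequence))
        # Walk stages high to low so one event cannot advance two stages.
        for i in reversed(range(len(sequence))):
            if sequence[i] != signal:
                continue
            if i == 0:
                starts[0] = now
            elif starts[i - 1] is not None and now - starts[i - 1] <= window:
                starts[i] = starts[i - 1]
        if starts[-1] is not None:
            hits.append((host, starts[-1].isoformat(), now.isoformat()))
            state[host] = [None] * len(sequence)  # reset after firing
    return hits


if __name__ == "__main__":
    for host, first, last in correlate(ALERTS):
        print(f"HIGH-FIDELITY: {host} completed the sequence {first} -> {last}")
```

Of the nine low fidelity alerts in the sample, only the three on ws-014 combine into a single high fidelity detection; the lone, out-of-order and out-of-window signals on the other hosts stay suppressed.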