Your SIEM is only as valuable as you have time to ask it questions.
Do you have time to identify and ask the right questions? And most importantly, do you have time to sift through the results to find answers?
August 22, 2024
Prevention is just detection with an action at the end.
-Casey Smith (subTee)
In security operations, or any harm prevention discipline, speed is really important. The faster you can find the bad thing, the better your chances of rolling over a proverbial speed bump vs. hitting a brick wall.
But speed can work against you: move too fast, and you run a very real risk of responding decisively to the wrong things. False positives are never ideal, but they become far worse when you take disruptive action on them.
A couple of the concepts I’d take away from this article:
I’ve made 100 variations of Sounil Yu’s venerable Cyber Defense Matrix for workshops, presentations, and planning over the years. Here’s the Google Slides template that I use to save time. May it save you time as well.
On traditional platforms—such as Windows, macOS, or Linux—knowing who is performing a given activity is useful. However, we can identify an overwhelming percentage of suspicious or malicious activity in the absence of this context.
For example, some software, behaviors, command lines, and changes should be investigated irrespective of identity. We can find a lot of bad things with no identity context at all.
On modern platforms—such as SaaS, IaaS, and PaaS—identity plays a critical role in threat detection and response, thus we describe it as identity threat detection and response, or ITDR. Nothing happens outside of the context of an identity. We can find some bad things without identity context, but virtually all behaviors or changes must be contextualized, baselined, and ultimately investigated in the context of an identity.
To make a weak analogy: On traditional platforms, the process is the data source upon which most detections can be built. On modern platforms, the construct of a process does not exist. On modern platforms, a given identity’s session is the process.
And if you believe that identity is indeed foundational to threat detection on all modern platforms, there are a handful of things that are probably also true:
In reviewing security firms’ 2023 threat data, a subset of these include insight into the initial access vectors leveraged most frequently in successful intrusions. This is a summarization of findings based on their reporting.
| Rank | MITRE ATT&CK Technique ID | Vector | Percentage |
|---|---|---|---|
| 1 | T1566 | Phishing | 31.4% |
| 2 | T1078 | Valid Accounts | 24.3% |
| 3 | T1190 | Exploit Public-Facing Application | 22.9% |
| 4 | T1133 | External Remote Services | 12.9% |
| 5 | T1189 | Drive-By Compromise | 5.7% |
| 6 | T1091 | Replication Through Removable Media | 2.9% |
To determine the most prevalent initial access techniques leveraged by adversaries in 2023, I relied on data from the following reports:
Because most, but not all, of these reports use a standard taxonomy, reported vectors were mapped to the corresponding MITRE ATT&CK Initial Access parent technique.
As with all threat reports, the findings and prevalence figures are subject to each firm's visibility and methodology.
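As an added example (not from the original post, and not any vendor's data), here is how that mapping step can be automated: vendor labels and sub-technique IDs are normalized to Initial Access parent techniques, then aggregated across reports weighted by each report's sample size. The synonym table and the report figures below are constructed assumptions, so the percentages will not match the table above.

```python
"""Map vendor-reported initial access vectors onto MITRE ATT&CK Initial Access
parent techniques and aggregate them across reports, weighted by sample size.
Added example, not from the original post; all report figures are constructed."""
import re
from collections import defaultdict
from typing import Optional

# Vendor wording -> ATT&CK parent technique. The technique IDs are real ATT&CK
# IDs (the ones in the table above); the synonym list itself is an assumption.
VECTOR_TO_TECHNIQUE = {
    "phishing": "T1566", "spearphishing": "T1566",
    "valid accounts": "T1078", "stolen credentials": "T1078",
    "exploit public-facing application": "T1190", "vulnerability exploitation": "T1190",
    "external remote services": "T1133", "vpn": "T1133",
    "drive-by compromise": "T1189",
    "replication through removable media": "T1091", "usb": "T1091",
}

def normalize(label: str) -> Optional[str]:
    """Return the parent technique for a report label, or None if unmappable.
    Raw ATT&CK IDs are accepted; sub-techniques (T1566.002) collapse to the parent."""
    m = re.fullmatch(r"(T\d{4})(?:\.\d{3})?", label.strip().upper())
    if m:
        return m.group(1)
    return VECTOR_TO_TECHNIQUE.get(label.strip().lower())

def aggregate(reports):
    """reports: [{"cases": N, "vectors": {label: share_of_cases}}, ...].
    Each report is weighted by its case count. Percentages are of mapped
    observations only (as in the table above); unmapped labels are returned for review."""
    counts, unmapped, total = defaultdict(float), set(), 0.0
    for r in reports:
        for label, share in r["vectors"].items():
            tid = normalize(label)
            if tid is None:
                unmapped.add(label)
                continue
            counts[tid] += share * r["cases"]
            total += share * r["cases"]
    ranked = sorted(counts.items(), key=lambda kv: kv[1], reverse=True)
    return [(tid, round(100 * n / total, 1)) for tid, n in ranked], unmapped

# Constructed sample: two reports with different taxonomies and sample sizes.
SAMPLE_REPORTS = [
    {"cases": 400, "vectors": {"Phishing": 0.40, "Stolen credentials": 0.25,
                               "Vulnerability exploitation": 0.25, "VPN": 0.10}},
    {"cases": 100, "vectors": {"T1566.002": 0.30, "T1190": 0.40,
                               "T1078": 0.20, "Insider threat": 0.10}},
]
```

Calling `aggregate(SAMPLE_REPORTS)` returns the ranked list of (technique, percentage) pairs plus the set of labels that need a manual mapping decision.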
Vendors in general are shifting away from annual reporting in favor of periodic reporting, with quarterly reports becoming the most common. This complicates data aggregation a bit (e.g., see the link required to find and aggregate Secureworks reports), but may be more useful to practitioners, as trends at a quarterly level are probably based on enough data to be meaningful, while also being timely.
Fewer vendors are reporting initial access observations. Fortunately, there are some industry mainstays that continue to report high quality data in this area based on large samples year-over-year.
I was disappointed to see that NCC Group, which generally provides excellent public domain research and reporting, not only stopped reporting initial access data this year, but also didn’t make mention of a single MITRE ATT&CK technique or provide standardized data anywhere in their annual report.
From my earlier thoughts on this matter:
A good use case for these types of lists–and a way to make them actionable–is to look at tactics starting with initial access and progressing through the intrusion lifecycle. For each tactic, look for common vectors and MITRE ATT&CK techniques (some of this is readily available in the source reports below). The goal is to see whether we can quickly glean good enough insights, assess risks, and take preventative measures.