E-book, English, 328 pages
Roddie / Deyalsingh / Katz Practical Threat Detection Engineering
1st edition 2023
ISBN: 978-1-80107-364-6
Publisher: De Gruyter
Format: EPUB
Copy protection: 0 - No protection
A hands-on guide to planning, developing, and validating detection capabilities
No detailed description available for "Practical Threat Detection Engineering".
Authors/Editors
Subject areas
- Mathematics | Computer science, IT | Computer science, Computer engineering, Computer security, Malware (viruses, Trojans, etc.)
- Mathematics | Computer science, IT | Computer science, Computer engineering, Computer security, Data security, Data protection
- Mathematics | Computer science, IT | Computer science, Computer engineering, System administration & management
Further information & material
Table of Contents
- Fundamentals of Detection Engineering
- The Detection Engineering Life Cycle
- Building a Detection Engineering Test Lab
- Detection Data Sources
- Investigating Detection Requirements
- Developing Detections Using Indicators of Compromise
- Developing Detections Using Behavioral Indicators
- Documentation and Detection Pipelines
- Detection Validation
- Leveraging Threat Intelligence
- Performance Management
- Career Guidance for Detection Engineers
1 Fundamentals of Detection Engineering
Across nearly every industry, a top concern for executives and board members is the security of their digital assets. It’s an understandable concern, given that companies are now more interconnected and reliant on technology than ever before. Digital assets and their supporting infrastructure comprise ever-increasing portions of a typical organization’s inventory. Additionally, more processes are becoming reliant on robust communication technologies. In most cases, these technologies enable companies to operate more effectively.

The management and defense of this new digital landscape, however, can be challenging for organizations of any size. Additionally, where sophisticated attacks used to be limited to nation-state adversaries, the increased interconnectedness of technology, coupled with the emergence of cryptocurrencies, creates a near-perfect environment for cyber criminals to operate in. The addition of sophisticated threat actors motivated by financial gain rather than those limited to nation-state motivations has dramatically broadened the number of organizations that must be able to identify and respond to such threats.

Stopping these attacks requires increased agility by an organization to combat the adversary. A detection engineering program provides that agility, improving an organization’s ops tempo to operationalize intelligence about new threats. The primary goal of detection engineering is to develop the rules or algorithmic models to automatically identify the presence of threat actors, or malicious activity in general, promptly so that the relevant teams can take mitigative action.

In this chapter, we will discuss several topics that will provide you with knowledge that will be relevant throughout this book:

- Foundational concepts, such as attack frameworks, common attack types, and the definition of detection engineering
- The value of a detection engineering program
- An overview of this book

Foundational concepts
The foundation of how we can track and categorize an adversary’s actions allows us to prioritize and understand the scope or coverage of our detections. The following subsection covers common frameworks and models that will be referenced throughout this book. They provide a starting model for framing cyberattacks, their granular sub-components, and how to defend against them.

The Unified Kill Chain
Cyberattacks tend to follow a predictable pattern that should be understood by defenders. This pattern was initially documented as the now famous Lockheed Martin Cyber Kill Chain. This model has been adapted and modernized over time by multiple vendors. The Unified Kill Chain is a notable modernization of the model. This model defines 18 broad tactics across three generalized goals, which provides defenders with a reasonable framework for designing appropriate defenses according to attackers’ objectives. Let’s look at these goals:

- In: The attacker’s goal at this phase is to research the potential victim, discover possible attack vectors, and gain and maintain reliable access to a target environment.
- Through: Having gained access to a target environment, the threat actor needs to orient themselves and gather supplemental resources required for the remainder of the attack, such as privileged credentials.
- Out: These tactics are focused on completing the objective of the cyberattack. In the case of double extortion ransomware, this would include staging files for exfiltration, copying those files to attacker infrastructure, and, finally, the large-scale deployment of ransomware.

Figure 1.1, based on the Unified Kill Chain whitepaper by Paul Pols, shows the individual tactics in each phase of the kill chain:

Figure 1.1 – The Unified Kill Chain

To better understand how the Unified Kill Chain applies to cyberattacks, let’s look at how it maps to a well-known attack. We are specifically going to look at an Emotet attack campaign. Emotet is a malicious payload often distributed via email and used to deliver additional payloads that will carry out the attacker’s final objectives. The specific campaign we will analyze is one reported on by The DFIR Report in November 2022: https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/.
Table 1.1 lists the stages of the attack, as reported in the article, and how they map to the Unified Kill Chain:

| Attack Event | Unified Kill Chain Phase Group | Unified Kill Chain Phase |
| --- | --- | --- |
| Emotet executed via LNK malspam attachment | In | Delivery |
| Emotet sends outbound SMTP spam email | Network propagation | Pivoting |
| Domain enumeration via Cobalt Strike | Through | Discovery |
| Lateral movement to user workstation | Through | Pivoting |
| SMB share enumeration | Through | Discovery |
| Zerologon exploit attempt | In | Exploitation |
| Remote Management Agent installed | In | Command and control/persistence |
| Exfiltration via Rclone to Mega | Out | Exfiltration |
| Ransomware execution | Out | Impact |

Table 1.1 – Unified Kill Chain mapping for Emotet attack chain

As can be seen from Table 1.1, not all phases will take place in every attack, and they may not occur in a linear order. To read the full Unified Kill Chain whitepaper, visit this link: https://www.unifiedkillchain.com/assets/The-Unified-Kill-Chain.pdf. While this follows the progression of a typical cyberattack, as the paper outlines and as our example shows, it is not uncommon for the attacker to execute some tactics outside this expected order.

While the Unified Kill Chain provides a model for how threat actors carry out attacks, it does not dive into the detailed techniques that can be used to achieve the goals of each phase in the kill chain. The MITRE ATT&CK framework provides more granular insight into the tactics, techniques, and procedures leveraged by threat actors.

The MITRE ATT&CK framework
The MITRE ATT&CK framework is a knowledge base developed by the MITRE Corporation. The framework classifies threat actor objectives and catalogs the granular tools and activities related to achieving those objectives. ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge. The MITRE ATT&CK framework groups adversarial techniques into high-level categories called tactics. Each tactic represents a smaller immediate goal within the overall cyberattack. This framework will be referenced frequently throughout this book, providing an effective model for designing and validating detections.

The following points detail the high-level tactics included as part of the Enterprise ATT&CK framework:

- Reconnaissance: This tactic falls within the initial foothold phase of the Unified Kill Chain. Here, the threat actor gathers information about their target. At this stage, the attacker may use tools to passively collect technical details about the target, such as any publicly accessible infrastructure, emails, vulnerable associate...