If it hasn’t happened to you yet, it will: Attackers have breached your defenses and are stalking your network.
What are your next steps? This is a question I hear frequently, and it’s one that will continue to be asked until we’ve learned how to gain, and properly monitor, east-west visibility within our organizations. If you’re not familiar with the term, east-west describes network communication that moves laterally among servers and applications within the data center, as opposed to north-south traffic, which traverses between client and server.
To monitor east-west flows, you’ll rely on alerts, but you also need to have a plan in place. The repetition of threats will be your friend in this process. Repetition is the mother of all learning, and when you can apply a thought pattern toward defending your environment, it will give you a higher chance of success.
Diamonds are a SOC Analyst’s Best Friend
Common defense models allow intrusion analysts inside a security operations center to act in a coordinated and repeatable fashion. One such framework is the so-called diamond model, which lets you get a better handle on how to defend against attackers. It involves better understanding the four vertices of the model:
- Adversary: who is behind the attack and what they are after
- Infrastructure: the systems and paths the attacker uses to operate and move
- Capability: the tactics, techniques and procedures (TTPs) used throughout the attack
- Victim: the systems and users that have been targeted
Once you can fill in these areas, incident responders can build a much stronger profile of the adversary that is currently targeting your organization. Understanding how – or more importantly, why – an adversary is attempting to breach your business is critical to resisting the attack and limiting your exposure.
As attackers pivot through your networks and systems, there needs to be a firm understanding of these four areas within the diamond model to guide your hypothesis as to what might be motivating the intruder. Specifically, you can use the model to learn:
1) How are they attempting to accomplish the breach?
2) Which systems and users have been victimized?
3) What infrastructure are the foes using to move east-west?
4) What TTPs were used to deliver an exploit?
Go for the Kill
Answering these questions isn’t something that happens overnight, and it takes training and dedication to get a better idea of how to profile attackers using this method. It’s not always perfect, but the skills learned through this method prevent your SOC team from merely reacting to a threat actor.
When you can take this hypothesis of an attacker and apply it to the kill chain – yes, this phrase has been overused in recent years, but it’s still relevant – analysts are able to take a holistic view of an attack and not get lost in the details. When you start with who the “victim” is toward the end of the kill chain (the execute phase) and work backward, filling in the unknowns about the attack, you can piece the investigation together step by step. This allows analysts to discover what TTPs and infrastructure may have been used to mount the attack.
Combining the diamond model and kill chain gives analysts a strong working knowledge of where to focus their time and investigation, and it makes them more effective as defenders. Of course, technology tools are necessary as well and can help reduce the time to detection and automate actions. Security orchestration, automation and response (SOAR) solutions, for example, use knowledge extracted from the diamond model and kill chain to make your security operations center more effective.
They allow analysts to detect, deny, disrupt, degrade and deceive attackers by automating these processes at scale and expediting workflow. It’s no longer enough to just block an attack; analysts need to be prepared to understand why adversaries are targeting them and apply that learned knowledge to playbooks that provide faster insight into the who, what and when of an event.
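The victim-first pivot described above, as an added example that is not part of the original post: starting from one confirmed victim, it fills in the diamond’s infrastructure and capability vertices from constructed east-west flow records, then repeats the pivot from each newly found victim with a hop limit so the investigation stays bounded. Host names, timestamps and the port-to-TTP labels are assumptions made for this example.

```python
from collections import namedtuple

Flow = namedtuple("Flow", "time src dst port")

# Constructed east-west flow records (hypothetical hosts and times).
FLOWS = [
    Flow("09:01", "ws-102", "fs-01", 445),
    Flow("09:04", "ws-102", "db-03", 3389),
    Flow("09:06", "ws-102", "db-03", 445),
    Flow("09:09", "ws-077", "fs-01", 445),
    Flow("09:11", "ws-102", "app-07", 3389),
    Flow("09:12", "ws-201", "mail-01", 25),   # unrelated noise
]

# Assumed mapping of service ports to capability (TTP) labels for this example.
TTP_BY_PORT = {445: "lateral movement via SMB/admin shares",
               3389: "lateral movement via RDP",
               5985: "lateral movement via WinRM"}

def pivot_from_victim(flows, victim):
    """Fill the diamond's vertices by pivoting from one known victim."""
    touching = [f for f in flows if f.dst == victim]
    infra = {f.src for f in touching}          # who reached the victim
    ports = {f.port for f in touching}         # how they reached it
    capability = {TTP_BY_PORT.get(p, f"unknown service tcp/{p}") for p in ports}
    # Other hosts the same infrastructure reached with the same capability.
    other_victims = {f.dst for f in flows
                     if f.src in infra and f.port in ports and f.dst != victim}
    return {"victim": victim, "infrastructure": infra, "capability": capability,
            "other_victims": other_victims,
            "adversary": "unknown; hypothesis pending attribution"}

def expand(flows, seed_victim, max_hops=2):
    """Repeat the pivot from each newly found victim, bounded by max_hops."""
    seen, frontier, diamonds = set(), {seed_victim}, []
    for _ in range(max_hops):
        next_frontier = set()
        for v in sorted(frontier - seen):   # sorted for a stable timeline
            d = pivot_from_victim(flows, v)
            diamonds.append(d)
            seen.add(v)
            next_frontier |= d["other_victims"]
        frontier = next_frontier
        if not frontier - seen:
            break
    return diamonds
```

Note that ws-077 only appears as infrastructure on the second hop (it touched fs-01 but never db-03), which is exactly the kind of finding that needs an analyst to decide whether it is part of the intrusion or legitimate admin traffic.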
Siemplify Blog contributor Matthew Pascucci is an infosec industry veteran whose experience includes roles as a senior security engineer, security architect and cybersecurity practice manager.