The primary function of the Security Operations Center is to detect security threats. Security tools, such as extended detection and response and SIEM, help identify suspicious or malicious activity and present it to SOC analysts, who then determine the effectiveness and severity of the activity and define the appropriate response action. The effectiveness of these tasks determines a key safety indicator: the average detection time.
Responding to threats is a secondary function of the SOC. The response is usually measured by the average time required to fix after an event, or MTTR. The link between MTTD and MTTR is clear: the faster you identify a threat, the faster you can respond to it.
Threat detection and response plans should initially focus on detecting threats in monitored systems and networks. This step provides comprehensive visibility, advanced analytics, and an analysis engine that scales large amounts of data and therefore improves MTTD metrics.
However, a sophisticated threat detection and response plan goes beyond simply identifying threats, but tracks metrics specific to the actors behind the threat.
Here are some of the factors that SOC teams should consider when tracking threat actors.
How to understand threats
The following can be considered threats:
Exploits: such as Log4Shell, SQL injection, and CVE;
Tactics: e.g. reconnaissance, lateral movement and command and control;
Targets: ransomware, data breaches, and commercial email breaches.
Threats can be used by any participant, and multiple participants rely on the same threat.
SOC teams should trigger detection of the above threats as they can affect an organization’s operations and often have no legitimate use. Once trigger detections are established, threat detectors can begin to look beyond threats to understand the surrounding characteristics and behaviors of the participants who use those threats.
Cybersecurity professionals use intrusion analysis diamond models to demonstrate how attackers can exploit features in the infrastructure to target victims.
How to understand threat actors
Understanding threat actors is complex, but can yield huge rewards in terms of threat detection and response. Diamond models for intrusion analysis can be used to track and understand participant-specific metrics.
It records four different vertices: adversaries, capabilities, infrastructure, and victims.
The word opponent is used to describe the unique characteristics of an attacker. Examples include crypto wallet addresses or trademarks in scripts and malware. By understanding these metrics, security responders can detect and respond to threats more effectively. Metrics need to be appropriately weighted because most are low-fidelity survey triggers that are not suitable for automatic detection. However, when applied intelligently, they can help with analysis.
Abilities are used to describe tactics, techniques, and procedures (TTPs) favored by an adversary. By understanding the favored TTP, the SOC knows where to go next for detection and what the attacker’s next action might be, enabling the SOC to disrupt the attack with targeted mitigation or containment response actions.
Ability Apex also focuses on the opponent’s goals. By understanding the intended end goal of the compromise, an attacker can be defeated — for example, by focusing on the lateral movement of ransomware participants or by censoring database access if a data breach is the target.
Comprehensive response action ensures that compromises are resolved as a whole, not just as a symptom of compromise.
Infrastructure describes what is used to deliver TTP, such as IP addresses, email addresses, or domains. By understanding the infrastructure, SOCs can monitor connections and catch previously unknown zero-day vulnerabilities or scripts. While analysts performing threat hunting regularly and manually review captured packets, the monitoring infrastructure has provided early warning of zero-day vulnerabilities and emerging vulnerabilities.
A victim is a target object or object. By understanding the type of organization or system an attacker is targeting, SOC members can take appropriate precautions to prepare them.
Tracking the actors behind a threat is a daunting job that can only be performed by mature SOCs that want to enhance their threat detection and response capabilities. If done correctly, SOC can significantly reduce key MTTD and MTTR metrics and even prevent compromises from occurring from the start.
Come to an end