Cyber Security: quick guide to a good night sleep


Let's jump right in:

How do we fundamentally secure things?

  1. Develop secure systems to limit possible attacks (industry jargon: SecDevOps)
  2. Monitor, Detect and Respond (MDR) to thwart attacks (industry jargon: SecOps)

These methods can be seen at play in physical security. You develop a secure building (by being in a good neighborhood, installing locks, and using reinforced doors), then perform monitoring (via cameras), detection (via checking the camera feeds), and response (via a call to 911, or triggering a silent alarm) to thwart attacks.

I will focus primarily on how to Monitor, Detect and Respond (MDR) in this article, as this is where a lot of the 10 trillion dollars a year we lose to cyber criminals can be saved. It is also an exciting cat and mouse game where the defender has to be on point every day but the attacker only has to be on point one day, with extremely high stakes (WannaCry caused more than 4 billion dollars in damages; Equifax was fined up to 700 million dollars for its breach). Though it is a compliance requirement for a lot of us, it really shouldn't be approached as a checklist item for compliance. It is a matter of business continuity, and livelihoods depend on it.

M = Monitoring

You have to be able to easily see everything that happens in your cyber space, with no blind spots. Enumerating what you own is a good place to start, but then deploying sensors to keep you alerted when something suspicious happens is very important. Storing these event feeds on a central logging solution (industry jargon: Security Event and Incident Management (SIEM)) can help you keep track of suspicious activities over time.

The main function of your monitoring is to look for signs of attack, and inspect activities to differentiate authorized from unwanted. A list of data feeds you need to monitor is here in a post I published 2 years ago (TLDR: Monitor your Endpoints, Network, User activity, Resource Access, Sensitive Data, Web, Mail, Logins, Applications, Vulnerabilities, and Cloud).

Non traditional devices

Pay close attention to non-traditional devices like Internet of Things (IoT), smart sensors, building monitoring, manufacturing, industrial control systems, and operational technologies (OT). They are often under-protected and have led to many breaches.


D = Detection


When you achieve acceptable visibility, it's time to make use of threat intelligence and content detonation. Threat Intelligence (TI) keeps you alerted to what new attacks are seen in the world, and provides you with the ability to detect them (via rules) at the sensor level (mainly endpoint or network detection systems) or at the SIEM level. TI has strategic and tactical value; make sure you use it wisely. Here is a GitHub gist with some intel sources I gathered 2 years ago. Content detonation allows you to verify whether a suspicious file or URL is actually malicious by letting you execute and observe it in a sandbox. Use a ticketing system to keep track of your investigations, and take plenty of notes. It's important to know which alerts are part of the same attack campaign, and what the campaign's progression across the Lockheed Martin Cyber Kill Chain stages or MITRE ATT&CK tactics looks like.


False Positives

Note that you won't be able to investigate every detection, as many of them are likely to be false positives. You need to enrich and contextualize logs, then tune your alerts.

  1. Prioritize based on Risk (Impact x Probability).
  2. Prioritize based on maliciousness level.
  3. Prioritize based on actionability.
  4. Enrich with high quality, regularly updated and specific threat intel.
  5. Enrich with geolocation.
  6. Use Configuration Management Database (CMDB) enrichment to identify alert seriousness.
  7. Tuning of alert thresholds, alert levels, and criticality is an ongoing effort.
  8. Disable rules that are designed for systems you don't have.
  9. Reserve an alert level for alerts that need action to be taken immediately, only!
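As an added example (not code from the article), here is how these prioritization and enrichment steps can be strung together into one triage pass over constructed alerts. The CMDB, threat-intel and GeoIP tables are stand-ins for real lookups, and the weights, thresholds and rule names are assumptions meant to be tuned, not recommended values.

```python
from dataclasses import dataclass, field
# Constructed enrichment sources standing in for a CMDB API, a TI feed and a GeoIP db.
CMDB = {"db-prod-01": 5, "kiosk-07": 1}               # asset criticality 1..5
THREAT_INTEL = {"198.51.100.7": 0.9}                  # maliciousness 0..1 (TEST-NET-2 address)
GEO = {"198.51.100.7": "XX", "203.0.113.5": "CA"}
DEPLOYED_OS = {"linux", "windows"}                    # rules for other platforms are disabled
ACTIONABLE_RULES = {"c2-beacon", "brute-force-ssh"}   # rules that have a response playbook
# Level thresholds (tune over time); "critical" is reserved for act-now alerts only.
THRESHOLDS = [(0.75, "critical"), (0.4, "high"), (0.15, "medium"), (0.0, "low")]

@dataclass
class Alert:
    rule: str
    rule_os: str        # platform the rule was written for
    host: str
    src_ip: str
    probability: float  # sensor confidence that this is a true positive, 0..1
    context: dict = field(default_factory=dict)

def enrich(a: Alert) -> Alert:
    """Attach CMDB criticality, threat-intel maliciousness and geolocation."""
    a.context["criticality"] = CMDB.get(a.host, 2)    # unknown asset: assume medium
    a.context["malicious"] = THREAT_INTEL.get(a.src_ip, 0.0)
    a.context["geo"] = GEO.get(a.src_ip, "unknown")
    return a

def score(a: Alert) -> float:
    """Risk = Impact x Probability; raised by TI maliciousness and actionability."""
    impact = a.context["criticality"] / 5                 # normalize to 0..1
    risk = max(impact * a.probability, impact * a.context["malicious"])
    if a.rule in ACTIONABLE_RULES:
        risk = min(1.0, risk + 0.1)                       # actionable alerts first
    return round(risk, 2)

def triage(alerts):
    """Drop rules for absent platforms, enrich, score and assign an alert level."""
    out = []
    for a in alerts:
        if a.rule_os not in DEPLOYED_OS:
            continue                                      # rule for a system we don't have
        r = score(enrich(a))
        level = next(lvl for thr, lvl in THRESHOLDS if r >= thr)
        out.append((a.rule, a.host, a.context["geo"], r, level))
    return sorted(out, key=lambda t: t[3], reverse=True)
SAMPLE_ALERTS = [  # constructed alerts, not real data
    Alert("c2-beacon", "linux", "db-prod-01", "198.51.100.7", 0.5),
    Alert("port-scan", "windows", "kiosk-07", "203.0.113.5", 0.6),
    Alert("keychain-dump", "macos", "laptop-3", "203.0.113.5", 0.9),
    Alert("brute-force-ssh", "linux", "unknown-host", "203.0.113.5", 0.7),
]
```

Running `triage(SAMPLE_ALERTS)` drops the macOS rule, puts the beacon from a known-bad address against the production database at the top as critical, and leaves the kiosk port scan at low.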

R = Response

Once we've detected an attack, figuring out what to do quickly is critical.

Luckily, you have been preparing an incident response strategy using NIST 800-61 to guide you.

In the heat of the moment, you need to think about evidence preservation, and service availability. Keep an eye on the campaign progression and focus your efforts towards blocking any advances towards the threat objective.

Make the time for a lessons learned roundtable. I cannot stress this enough. What will be different next time? Because there will be a next time, sooner than you think.

Share that threat intelligence with other people who might be targeted (commonly other organizations in your industry, or geolocation).

Main Incident Response Government Resources in North America

If you are a business operating in the United States you have to establish a relationship with the local FBI field office in your region, as they have the technical ability to help you with your cyber incidents and coordinate with other departments like the Secret Service and the Department of Homeland Security. If money is lost within 72 hours, the IC3 can always get it back as they coordinate with financial fraud departments across the country. If you happen to be operating in a critical infrastructure sector, CISA would be your best resource, and establishing a relationship with the regional office is of critical importance.

If you are a business in Canada (the sweet, sweet north) establish a relationship with the Canadian Centre for Cyber Security (CCCS) team in the Communications Security Establishment (CSE). Report incidents to RCMP NC3 and CAFC on an ongoing basis, and if you use ICS technologies make use of Public Safety symposiums and resources.

MDR Metrics

Keep track of them on a dashboard somewhere. These are your Key Performance Indicators (KPIs): Mean Time To Detect (MTTD), Mean Time To Respond (MTTR), and your Network and Endpoint visibility on the MITRE ATT&CK matrix.

Open Source MDR Stack

SIEM = Elasticsearch, Logstash, Kibana (ELK) or Graylog

SIEM Rules = Sigma

Detection Scaled Platforms = BinaryAlert, Assemblyline, StreamAlert

Dashboards = Grafana

Endpoint = Comodo or ClamAV or Wazuh (closed source but recommended is Microsoft ATA)

Network = Suricata or Zeek

Deception = Honeynet

Attack Simulation = Atomic Red Team, MITRE Caldera, Infection Monkey

Vulnerability Scanner = OpenVAS

Misc = OSQuery, Fleet, Velociraptor, OpenSCAP, SecurityOnion, MozDef, Apache Metron, CyberChef

Bonus: Password Manager = KeePass

Frameworks

The most common frameworks used by SOCs are MITRE ATT&CK and NIST CSF.


MITRE ATT&CK is good for assessing visibility, detection, investigations, response and hunting. NIST CSF is an extensive framework.

I recommend walking through a MITRE ATT&CK visibility analysis exercise to see what coverage you currently have and what your detection level is.

MDR Staffing & Outsourcing

Most MDR functions are the responsibility of a team called the Security Operations Centre (SOC). These teams are mostly 2-10 people. Common positions include IT support, Threat Intel Analysts, Incident Responders, Triaging or Monitoring Analysts, General Security Analysts, and Interns.

Most SOCs outsource red teaming, purple teaming, forensics, threat intelligence attribution and production. They also sometimes utilize security service providers for MDR to achieve 24/7 coverage via a hybrid internal and external SOC.

Main Challenges

The two main challenges that face SOCs are lack of skilled staff and lack of automation technologies.

You likely won't have enough skilled staff for the next 10 years, as cyber security skills are still not easy to acquire, and the SOC role is often tedious and stressful. Help juniors acquire the skills by hiring and mentoring them, and make the job less tedious and stressful by automating most of it.

You also have to invest in automating as many processes as you can, since attackers automate most of their attacks.

"What if only a machine could defeat another machine?" - Alan Turing
The Imitation Game (movie)

Currently MDR automation technologies come in the form of playbooks that implement if-then-else logic. The industry jargon for this is Robotic Process Automation (RPA), and in cyber security it became Security Orchestration, Automation and Response (SOAR), with products like Demisto, Palo Alto Cortex, and IBM Resilient. This is a good investment to augment certain existing manual workflows with automation. Without a comprehensive set of workflows as well as a competent builder, SOAR solutions won't bring much value out of the box.

Artificial Intelligence (AI) can bring various automation use cases to MDR and alleviate many of the challenges, namely with event enrichment, threat actor attribution and event correlation at the SOC level. This is an area my teams at ezSec and Cypienta have pioneered and are working on with Oak Ridge National Lab, Univ of Victoria, Univ of Windsor, and Nvidia.

Over the past few years, AI has proved useful at the intrusion detection level, whether in user behavior, endpoint or network use cases (notable mentions are DarkTrace, SentinelOne, Vectra, Cylance, and Carbon Black). AI will continue to bring many use cases to the MDR function, hopefully saving a little bit of the 6 trillion dollars we lost to cyber crime in 2021 alone.

Lastly: Cyber Security Behavioral Tips

0- Use multi factor authentication. Use a One Time Password (OTP) generator app or a push notification app. If not, use SMS or email OTP. Make sure your staff does too.

1- Never reuse passwords (not even partially!). Use a password manager that generates them. Make sure your staff does too.

2- Check the legitimacy of communications and report suspicions (Phishing, Vishing, Smishing). Do this especially if it's urgent, unexpected, too good, or after your info. Make sure your staff does too.


3- Backup data regularly. Test your backups occasionally. This is critical for business continuity. Story time: Colonial Pipeline had a backup and a disaster recovery plan but still paid ransom (more than 4 million dollars) to ransomware cyber criminals, due to a lack of confidence in their backups.

4- Update systems regularly and quickly. Pretty much every update patches a vulnerability. Zero days are very expensive. Most criminals rely on systems not getting updated quickly.

IMPORTANT NOTE: If you are doing staff awareness

These past few years people have seen enough COVID patients, economic losses and war victims. Let's not show them any more hackers in hoodies. Cyber criminals look like the teenager next door, anyway. Don't scare your staff but rather make them feel empowered and encouraged to become better, to become heroes that save their organizations and communities.

Lynn H.

2 years ago

Great write up. Thanks for sharing
