Blog

Latest News From Blog

SIEM Technology

Top 'Windows' SOC Use Cases

Use cases are critical to identifying the early, middle and end-stage operations of an adversary. A small abnormal event can be a clue to a larger attack. There also needs to be a playbook on how to respond.

What are Use Cases

A use case is a technical rule or condition applied to the logs that are ingested into the SIEM, e.g. malicious traffic seen hitting critical servers of the infrastructure, or too many login attempts in the last minute. Use cases can be categorized into various types based on their source logs.

A SOC use case, in turn, is a specific approach you employ to detect, report and mitigate various anomalies. Essentially, you create a registry of known business risks and then develop cybersecurity incident management processes for mitigating, eliminating and preventing them.

Top 'Windows' SOC Use Cases

Some of the Windows-based use cases you can build:

1. Server Shutdown/Reboot
2. Removable media detected
3. Windows abnormal shutdown
4. Login attempts with the same account from different source desktops
5. Detection of Server shutdown/reboot after office hours
6. Administrative Group Membership Changed
7. Unauthorized Default Account Logins
8. Interactive use of a service account
9. Remote access login – success and failure
10. Windows Service Stop/Restart
11. ACL Set on Admin Group members
12. Windows Account Enabled/Disabled
13. Multiple Windows Accounts are Locked out
14. Multiple Windows Logins by the Same User
15. Brute force attempt from the same source
16. Logins outside normal business hours
17. Logins to multiple user accounts from the same source
18. Brute force attempt from the same source followed by a successful login
19. Windows Account Created/Deleted
20. Windows Hardware Failure
21. Failed Logins to Multiple Destinations from the Same Source
22. Administrative Accounts: Multiple Login Failures
23. Detection of user account added to/removed from the admin group
24. Detection of system time changes (boot time)
25. Detection of the use of default product vendor accounts
26. User Deleted Within 24 hours of Being Created
27. Critical service stopped on Windows Servers
28. Windows Security Log is full
29. Multiple Password Changes in a Short time period
30. Windows group type was changed
31. Audit Policy change
32. Audit Log cleared
33. Detection of user account added
34. Logon Failure: a logon attempt was made using an expired account
35. High number of users created/removed within a short period of time
36. Outbound Traffic observed from Servers to the Internet
37. Failed Logins/Attempts with Disabled, Ex-Employee or Expired Accounts
38. Windows File/Folder Delete
39. Windows File/Folder Permission Changes

Conclusions

At present, the average time to fix cybersecurity vulnerabilities sits at 205 days. The current frequency of attacks leaves unprotected businesses exposed to multiple risks. SOC adoption used to be "reserved" for larger organizations with multi-million security budgets. However, that is no longer the case today.

Competitive SOC service models such as SOC as a Service and managed SOC, paired with advanced SOAR solutions like Azure Sentinel, make this function more accessible to businesses of different sizes and industries. Moreover, you can always start with a "test-run" of SOC use cases and progressively expand coverage to new business systems as your risk radar evolves.
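Two of the use cases above (logins to multiple user accounts from the same source, and a brute force attempt from the same source followed by a successful login) can be expressed as simple sliding-window correlations over Windows Security events. The following is an added example, not code from the original post; it assumes events reduced to four fields (timestamp, EventID 4624/4625, TargetUserName, IpAddress), runs on a constructed sample, and the thresholds and windows are illustrative defaults a SIEM rule would expose as tunables.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security events (not real log data):
# timestamp  EventID  TargetUserName  IpAddress
SAMPLE_EVENTS = """\
2024-05-01T09:00:01 4625 alice 10.0.0.5
2024-05-01T09:00:03 4625 alice 10.0.0.5
2024-05-01T09:00:05 4625 alice 10.0.0.5
2024-05-01T09:00:07 4625 alice 10.0.0.5
2024-05-01T09:00:09 4625 alice 10.0.0.5
2024-05-01T09:00:12 4624 alice 10.0.0.5
2024-05-01T09:05:00 4625 bob 10.0.0.9
2024-05-01T09:05:02 4625 carol 10.0.0.9
2024-05-01T09:05:04 4625 dave 10.0.0.9
2024-05-01T09:05:06 4625 erin 10.0.0.9
2024-05-01T09:30:00 4625 frank 10.0.0.7
2024-05-01T09:30:10 4624 frank 10.0.0.7
"""


def parse_events(text):
    """Turn the whitespace-separated sample into sorted event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, src_ip = line.split()
        events.append({"time": datetime.fromisoformat(ts), "event_id": int(event_id),
                       "account": account, "src_ip": src_ip})
    events.sort(key=lambda e: e["time"])
    return events


def bruteforce_then_success(events, threshold=5, window=timedelta(minutes=1)):
    """Use case 18: at least `threshold` failed logons (4625) from one source
    inside `window`, followed by a successful logon (4624) from that source."""
    failures = defaultdict(list)  # src_ip -> timestamps of 4625s still in the window
    findings = []
    for e in events:
        recent = failures[e["src_ip"]]
        while recent and e["time"] - recent[0] > window:  # expire old failures
            recent.pop(0)
        if e["event_id"] == 4625:
            recent.append(e["time"])
        elif e["event_id"] == 4624 and len(recent) >= threshold:
            findings.append({"src_ip": e["src_ip"], "account": e["account"],
                             "failures": len(recent), "time": e["time"]})
            recent.clear()  # one alert per burst
    return findings


def multi_account_from_source(events, threshold=4, window=timedelta(minutes=5)):
    """Use case 17: logon attempts (success or failure) against at least
    `threshold` distinct accounts from one source inside `window`."""
    history = defaultdict(list)  # src_ip -> [(time, account)] inside the window
    findings, alerted = [], set()
    for e in events:
        if e["event_id"] not in (4624, 4625):
            continue
        hist = history[e["src_ip"]]
        hist.append((e["time"], e["account"]))
        while hist and e["time"] - hist[0][0] > window:
            hist.pop(0)
        accounts = {acct for _, acct in hist}
        if len(accounts) >= threshold and e["src_ip"] not in alerted:
            alerted.add(e["src_ip"])  # avoid re-alerting on every further event
            findings.append({"src_ip": e["src_ip"], "accounts": sorted(accounts),
                             "time": e["time"]})
    return findings


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for f in bruteforce_then_success(evs):
        print("brute force then success:", f)
    for f in multi_account_from_source(evs):
        print("multiple accounts from one source:", f)
```

On the sample, the first rule fires only for 10.0.0.5 (five failures then a success) and the second only for 10.0.0.9 (four distinct accounts in five minutes); 10.0.0.7 trips neither.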

SIEM Technology

How to Build a Security Operations Center for Small Companies

Until recently, having a security operations center (SOC) was a privilege of large organizations. Now, with the help of next-generation security platforms and solutions, small companies can benefit from centralized security operations using minimal time and fewer resources.

So how can smaller businesses build a security operations center on a budget? With the right tools and the tips we mention in this article, you can build an effective SOC for your company.

In this post:

What is a SOC
Key aspects of a security operations center
Tools
How to build a security operations center using best practices

What Is a SOC?

A security operations center (SOC) is the base from which the information security team operates within an organization. The term SOC applies both to the physical facility and to the security team, which detects, analyzes and responds to security incidents.

SOC teams typically consist of management, security analysts and engineers. While having a SOC was once something only large organizations could afford, these days many medium- and small-sized companies are assembling lighter SOCs with the help of technological solutions.

Key Aspects of a Security Operations Center

There are two foundations a SOC is built on: the staff and the tools. First, a staff with the right skill set will make the most of the security tools available. Many organizations assign in-house IT staff to security-only functions, providing training and hiring new talent to fill empty roles.

Second, the right tools give your analysts the most visibility into active and emerging threats. The ideal system would be one that takes on the time-consuming work, such as collecting and sorting data from all feeds and prioritizing alerts. The security team uses these tools to identify and respond to incoming alerts, although security automation tools can help deal with low-level threats without the need to involve any staff.

Security operations center roles and responsibilities

A security operations center typically encompasses three or four defined roles. A SOC will assign analysts to three tiers according to their expertise. In addition, it designates an incident response manager, in charge of implementing the response plan in the event of an attack. The basic roles in a security operations center are:

Security analyst
Security engineer
SOC manager
Chief Information Security Officer (CISO)

Smaller organizations often set up functional arrangements, with the more traditional IT head, the chief information officer (CIO), taking on the responsibilities of a CISO, or a top-tier analyst functioning as an incident response manager.

Security operations center processes and procedures

Without a SOC, security tasks are often assigned ad hoc with no streamlined procedures. One best practice is for organizations to create a plan to optimize operations so everybody is in line with the security strategy. The key processes a SOC should implement are:

Step 1. Triage: search for indicators of compromise (IoCs), classifying events according to their severity. Include periodic vulnerability assessments to identify gaps attackers can exploit.

Step 2. Analysis: prioritize alerts, focusing on events with the potential for the most impact on operations.

Step 3. Response and recovery: early response is the key to containing an event successfully, involving containment and elimination measures. After the threat is eliminated, you need to recover the systems with actions such as restoring backups and re-configuring systems and network access.

Step 4. Lessons learned: assess what worked and what didn't, evaluating the reports generated while dealing with the incident. The SOC team can use the resulting information to adjust the incident response plan.

Roles are assigned for every step, keeping in mind who is accountable for every process. Teams should document at every stage of the process to help review and adjust the plan.

Tools

Most security strategies are based on a layered protection model. Since each vendor specializes in a specific layer, organizations need to integrate all these different tools to detect and respond to threats. While this works for large organizations with many security analysts at their disposal, it is a challenge for smaller organizations with limited resources. Smaller businesses can benefit from a new approach, integrating the capabilities of new technology solutions into a process that small teams can use with ease. These technologies will have the following capabilities:

Asset discovery: helps you know what systems and tools you have running in your environment, and determines which of the organization's systems are critical so their protection can be prioritized.

Vulnerability assessment: detecting the gaps an attacker can use to infiltrate your systems is critical to protecting your environment. Security teams must search the systems for vulnerabilities to spot these cracks and act accordingly. In addition, regulatory mandates require periodic vulnerability assessments to prove compliance.

Behavioral monitoring: a user and event behavioral analytics (UEBA) tool helps security teams create a behavioral baseline, making it easier to apply behavior modeling and machine learning to surface security risks. UEBA tools generate alerts only for events that exceed the predetermined threshold, reducing false positives and conserving analyst resources.

Intrusion detection: intrusion detection systems (IDS) are one of the basic tools for SOCs to detect attacks at the point of entry. They work by detecting known patterns of attack using intrusion signatures.

SIEM: tools that provide a foundation for the SOC given their ability to correlate rules against large amounts of disparate data to find threats. Integrating threat intelligence adds value to the SIEM activity by giving context to the alerts and prioritizing them.

Threat Intelligence

Security analysts monitor the environment looking for clues of malicious behavior. Adversaries usually leave traces of their activities in the form of IP addresses, host and domain names or filenames. SOC teams use threat intelligence to recognize these clues and attribute them to specific adversaries. They then build countermeasures against the attackers to prevent further attacks. The core elements of threat intelligence (context, attribution and action) help security teams identify the attacker and respond quickly:

Context: gives you an idea of the urgency, relevance and priority of a threat. Threat intelligence tools provide context to alerts and define the type of attack.

Attribution: threat intelligence solutions use the context to attribute indicators to specific attackers. The system helps SOC teams build a profile of the adversaries, helping identify who is behind the attack.

Action: attackers change their methods and tools all the time, so it is important to respond to an attack immediately, while the data is relevant. Threat intelligence tools assist the SOC to act promptly by alerting on a threat's urgency.

How to Build a Security Operations Center Using Best Practices

Provide the right tools

It is wise to invest in tools and technology solutions that will help your team detect and act more quickly in the event of an attack. You can look for security automation and orchestration solutions that take the load of time-consuming tasks, such as sifting through alerts.

Keep your incident response plan up to date

Having a detailed and updated action plan can help your team respond swiftly to an attack. The security team benefits from an action plan with defined roles, knowing what should be done and who should do it.

Building a SOC on a limited budget

How can small organizations implement all these practices when dealing with budget constraints? It's simple: have a security strategy in place and invest in the tools that can simplify your SOC team's work.

Develop a security strategy

The starting point to build a SOC is to develop a security strategy. For that, consider these steps:

Assess your current SOC resources and capabilities: you could refashion your IT staff into a SOC, adapt existing processes or optimize your tools.

Define the business objectives for the SOC: consider which systems are critical to support operations so the security team can reinforce their protection.

Choose a SOC model: such as hybrid, virtual or in-house.

Choose the right technology solution: this can be the difference between productive and overwhelmed staff.

Building a modern security operations center (SOC) is much more than assembling the latest equipment and then hiring a team of analysts. It's an ongoing effort to stay on top of threats, be current with emerging technology and trends, and hire and keep the right talent.

Other

What is a Blue Team?

During cyber security testing engagements, blue teams evaluate organizational security environments and defend these environments from red teams. These red teams play the role of attackers by identifying security vulnerabilities and launching attacks within a controlled environment. Both teams combine to help illuminate the true state of an organization's security.

BLUE TEAM DEFINITION

The idea that you can better understand your defenses by attacking them in a controlled environment is a long-established military principle. This idea is most commonly expressed in the practice of "red teaming," where an outside group of independent actors tests the systems or defenses of a target organization to identify any existing vulnerabilities.

In the world of information security, the practice of red teaming is now well established. Red teams, who act as "ethical hackers," methodically study an organization's structure and defenses and then launch attacks to exploit any weaknesses.

Yet red teams are only part of the equation. On the other side stand "blue teams": security professionals who are tasked with defending an organization's systems and assets against attacks, both real and simulated.

RED TEAM VS. BLUE TEAM EXERCISES: HOW THEY WORK

Blue teams conduct operational network security evaluations and provide relevant mitigation tools and techniques for organizations seeking to gauge their defenses or prepare for red team attacks.

Blue teams are often composed of the security personnel within an organization, or that organization may select certain team members to create a dedicated blue team within the department. Blue teams may also be independent consultants hired for specific engagements who use their expertise to help audit the state of an organization's defenses.

When an organization schedules red team vs. blue team exercises, red teams may attempt a range of techniques to launch a successful attack. These techniques are very open-ended and not always confined to the digital realm. Red team attacks may include scenarios such as a red team member posing as a vendor to infiltrate the target organization. This person may slip into the room undetected and quietly install malware, gaining network access.

Before getting started, red teams typically engage in digital reconnaissance to evaluate organizational defenses, then deploy various sophisticated attack techniques to compromise the target's security while avoiding detection.

Blue teams are tasked with rebuffing these attacks and exposing red team activity. This often begins with a detailed risk assessment of the organization's current security posture. Blue teams then may deploy a combination of human intelligence activity and technical tools to detect and rebuff red team incursions.

Ultimately, a blue team is expected to analyze log data, perform traffic analysis, execute audits, perform digital footprint and risk intelligence analysis, and take other similar steps to prevent any breaches, and then rectify any uncovered vulnerabilities.

A skilled cyber security blue team can play a critical role in helping to develop a comprehensive plan for organizational defense using the latest tools and techniques, a "blue team security stack," in other words. Often, it's best to think of them as the most active contingent of a security team. Not all security team personnel specialize in tasks that are considered to be high-level or relevant enough for testing. Blue teams are focused on high-level threats and are dedicated to continuous improvement in detection and response techniques.

THE VALUE OF BLUE TEAM TESTING

To succeed, blue teams must be rigorously thorough; after all, red teams can launch 99 unsuccessful attacks and still win on the 100th attempt. Blue teams must be right all the time. In addition to attention to detail, blue teams must also think creatively and have the ability to adapt on the fly. This is because many of the most effective red teamers (and black hat hackers) are remarkably adept at formulating novel and hard-to-predict attack techniques.

By evaluating the work of both red and blue teams, organizations can develop a holistic picture of the state of their security, and make any changes that may be required to ensure a robust overall defense.

SIEM Technology

What is SIEM? Security information and event management explained

SIEM is now a $2 billion industry, but only 21.9% of those companies are getting value from their SIEM, according to a recent survey.

SIEM tools are an important part of the data security ecosystem: they aggregate data from multiple systems and analyze that data to catch abnormal behavior or potential cyberattacks. SIEM tools provide a central place to collect events and alerts, but they can be expensive and resource intensive, and customers report that it is often difficult to resolve problems with SIEM data.

How does SIEM work?

Logs and other data need to be exported from all your security systems into the SIEM platform. This can be achieved by SIEM agents, programs running on your various systems that analyze and export the data into the SIEM; alternately, most security systems have built-in capabilities to export log data to a central server, and your SIEM platform can import it from there.

Which option you take will depend on your network topology and bandwidth capabilities, as well as the types of systems you need to get logs from. The amount of data transmitted and the processing power necessary at the endpoints can degrade the performance of your systems or network if you don't implement things carefully; SIEM agents at the edge can relieve some of that burden by parsing out some data before even sending it over the network. At any rate, you'll want to ensure that your entire infrastructure is instrumented for SIEM, both on-prem and in the cloud.

Obviously the amount of data generated by this SIEM instrumentation is huge, more than your staff could possibly parse through. The primary value delivered by SIEM suites is that they apply data analysis to make sure that only useful information gets delivered to your security operations center. These platforms use correlation engines to attempt to connect disparate log entries or other signals that don't seem worrisome on their own but taken together can spell trouble. These engines, combined with the specific artificial intelligence and machine learning techniques used to sniff out attacks, are what the various SIEM vendors use to differentiate their offerings from one another.

SIEM tools also draw information from threat intelligence feeds: updated feeds of data about new forms of malware and the latest advanced persistent threats. Some of these feeds are maintained by the SIEM vendors, but others are open source or internally maintained by security teams at large organizations, and some SIEM platforms allow you to use your favorites. Other customization options include the ability to tightly integrate your SIEM platform with specific security tools.

Top SIEM tools and vendors

We noted above that SIEM was initially embraced for its ability to aid regulatory compliance; that's still an important role for these tools, and many platforms have built-in capabilities that are focused on ensuring and documenting your compliance with various laws and standards. And finally, some SIEM platforms also incorporate SOAR capabilities, which can partially or fully automate responses to the threats they detect.

Ferrill's list also looks at some of the top SIEM vendors, which make for a good guide through the landscape of this market segment:

Exabeam
IBM
LogRhythm
Microsoft
Rapid7
RSA
Securonix
Splunk
FireEye

All these different vendors have their own strengths and weaknesses. For instance, Microsoft's Azure Sentinel offering is only available on Microsoft's cloud, but easily integrates with Microsoft 365 and Windows Defender. RSA's platform is built with massive data volume in mind, while Securonix has an open architecture that makes it possible to add a wide variety of third-party analytics plug-ins.

We should take a moment to spotlight Splunk, since it was one of the first software vendors to discover gold in log file analysis. Splunk Enterprise Security draws on the company's mature data analytics and visualization capabilities to deliver a SIEM solution integrated with threat intelligence and available in the cloud or on prem. IDC maintains that Splunk has the largest SIEM market share.

At this point, you should have a good sense of what SIEM should do for your company. But these platforms aren't cheap, and that means you need to do all you can to prepare before you roll one out. For instance, SIEM software requires high-quality data for maximum yield. And SIEM technologies are resource intensive and require experienced staff to implement, maintain and fine-tune them, staff that not all organizations have fully invested in yet.

More on SIEM:

Why Does Your Company Need SIEM?
All About SIEM Technology

Network Security

Is Malware Analysis Right for Your Business?

In the world of technology, things are constantly moving and changing, and cybersecurity is not an exception. As the good guys get smarter, the bad guys get sneakier and stealthier. This is especially true of malware, which has evolved dramatically in the last couple of years.

We're now seeing malware with artificial intelligence (AI) that is capable of mutating and even automatically detecting whether it is being run inside a sandbox. Due to this challenge, adoption of malware analysis has been on the rise in recent years. Does this mean that every company should start analyzing malware? The short answer is no.

How to Know If Malware Analysis Is Right for You

There are two main reasons why it may not be the right time for a company to invest in a malware analysis team. First, many enterprises don't have the resources to build and maintain such a team. Second, there are a lot of companies out there that specialize in malware analysis, many of which provide an on-demand service that generates indicators of compromise (IoCs) and makes them available to the public for free.

For some companies, it may not make sense to have a team dedicated to analyzing malicious code because the business does not specialize in that area. It would be difficult to imagine an energy company investing in a malware analysis team, for example, but that doesn't mean it shouldn't use threat intelligence gathered by malware specialists. Even though most organizations don't have to worry about malware analysis, they all need to worry about their security. Integrating a system that can alert security teams based on IoCs generated by specialized companies is a great way to enhance security on a budget.

Enhance Enterprise Security on a Budget

Publicly shared IoCs are a great resource and can help businesses identify the presence of malware in their infrastructure, despite their inability to analyze malicious code. Ingesting these types of IoCs can help security teams detect malware without analyzing the code itself.

For companies that want to have more visibility into network activity but lack the ability to analyze malware, using what is publicly available and developed by specialized companies around the world could be the difference between a malware infection and a crisis.

IoT Security

INTERNET OF THINGS TESTING

The number of connected devices has rocketed in the past few years and, as Nettitude documented in our 2016 threat intelligence report, the Internet of Things (IoT) has become a significant target for threat actors aiming to build botnets. Such botnets are then often employed to launch some of the largest Distributed Denial of Service (DDoS) attacks ever seen. For example, the Mirai malware discovered in 2016 infected hundreds of thousands of IoT devices and then utilized them to launch high-bandwidth DDoS attacks against high-profile websites.

Nettitude routinely works closely with the creators of smart devices in order to provide assurance around the security posture of their devices. Internet of Things testing services provide a valuable way to assess the security levels associated with a given connected device. Nettitude has extensive experience in IoT testing and assuring:

Smart devices for domestic usage
Smart devices for industrial usage
Smart metering
Connections for utilities
Smart devices aimed at the automotive and transport sector

When Is IoT Testing Applicable?

Nettitude recommends an Internet of Things security test is performed for any device that will be connected to a network under normal use. From cameras to toothbrushes, connected devices are actively being targeted by threat actors aiming to:

Serve malicious or illegally obtained software
Compromise individual and corporate privacy

Details of the motivations and goals for the relevant threats

In particular, devices that are designed to be 'plug and play' should be subject to an Internet of Things penetration test; their low barrier to setup often means that they are deployed in suboptimal security configurations. For organizations that produce Internet of Things devices and are concerned about their security posture, Nettitude offers a world-class penetration testing service.

What's The Output Of An IoT Security Test?

Any organization that works with Nettitude on Internet of Things security testing can expect two fully quality-assured reports per engagement. The first is a management report, which is designed to be consumed by a non-technical audience and relays the overall security posture of the target device in terms of risk. The second is a technical report, which provides in-depth technical detail for each finding, including relevant and actionable remedial advice.

Of course, the engagement doesn't stop there. Nettitude always encourages a debrief to ensure full comprehension has been achieved. It's an opportunity to ask absolutely any questions at all. After the debrief, the organization is welcome to stay in touch with Nettitude and receive top-quality security advice.
