The cloud-native platform for centralized log management
Analytics, visualizations, and workflows purpose built for practitioners
Leading firms gaining more value from their machine data
Any source, any velocity – centralize logs, metrics, and traces for full visibility.
Close the gap between detection and response with an analyst-focused, cloud-native approach.
Understand complex environments with visual analysis and KPIs that matter most.
The most recent articles & research from Devo
Security frameworks are a must-have in modern SOCs faced with complex attacks. SOCs use cybersecurity frameworks to guide their approach to and understanding of attack and defense strategies and manage and reduce cyber risk to continuously improve operations. For example, many advanced SOCs integrate adversarial models, such as the MITRE ATT&CK framework, into analyst workflows to provide automation that informs investigations, placing the SOC one step ahead in stonewalling attacks.
The NIST Cybersecurity Framework (CSF) is a key reference point for standards, guidelines, and best practices for managing the threat lifecycle. The SOC can apply this framework to guide, assess, improve, and deliver on key security metrics and establish a mature approach to securing the enterprise. NIST CSF is a functional starting place to begin to build an enterprise cybersecurity strategy.
Gain a complete understanding of your people, physical and digital assets, risks and vulnerabilities, and defense systems.
Establish a layered and diverse approach to defending the business, while also being ready to respond to any attack.
Implement technologies and practices for quickly detecting true positive events across all security data.
React appropriately to an incident and keep it from becoming a serious breach.
Return the organization to its original state by planning for resilience, and implement new preventative measures to safeguard against a repeat attack.
The Cyber Kill Chain, one of many frameworks or models to consider in security operations, was created by computer scientists at Lockheed Martin. The model describes a phased approach to end-to-end cyber attack detection and prevention based on the choreographed movements of a standard threat actor. The kill chain is a foundational archetype; however, the first stage is difficult to detect, and it does not accommodate attacks that begin inside the perimeter.
The threat actor stealthily gathers intel on the organization to achieve its objective. This often includes a combination of tactics to determine the ideal target and identify vulnerabilities, from observing the building’s physical security measures to researching employees on social media.
In this stage, the actor develops an exploit, such as a new strain of malware hosted on a hijacked domain to attack an organization by targeting specific vulnerabilities.
Next, the threat actor packages and delivers the malware – be it a virus, spyware, or worm – to the victim through a method such as a website or email attachment. Delivery methods often include a social engineering aspect.
At this point, the malware “weapon” is triggered to exploit the target vulnerability of the system, network, application, or policy.
The malware is installed on the target device or system as a result, while the attacker takes steps to penetrate the organization’s defenses and maintain access.
The compromised system then communicates with Command and Control (C&C) to enable remote access to the network, officially letting the malicious actor gain control.
The threat actor has achieved its end goal and can now do its dirty work – from exfiltrating data or deleting proprietary information to shutting down the entire network.
The MITRE ATT&CK framework is a model of various observable adversarial behaviors used to intelligently identify “right of bang” tactics—tactics after an attack has begun. It addresses four key use cases: threat intelligence; detection and analytics; adversary emulation and red teaming; and assessment and engineering. The tactics are defined as the objective of the actor, and techniques are the method of getting there. The MITRE framework uses evidence from past attacks to get inside the head of the attacker with a detailed understanding of how these tactics manifest, techniques used, potential response steps, and useful data sources for in-depth analysis.
The 12 tactics addressed by MITRE include:
1) Initial accessis the act of sidling past the network’s defenses to get a foothold in the environment, using techniques such as whaling.
2) Executionof malicious code enables actors to penetrate deeper into the network and move towards their objective.
3) Persistenceenables an actor to linger in a system or network, buying time to execute their plan despite potential interruptions.
4) Privilege escalation provides the attacker with a greater range of motion and control in the network through admin level access Stealing a user’s credentials is a prime example of privilege escalation.
5) Defense evasion tactics, like masquerading, are an attempt to go undetected in the network.
6) Credential access allows bad actors to gain the access and control they need to achieve their objectives.
7) Discovery involves gaining an understanding of the operating system and network to inform the attack plan.
8) Lateral movement is the method of snaking through a system or network to get to the critical data or target objective.
9) Collection refers to the identification and collection of prized data, to then exfiltrate it.
10) Command & control or “C2”, the actor takes remote control of a network through an already-compromised system.
11) Exfiltrationis the ultimate goal of removing sensitive, highly-coveted data from a target network or system for malicious purposes, like re-sale on the black market.
12) Impacton the business is another key objective, disrupting the integrity and availability of data, services, and systems.
The Unified Kill Chain melds the MITRE ATT&CK framework and Cyber Kill Chain captures the advantages of each model to overcome common critiques of the kill chain. The comprehensive UKC expands the potential attack phases to eighteen, and breaks those phases into three fundamental steps: initial foothold, network propagation, and action on objectives. This revised model provides a more detailed, accurate, and time-oriented approach to end-to-end cybersecurity. The evolving nature of security frameworks is a testament to the industry’s need for adaptability in a constantly changing, high-stakes domain.
Gain Devo insights on threat hunting techniques for the modern SOC.
Leverage technologies, frameworks, and best practices to improve investigation.
Discover core incident processes for the modern SOC.