Left of boom cover

Estimated reading time: 7 minutes

When we talk about “left of boom” or “right of boom” we are referring to a concept that may appear superficial. Instead, it is a powerful tool that offers the ability to analyze security conflicts from both a offensive and a defensive perspective. In a hypothetical timeline of an attack, what is left of boom refers to what happens first. Similarly, what is on the right is what happens next.

In common parlance, the term “bang” is very often used instead of “boom”, but the meaning remains the same. In essence, it is the event itself around which the previous and subsequent period is analyzed.

So, “left of boom” is the set of events that occur before the attack . “Right of boom”, on the other hand, is the set of events following the “boom”. This is the essential difference between the two terms. If defensive stocks can detect events in the “left of boom” period, solutions can be found and adopted to predict when the “boom” will happen.

left and right boom timeline
Visual representation of the timeline , the event (Boom) and the actions or tools to the right and left of it.

For an inexperienced person in cybersecurity, these concepts regarding the timeline of a cyber attack may not even be considered, for this reason many companies prefer to use a SOCaaS.

Left of Boom

A good penetration tester can detect some “left of boom” events, but they often miss out on gathering threat intelligence. Sometimes it is unable to distinguish concepts such as “security engineering, vulnerability discovery and remediation” from “automated prevention control”.

There is actually no real good prevention tool, more security checks are detection checks. Some of these controls integrate automated response mechanisms that prevent the succession of unpleasant events.

A web application that prevents XSS or SQLI attacks is really useful for detecting invalid inputs and responds by discarding the content before the injection can occur.

A firewall designed to block ports simply detects unwanted traffic in relation to the protocol used for the connection and the number of the port you want to access, interrupting and resetting the connection request.

These examples tie in well with the concept of “right of boom”. The prevention checks detect the “boom”, the event, and respond immediately, stemming the possible damage. “Left of boom” and “right of boom” are so close in the timeline that they are hardly distinguishable, until you do a careful analysis of the events.

This is one of the reasons why IT security professionals love prevention checks. They work quickly to fix errors before the hackers achieve their goals, limiting the damage.

A SOCaaS in these cases is one of the best solutions to adopt to protect the integrity of a computer system.

Right of Boom

Generally the shorter the distance between the “right of boom” and the response time to a threat, the lower the consequences of a possible cyber attack. Obviously this is only a logical consideration, it does not apply as an absolute rule.

For some breaches, the timeline between the event and the complete elimination of the threat is questionable, as detection occurred after the hacker achieved his goal. If the hackers they manage to infiltrate the system but are stopped in time, causing no damage to the infrastructure. In this second case, therefore, there is no “boom” we are talking about.

An example of right-of-boom

To better explain the concept of “right of boom” we could take a common “malware” as an example. Malware is generally developed to mass attack many devices, without much discretion. By “right of boom” we refer to that period of time that has passed since the malware infection occurred.

If you have read the other articles published by us you will have learned how hackers use these types of infections for the purpose of collect sensitive information , which is resold to a third party. If the “right of boom” is shorter than the time it takes the hacker to sell this information, the damage can be contained.

The best security systems manage to shorten the “right of boom” time by managing to gather information on attackers in the “left of boom”. This can be achieved by implementing countermeasures based on the threat model. These tools allow you to scan entire infrastructures, observing new threat indicators days or even weeks before attacks are deployed.

As we’ve seen in other articles, attacks don’t always happen quickly. In fact, the hackers involved are more likely to act in a slow first period just to gather the information needed to launch the attack. In the “right of boom” period, useful tools such as cyber threat intelligence and a threat hunting team come back < / a>.

Left of boom strategy
A strategy that also takes into account what happens before an attack is much more effective.

Why “Right and Left of boom” concepts are important

If we put ourselves in the hacker’s perspective, the concept of “right of boom” and “left of boom” can help to decide which course of action is best to take.

Suppose a hacker has two methods of breaking into a computer system. If one of the two methods could be detected in the “left of boom” period, while the other one in the “right of boom”, it is obvious that the hacker will prefer the second. In fact, this would guarantee more probabilities successful attack.

Similarly, between two methods that can be detected “right of boom” we choose the one that has the most chance of being detected late . The longer it takes from boom to detection, the greater the chances of success. This kind of reasoning is important in determining which tactic has a broader timeline.

Thinking in this light is not easy at all, requires advanced knowledge from the security expert. It also requires having to consider all those hypotheses that could potentially determine the success of the hacker.

Speed

A hacker is able to predict whether, using certain tactics, he would be able to reach the goal faster than the expert trying to detect attacks. The “boom” is the first contact, in the set of intrusion tactics used to illegally access a computer system. The remaining tactics are placed before and after it.

Speed and stealth usually cancel each other out. In fact, very often you can be faster by sacrificing some stealth.

Speed and stealth don’t get along very well when it comes to cyber attacks. Being stealthy, avoiding leaving traces, requires more attention and therefore inevitably also more time. However, if the aim of a hacker is not a single goal but a series of multiple goals, to be fast can be effective.

To defend against attacks, Indicators of Compromise (IOCs) can be collected to remedy existing vulnerabilities and to introduce new detection controls, making the computer system more secure.

Conclusions

It is important to understand the timeline concept of attacks, and we have seen how the concepts of “left of boom” and “right of boom” affect the response mechanisms to intrusion threats.

The concepts we’ve seen in this article, while they don’t add anything concrete to a system’s defense or attack techniques, offer a point of view. In the constant struggle between hackers and security operators, having a winning strategy means not only having efficient tools, but also planning in detail every detail, before and after attacks.

To find out how a SOCaaS can help you monitor your business infrastructure and catch the “left of boom” clues, do not hesitate to contact us, we will be able to answer every question and offer you a solution for your company.

Useful links:

Useful links:

importanza cyber threat intelligence cover

Estimated reading time: 5 minutes

In another article we have already talked about Cyber Threat Intelligence explaining what it is, how it works and its various types. Today, however, we will focus more on the importance of Cyber Threat Intelligence , deepening how it can be useful for companies to provide answers in the security field, containing risks and providing information that support incident response. & nbsp;

The importance of Cyber Threat Intelligence

In a world where technologies and cyber threats are constantly evolving, a company cannot afford to overlook the importance of Cyber Threat Intelligence. Every day on the web there are countless cyber attacks and data thefts to the detriment of companies and individuals. These large amounts of information are then cataloged and sold illegally on the Dark Web.

Hackers usually sell information on this part of the web because it guarantees them anonymity. In fact, unlike the traditional web, in order to access these virtual places, you must use a browser that masks your IP address. This complicates the authorities’ tracking of criminals and makes the dark web a completely anonymous place.

One of the objectives of the CTI is to monitor the information present in this large part of the web for analytical purposes. The aim is to prevent and limit the damage that this data could cause.

Monitoring the Dark Web and the Deep Web

importance cyber threat intelligence iceberg

Often, when we talk about the Deep Web and the Dark Web, we think that there are only and exclusively illegal activities, but that is not correct. There are also forums, blogs and websites that aim to disseminate information that is difficult to find on the traditional web.

Unfortunately, it is also true that criminals use this section of the network to sell all kinds of information . These include telephone numbers, email addresses, bank details, documents, passports, administrative login credentials for websites. There is practically everything.

This kind of information, in the hands of an attacker (or a competitor), could compromise the integrity of an entire company, its employees and its customers. The consequences of a data breach could also manifest themselves in the form of damage to the company’s reputation.

When a customer provides his personal data to a company, he expects them to be treated with the utmost respect. Customers may feel “betrayed” by the company that should have guaranteed them the security of their personal information.

A striking example was the data theft that occurred in 2019 against Facebook Inc. ( Source )
533 million personal data belonging to users of the platform are been stolen, divided by 106 countries and distributed for free on the web, bringing the company back to the center of controversy.

importance cyber threat intelligence facebook

Companies looking to protect their customer, supplier and employee data invest in analytics and monitoring tools.

By relying on professionals, it is possible to promptly receive a notice whenever sensitive information is published on a forum or website on the Dark Web. For this reason the importance of Cyber Threat Intelligence plays a key role in the business cybersecurity branch.

Monitoring the Dark Web therefore means having the possibility of being able to promptly detect any sensitive information before it can cause problems for companies.

Tools for monitoring the Dark Web

Being a portion of the internet that is difficult to access and not indexed by search engines, analyzing and monitoring resources on the Deep Web becomes more complicated. For this reason, we are helped by various tools designed with the aim of simplifying the investigation and analysis process.

One piece of software that could help you during an investigation is Onionscan, a completely free Open Source program.

The Onionscan project and the CTI

The Onionscan project has two objectives:

– Helping operators find and solve operational security problems
– Help researchers monitor and track sites on the Deep Web

The software can be downloaded from the dedicated Github page, which also contains an installation guide and a list of dependencies required to run the software.

Once installed, to use it, simply type in the command line:

onionscan websitename.onion

Of course, just accessing a tool like this isn’t enough to provide effective coverage. In fact, the importance of Cyber Threat Intelligence lies largely in knowing how to perform searches and interpret data.

Conclusions

We have seen what a Dark Web monitoring activity is and how it works and above all we have begun to understand the importance of Cyber Threat Intelligence.

Investing in these solutions guarantees additional security for the company. Securing the data of its customers and employees cannot be optional, every company should be sensitive to these issues and invest their resources to prevent unpleasant situations.

SOD offers a dedicated service which aims to provide valuable CTI information for proactive defense and resolution of critical issues before they become real problems.

If you need further information, do not hesitate to contact us, we are ready to answer all your questions.

Useful links:

Threat Intelligence Virtual

Estimated reading time: 5 minutes

threat intelligence data provides companies with relevant and timely insights they need to understand, predict, detect and respond to cybersecurity threats . Threat intelligence solutions collect, filter and analyze large volumes of raw data related to existing or emerging sources of threats. The result is threat intelligence feeds and management reports. Data scientists and security teams use these feeds and reports to develop a targeted incident response program for specific attacks .

Everyone from fraud prevention to security operations to risk analysis benefits from threat intelligence . Threat intelligence software provides interactive, real-time views of threat and vulnerability data.

The advantage offered to security analysts and experts is obvious and serves to easily and quickly identify threat actor patterns . Understanding the source and target of attacks helps business leaders put in place effective defenses to mitigate risks and protect themselves from activities that could negatively impact the business.

cyber threat intelligence can be classified as strategic, tactical or operational. Strategic concerns the capabilities and general intent of cyber attacks . Consequently also the development of informed strategies associated with the fight against long-term threats. That Tactic is about the techniques and procedures that attackers might use in day-to-day operations. Finally, threat intelligence Operational provides highly technical forensic information regarding a specific attack campaign.

Threat Intelligence Virtual

The threat intelligence cycle

Threat Intelligence Solutions collect raw data on actors and threats from various sources. This data is then analyzed and filtered to produce feed and management reports that contain information that can be used in automated security control solutions . The main purpose of this type of security is to keep organizations informed about the risks of advanced persistent threats, zero- day and exploits, and how to protect yourself from them.

The Cyber Threat Intelligence Cycle consists of the following stages.

Planning: The data requirements must first be defined.

Collection: Collect large amounts of raw data from internal and external threat intelligence sources.

Processing: Raw data is filtered, categorized and organized.

Analytics: This process transforms raw data into streams of threat intelligence using structured analytics techniques in real time and helps analysts identify Indicators of Compromise (IOC). < / p>

Dissemination: Analysis results are immediately shared with cybersecurity professionals and threat intelligence analysts.

Feedback: If all questions are answered, the cycle is over. If there are new requirements, the cycle starts over from the planning phase.

Common indicators of impairment

Enterprises are under increasing pressure to manage security vulnerabilities, and the threat landscape is ever-changing. threat intelligence feeds can help with this process identifying common indicators of compromise (IOC) . Not only that, they can also recommend the necessary steps to prevent attacks and infections. Some of the more common indicators of compromise include:

IP addresses, URLs and domain names: An example would be malware targeting an internal host that is communicating with a known threat actor.

Email addresses, email subject, links and attachments: An example would be a phishing attempt which relies on an unsuspecting user clicking on a link or attachment and initiating a malicious command.

Registry keys, file names and hashes of files and DLLs: An example would be an attack from an external host that has already been reported for nefarious behavior or is already infected.

threat intelligence hacker

Which tools for threat intelligence

The growing increase in malware and cyber threats has led to an abundance of threat intelligence tools that provide valuable information to protect businesses.

These tools come in the form of both open source and proprietary platforms. These provide a variety of cyber threat defense capabilities, such as automated risk analysis , private data collection , threat intelligence quick search tools, reporting and sharing this information among multiple users, curated alerts, vulnerability risk analysis, dark web monitoring, automated risk mitigation, threat hunting and much more.

We talked about one of these tools in a other article : the Miter Att & amp; ck . This is a very useful tool for learning about hacker attack techniques and behaviors. This is thanks to the information gathered by threat intelligence and the consequent sharing. A framework like this is very efficient for creating defensive mechanisms that make it possible to secure corporate infrastructures.

Artificial intelligence and threat intelligence

As we saw earlier, gathering information from various sources is just one of the steps. These must then be analyzed and subsequently processed into control protocols, to be really useful for security.

For this type of work of analysis, definition of baseline behaviors and data control, we are increasingly relying on artificial intelligence and deep learning. A Next Generation SIEM , flanked by a UEBA solution are perfect for this type of protection.

The control of the behavior of entities within the perimeter carried out by the UEBA is able to identify any suspicious behavior, based on the information collected and analyzed by the SIEM.

Conclusions

The defenses we have named are the primary value of a corporate security plan. Adopting specific solutions, implementing threat intelligence and therefore an active search for threat indicators, offers a strategic advantage. The company can take a step ahead of criminals, who can only leverage the surprise effect against their victims. Precisely for this general situation, every company should be in a position not to be caught by the off guard. Implementing proactive solutions is now necessary.

The threat intelligence is therefore a defense weapon behind which to protect the most important resources in order to work in peace.

If you want to know how we can help you with our security services, do not hesitate to contact us, we will be happy to answer any questions.

Useful links:

Useful links:

Cyber Threat Intelligence (CTI) – greater effectiveness for IT security

SOAR: coordination for cyber security

cyber threat hunting IT specialist

Estimated reading time: 5 minutes

Cyber Threat Hunting is a proactive security search across networks, endpoints and datasets to hunt down malicious, suspicious or risky activities that have escaped detection by existing tools.

Definition

There is a distinction between malware detection and cyber threat hunting . Threat detection is a passive approach to monitoring data and systems to identify potential security problems. However, it is a necessity and can help a threat hunter . Instead, proactive threat hunting tactics have evolved to use new threat intelligence on previously collected data to identify and classify potential risks before the attack .

Security personnel cannot afford to believe that their security system is impenetrable. Must always remain vigilant for the next threat or vulnerability . Rather than sitting around and waiting for threats to strike, cyber threat hunting develops hypotheses based on knowing the behaviors of threat actors and validating those hypotheses through active research in the environment .

With threat hunting, an expert doesn’t start with an alarm or indicators of compromise (IOC), but with deeper reasoning. In many cases the threat hunter’s efforts create and concretize the alarm or the IOC.

This aggressively assumes that a breach has occurred or will occur at the company. Security officers hunt down threats in their environment rather than rely on automatisms.

cyber threat hunting hardware

Threat hunting practice

For companies that are ready to take a more proactive approach to cybersecurity , which tries to stop attacks before they get too deep, adding threat hunting protocols to their security program is the next logical step.

After consolidating endpoint security and incident response strategies to mitigate the now unavoidable known malware attacks, companies can begin to take the offensive . This means digging deep and finding what hasn’t been detected yet. This is precisely the purpose of cyber threat hunting.

As mentioned earlier, threat hunting is an aggressive tactic that starts from the premise of the “assumption of violation”. Attackers are already inside an organization’s network and are secretly monitoring and moving into it.

This may sound far-fetched, but in reality, attackers can be inside a network for days, weeks, and even months . In the meantime, they prepare and execute attacks as advanced persistent threats, with no automatic defense detecting their presence . Cyber threat hunting stops these attacks by looking for covert indicators of compromise (IOCs) so they can be mitigated before the attacks reach their goals.

cyber threat hunting Monitor

The key elements of a threat hunting

The goal of the threat hunt is to monitor daily activities and traffic across the network and investigate possible anomalies to find any undiscovered malicious activity that could lead to a complete breach . To achieve this level of proactive detection, threat hunting incorporates four equally important components.

1. Methodology

To be successful in hunt for threats, companies must commit to a proactive, full-time approach that is continuous and evolving. Instead, a responsive, ad hoc implementation, “ when we have time “, will be self-defeating and will only lead to minimal results.

2. Technology

Most companies already have comprehensive endpoint security solutions with automatic detection. Threat hunting works in addition to these and adds advanced technologies . The aim is to find anomalies, unusual patterns, and other traces of attackers that shouldn’t be in systems and files.

The new cloud-native endpoint protection (EPP) platforms that leverage big data analytics can capture and analyze large volumes of non-data filtered on endpoints, while behavioral analytics and artificial intelligence can provide broad, high-speed visibility into malicious behaviors that seem normal at first.

3. Highly qualified and dedicated staff

The threat hunters are a race of their own. These experts know how to use the security technology deployed by companies. In addition, also combine the aspiration to go on the offensive with intuitive problem-solving skills to uncover and mitigate hidden threats.

4. Threat intelligence

Having access to evidence-based global intelligence from experts from around the world (e.g. Miter Att & amp; ck ) further improves and accelerates hunting for existing threats. Hunters are aided by information such as attack classifications for identifying malware and threat groups , as well as advanced threat indicators.

cyber threat hunting hacker manifesto

The abilities of a threat hunter

The Threat Hunting Report from Crowd Research Partners confirms the importance of certain capabilities for threat hunting. When asked to rank the most important skill, the survey found that:

69% chose threat intelligence
57% chose behavior analysis
56% chose automatic detection
54% chose machine learning and automated analysis

ITC analyst on the phone

The profile of a threat hunter

Threat hunters look for attackers who manage to break through vulnerabilities that a company might not even know exist . These attackers spend a considerable amount of time planning and performing the reconnaissance, acting only when they know they can successfully penetrate the network without warning. They also inject and build malware that has not yet been recognized or use techniques that do not rely on malware at all, to provide a persistent base from which to attack.

What does it take to outsmart even the smartest attackers?

A cyber threat hunter is relentless and can find even the smallest trace of what attackers have left behind. In general, threat hunters use their skills to undo the small changes that occur when attackers make their moves within a system or file.

The best threat hunters rely on their instincts to sniff out the stealth moves of the most dangerous attacker.

Are you a threat hunter? Contact us!

SOD is looking for a SOC / ICT analyst to add to the team. If you think you’re the right person, visit this page to view the detailed job posting.

Useful links:

Cyber Threat Intelligence (CTI) – greater effectiveness for IT security

Long-term search: what’s new in the SOCaaS service

Acronis Cyber Protect Cloud

Customers

Newsletter