Estimated reading time: 5 minutes
Every year the number of attacks that threaten the security of devices, computer systems, servers and network infrastructures is growing steadily. This is done by taking advantage of the vulnerabilities present in these systems. Among the many types of attacks, particular attention must be paid to the pass the ticket (PTT) attack.
With a pass the ticket attack it is possible to take advantage of the Kerberos network protocol, present in all major operating systems, to access a user’s session without having his login credentials. An attack of this type can be difficult to detect and is usually able to bypass the most common system access controls.
Pass The Ticket: what it is and how it works
Before understanding in detail what a PTT attack is and how it works, it is advisable to clarify the Kerberos network protocol since an attack of this type uses this protocol. Kerberos is a network protocol designed by MIT in the 1980s and became a standard IETF in 1993. It is used for strong authentication between different terminals through a symmetric key encryption system, without transmitting any passwords.
The advantage of using the Kerberos protocol lies in its strong authentication system between client and server. This makes it very effective against phishing and “ man in the middle ” attacks.
Kerberos is integrated into all major operating systems belonging to well-known companies such as Microsoft, Apple, Red Hat Linux and many more.
With a pass the ticket attack it is possible to exploit Kerberos authentication to gain access to a user account. The consequences that such an event could entail are not are to be underestimated. Among the many imaginable scenarios, for example, there could be the possibility that the compromised account enjoys high administrative privileges thus guaranteeing the hacker full access to resources.
A pass the ticket attack allows you to gain privileged access to network resources without having to use any user passwords . Here’s how: In Active Directory, a Ticket Granting Ticket (TGT) serves to prove that a user is just who he says to be. Through some tools and techniques, a hacker could collect these tickets and use them to request Ticket Granting Services (TGS) in order to access resources present in other parts of the network.
A PTT attack could involve risks even if the compromised account does not have particular administrative privileges since the hacker, through the Lateral Movement < / a>, may be able to gain access to other accounts and devices.
The difference between pass the ticket and an attack pass the hash lies in the fact that the former exploits TGT tickets that have an expiration of a few hours, while the latter uses NTLM hashes that change only in case a user decides to change his password. A TGT ticket must be used within its expiration time or renewed for a longer period of time.
How to Defend and Prevent a Pass The Ticket Attack
Keeping a network and the devices connected to it safe is a very important factor. You must always have protocols and software that are able to guarantee effective protection from all kinds of threats , with up-to-date systems that keep sensitive information safe. Enterprises can take advantage of endpoint detection and response technologies. Local detection of multiple tickets used for the same session will be possible.
Account case without-privileges
In the event of a pass the ticket attack, if the compressed account from which the TGT or TGS was stolen was a low-privilege account, the mitigation could be quite simple. Just reset the user’s Active Directory password. Such an action would invalidate the TGT or TGS, preventing the hacker from generating new tickets.
Case-account with privileges
Conversely, if the PTT attack compromised a privileged account, limiting the damage is much more difficult. In these cases, companies could respond to the attack by resetting the Kerberos TGT service to to generate a new signing key, making sure to delete the compromised key.
Next you need to drill down into Kerberos logs and Active Directory information to investigate and find out which network resources have been compromised. In this way it is also possible to understand which data may have been stolen. The technology SIEM allows organizations to assimilate, analyze and analyze this data.
Protection from attack
To ensure complete protection of an infrastructure, also preventing pass the ticket attacks, it is good to use valid detection technologies such as UEBA and SIEM. In fact, it is possible to prevent Pass The Ticket attacks by analyzing the behavior of users and entities. The solution UEBA , in these cases, would ensure the quick identification of any compromised account, blocking it in order to mitigate the damage.
Some software SIEM also allow not only to analyze traditional logs but are also able to provide an accurate analysis of security , analyzing the behavior of the network and users in order to detect promptly the presence of any threats to the infrastructure.
We have seen what a pass the ticket attack is and how companies can adopt specific solutions to intercept the dangers and anomalies of an entire IT infrastructure. This allows us to mitigate threats more effectively.
A complete solution, as we have seen, involves constant and granular communication monitoring . The solution we propose for this purpose is a SOCaaS .
If you want to know our dedicated security services, do not hesitate to contact us. You can use the button below, we will be happy to answer any of your questions.
Estimated reading time: 6 minutes
In the previous article we have seen the most common use cases of a SOCaaS , explaining how it can be useful for companies to use this tool to prevent cyber attacks and also explaining which are the most common Threat Models .
In this article, however, we will take a closer look at some of the more common indicators of compromise ( IOC ). First we will briefly look at the malware threat models that the use of a SOCaaS can prevent and block. As it works, a SOCaaS can be very flexible and analyze a lot of data at the same time, thus providing in-depth and accurate results.
Malware Threat Models
It is important to know how to distinguish and classify the different types of malware to understand how they can infect systems and devices, the level of threat they represent and how to protect against them. We at SOD recommend adopting the use of a SOCaaS in order to be able to classify the entire range of malware or potentially unwanted objects. Malware is categorized based on the activity they perform on infected systems.
Wannacry Malware Detection
Thanks to this threat model it is possible to detect the behavior of the well-known malware Wannacry < / a>.
Wannacry malware is a ransomware that attacks the system by encrypting files of particular importance to an organization in order to make them illegible.
Early detection of ransomware is probably the most effective action you can take to defend yourself. There are also services that are able to block the action of the malware and restore any files already encrypted with those of a backup, for example Acronis Cyber Protect Cloud .
Network anomaly followed by data infiltration
Identifies successful network data aggregation attempts, followed by signs of data infiltration. Below we see some of the anomalies and how the use of a SOCaaS can identify important clues to counter threats.
During a network scan you may notice enumerations of AD accounts and privileges, count of LDAP services outside the corporate network and a suspicious number of ticket requests to Kerberos protocol . In addition, other indicators can be a spike in LDAP traffic and the enumeration of SMB services.
As regards the anomalies of the network drive , the use of a SOCaaS is able to control access to the sharepoint in order to identify an unusual number of accesses to shared elements. This also in relation to users and their level of access.
In terms of Data Aggregation and data infiltration, the quantity of bytes downloaded from the server ports and via FTP protocols are monitored, as well as an unusual quantity of bytes transmitted to the external.
Petrwrap / Goldeneye / Amalware detection
This threat model aims to detect malware Petrwrap . The use of a SOCaaS can detect network scanning activity by monitoring the number of SMBv1 activities, as well as anomalies in these activities. Attempting to reach a never-before-reached host may also be an indicator.
Another way in which these threats can be detected with the use of SOCaaS is by auditing of suspicious privileged activity. For example, it is verified that there is no escaletion of privileges, unusual access to an admin zone or even tampering with log files.
Risk indicators in general
Risk indicators are metrics used to show that the organization is subject to or has a high probability of being subject to a risk.
These indicators are used to classify the type of behavior or threat for a policy and can be used in multiple policies for different functionality based on the data source. Risk indicators can be chained with threat models to identify sophisticated attacks across multiple data sources.
In essence, these are clues or alarm bells that indicate events that a company’s security operators should pay particular attention to. The use of a SOCaaS can help identify these clues by analyzing large amounts of data and logs in a short time.
Below is a non-exhaustive list of some of the most common threat indicators that are identifiable through the use of a SOCaaS. We will divide them into different areas, for clarity.
As for accounts, obviously, blocking an account is an alarm bell, as well as an unusual number of accounts created or a disproportionate number of failed authentication. Finally, the use of a SOCaaS could indicate an IOC as a suspicious number of accounts running concurrently .
The anomalies concerning the access or in any case the account include the detection of access to the anomalous administrative sherepoint but also the loading times of the anomalous applications. Applications that use an unusual amount of memory may also be indicators of compromise.
As for accounts, obviously, blocking an account is an alarm bell, as well as an unusual number of accounts created or a disproportionate number of failed authentication. Finally, the use of a SOCaaS could indicate an IOC as a suspicious number of accounts running concurrently .
Network alarm bells are, of course, the most common. Since networks are like “roads” of a corporate infrastructure, it is normal that anomalous behaviors in these are particularly relevant.
Common indicators are abnormal DNS zone transfers or failed requests to the firewall. But also an abnormal number of running hosts or ICMP connections. Traffic in general is also controlled through the use of SOCaaS, so that any suspicious data movement is analyzed or otherwise verified. Examples of this are packet movements to critical ports, RDP, SSH, or connection attempts to a DHCP server. These events often indicate abnormal attempts to connect to objects or network shares.
Through the use of a SOCaaS it is also very simple to control the behavior of the accounts that often show alarm bells in themselves . For example, an account logging into a host for the first time, creating an account, or adding privileges.
Relying on luck to catch threats is madness , as demonstrated by SolarWinds attack .
Create your luck with our SOCaaS solution , making sure you spot threats before incidents happen and that you are “lucky” enough to counter them.
Contact us to find out how our services can strengthen your company’s defenses, we will be happy to answer any questions.
Estimated reading time: 6 minutes
Cyber Threat Analytics applications monitor security logs and the network to promptly detect any malware infections (for example, attacks zero day ei ransomware ), the compromise of the system, the activities of “ lateral movement ”, pass-the-hash , pass-the-ticket and other advanced intrusion techniques. The use of a SOCaaS allows to extrapolate data from sources such as firewalls, proxies, VPN, IDS, DNS, endpoints, and from all devices connected to the network with the aim of identifying harmful models such as “beaconing”, connections to generated domains digitally, actions performed by robots and all anomalous behaviors.
Our system SOCaaS is equipped with artificial intelligence that enriches and transforms events SIEM , so you identify threats across your entire IT environment, including business-critical applications.
What are the-advantages at the enterprise-level?
The use of a SOCaaS. Below is a list with only some of the advantages that the use of SOCaaS can entail rapid detection of violations, reducing the impact of these. Additionally, a SOCaaS provides comprehensive threat responses and investigations, decreases monitoring and management costs, as well as compliance costs.
The use of a SOCaaS also allows you to receive quantified and non-subjective reports on threats and risks.
SOCaaS use cases
After a general overview of the advantages that the use of SOCaaS could offer to the company, let’s see in what contexts it is normally used .
A SOCaaS consists of elements that are very suitable to be applied in case of abnormal execution of applications, as well as in the analysis of bot traffic to a malicious website.
In other cases, SOCaaS identifies unusual DNS queries, a possible remote command and control activity, analyzes the spikes in bytes to external destinations and then also checks the traffic, relating it in an application / port context.
Other scenarios in which the use of SOCaaS is ideal are the detections of exploits, sessions of unusual duration, but also connections to IPs or blacklisted domains and anomalous activity in general.
Finally, it can also detect targeted SPAM attacks and phishing attempts.
By analyzing threat indicators it is possible to detect correlated behaviors on multiple data sources, to also detect all those threats that usually go unnoticed. Multiple threat indicators occurring in a scheme and involving similar entities tend to present a greater risk of posing a real threat.
The Threat Models define these patterns and combine threat policies and indicators to detect related behaviors across multiple data sources, identifying threats that may go unnoticed. Below are some of the more common Threat Models that are included in the use of a SOCaaS
Lateral Movement Detection
This Threat Model detects the possible scenarios of “ lateral movement “, used by attackers to progressively spread across a network in search of key resources and data. The signs of such an attack can be varied and we can divide them into three categories: Abnormal authentication, suspicious privileges, abnormal process.
Abnormal authentication is usually detectable by some clues. For example if an account accesses a host that has never been reached before. Or if explicit credentials are used on multiple hosts, or if a suspicious authentication type / process is detected.
Concerning suspicious privileges, here are some indicators detectable with the use of a SOCaaS:
- abnormal provisioning activity
- suspicious escalation of privileges
- abnormal access to network share objects
An abnormal process is detected in this way through the use of a SOCaaS: an unusual process code, or the suspicious creation of scheduled tasks. Alternatively, suspicious changes to the registry settings may be detected.
Detection of compromised hosts
This model is employed in the use of SOCaaS to detect hosts showing signs of infection and compromise by relating host and network based anomalies to the same entity.
A possible alarm is given by anomalies in outgoing traffic . This occurs when traffic goes to random domains or known malicious hosts. In other cases, however, an abnormal number of domains contacted is another alarm bell detectable through the use of a SOCaaS.
anomalies in the endpoint are found when rare processes or suspicious use of ports or protocols by the process itself are found. One possibility is also to detect an unusual agent.
APT detection using a SOCaaS
Detection APT detects attacks on health care networks , where the attacker’s aim is usually to obtain a unauthorized access to a network with the intention of remaining undetected for an extended period.
This includes phishing attempts , detection of a network scan or circumvention of controls. In the delivery phase, however, traffic to random domains, an anomaly in DHCP traffic or traffic destined to known malicious hosts may be identified.
During an exploit , the indicators can be: the detection of activity from terminated accounts, anomalous DNS traffic, but also a suspicious authentication process. Another possible indicator identifiable with the use of SOCaaS is an anomaly in the speed of the network.
Through the use of a SOCaaS, cases of data exfiltration can also be detected. The signals in this case are l ‘Unauthorized upload of data over the network.
Detection model Phishing using SOCaaS
This model is able to detect possible phishing attempts towards users within the organization . We’ve talked about it in other articles as well, and here are some indicators of this type of attack. A wake-up call is definitely the detection of known phishing campaigns. It is also not uncommon for spear phishing attacks to be detected.
The use of a SOCaaS is also able to identify possible phishing attempts or persistent phishing campaigns, thanks to the comparison with emails from senders / domains / IP addresses known in the blacklists. As usual, beware of suspicious email attachments, but the use of a SOCaaS could automate, at least in part, the checks.
It is then possible to identify outbound traffic anomalies , for example that towards random domains, which is also a possible phishing signal. Classic traffic to malicious hosts, an abnormal number of rare domains accessed, can also be indicators.
Host / Account Enumeration on LDAP
Usually used to identify potential assets or account enumerations on the network by malicious entities.
Running suspicious processes
- Abnormal process / MD5 detected
- Use of possible sets of AD (Active Directory) enumeration tools
- Detected use of malicious tools and utilities
- Possible AD accounts / enumeration privileges
- LDAP or SMB service count
- Abnormal number of Kerberos service ticket requests
- Port scanning
- Accounts accessing a host for the first time
- Using never-before-seen accounts on the network
- Abnormal number of failed authentication requests
Reconnaissance followed by potential exploitation
This threat model aims to identify successful network reconnaissance attempts, followed by indicators of exploitation.
- Scanning ports from external hosts
- Enumerating hosts from external hosts
- Possible count of AD accounts / privileges
- Enumeration of LDAP services
- Unsolved number of Kerberos service ticket requests
- Spikes in traffic LDAP
- Enumeration of SMB services
Anomalies in processes
- Detection of abnormal processes or MD5
- Suspicious creation of scheduled tasks
- Suspicious changes to registry settings detected
We have seen what are the major SOCaaS use cases, taking a look at some of the most common threat models that it includes in its protection system. For information on malware threat patterns and threat identifiers visit this article.
Using a SOCaaS is a solid and highly valuable business solution, ask us what it can do for your business, we will be happy to answer any questions.
Estimated reading time: 7 minutes
When we talk about “left of boom” or “right of boom” we are referring to a concept that may appear superficial. Instead, it is a powerful tool that offers the ability to analyze security conflicts from both a offensive and a defensive perspective. In a hypothetical timeline of an attack, what is left of boom refers to what happens first. Similarly, what is on the right is what happens next.
In common parlance, the term “bang” is very often used instead of “boom”, but the meaning remains the same. In essence, it is the event itself around which the previous and subsequent period is analyzed.
So, “left of boom” is the set of events that occur before the attack . “Right of boom”, on the other hand, is the set of events following the “boom”. This is the essential difference between the two terms. If defensive stocks can detect events in the “left of boom” period, solutions can be found and adopted to predict when the “boom” will happen.
For an inexperienced person in cybersecurity, these concepts regarding the timeline of a cyber attack may not even be considered, for this reason many companies prefer to use a SOCaaS.
Left of Boom
A good penetration tester can detect some “left of boom” events, but they often miss out on gathering threat intelligence. Sometimes it is unable to distinguish concepts such as “security engineering, vulnerability discovery and remediation” from “automated prevention control”.
There is actually no real good prevention tool, more security checks are detection checks. Some of these controls integrate automated response mechanisms that prevent the succession of unpleasant events.
A web application that prevents XSS or SQLI attacks is really useful for detecting invalid inputs and responds by discarding the content before the injection can occur.
A firewall designed to block ports simply detects unwanted traffic in relation to the protocol used for the connection and the number of the port you want to access, interrupting and resetting the connection request.
These examples tie in well with the concept of “right of boom”. The prevention checks detect the “boom”, the event, and respond immediately, stemming the possible damage. “Left of boom” and “right of boom” are so close in the timeline that they are hardly distinguishable, until you do a careful analysis of the events.
This is one of the reasons why IT security professionals love prevention checks. They work quickly to fix errors before the hackers achieve their goals, limiting the damage.
A SOCaaS in these cases is one of the best solutions to adopt to protect the integrity of a computer system.
Right of Boom
Generally the shorter the distance between the “right of boom” and the response time to a threat, the lower the consequences of a possible cyber attack. Obviously this is only a logical consideration, it does not apply as an absolute rule.
For some breaches, the timeline between the event and the complete elimination of the threat is questionable, as detection occurred after the hacker achieved his goal. If the hackers they manage to infiltrate the system but are stopped in time, causing no damage to the infrastructure. In this second case, therefore, there is no “boom” we are talking about.
An example of right-of-boom
To better explain the concept of “right of boom” we could take a common “malware” as an example. Malware is generally developed to mass attack many devices, without much discretion. By “right of boom” we refer to that period of time that has passed since the malware infection occurred.
If you have read the other articles published by us you will have learned how hackers use these types of infections for the purpose of collect sensitive information , which is resold to a third party. If the “right of boom” is shorter than the time it takes the hacker to sell this information, the damage can be contained.
The best security systems manage to shorten the “right of boom” time by managing to gather information on attackers in the “left of boom”. This can be achieved by implementing countermeasures based on the threat model. These tools allow you to scan entire infrastructures, observing new threat indicators days or even weeks before attacks are deployed.
As we’ve seen in other articles, attacks don’t always happen quickly. In fact, the hackers involved are more likely to act in a slow first period just to gather the information needed to launch the attack. In the “right of boom” period, useful tools such as cyber threat intelligence and a threat hunting team come back < / a>.
Why “Right and Left of boom” concepts are important
If we put ourselves in the hacker’s perspective, the concept of “right of boom” and “left of boom” can help to decide which course of action is best to take.
Suppose a hacker has two methods of breaking into a computer system. If one of the two methods could be detected in the “left of boom” period, while the other one in the “right of boom”, it is obvious that the hacker will prefer the second. In fact, this would guarantee more probabilities successful attack.
Similarly, between two methods that can be detected “right of boom” we choose the one that has the most chance of being detected late . The longer it takes from boom to detection, the greater the chances of success. This kind of reasoning is important in determining which tactic has a broader timeline.
Thinking in this light is not easy at all, requires advanced knowledge from the security expert. It also requires having to consider all those hypotheses that could potentially determine the success of the hacker.
A hacker is able to predict whether, using certain tactics, he would be able to reach the goal faster than the expert trying to detect attacks. The “boom” is the first contact, in the set of intrusion tactics used to illegally access a computer system. The remaining tactics are placed before and after it.
Speed and stealth usually cancel each other out. In fact, very often you can be faster by sacrificing some stealth.
Speed and stealth don’t get along very well when it comes to cyber attacks. Being stealthy, avoiding leaving traces, requires more attention and therefore inevitably also more time. However, if the aim of a hacker is not a single goal but a series of multiple goals, to be fast can be effective.
To defend against attacks, Indicators of Compromise (IOCs) can be collected to remedy existing vulnerabilities and to introduce new detection controls, making the computer system more secure.
It is important to understand the timeline concept of attacks, and we have seen how the concepts of “left of boom” and “right of boom” affect the response mechanisms to intrusion threats.
The concepts we’ve seen in this article, while they don’t add anything concrete to a system’s defense or attack techniques, offer a point of view. In the constant struggle between hackers and security operators, having a winning strategy means not only having efficient tools, but also planning in detail every detail, before and after attacks.
To find out how a SOCaaS can help you monitor your business infrastructure and catch the “left of boom” clues, do not hesitate to contact us, we will be able to answer every question and offer you a solution for your company.
Estimated reading time: 4 minutes
Today, facing an attack in a corporate SOC is very similar to being under attack without knowing which direction the blow is coming from. The threat intelligence can keep you informed of security issues. However, in many cases, this information is only provided when you are already under attack, and is rarely very useful except in retrospect. It would take a different approach to data analysis, and that’s exactly what we propose with predictive cybersecurity .
In cybersecurity, threat intelligence is still relied upon as a fundamental defensive tool. Unfortunately, threat intelligence only covers a subset of threats that have already been found, while attackers constantly innovate . This means that new malware executables, phishing domains and attack strategies are created all the time.
Threat intelligence has a strong value for reactive incident response. It helps when pivoting through an investigation, identifying intent or other useful data, and providing additional investigative assistance. But it has limited value for detection, as threat actors avoid reusing their attack infrastructure from one target to another.
If the clues you see are different from those known from previous attacks, what can you do to move forward with effective detection? A legitimate question, for which predictive cybersecurity perhaps has an answer.
… what if you could know what is going to hit?
SOCaaS: predictive cybersecurity
Eyes on opponents rather than past attacks
The SOCaaS solution offered by SOD brings predictive cybersecurity capabilities to cybersecurity. The solution maps adversaries , instead of threats, and analyzes their actions to predict the behavior and the tools used in their attacks.
The analytical engine translates behavioral patterns into profiles of adversary attack infrastructures , which indicate as ( trojan, phishing or other forms of attack ) and where ( branches, customers, partners, peers, industry and geographies ) < strong> attackers are planning to target your company .
This provides a preemptive attack map, which identifies opponents based on their attack phase and current position within the extended business landscape . But not only that, in fact, information about the opponent, typical attack patterns and possible countermeasures that can be taken in advance are also identified. This way you can cancel the threat before it materializes .
Predictive cybersecurity: understand what’s going to happen first
Our SOCaaS provides predictive detection capabilities against internal and external threats with the combination of user, entity and adversary behavior analysis. Our Next-Gen SIEM uses an analytics-driven approach to threat detection. SOC provides visibility in the crucial early stages of an attack. That is when cyber actors are targeting, planning and preparing the infrastructure for an attack.
With this level of predictive visibility, the team can prevent attacks and systematically contain those in progress. Predictive cybersecurity allows defenders to tune their systems against the attack infrastructure. In fact, it is possible to build blacklists that include the IP addresses and the host names of the instances used for the attack . Other measures include fortifying corporate systems against the specific malware that is used to target them, rendering the attack powerless when it occurs.
Opponent Behavior Analysis extends the capabilities of Next-Gen SIEM by continuously providing updated analysis of opponent information and behavior . This encompasses the entire attack infrastructure for dynamic and proactive threat protection.
SOCaaS automatically translates the pre-attack behavior of opponents into actions or countermeasures that can be taken against phishing, compromise of corporate email, ransomware, fraud and many other common threats.
Correlate breaches from the same adversary / campaign into a cohesive threat, even if different pieces of attack infrastructure are used for each event.
Prevention and preventive defense
Preemptively blocking an opponent’s entire attack infrastructure, such as newly created phishing domains, for preemptive defense.
Strengthen vulnerable resources
Focus and secure the most vulnerable parts of your infrastructure based on information that identifies which areas are possible targets.
The information provided by SOCaaS is used to add more context to existing threats, as well as provide information on attacks that have not yet been implemented or are in the early stages, such as reconnaissance. This allows for direct action against evolving threats and a more robust defense.
Relying on luck to catch threats is madness, as the recent SolarWinds attack . Make your fortune with SOD’s SOCaaS solution, making sure you see threats before they happen and are “lucky” enough to counter them.
Estimated reading time: 5 minutes
Just like any other IT field, the cybersecurity market is driven by hype . Currently hype towards XDR, ie eXtended Detection and Response .
XDR is the latest in threat detection and response, a key element of a company’s infrastructure and data defense .
What exactly is XDR?
XDR is an alternative to traditional responsive approaches that only provide layer visibility on attacks . I refer to procedures such as detection and endpoint response (EDR), network traffic analysis (NTA) and SIEM , which we have talked about in many other articles.
The layer visibility implies that various services are adopted, stratified (layers), which each keep under control a specific entity in the infrastructure. This can be problematic. In fact, you need to make sure that layers don’t end up isolated, making it difficult, or nearly impossible to manage and view data. layer visibility provides important information, but can also lead to problems, including :
Collecting too many incomplete and contextless alerts. EDR detects only 26% of initial attack vectors and due to the high volume of security alerts, 54% of professionals security ignores warnings that should be investigated .
Complex and time-consuming investigations requiring specialist expertise . With EDR, the median time to identify a breach has increased to 197 days, and the median time to contain a breach has increased to 69 days.
Tools focused on technology rather than user or business . EDR focuses on technology gaps rather than the operational needs of users and companies. With more than 40 tools used in an average Security Operations Center (SOC), 23% of security teams spend their time maintaining and managing security tools rather than investigating . ( Source )
For already overloaded security teams, the result can be an endless stream of events , too many tools and information to switch between, longer time frames for detection and security expenses that are beyond budget and are not even fully effective .
What’s new in eXtended Detection Response
XDR implements a proactive approach to threat detection and response . It offers visibility into data across networks, clouds and endpoints, while applying analytics and automation to address today’s increasingly sophisticated threats. The benefits of the XDR approach for security teams are manifold:
Identify hidden, stealth and sophisticated threats proactively and quickly.
Track threats across any source or location within your organization. < br> Increase the productivity of people working with technology.
Get more from their security investments .
Conclude investigations in a way more efficient .
From a business perspective, XDR enables companies to detect cyber threats and stop attacks, as well as simplify and strengthen security processes. As a result, it enables companies to better serve users and accelerate digital transformation initiatives. When users, data and applications are protected, companies can focus on strategic priorities.
Why consider it for your company
The two main reasons why this approach is beneficial are: endpoints do not have visibility into threats in places like cloud services , and it may not be possible to put a < em> software agent on all company endpoints .
But there are other reasons to consider too. The addition of other data sources can provide more context in the EDR results, improving triage and investigation of alerts . Providers are moving not only to provide more and better organized data, but also by delivering analytics platforms to lighten the analytical load on operators. This translates into ease of use and reduced operating costs.
XDR can seem very attractive as a product: Tight integration of parts, highly tuned content (as the provider has total control over the events from the data sources), use of analytics and response automation.
What to pay attention to before adoption
Some providers are positioning their XDR as the ultimate threat detection solution . However, many vendors are unable to offer all the tools needed to get the advantage sold. Some providers offer endpoint and cloud monitoring in the package, others endpoint and network monitoring, but when looking at the comprehensive needs of most organizations, there are often missing details in the overall picture.
And if, once the company engages with a provider and notices a lack in one of the monitored sectors, what are the possible solutions? A situation of vendor lock-in from which to break free means to sever a contract and then open another one, with all the consequent costs.
XDR as an approach, not as a product
Before entering into a contract with a provider that sells a solution as final, it is always good to weigh the benefits and implications analytically.
Tight, two-way integration of multiple threat detection and response capabilities is the first distinguishing feature. But it is not necessary to buy two technology components from the same vendor to achieve good integration. Indeed, many products have the ability to integrate with some solutions from other vendors as one of their main strengths.
The XDR approach must provide a platform that allows the necessary data collection and storage , but also strong analytical skills, to orchestrate and automate response actions provided by the other parts of the solution. A cloud based Next Generation SIEM is a perfect solution.
How to move then?
The interest in XDR products is a clear signal that excessive fragmentation was leading to excessive complexity. A little consolidation is good, but it must be done while protecting flexibility and the ability to follow the best solutions.
In our opinion, a SOCaaS is an optimal solution. Provides next generation SIEM , with strong analytical capabilities. In addition, it also integrates artificial intelligence that helps in time to recognize threats through behavior analysis. A SOCaaS is the future of security operating platforms.
To find out with our services they can help you protect the data of your company and your customers, contact us, we will gladly answer all your questions.
Estimated reading time: 5 minutes
threat intelligence data provides companies with relevant and timely insights they need to understand, predict, detect and respond to cybersecurity threats . Threat intelligence solutions collect, filter and analyze large volumes of raw data related to existing or emerging sources of threats. The result is threat intelligence feeds and management reports. Data scientists and security teams use these feeds and reports to develop a targeted incident response program for specific attacks .
Everyone from fraud prevention to security operations to risk analysis benefits from threat intelligence . Threat intelligence software provides interactive, real-time views of threat and vulnerability data.
The advantage offered to security analysts and experts is obvious and serves to easily and quickly identify threat actor patterns . Understanding the source and target of attacks helps business leaders put in place effective defenses to mitigate risks and protect themselves from activities that could negatively impact the business.
cyber threat intelligence can be classified as strategic, tactical or operational. Strategic concerns the capabilities and general intent of cyber attacks . Consequently also the development of informed strategies associated with the fight against long-term threats. That Tactic is about the techniques and procedures that attackers might use in day-to-day operations. Finally, threat intelligence Operational provides highly technical forensic information regarding a specific attack campaign.
The threat intelligence cycle
Threat Intelligence Solutions collect raw data on actors and threats from various sources. This data is then analyzed and filtered to produce feed and management reports that contain information that can be used in automated security control solutions . The main purpose of this type of security is to keep organizations informed about the risks of advanced persistent threats, zero- day and exploits, and how to protect yourself from them.
The Cyber Threat Intelligence Cycle consists of the following stages.
Planning: The data requirements must first be defined.
Collection: Collect large amounts of raw data from internal and external threat intelligence sources.
Processing: Raw data is filtered, categorized and organized.
Analytics: This process transforms raw data into streams of threat intelligence using structured analytics techniques in real time and helps analysts identify Indicators of Compromise (IOC). < / p>
Dissemination: Analysis results are immediately shared with cybersecurity professionals and threat intelligence analysts.
Feedback: If all questions are answered, the cycle is over. If there are new requirements, the cycle starts over from the planning phase.
Common indicators of impairment
Enterprises are under increasing pressure to manage security vulnerabilities, and the threat landscape is ever-changing. threat intelligence feeds can help with this process identifying common indicators of compromise (IOC) . Not only that, they can also recommend the necessary steps to prevent attacks and infections. Some of the more common indicators of compromise include:
IP addresses, URLs and domain names: An example would be malware targeting an internal host that is communicating with a known threat actor.
Email addresses, email subject, links and attachments: An example would be a phishing attempt which relies on an unsuspecting user clicking on a link or attachment and initiating a malicious command.
Registry keys, file names and hashes of files and DLLs: An example would be an attack from an external host that has already been reported for nefarious behavior or is already infected.
Which tools for threat intelligence
The growing increase in malware and cyber threats has led to an abundance of threat intelligence tools that provide valuable information to protect businesses.
These tools come in the form of both open source and proprietary platforms. These provide a variety of cyber threat defense capabilities, such as automated risk analysis , private data collection , threat intelligence quick search tools, reporting and sharing this information among multiple users, curated alerts, vulnerability risk analysis, dark web monitoring, automated risk mitigation, threat hunting and much more.
We talked about one of these tools in a other article : the Miter Att & amp; ck . This is a very useful tool for learning about hacker attack techniques and behaviors. This is thanks to the information gathered by threat intelligence and the consequent sharing. A framework like this is very efficient for creating defensive mechanisms that make it possible to secure corporate infrastructures.
Artificial intelligence and threat intelligence
As we saw earlier, gathering information from various sources is just one of the steps. These must then be analyzed and subsequently processed into control protocols, to be really useful for security.
For this type of work of analysis, definition of baseline behaviors and data control, we are increasingly relying on artificial intelligence and deep learning. A Next Generation SIEM , flanked by a UEBA solution are perfect for this type of protection.
The control of the behavior of entities within the perimeter carried out by the UEBA is able to identify any suspicious behavior, based on the information collected and analyzed by the SIEM.
The defenses we have named are the primary value of a corporate security plan. Adopting specific solutions, implementing threat intelligence and therefore an active search for threat indicators, offers a strategic advantage. The company can take a step ahead of criminals, who can only leverage the surprise effect against their victims. Precisely for this general situation, every company should be in a position not to be caught by the off guard. Implementing proactive solutions is now necessary.
The threat intelligence is therefore a defense weapon behind which to protect the most important resources in order to work in peace.
If you want to know how we can help you with our security services, do not hesitate to contact us, we will be happy to answer any questions.
Estimated reading time: 8 minutes
The term shoulder surfing might conjure up images of a little surfer on his shirt collar, but the reality is much more mundane. shoulder surfing is a criminal practice in which thieves steal your personal data by spying on you while using a laptop, ATM, public terminal or other electronic device among other people . This social engineering technique is a security risk that can cause disaster, especially if the stolen credentials are corporate.
The practice long predates smartphones and laptops and dates back to when criminals spied on pay phone users as they entered their calling card numbers to make calls . Many years have passed, but the technique has not been lost. Thieves have evolved to observe their victims typing their ATM PINs, paying at self-service petrol pumps, or even making a purchase in a store.
A similar technique for ATM theft involves a card cloning device superimposed on the card insertion hole and a micro camera to spy on the code. The micro camera performs an act of shoulder surfing . Card cloning is essential because without a physical device the pin is useless, but in the case of account credentials on the network, all you need is user and password.
When does Shoulder Surfing take place?
shoulder surfing can happen whenever you share personal information in a public place. This includes not only ATMs, coffee shops and POS devices in general, but virtually any place where you use a laptop, tablet or smartphone to enter personal data.
Long-time shoulder surfers did not usually loom behind their victims to scrutinize information. Instead, they stood at a safe distance and interpreted finger movements as people typed numbers on the keyboard . Similarly, today’s social engineers often escape attention as they quietly observe others in public places such as airport lounges and shopping malls, bars and restaurants, on trains or subways, or wherever there are people, to tell the truth.
Indeed, today’s most sophisticated criminals are watching from further away, hidden from view. They could use binoculars, micro cameras, or the camera of their phone or tablet to scan your screen or keyboard. Not only that, they may eavesdrop as you read credit card numbers on the phone or provide other sensitive information. Criminals could also take pictures, make a video or audio record of the information and then interpret it later.
Whatever the methodology, it is clear that technology has not only helped us to be more connected and be able to afford to pay for a frappuccino with our mobile phone, but it has also exposed us to security risks. When it comes to sensitive data, especially if there is a corporate account involved that could access other people’s sensitive data, you should never let your guard down , consequences could be very serious .
As shoulder surfing commonly happens
Before suggesting some methods to prevent shoulder surfing to be put into practice immediately, let’s take a closer look at how credential theft could happen with this technique.
At the bar or in the cafeteria
You’re in a busy restaurant bar waiting for a friend. To pass the time, you connect to Instagram. Unfortunately, you don’t notice that the person stuck in line next to you is looking at your password, which happens to be the same one you use for your email and bank account.
At the ATM
You’re taking cash at an ATM. You feel safe because the man after you in line is at least 10 feet away and is even looking at his phone. In fact, he is recording your finger movements on his phone and will later decrypt them to get your PIN number.
To the airport
Your flight is delayed, so grab your laptop and kill your time by reading a couple of work emails to keep up to date. Log in to the company website to read your mail and enter your username and password. You are so calm that you don’t see the woman a few places away as she stares at the screen while you enter data.
What are the consequences of shoulder surfing?
Using your credit card information to make fraudulent purchases is just one example of the damage you could suffer if you fall victim to shoulder surfing . The more personal information a criminal captures about you, the more serious the consequences can be for your bank account and financial health.
A serious case of shoulder surfing can expose you to identity theft . A criminal could use your personal information, such as your social security number, to open new bank accounts, apply for loans, rent apartments, or apply for a job under your name. An identity thief could get their hands on your tax refund, use your name to get medical treatment, or even apply for government benefits in your name. They could also commit a crime and provide your personal information when questioned by the police, leaving you with a dirty record or arrest warrant.
Of course, if you suspect this has happened, you’ll need to go to the police immediately, block your checking accounts and notify the bank. If fraudulent actions have already been carried out in your name, you may need to prove that you are not involved.
Things get dangerous if the stolen data is from a corporate account. In fact, with the use of valid credentials, anyone could enter the company’s system and perform all kinds of actions, such as collecting additional data, placing malware, running a ransomware , steal customer data and then sell it online.
How to defend yourself from shoulder surfing
Two levels of protection can be identified, the first is proactive and is aimed at preventing credentials from being exposed to malicious people, the second is active and provides software to detect attempts to use stolen credentials.
Defend yourself proactively
If you really can’t avoid entering sensitive data on your laptop, tablet or smartphone in a public place, you should follow the countermeasures listed below.
Tip 1: Before entering any sensitive data, find a safe place . Make sure you sit with your back to the wall. This is the best way to protect yourself from prying eyes. Avoid public transport, the central armchairs of a waiting room and places where there is a lot of people coming and going.
Tip 2: Use a privacy filter. This hardware device is a simple polarized translucent sheet that is placed over the screen. It will make your screen look black to anyone looking at it from any unnatural angle . This will make it much more difficult for unauthorized people to see your information.
Tip 3: Two-factor authentication requires a user to prove their identity using two different authentication components that are independent of each other. Since this type of authentication only passes when both factors are used correctly in combination, the security measure is particularly effective. For example, this method is often used a lot in online banking. There are many services that allow you to use your mobile phone as a second authentication factor . This is done through special apps.
Tip 4: Another solution is to use a password manager . By doing so, you no longer have to enter each password individually on your computer. The password manager will do this for you after you enter your master password . This prevents unauthorized people from using your keyboard to determine the real password, provided that you properly protect your master password .
Actively defend yourself with a SOC and behavior analysis
Now let’s imagine that the corporate account credentials have been stolen. At this point only a behavior control system can trigger an alarm and therefore block the user before there is any damage.
In fact, using correct credentials, a normal traditional SIEM would not trigger any alarms. For an older generation SIEM, access would be legitimate, because the credentials are correct. The attacker would have free undisturbed access to the system and could continue with his attack plan.
With SOD’s SOCaaS service, however, abnormal access would trigger an alarm. The SOC provided is equipped with a Next Generation SIEM and a system UEBA control behavior . This means that any deviation from the user’s usual behavior would be reported.
In the case of credential theft, as happens with shoulder surfing, the access made by the attacker would therefore trigger an alarm because something is wrong . For example, the login could take place at anomalous times, in another country / IP, from a different operating system, etc.
shoulder surfing is a social engineering technique that focuses on user carelessness while entering sensitive data into a system. In the event that a user’s corporate credentials are stolen, the only really efficient thing is to have a system that analyzes user behavior and reports whenever suspicious actions are detected.
If you want to know in detail how a SOC and UEBA system can help your company defend against social engineering attacks, do not hesitate to contact us, we will be happy to answer any questions.
Estimated reading time: 6 minutes
The cost of cybercrime has now outstripped the ability to keep up. Gartner, a multinational security and analytics company in the field of technology, predicted that world spending on cybersecurity will be 16 times lower than damage caused. To address this challenge, organizations are now turning to machine learning and artificial intelligence for cybersecurity, trying to fill in the gaps.
The vast majority of malware targets known vulnerabilities, but botnets often go unnoticed within the victim organizations for around 12 days. The problem in many cases is the scarcity of resources a arrangement.
The attack surface has expanded in recent years with the adoption of IoT devices and the spread of BYOD (Bring Your Own Device) work environments. This, combined with the increasing sophistication of the attacks and increasing the security skills gap, has overwhelmed many teams.
In response, service providers MSSP are increasingly implementing a machine learning system in their cybersecurity solutions. This is certainly an interesting field and many security chiefs are looking for a permanent solution in the fight against cybercriminals. But the question is whether the machine learning offered by artificial intelligence can add new value to the realm of security.
Threat detection and prevention
Most companies are operating with a standard security kit. Their rooms are filled with devices that claim they can detect and prevent the latest threats through signature-based detection, predefined policies or custom configurations. Sensors in this category include firewall , DLP ( Data Loss Prevention ), IPS ( Intrusion Prevention System ) and WCF ( Web Content Filter ) . An alarming consideration, as these sensors continue to be adopted in large numbers, many of them may not be configured correctly .
Furthermore, many of these devices operate in complete isolation , unable to share or correlate information or respond to threats with any kind of coordinated strategy. Consequently, controlling these devices also requires an extra layer of sensors , along with additional members of the security team. Of course, more sensors and more data require more people and given the current security skills shortage, this strategy is unsustainable in the long run.
Through a complete system such as a SOC , however, this does not happen. The collection, correlation and analysis take place in a coordinated way in a SOAR (Security Orchestration, Automation and Response) designed to be a unique workflow. Part of these tasks is done by artificial intelligence and machine learning mess and in the service of cybersecurity . The aim is to analyze user behavior and identify anomalies, as well as learn from past analyzes.
Machine learning for cybersecurity
Machine Learning (ML) is a subset of AI (Artificial Intelligence). AI and ML can enhance our human capabilities by allowing us to dig through large datasets and locate patterns behavior or signals that would be nearly impossible for humans to find. This force multiplier allows technicians at their disposal to identify unusual behaviors. Then the behavioral analysis with UEBA (User Entity Behavior Analytics) tools for safety will do the rest. Mundane and repetitive tasks can also be automated with machine learning, allowing scarce cybersecurity staff resources to focus on higher-value tasks.
UEBA and security
Machine learning and artificial intelligence are based on so-called “big data”. Their efficiency and accuracy improve with the amount of data passed to them . The important thing, however, is to collect the right data. This is where UEBA security systems come in. . The combination of accurate and essential behavioral data with machine learning is the strength of this cybersecurity system. This combination allows you to accurately monitor users, providing deep visibility into what they do on a regular basis .
Once a behavior routine has been established, when a user takes actions that the system considers abnormal , a notification is generated. The operations team is thus notified of any action outside the routines defined . If the detected activity is legitimate, analysts can simply label the activity as part of the routine . Machine learning integrates that data into subsequent data analysis for corporate cybersecurity . The crucial step is normalizing behavior , which ensures that that precise action will no longer generate notifications.
Obviously, in the early stages of system installation, the notifications will be numerous . As AI reduces these false positives by “learning”, whenever moves away from normal behavior, l and notifications become more urgent for safety.
The benefits of combining UEBA, machine learning and security
The use of machine learning together with user behavior data provides a level of proactivity to cybersecurity that is not possible when relying on traditional sign-based detection and prevention systems . This is because you are able to detect subtle changes in behavior that are difficult to detect with traditional systems. It is simply not possible to configure a system with every single permutation of rules to detect all attacks.
Detecting low-level reconnaissance activities using UEBA and machine learning is far more likely to trigger your spider senses than other methods. This provides a huge advantage, making it much more difficult for attackers to evade control by flying under any rules-based radar.
The added value
The advantages of using a UEBA security solution built on a machine learning platform for cybersecurity are many. Because their ability to manage network activity routines is refined, not only they can detect abnormal changes in behavior, but this information can become part of a proactive process , identifying and preventing certain behaviors before they occur.
But perhaps most importantly, machine learning is entering the scene at a very sensitive time for cybersecurity. The number of analysts needed to sift through the data by hand and identify threats is exceeding the number of professionals available. Removing the man from a task for which he is not particularly suitable , is free to focus on areas where it can add value, such as further developing cybersecurity protocols.
So, does machine learning add value to cybersecurity? We really believe so.
Costs and proposed solutions
In terms of costs in general, with a UEBA system maintenance is reduced and does not require the hiring of new professionals, especially if you consider the use of the service in SaaS solution.
We at SOD offer the machine learning and UEBA system, together with a SIEM Next Gen in an ideal solution for those who do not want to invest in the installation of dedicated hardware . Our SOC as a Service is designed to optimize your investment and maximize the return in terms of quality of security procedures.
To find out more, visit the service page or contact us to find out how this solution can be useful for your business. We will answer all your doubts.
Estimated reading time: 6 minutes
Despite some seasonal declines, ransomware is still a serious security threat, especially for those who underestimate it . It is often thought that to protect yourself from ransomware it is enough to have a backup copy of your data. This point of view does not take into consideration various aspects. One of them is the relationship between ransomware and NAS ( Network Access Storage ), where you often store a backup copy of the server, thinking it is enough.
Ransomware attacks are capable of rendering entire disks unusable by encrypting the file system . Network disks are at risk, which can also be encrypted, reducing the effectiveness of a backup stored on a NAS.
Definition of Ransomware
Ransomware, as we have seen in other articles, is a form of malware that encrypts the victim’s files. The attacker then demands a ransom from the victim to restore access to data against payment .
Users are shown instructions on how to pay a fee to obtain the decryption key. Costs can range from a few hundred euros to thousands, payable to cybercriminals in Bitcoin.
Once the malware gets executed, it’s almost always too late. In fact, often the victim does not notice until the ransom demand is made or when the entire disk has been completely encrypted.
How ransomware works
There are several ways that ransomware can take to access a server. One of the most common delivery systems is phishing . Some attachments arrive at the victim’s computer in an e-mail message, masked from a harmless file.
Once executed, these software masquerading as harmless files can take control of the victim’s computer, especially if they have social engineering tools built in which trick users into allowing administrative access . Tracing back to the server isn’t as complicated as it might seem.
Some other more aggressive forms of ransomware, such as NotPetya , exploit security holes to infect computers without the need to trick users.
There are several things malware could do once it has taken over the victim’s computer, but by far the most common action is to encrypt some or all of the files it has access to. If you want to get into the technical, here’s more information on how encryption takes place.
The most important thing to know is that at the end of the process, files cannot be decrypted without a mathematical key known only to the attacker . The victim is presented with a ransom note and explained that without a payment, the files will remain inaccessible.
Regardless of the requests and how the ransomware is unleashed in the first place, the thing to note is that there is no data that can be saved. So, if your customers’ data is on a server, they can be involved in such an attack.
If the ransomware encrypts file systems and not just individual files, the problems could multiply.
Ransomware, NAS and backups
One of the ways to mitigate the risk is to have a backup available with which to restore the data without having to surrender to payment. The best practices for management backups do not want there to be backups on the same machine, so it is possible that they are kept on network disks, always accessible from servers. But in fact those disks are part of the machine, as they are accessible.
These disks, called NAS (Network Access Storage), are great solutions for managing files on a network, but they can become as useless as the server in the event of a ransomware attack. If the attack encrypts the file systems, it is possible that finding the remote folders on the NAS encrypts those as well, rendering the backup unusable.
The targets of a ransomware
There are several ways attackers choose which organizations they target with ransomware attacks. Sometimes it’s a matter of opportunity – for example, attackers might target universities because they tend to have smaller security teams and a disparate user base that share many files, making it easier to penetrate their defenses.
On the other hand, some organizations are tempting targets because they seem more likely to pay a ransom quickly. For example, government agencies or medical facilities often need immediate access to their files. .
Law firms and other organizations with sensitive data may be willing to pay to keep news of a compromise hidden , and these organizations are often particularly sensitive to a data exfiltration threat.
However, it has been noted that some ransomware is capable of spreading itself on the network . In fact, no one is completely safe, especially if the data stored on the servers is sensitive.
Ransomware and NAS: how to manage backups
As we have seen, ransomware is no small threat to the data stored on corporate servers. Now let’s see what precautions you can take to protect your data and servers.
Do not use NAS for backups
Se il ransomware arriva a un NAS, quasi certamente lo cifrerà rendendo il backup inaccessibile. Evitare questo problema è facile: usare il cloud!
The server provider should offer the ability to store machine backups on the cloud . This means that the backups are not always reachable by the server and therefore the software is unable to encrypt them.
This is the standard of our VPS service . In case of compromise, in fact, it is sufficient to restore the virtual machine to an earlier state through one of the backups stored in the cloud .
Alternatively, you can backup on premise , ie locally, physically in the company. Using the Acronis Backup service you can perform a backup on an external disk not connected to the network.
Another solution, hybrid of the previous ones, is to create a backup through Acronis and store it in the cloud and not locally. You maintain the advantage of having a remote backup that is not connected to the server constantly.
Finally, it is correct to mention that there is another solution, the precautionary solution. With the use of our service SOC and thanks to the use of latest generation analysis systems, it is possible to immediately identify a malware or an attack ransowmare and block it before it does damage.
Whether it is adopting best practices for backup and storing them remotely, or adopting a SOC to protect this aspect and many others in the field of IT security , SOD is available to discuss the situation and find a solution tailored to the needs of your company.
Contact us to ask for information, we will be happy to answer any questions.
Estimated reading time: 6 minutes
As the cybersecurity threat landscape becomes increasingly sophisticated, service providers, such as SOD, need to take additional precautions to protect their customers’ networks. An information management system and monitoring SIEM is an excellent choice in this respect.
This system, in fact, helps mitigate cybersecurity threats from two different angles, all from a single interface . The SIEM monitoring system collects information from multiple sources: network data, threat information feeds, compliance regulations, firewalls, etc. Next, uses that data to power features designed to help IT administrators respond to threat events in real time.
Advantages of SIEM monitoring
In contrast to individual security control systems such as asset management or network intrusion detection, SIEM allows you to dig deeper into security vulnerabilities by unifying information from various systems – even very and offering unprecedented visibility into events occurring in the system.
SIEM is not a threat detection system in and of itself, but enhances the security tools already in use by providing real-time insights to work from . In particular, SOD uses a Next Gen SIEM in a SOAR ( Security Orchestration, Automation and Response ) which also includes advanced behavioral analysis tools ( UEBA ).
If you put high-quality log files into a SIEM tool, you receive high-quality insights into network security . This information can help improve network security protocols.
Unfortunately, many administrators treat SIEM implementation as a solution to be set up and then forgotten. To experience the full benefits of managing information and security events , you need to implement a set of best practices to optimize your solution, starting with security logging.
The logs of a SIEM
How does security monitoring fit into SIEM implementation best practices ? If you look at the SIEM in its main components, it is a log management system .
All the information that a SIEM tool collects is in the form of logs, or records of events occurring within an organization’s IT infrastructure and network.
Examples of logs collected by SIEM include, but are not limited to: Firewalls, routers, wireless access points, vulnerability reports, partner information, antivirus and antimalware.
However, as SIEM tools have a very broad reach and constantly collect log data from all parts of the system, can be a bit complicated and impractical to implement . SIEM best practices help avoid pain points along the line of operation. This way you use SIEM as effectively as possible right from the start.
1. Start calmly
The most common mistake made in implementing SIEM monitoring is trying to do too much too soon . Before you even start looking for a SIEM solution, in fact, it is best to define the scope of your SIEM implementation and think about what you want SIEM to do for your network and infrastructure.
We start by isolating the objectives , taking stock of existing security protocols and brainstorming how these protocols fit into the future SIEM implementation. You can also segment anything you want to monitor into groups and define how you want to monitor them. This helps ensure that you have a clear plan for logging.
Once an initial planning has taken place, the SIEM system does not yet have to be implemented across the entire IT infrastructure. It is better to proceed piecemeal.
You should then test the SIEM monitoring solution on a small section of the system to see how it works. Only then are key security vulnerabilities identified that should be addressed immediately and proceed with implementation in subsequent segments.
Setting up SIEM monitoring step by step, rather than running everything right away, will help ensure that logging works in harmony with the rest of the IT section .
2. Think about the requirements
SIEM monitoring can help the company demonstrate compliance with security regulations and audits, but only by knowing what these standards are in advance . Before committing to a SIEM system, you create a list of HIPAA, GDPR, HITECH and any other IT regulations that you need to comply with. The list is then used to compare the required regulations with the solutions that are put into practice.
Not only does this narrow down the list of standards, it will force you to consider how much log data you actually need. Keeping the correct amount to be compliant, also aligns with best practices of SIEM logging and monitoring .
Obviously, the solutions and protocols to follow are not the same for everyone and need to be adapted according to the position of the individual company. For this particular aspect, SOD can help your company both in gathering the information necessary to identify which standards to follow, and in the standards verification once implemented.
3. Fix the correlations
SIEM correlation streamlines its implementation, allowing you to configure the system according to the specific needs of their customers. SIEM works by collecting data from multiple sources and then filtering, analyzing and correlating it to determine if it deserves to be reported as a security alert.
For this it is essential to correlate the rules and set alarm thresholds based on the type of data and their origin . It is important to remember, in fact, that SIEM is designed to find connections between events that would not otherwise be related to each other.
Setting up a SIEM monitoring system is a delicate but fundamental operation to improve the security system for a particular company.
4. Collect data efficiently
Through a SIEM monitoring system it is possible to collect such an amount of data that it could become complicated to manage. It becomes important to choose in a balanced way which data to use in order to optimize the right amount without losing the advantage of having the entire system under control .
Among the data that it is better not to leave out are: Successful permissions and failed attempts, changes to user privileges, application errors and performance problems, opt-in and in general all the actions made by users with administrative privileges.
The following are excluded: information whose collection is illegal, banking information or credit card data, encryption keys, passwords and personal data .
5. Have a plan in case of a detected threat
Choosing the right SIEM solution and employing logging best practices is only part of the job. You need to have an action plan in case of cyber threat .
For the company that relies on a MSSP as SOD, this means making sure that monitoring is only the first part of the service provided. Ideally, SIEM monitoring is the first piece of a well-designed SOAR that puts in place professional operators, alert notifications and a recovery plan in accordance with the type of data put at risk .
In this respect, the SOC as a Service we offer covers most of the eventualities.
Monitoring is a fundamental part of the corporate security system and a SIEM is one of the ways to put it into practice. However, we must not stop at the collection of information, we must know how to treat, enrich and analyze it.
SOD offers comprehensive services that implement SIEM monitoring systems. The implementation obviously implies a “calibration” of the systems and of the correlations between the data in order to always offer the most suitable solution.
If you would like more information about our products, do not hesitate to contact us, we will be happy to answer your questions.
Estimated reading time: 5 minutes
Cyber Threat Hunting is a proactive security search across networks, endpoints and datasets to hunt down malicious, suspicious or risky activities that have escaped detection by existing tools.
There is a distinction between malware detection and cyber threat hunting . Threat detection is a passive approach to monitoring data and systems to identify potential security problems. However, it is a necessity and can help a threat hunter . Instead, proactive threat hunting tactics have evolved to use new threat intelligence on previously collected data to identify and classify potential risks before the attack .
Security personnel cannot afford to believe that their security system is impenetrable. Must always remain vigilant for the next threat or vulnerability . Rather than sitting around and waiting for threats to strike, cyber threat hunting develops hypotheses based on knowing the behaviors of threat actors and validating those hypotheses through active research in the environment .
With threat hunting, an expert doesn’t start with an alarm or indicators of compromise (IOC), but with deeper reasoning. In many cases the threat hunter’s efforts create and concretize the alarm or the IOC.
This aggressively assumes that a breach has occurred or will occur at the company. Security officers hunt down threats in their environment rather than rely on automatisms.
Threat hunting practice
For companies that are ready to take a more proactive approach to cybersecurity , which tries to stop attacks before they get too deep, adding threat hunting protocols to their security program is the next logical step.
After consolidating endpoint security and incident response strategies to mitigate the now unavoidable known malware attacks, companies can begin to take the offensive . This means digging deep and finding what hasn’t been detected yet. This is precisely the purpose of cyber threat hunting.
As mentioned earlier, threat hunting is an aggressive tactic that starts from the premise of the “assumption of violation”. Attackers are already inside an organization’s network and are secretly monitoring and moving into it.
This may sound far-fetched, but in reality, attackers can be inside a network for days, weeks, and even months . In the meantime, they prepare and execute attacks as advanced persistent threats, with no automatic defense detecting their presence . Cyber threat hunting stops these attacks by looking for covert indicators of compromise (IOCs) so they can be mitigated before the attacks reach their goals.
The key elements of a threat hunting
The goal of the threat hunt is to monitor daily activities and traffic across the network and investigate possible anomalies to find any undiscovered malicious activity that could lead to a complete breach . To achieve this level of proactive detection, threat hunting incorporates four equally important components.
To be successful in hunt for threats, companies must commit to a proactive, full-time approach that is continuous and evolving. Instead, a responsive, ad hoc implementation, “ when we have time “, will be self-defeating and will only lead to minimal results.
Most companies already have comprehensive endpoint security solutions with automatic detection. Threat hunting works in addition to these and adds advanced technologies . The aim is to find anomalies, unusual patterns, and other traces of attackers that shouldn’t be in systems and files.
The new cloud-native endpoint protection (EPP) platforms that leverage big data analytics can capture and analyze large volumes of non-data filtered on endpoints, while behavioral analytics and artificial intelligence can provide broad, high-speed visibility into malicious behaviors that seem normal at first.
3. Highly qualified and dedicated staff
The threat hunters are a race of their own. These experts know how to use the security technology deployed by companies. In addition, also combine the aspiration to go on the offensive with intuitive problem-solving skills to uncover and mitigate hidden threats.
4. Threat intelligence
Having access to evidence-based global intelligence from experts from around the world (e.g. Miter Att & amp; ck ) further improves and accelerates hunting for existing threats. Hunters are aided by information such as attack classifications for identifying malware and threat groups , as well as advanced threat indicators.
The abilities of a threat hunter
The Threat Hunting Report from Crowd Research Partners confirms the importance of certain capabilities for threat hunting. When asked to rank the most important skill, the survey found that:
69% chose threat intelligence
57% chose behavior analysis
56% chose automatic detection
54% chose machine learning and automated analysis
The profile of a threat hunter
Threat hunters look for attackers who manage to break through vulnerabilities that a company might not even know exist . These attackers spend a considerable amount of time planning and performing the reconnaissance, acting only when they know they can successfully penetrate the network without warning. They also inject and build malware that has not yet been recognized or use techniques that do not rely on malware at all, to provide a persistent base from which to attack.
What does it take to outsmart even the smartest attackers?
A cyber threat hunter is relentless and can find even the smallest trace of what attackers have left behind. In general, threat hunters use their skills to undo the small changes that occur when attackers make their moves within a system or file.
The best threat hunters rely on their instincts to sniff out the stealth moves of the most dangerous attacker.
Are you a threat hunter? Contact us!
SOD is looking for a SOC / ICT analyst to add to the team. If you think you’re the right person, visit this page to view the detailed job posting.
Estimated reading time: 6 minutes
Cyber Security is the practice of defending computers, servers, mobile devices, electronic systems, networks and data from malicious attacks. It is also known as Information Technology Security and Electronic Information Security . The term applies in a wide variety of contexts, from business to mobile computing and can be divided into a few common categories.
We can divide cyber security into several areas of interest which I list briefly below. In almost every situation listed, SOD has a dedicated service.
Cyber Security areas of interest
network security is the practice of protecting a computer network from intruders, whether it is targeted attacks or generic malware .
application security focuses on keeping software and devices free from threats. A hacked application may be providing access to data that it was designed to protect. Robust security begins in the design phase , well before a program or device is deployed. This is why analyzing the code of an app is essential before it is released.
operational security includes processes and decisions in the management and protection of resources and data. The permissions that users have when accessing a network and the procedures that determine how and where data can be stored or shared all fall within this scope.
Disaster recovery and business continuity define how an organization is able to respond to a cyber security incident or any other event that causes data loss . Disaster recovery policies dictate how the organization restores its operations and information to return to the same operational capacity as before the event. business continuity is the plan the organization resorts to as it tries to operate without certain resources.
The human part of cyber security
End User Education addresses the most unpredictable factor in cybersecurity: people . Anyone can accidentally introduce a virus into an otherwise secure system by not following security best practices. For example, teaching users to delete suspicious email attachments and not insert unidentified USB drives is vital to the security of any organization .
In this area, particular importance should be given to scams, phishing and in general social engineering, which relies on the element usually more weak computer system: the operator.
The scope of cyber threats
The global cyber threat continues to evolve at a rapid pace, with a increasing number of data breaches every year . A report from RiskBased Security revealed that 7.9 billion documents were exposed to data breaches in the first nine months of 2019. This figure is more than double (112%) of the number of documents exposed in the same period the previous year.
I medical services , retailers and government agencies have experienced the most breaches , with malicious criminals responsible for most accidents. Some of these industries are more attractive to cybercriminals because they collect financial and medical data, but all companies using networks can be targeted for their customers’ data, corporate espionage, or to attack customers .
What governments do
With the scale of the cyber threat set to continue to grow, the International Data Corporation predicts global spending on cyber security solutions will reach a record $ 133.7 billion by 2022 . Governments around the world have responded to the growing cyber threat with guidance to help organizations implement effective cybersecurity practices.
In the United States, the National Institute of Standards and Technology (NIST) has created a cyber security framework , to combat the proliferation of malware code and aid early detection. The framework recommends continuous, real-time monitoring of all electronic assets .
The importance of system monitoring is resumed in the “ 10 steps to cybersecurity “, a guide provided by the UK government’s National Cyber Security Center . In Australia, the Australian Cyber Security Center (ACSC) regularly publishes guidance on how organizations can counter the latest cybersecurity threats.
In Italy we have the national framework for cyber security which provides tutorials, guides and European standards on cyber security .
MSSP and cyber security services
A Managed Security Service Provider (MSSP) provides monitoring and management in outsourcing for security devices and systems. In practice it takes care of all cyber security measures for the company requesting the services.
SOD is an MSSP and the services offered include protection and monitoring of various sectors of the corporate IT department.
Our verification services include vulnerability and penetration testing , as well as the analysis of safety procedures . With the SOC as a Service service we provide the potential of a Security Operation Center , relieving the company of installation and management costs. The SOC adopts latest generation technologies such as SIEM Next Gen and UEBA , which introduce analysis by an AI for motoring logs and users .
SOD uses security operations centers to provide 24/7 services designed to reduce the number of operational personnel that a company must manage, while still guaranteeing levels of cyber security excellent.
But defense fronts don’t stop at software and machines, must also include the most unpredictable element: the end user . That’s why our offer for companies also includes people-oriented services, as we will see shortly.
End user protection
End user protection is a crucial aspect of cyber security . After all, it is often the end user who accidentally loads a malware or other form of malware on their device .
As suggested earlier, the security protocols set up by SOD analyze software in real time. Through behavioral analysis systems we can monitor both the behavior of a software and the user . In the case of an attack based on lateral movement , for example, abnormal accesses and requests by a user can be indicators of an attack in progress.
But we don’t stop there, we can test the company against techniques of social engineering , phishing and physical tampering. Thanks to the ethical hacking services and consequent report, we are able to identify the company’s weak points and suggest effective strategies to mitigate the risks. In the case of phishing, we also organize ad hoc training based on the weaknesses highlighted in the report.
Through the physical security service, in addition to the IT vulnerability testing services, we put ourselves in the play the bad guys and try to carry out physical attacks . For example, we try to enter corporate buildings that should be protected, we try to reach network infrastructures and install potentially harmful hardware, etc.
Thanks to a team of ethical hackers and trained and trained operators, we test every aspect of cyber security before a risk becomes a problem .
If you want more information about our services or have any questions, don’t hesitate to contact us.
Estimated reading time: 9 minutes
Spam seems to reach every single email account we use , no matter how careful we are or what the address provider is. How do spammers get all of our email addresses? Can we do something to hide our email address from common spammer techniques?
Unfortunately, there’s not much you can do to stop spammers from bombarding you with emails. There are some tips that will help protect you, but spammers will probably find your email address anyway .
The problem is not so much the unwanted advertisement message, but rather what it means that you received a message. How did you react? Did you delete it? Did you click on any links? Have you flagged it as spam? Any action could bring useful information to attackers without you noticing.
Let’s face it more clearly and start with a question: where do spammers find our e-mails?
Spammer techniques for retrieving e-mail addresses
Nobody gives their email to a website and expects it to end up in the hands of a scammer. Yet it’s not uncommon for someone to find their inbox full of unsolicited spam emails.
The simplest of the techniques spammers use to collect large lists of active email addresses is through stolen account databases. These password thefts happen with frightening regularity. Companies like Adobe, LinkedIn, eHarmony, Gawker, Last.fm, Yahoo !, Snapchat and Sony have all been compromised in recent years .
Leaked databases are normally considered a security threat because they often display account names and passwords. However, generally show email addresses as well. Spammers can download these leaked databases and add the millions of email addresses to their lists . Spammers know that most of these email addresses should be active , so these databases are excellent for them.
This is probably how most spammers are finding email addresses to send spam. There really isn’t much you can do to protect yourself from a spammer who gets your address this way.
A site like Have I been pwned? can tell you if the information of your account may have been spread .
You can protect yourself from password theft by using different ones, unfortunately, you must always use the same email address everywhere , it would be unthinkable to have an address for each service used.
Link in mail messages
If you receive spam emails, you should avoid clicking on the links in the email . If you find an “Unsubscribe” link in an email from a legitimate company, it’s probably safe to click it. A real company doesn’t want to spam and potentially run into anti-spam laws, so they will simply remove you from their list.
However, if you see an “Unsubscribe” link (or, even worse, a “Buy Now!” link) in an email that looks very unprofessional and scam, the spammer will not necessarily remove you from his lists .
This is where things get more complex. They will notice your click and their systems will identify your email address as active . They know you’re there, and you may see larger amounts of spam after clicking the link.
The same goes for uploading images in spam emails. Do not click the “Upload images” button, or spammers will know that you have opened the email . Even if you don’t see an image in the message, there may be a small tracking pixel that allows the spammer to identify you if you upload the asset.
This is why most email clients don’t automatically upload images.
E-mail scraping, search for unencrypted e-mails on the net
Another spammer technique to retrieve addresses from the network is to scrape them ( scraping ) from the unencrypted data on the network. There are software out there that read files on the net and find those that contain e-mails and save them. A bit like Google’s crawlers do when they crawl a site, but with malicious intent.
You may have seen a comment where someone leaves their address to be contacted. The bot that scans the network will save similar addresses.
The spammer adds this address to his spam lists et voilà , spam is served . This is why eBay provides a temporary email address where you can be reached rather than including your real email address. This technique is probably less common now that spammers have huge leaked account databases to work with.
Spammers can also try to acquire valid email addresses by browsing other places that are publicly available, such as whois records for a domain . These records show an email address associated with the person or organization that registered the domain name.
Purchase of email addresses
Another spammer technique, definitely for lazy hackers, is to buy addresses from databases that provide them.
Unscrupulous people sell email lists to spammers for a low price. These addresses were often distributed on CD in the past , and may still be, but the leaked account databases have probably eliminated some interest in this market.
Spammers can also simply exchange their mailing lists with each other, making sure other bad guys get their hands on your address once it happens the first time.
Please be aware that this technique is not entirely illegal. When we subscribe to a service, we often have the possibility to provide our e-mail address to third parties for advertising purposes. Some users accept without reflection and without verifying whether it is an obligation to subscribe to the service or not. .
I personally happened to be contacted by a person who, with no intent to spam, but to make up the number, had bought my address from a contact resale agency, divided by areas of interest. If he had been a spammer, he could have used a similar service.
How to protect your address
Spammers can also obtain email addresses in other ways but the methods listed above are some of the most common.
There isn’t much you can do to prevent your email address from being leaked and receiving spam.
- – you can avoid putting your e-mail address on the web in plain text form
- – never click on a link
- – don’t upload a image in a suspicious email.
However, your address will almost certainly end up in the hands of a spammer at some point.
Actually, you don’t have to worry so much about whether the address is in circulation, but about how the address is used, especially if it is active.
Spammer techniques of using addresses
Once a scammer obtains your email address, it is very likely that they will use it to take advantage in any way possible . The better he is, the greater the risks.
Many will send you spam emails, with the hope of collecting private information such as credit card numbers . They will try to trick you into believing that you have won something, or that they have a profitable item for sale. Hackers may also use your email to steal your identity and send messages to your contacts . Remember the techniques of Zombie Phishing ?
Other scammers will use your personal information to try to access your other accounts . Most people reuse the same passwords for different accounts, which means that hackers who have access to one account can easily infiltrate the others.
This is why using the same passwords around the web is highly discouraged and not secure at all.
One of the reasons why you should never actively interact with spam messages is that interactions send hackers an important piece of information: the address is active, someone uses it on their device.
An active address, once discovered, is a perfect target for more specific attacks than phishing , and since all addresses are at risk, even corporate ones, from phishing you can easily get to a double extortion ransomware .
In the latter case, the threat of a DDoS attack may already come from mentioned zombie phishing technique, and it could all have started with some spam message.
The computers that will basically send requests to the server to perform the DDoS attack could themselves be part of a botnet created as a result of techniques used by spammers .
Phenomenology of an attack
As a first spammer technique, company addresses are retrieved . This can be done through scraping or database buying on the dark web. Next, to check which addresses are active , a couple of spam campaigns are sent. Nothing harmful, fake newsletters with an obvious Unsubscribe message, or a tracking pixel.
Note: A tracking pixel is usually a very small transparent image that is uploaded from a remote server. Just check how many times it has been downloaded and by whom to understand which addresses are active and which are not .
As a result, the contact database will have shrunk to a list of active addresses , in which users have been inattentive enough to click on a link from a suspicious email.
Finally, to these selected addresses, is sent a real phishing message containing malware or a request to intervene on a seemingly legitimate web page . For example, the request to reset your credentials via the attached link.
The unsuspecting user, thinking he is doing a safe thing, follows the link, enters the credentials and gives them to the spammer . At this point the attacker has gained access to an account. From that moment on, the risks are much more and much more damaging.
How to defend against spammer techniques
Let’s take a few steps back. The whole chain of events that led the hacker to gain access to an important account went through spam and phishing messages.
In some of the passages, the attack could have been avoided . The ability to recognize a suspicious message and then ignore it is the first weapon available to a user. SOD can help your business with this .
Through a ethical phishing service, we first test the resilience of users . Once any weak points have been identified, a training course ad hoc is constructed to provide adequate proactive defense tools to all employees.
SOC as a Service
Not always being aware users is enough , and a careless mistake could cost a company a lot of sensitive data. For this reason, we can also implement a service SOCaaS for the mitigation of risk and damage following an attack.
In this scenario, a system consisting of next generation SIEM and protocols UEBA implemented by an artificial intelligence, they monitor the network in search of any anomaly . Any suspicious behavior is identified and analyzed by technicians to see if it can actually become a threat or not.
If you would like more information on how SOD can help you raise your company’s cybersecurity level, don’t hesitate to contact us.
Estimated reading time: 6 minutes
Out of nowhere, someone replies to an email conversation dated months ago. This is a real conversation that actually happened. Maybe it’s about a meeting, a job opportunity. This email seems very relevant, but beware, it could be zombie phishing .
Indeed, something is wrong, the topic discussed has been over for months and now there is a strange error message in the body of the email. This is a sneaky tactic: revive a long dead email conversation.
Not the usual phishing
The Cofense ™ Phishing Defense Center ™ (PDC) spotted a large Zombie Phishing campaign in 2018. The scam , like almost any phishing attack, is carried out through compromised email accounts.
Scammers take over an email account and respond to long-closed conversations with a phishing link or malicious attachment (e.g. malware or a keylogger ) . Since the email subject is usually relevant to the victim, a curiosity-driven click is very likely to occur . In fact, let’s not forget that the original conversation was already present in the messages received, it is easy to think that it is a follow up or similar.
These Zombie Phishing attacks appear to use automatically generated infection URLs to evade detection. No two links are alike, and they are hidden behind “error” messages without too many frills in the body of the message. This scenario provides a pattern of apparent legitimacy for the users who are victims.
The zombies in computer science
In the computer industry, a zombie is a compromised computer connected to the network. The compromised state could be due to a hacker, virus, malware, or trojan horse .
The infected machine performs malicious tasks under a remote direction. Zombie computer botnets are often used to spread email spam and launch denial-of-service (DoS) attacks.
Types of attack
Here are some observed patterns of Zombie Phishing carrying malicious links . A distinguishing factor was the use of two distinct graphic templates containing button or link error messages.
The message reads something like “Incomplete message” or “Inability to show the whole message”. The link or button invites you to click to see the original message. Obviously the click only involves the installation of a malware or other similar events . Note that no two identical links have been identified, a sign that probably a bot was generating the addresses.
Another common factor is the use of domains with the
.icu TLD. This is probably a factor that varies considerably over time. Here are some of the domains found in the first analysis of 2018:
These zombie phish attacks have been observed to use official organizational logos to add legitimacy to the fake login pages. A common practice in phishing techniques that we have already seen in other articles.
Landing pages are designed to look like a legitimate online portal, including a company logo and even a favicon. In these cases the ultimate goal is the theft of the victim’s credentials .
Furthermore, any victim who visits the malicious website is “tagged” using the host’s IP address as an identifier and, after entering the credentials, is directed to the same spam website seen by other victims. This is often done via obfuscated links using URL shorteners (such as
If the same host tries to visit the phishing link again, the fake login page is skipped and you are forwarded directly to the spam page. This markup and URL shortener obfuscation helps attackers keep a low profile and continue their campaign unabated.
The conversation hijacking tactic is by no means new and is now living a new life with zombie phishing . Scammers have hijacked compromised email accounts to distribute malware and phishing emails as replies to conversations that have been concluded for years now.
This technique is still popular because it makes victims much more likely to click on links and download or open files. The threshold of attention against classic phishing attacks is lowered when messages are brought into conversations already in their inbox .
A couple of years old example of this was the botnet Geodo . Basically it is insertion into existing email threads ( conversation hijacking ) to deliver malicious documents. These, in turn, download a sample of Geodo or other malware such as Ursnif , which according to Key4Biz was the most widespread in Italy in June 2020.
However, the effectiveness of this tactic can greatly depend on the content of the conversations . A reply to an automated advertising email is less likely to cause an infection than a reply to a help-desk support thread.
There have been several Geodo zombie phishing campaigns consisting of replies to automated advertising emails. This is an indication that, in some cases, campaigns consist of indiscriminate replies to all emails in a mailbox. Since the volume of these conversation hijacking is still relatively low, the small reach of these emails is probably limited by the number of ongoing conversations .
Certain account types are therefore more likely to attract the direct attention of threat actors and induce them to invest additional effort and time in developing unique phishing campaigns for those accounts.
Defense from zombie-phishing
Here are some quick tips to avoid losing your credentials in a Zombie Phishing attack:
- Beware of email subjects that may seem relevant but come from old conversations
- Beware of any error message in the body of the message
- Don’t trust attached documents just because they’re replying to a conversation
- Hover your mouse over buttons or links in suspicious messages to check for suspicious domains
It has been observed that these campaigns have gotten smarter . To combat this and other forms of phishing, employee training is key.
A properly trained workforce is what it takes to defend your organization against Zombie Phishing attacks.
SOD offers a full service in this regard . We begin by attacking the company in a controlled manner, testing any weaknesses in employee safety or behavior. Subsequently, specific training is designed to remedy the gaps and fully train the staff.
To keep defenses high, our SOCaaS includes the analysis of user behavior, logs of connected machines and the network in a to immediately identify phishing attempts.
Estimated reading time: 10 minutes
Social engineering is the term used for a wide range of malicious activities performed through human interactions. It uses psychological manipulation to trick users into making security mistakes or provide sensitive information. Then, with that information, the hacker is able to successfully carry out targeted attacks, such as data theft, a ransomware or a ‘ interruption of services.
Social engineering attacks usually occur in stages . The perpetrator first investigates the intended victim to gather the necessary background information , such as potential entry points and weak security protocols, required to proceed with the attack. Then, the attacker moves to gain the victim’s trust and provide incentives for subsequent actions that violate security practices, such as disclosing sensitive information or granting access to critical resources.
What makes social engineering particularly dangerous is that it relies on human error rather than vulnerabilities in software and operating systems . Mistakes made by legitimate users are much less predictable, making them more difficult to identify and thwart than a malware-based intrusion.
Note that the target of a social engineer is not necessarily a network or software . Being able to enter a building evading security, and then installing a device or stealing documents, are actions that still fall under this type of attack.
The techniques of social engineering
Social engineering attacks come in many different forms and can be carried out wherever human interaction is involved . The following are five most common methods of digital social engineering attacks.
Baiting (from “bait”)
As the name suggests, baiting attacks use a false promise (a decoy , indeed) to whet the victim’s greed or curiosity. They lure users into a trap that steals their personal information or installs malware on their systems.
The most infamous form of baiting uses physical media to disperse malware . For example, attackers leave the bait (typically infected keys) in conspicuous areas where potential victims are certain to see them (e.g. bathrooms, elevators, the parking lot of a targeted company). The decoy has a legitimate look, like a label indicating the content, like the company’s payroll. The clue that reveals what it should contain may change, of course, but has the potential to be potentially very interesting .
Victims pick up the bait out of curiosity and insert it into a work or home computer, resulting in automatic installation of malware on the system.
Lure scams don’t necessarily have to be done in the physical world. Forms of online baiting consist of enticing advertisements leading to malicious sites or encouraging users to download a malware-infected application. Here it leads to the phishing techniques, which we will see shortly.
Defense notes : to defend against these social engineering attacks, as well as paying close attention to what is connected to your computer, it does not hurt to have an efficient antivirus and anti-malware system. For the company, a new generation SIEM system and UEBA help in detect suspicious user behavior and greatly reduce the risk of malware infection.
Scareware (from “to scare”)
Scareware consists of bombarding victims with false alarms and fake threats . Users are tricked into thinking their system is infected with malware, prompting them to install software that has no real benefit (other than the perpetrator) or is malware itself. Scareware is also called deception software ( deception software ), rogue scanner software and fraudware .
A common example of scareware is the legitimate-looking popup banner that appears in your browser as you browse the web , displaying text such as “ Your computer may be infected with spyware programs harmful “. In other cases, the popup offers to install the tool (often infected with malware) for you, or directs you to a malicious site where your computer is infected.
Scareware is also distributed via spam email which distributes bogus warnings, or offers users to buy useless / harmful services. Social engineering is often very imaginative and manages to find ever new ways to deceive. Always be alert.
Defense notes : In case you suspect that the received message is really legitimate, it is best to seek a solution actively , i.e. without using the links suggested by the message same. For example, we received a message from a service announcing that our account has been compromised. If in doubt, you can contact the support of the service directly from their site to ask for clarification. Avoid using the links suggested by the suspicious message at all costs .
Pretexting (from “to pretend”)
In this social engineering attack, an attacker gains information through a series of cleverly constructed lies . The scam is often initiated by an perpetrator who pretends to need sensitive information from a victim in order to perform a critical task.
The attacker usually begins by establishing trust with his victim by impersonating colleagues, police, bank and tax officials, or others who have a right to know authority . The hacker asks questions that are apparently necessary to confirm the victim’s identity, through which he collects important personal data.
Many types of information are collected using this technique, such as identity card numbers, personal addresses and telephone numbers, telephone records, staff vacation dates, bank records, and even security information relating to a physical facility.
Any information, however harmless it may seem, could later be used for a second attack. Even the name of a security guard hired by the company could already be enough to build trust and ask for a tear to the rule when asking for the access code to automatic doors.
Phishing (from “to fish”)
As one of the most popular types of social engineering attacks, phishing scams are email and text message campaigns that aim to create a sense of urgency , curiosity or fear in the victims . Then it prompts them to reveal sensitive information, click links to malicious websites, or open attachments that contain malware.
An example is an email sent to users of an online service notifying them of a policy violation that requires immediate action on their part, such as a mandatory password change. Includes a link to a website, nearly identical in appearance to its legitimate version, which prompts the user to enter their current credentials and new password . After submitting the form, the information is sent to the attacker.
Since identical, or nearly identical, messages are sent to all users in phishing campaigns, detecting and blocking them is much easier for mail servers that have access to threat-sharing platforms.
Defense note : While it is true that in some cases we have become accustomed to not giving weight to these kinds of messages, it is also true that social engineers have become increasingly clever. There is no need to let your guard down. Instead, it is very useful to always be wary of messages that require credentials.
These attacks leverage the fact that it’s easy to fool some users, whether out of distraction or naivety. The best defense is employee training through a ethical phishing service and subsequent targeted training.
Spear phishing (from “spear, and “to fish”)
This is a more targeted version of phishing in which an attacker chooses specific individuals or businesses . They then tailor their messages based on their victims’ characteristics, job positions, and contacts to make their attack less obvious. Spear phishing requires a lot more effort from the author and can take weeks and months to complete. They are much harder to detect and have better success rates when done skillfully.
A spear phishing scenario could involve an attacker who, impersonating an organization’s IT consultant, sends an email to one or more employees. It is worded and signed exactly as the consultant normally does, thus fooling recipients into thinking it is an authentic message. The message prompts recipients to change their password and provides them with a link that redirects them to a malicious page where the attacker now captures their credentials.
How to defend against social engineering attacks
Social engineers manipulate human feelings, such as curiosity or fear, to carry out patterns and lure victims into their traps. Therefore, it is essential to be cautious whenever you feel alarmed by an email, attracted to an offer displayed on a website, or when you come across digital media wandering around. Being alert can help protect you from most social engineering attacks that happen online.
Additionally, the following tips can help you improve your vigilance in relation to social engineering attacks.
- Do not open emails and attachments from suspicious sources . If you don’t know the sender in question, you don’t need to reply to an email. Even if you know them and are suspicious of their message, cross-check and confirm the news from other sources , such as over the phone or directly from a service provider’s website. Even an email that appears to come from a trusted source may have been initiated by an attacker.
- Use multi-factor authentication . One of the most valuable pieces of information attackers look for is your user credentials . Using 2-factor authentication helps ensure the protection of your account in case of system compromise. There are free applications for all types of mobile devices that allow you to implement this type of authentication.
- Be wary of attractive offers . If an offer seems too tempting , think twice before accepting it as real. Use Google to check the topic and quickly determine if you are dealing with a legitimate offer or a trap.
- Update your antivirus / antimalware software . Make sure automatic updates are turned on. Check periodically that updates have been applied and scan your system for possible infections.
If your company has an IT department, these recommendations should be standard security measures.
Security services for companies
When you think about the data that your company holds and manages, you are never too cautious in defense. Social engineering relies on the fact that an employee hacks more easily than a computer , which is often true.
In addition to the cyber protection measures listed above, it is good that all employees are aware of the risks and potential threats.
SOD offers a series of services that go in this direction. The first and perhaps most important is ethical phishing in which we try to attack the company with phishing techniques . We find out what the weak points are and organize internal training to provide the right tools for staff.
We also have the classic Vulnerability Assessment and Penetration Test for testing cybersecurity systems. Addons are applicable to this service to cover a greater number of areas. There is a specific addon for app analysis and code review , but also one where we try to hack the company with physical attacks . We will test the physical security of the company, the ability to enter buildings, access to network controllers and more.
Finally, to keep networks under control, the SOCaaS service allows you to monitor the entire network, identify suspicious actions (with behavior analysis via artificial intelligence), unauthorized installations, breach attempts and much more.
Data security in the company is really important, contact us to find out how we can help you!
Estimated reading time: 5 minutes
A Zero-Day attack (also known as 0-day) exploits a software vulnerability unknown to security officers and the software vendor. Hackers can exploit the weakness, as long as it is not mitigated, through Zero-Day exploit or, indeed, attack.
The term “zero-day” originally referred to the number of days after the software was released. A “zero-day” software, therefore, meant a program obtained by forcing a developer’s computer before release. The term was then applied to the vulnerabilities that this practice allows to exploit. Once the vendor becomes aware of the vulnerability, they usually patch or recommend solutions to mitigate it.
Software often has vulnerabilities. These are unintentional flaws, or code problems that could hypothetically be exploited.For example, there may be a flaw that allows a cybercriminal to access otherwise secure data. Programmers are often on the lookout for these vulnerabilities and when they discover them, they analyze them, produce a patch to fix them, then distribute that patch in a new version of the software.
However, this is a time-consuming process. When the flaw becomes known, hackers around the world can start trying to exploit it.
If a hacker manages to exploit the vulnerability before the developers find a solution, this exploit then becomes known as a Zero-Day attack.
Zero-day vulnerabilities can take almost any form, because they can manifest themselves as any type of vulnerability in software. For example, they can take the form of missing data encryption, SQL injection, buffer overflows, missing permissions, bugs, or problems with password security.
This makes these vulnerabilities difficult to find before they are exploited in zero-day attacks. This, in some ways, is good news: it also means that hackers will have a hard time finding them. But also that it is difficult to defend against these vulnerabilities effectively.
How to protect yourself
We have seen how difficult it is to protect yourself from the possibility of a zero-day attack, because it can take many forms. Almost any type of security vulnerability could be exploited as a zero-day if a patch is not produced in time. Also, many software developers intentionally try not to disclose the vulnerability publicly in the hope that they can distribute a patch before any hacker discovers the vulnerability.
There are a few strategies that can help you defend your business against zero day attacks:
Stay informed on Zero-Day attacks
Zero-day exploits aren’t always advertised, but occasionally we hear about a vulnerability that could potentially be exploited. If you stay tuned to the news and pay attention to releases from your software vendors, you may have time to put security measures in place or respond to a threat before it is exploited. A good way to do this is to follow your suppliers’ newsletters. At the bottom of this page you will find the form to subscribe to the SOD one.
Keep your systems up to date
Developers are constantly working to keep their software up to date and secure to prevent the possibility of exploits.When a vulnerability is discovered, it is only a matter of time before they produce a patch. However, it is up to you and your team to make sure your software platforms are always up to date. The best approach in this case is to enable automatic updates, so that the software is updated routinely, and without the need for manual intervention.
Use additional security measures
Make sure you’re using security solutions that protect you from a zero-day attack. SOD offers a solution that includes a set of tools that allow you to raise your defenses significantly. SOCaaS is a real security operations center for your company. Using state-of-the-art tools such as SIEM and UEBA and thanks to granular control over the monitored network, every attack attempt is identified in the shortest possible time.
Each type of data produced by the interconnected systems in the infrastructure is collected, normalized and analyzed for anomalies. This means that not only are you checking for known indicators of compromise (IOC), but suspicious operations and behavior of facility users are also monitored. In this way, it is also possible to identify attack attempts that are normally very difficult to detect, such as those involving Zero-Day Attacks, but not only. In fact, through the SOCaaS service, it is possible to identify compromised accounts, the violation of protected data, lateral movement attacks, phishing, etc.
The security of a company’s IT system is a very important topic that we care a lot about. The compromise or loss of sensitive data can cost a lot from both an economic and a reputational point of view. Do not neglect this important aspect for the safety of your business, contact us to tell us about your situation, we will be happy to show you how we can help you.
The IT world continues to evolve and the same goes for industry acronyms. One of these is the term MSSP which, in a sense, is the evolution of MSP. The two abbreviations mean: Managed Service Provider (MSP) and Managed Security Service Provider (MSSP). The latter, in general, could be considered as an organization that provides outsourced security services to other organizations. This definition is very vague and somewhat obvious. So what is an MSSP?
Definition: what is an MSSP?
An MSSP offers Security-as-a-Service, ensuring that organizations, end users and systems have the security, protection and compliance with the necessary compliance requirements. In reality, MSSPs have been around for a while, but have recently gained more attention and focus as the cybersecurity landscape continues to evolve rapidly. End users are more aware of the threats and consequences they face if they are not proactive.
Let’s take a step back, let’s examine what an MSP is, to better distinguish it from an MSSP. In simple terms, a managed service provider (MSP) is an organization commissioned by a customer to perform various IT services. MSPs typically partner with their clients for annual or multi-year periods, receiving recurring income for ongoing services.
An MSP can help a client at any stage of their IT cycle, including:
– the creation of policies and programs
– discover potential solutions
– implementation of solutions
– performance monitoring
MSPs can also manage ongoing IT services, such as updating systems and making configuration changes to suit business needs. These line-of-service elements can include help desk support, network and application management and monitoring, hardware repair, and more. These services are generally outlined and agreed upon in a Service Level Agreement (SLA).
What is it that distinguishes MSSPs from MSPs? The extra “S” in MSSP indicates that these are more security focused than a typical MSP. While MSPs often offer other IT services and something related to security, MSSPs focus solely on security. However, even in this case, they could include a fairly large set of services in addition to security.
For example, the MSSP technology offering may include the implementation, configuration and / or management of the following technologies:
– Intrusion Prevention Systems (IPS)
– Filtering of web content
– Anti-virus, anti-spam, firewall
– Vulnerability scanning
– Patch management
– Data loss prevention
– Information on threats
In addition, MSSP services may include:
– Policy development and risk management
– Search for the solution
– Search and requisition of solutions and tools
– Implementation of the solution
– Configuration management
– Security updates
– Reporting, review and compliance
– Training and education
An MSSP may offer a broad and generalized range of security capabilities and services, or it may specialize in one or a few areas of interest. Another thing that differentiates between MSP and MSSP are the NOCs and SOCs.
MSPs often establish their own network operational network (NOC) from which they monitor and administer customer operations, MSSPs instead establish a security operations center (SOC), which is responsible for protecting the infrastructure (networks, applications, database, server, etc.).
Why choose an MSSP?
Now that we know what an MSSP is, we need to understand why such a service should be chosen.
The reason is to be found in the digitalization of the business, which is the biggest driver of company growth in recent years. As companies become more and more interconnected through technology, the opportunities grow, but with them so do the security threats. In this case, executives and boards of directors are looking to transform their companies into power centers of the digital age and are taking a closer look at their position on security.
But this is where things get real: the solutions are complicated, and building your own cybersecurity department 24/7 takes time, money and people. On the other hand, a single data breach can seriously damage the value of your company and cost you a considerable economic loss.
This is why outsourcing your company’s entire IT security solution to a Managed Security Service Provider (MSSP) is an increasingly common decision. This cybersecurity-as-a-service model is popular with businesses, regardless of size. This is because cyber defense is becoming so complex and takes so long that companies have no choice but to outsource security services to follow best practices.
We at SOD provide exactly this type of security services, through various modalities. In addition to the typical services of an MSP, such as VPS, Super Cloud, etc., we are able to cover every need for corporate security through our SOCaaS which implements various solutions including UEBA, SIEM, Vulnerability Assessment & Penetration Test, Active Protection, Log Management, IT Monitoring Service, Management Services, GDPR and Privacy.
If you are interested in knowing how SOD can help your company in improving applied cybersecurity, you can get in touch with us, we will be happy to answer questions and propose a solution suitable for the situation.
Ransomware commonly comes up with an email that tricks users into trusting a malicious file. Many of the most recent data breaches have been completed because a user has been the victim of such an attack in the previous period. Threats such as ransomware, which focus on user compromise, are causing more and more companies to adopt user and entity behavior analysis (UEBA) in their security operations center (SOC). The new functions of the SOC service, including long-term search, are oriented towards the increasing offer of additional tools for the optimal management of corporate security.
We continue to innovate our platform to increase the power of SOC in fighting ransomware and other threats. In our latest release, we have added even more machine-learning and context-aware detection capabilities that enable security analysts to tackle the most sophisticated attacks. Furthermore, the latest updates bring an ever greater ease of use for security architects.
Long-term search for the security analyst
The service introduces a number of innovations to reduce detection and response times for security analysts and threat seekers.
Improved detection of sophisticated threats
– Long-term search helps analysts discover hidden threats by providing a search capability on archived data. The search is scalable and does not affect SIEM performance.
– Analytics Sandbox helps break down false positives by providing an online QA environment to test and validate use cases.
– Persona-based threat chains detect advanced threats more accurately, including the dynamic relationship between users, hosts, IP addresses, and email addresses. Analysts benefit from greater visibility into the progression of an attack. This feature combines suspicious activity from a single user into a single priority alert, instead of separate and unrelated alerts.
– Relative Rarity offers analysts a broader context on how rare an event is compared to all other events in their environment.
– Viewing security alerts using the MITER ATT&CK Threat Framework helps analysts prioritize risk and reduce response times.
Reduction of response times
– Improved case management allows for better management, sharing and investigation of alarms, allowing operators to respond more quickly.
– New EDR integrations improve incident response by providing additional endpoint data from CarbonBlack Defense, Tanium, Symantec DLP and others.
– Better search views improve the analyst experience by reducing detection and response times. They help analysts easily identify compromised accounts, data exfiltration, and associated hotspots.
Why long-term search is so important
With a global dwell time of around 60 days on average, threat hunting continues to be an important part of cybersecurity resilience. However, searching through the data history usually takes a long time.
Many vendors are unable to dynamically scale a quick search through archived data without significant effort. The latest features of our SOCaaS provide this possibility for threat hunters with long-term search on an almost unlimited scale. With long-term research, organizations can reduce the time it takes to investigate and find threats that are already in their environment.
Analysts need to continually query the data to see if there are new threats. For example, an analyst might learn from a trusted source that their industry has been targeted. At this point we need to investigate a new indicator of compromise that has just been discovered to verify if an attacker is already inside.
Through long-term search, SOD’s native SOCaaS SIEM allows threat hunters to be proactive, making historical data research fast and convenient.
By introducing new technologies into our SOC service, we are offering more and more security for our customers.
We take care of your data by verifying not only that it is not safe now, but also that it has not been breached in the past. In case we suspect a new threat, we know how to spot it.
If you have any questions, contact us, we will be happy to answer all your questions.
The practice of shadow IT is the use of computer systems, devices, software, applications and services without the explicit approval of the IT department. In recent years, it has grown exponentially with the adoption of cloud-based applications and services.
While shadow IT could improve employee productivity and drive innovation, it can also introduce serious security risks to the organization due to data breaches, potential compliance breaches and more.
Why users practice shadow IT
One of the main reasons employees apply shadow IT is simply to work more efficiently. A 2012 RSA study reported that 35% of employees believe they need to bypass their company’s security policies just to get their job done right. For example, an employee may discover a better file sharing application than is officially allowed. Once you start using it, the use may spread to other members of your department.
The rapid growth of cloud-based consumer applications has also increased the adoption of shadow IT practices. The days of packaged software are long gone; Common applications such as Slack and Dropbox are available with a simple click, and corporate data is easily copied beyond work applications to employee personal devices, such as smartphones or laptops, especially in BYOD (Bring Your Own Device) working conditions .
Shadow IT: Security Risks and Challenges
The point is that if the IT department is not aware of the use of an application, they cannot support or guarantee that it is secure. Industry analyst firm Gartner predicted, in 2018, that by 2020, one-third of successful attacks businesses experience focus on their shadow IT assets.
While it is clear that the practice will not go away, organizations can minimize risks by educating end users and taking preventative measures to monitor and manage unauthorized applications.
Not all shadow IT is inherently dangerous, but some features like file sharing and storage and collaboration (for example, Google Docs) can cause sensitive data leaks. This risk goes beyond applications alone: the RSA study also reports that 63% of employees send work documents to their personal email to work from home, exposing data to networks that cannot be monitored.
In times like the one we are experiencing, in which teleworking is encouraged and, in some cases, the only possible solution, it is essential to have an eye for the applications in use on employees’ computers.
Benefits of Shadow IT
Despite the risks, shadow IT has its advantages. Getting IT approval can take time that employees can’t afford to waste.For many employees, approval is a productivity bottleneck, especially when they can get a fix in minutes.
Having IT behaving like an Orwellian “Big Brother” doesn’t always help productivity. Discerning cases of positive shadow IT can be the best compromise. Finding a middle ground can allow end users to research solutions that work best for them. This gives IT time to control user data and permissions for applications. If end users do not need to request new solutions, the IT department has been given time to focus on more critical tasks.
Whatever the reason why shadow IT occurs, if the IT department is unaware of it, the risk of breach is high. What the corporate cyber security departments should do is implement automated traffic and behavior control systems.
The solution offered by a SOC as a Service is the most complete in this respect. It allows you to keep an eye on all the devices in the system and also monitor user behavior.
Thanks to the Nextgen SIEM and UEBA systems, in fact, the collection of usage data is easy and manageable in real time. The data collected is enriched and aggregated to give analysts the most complete view possible and allow rapid intervention. Meanwhile, the UEBA system checks that there are no anomalous behavior by users or suspicious outgoing data traffic.
Shadow IT, while not usually a malicious attack, is a practice that should be discouraged and, as it is risky, stopped in the bud.
Classic cyber threat defense tools and systems are rapidly becoming obsolete, and there are ways to overcome them. What remains confidently common among cyber criminals attempting an attack is the intent of the attack itself. Indeed, knowing that there are systems capable of detecting indicators of compromise (IOC), it is natural that competent hackers will try not to leave traces traceable to standards. User and Entity Behavior Analysis (UEBA) offers a more comprehensive way to make sure your business has world-class IT security. At the same time, it helps detect users and entities that could compromise the entire system.
A definition of User Entity Behavior Analytics
User and Entity Behavior Analysis or UEBA, is a type of cybersecurity process that takes note of standard user behavior. In turn, the system detects any abnormal behavior or cases where there are deviations from the “normal” patterns mentioned above. For example, if a particular user regularly downloads 10MB of files every day, and suddenly downloads 1GB, the system would be able to detect this anomaly and immediately alert operators. The behavior may be legitimate, but it’s worth checking out.
The UEBA system uses machine learning, algorithms and statistical analysis to know when there is a deviation from established patterns. Next, it shows which of these anomalies could result in a potential and real threat. Additionally, UEBA can aggregate report and log data, as well as analyze file, stream and packet information.
With a UEBA all users and entities of the system are tracked. In this way the system focuses on insider threats, such as dishonest employees, compromised ones and people who have access to the system and then carry out targeted attacks and fraud attempts, as well as the servers, applications and devices that work inside. of the system.
It is the unfortunate truth that today’s cybersecurity tools are rapidly becoming obsolete. Now the most skilled hackers and cyber criminals are able to bypass the perimeter defenses used by most companies. A few years ago you were sure if you had web gateways, firewalls, and intrusion prevention tools. This is no longer the case in the complex threat landscape, and is especially true for large companies that have proven to have very porous IT perimeters that are also very difficult to manage and supervise.
The key point? Preventive measures are no longer sufficient. Firewalls will not be 100% infallible and attackers will enter the system at one point or another. That’s why detection is just as important: when hackers successfully enter your system, then you need to be able to quickly detect their presence to minimize damage.
How does it work?
The premise of the system is actually very simple. You can easily steal an employee’s username and password, but it is much more difficult to mimic the person’s normal behavior once inside the network.
For example, let’s say you manage to steal John Smith’s password and username. However, it is almost impossible to act exactly like Mario Rossi once inside the system, unless extensive research and preparation is also done in this direction. Therefore, when Mario’s username is logged into the system and his behavior is different than typical, that’s when the UEBA alarms start ringing.
Another related analogy would be the theft of a credit card. A thief can steal your wallet and go to a luxury store and start spending thousands of dollars. But, if the spending pattern on that card is different from that of the thief, the fraud detection department will recognize the anomalous expenses and block suspicious purchases, either by sending you an alert or asking you to verify the authenticity of a transaction. .
What can UEBA do?
UEBA is a very important component of modern IT security and allows you to:
1. Detect insider threats: It is not too far fetched to imagine that an employee, or perhaps a group of employees, could disobey, steal data and information using their login. UEBA can help you detect data breaches, sabotage, abuse of privileges and policy violations by staff.
2. Detect Compromised Accounts: Sometimes, user accounts are compromised. It could be that the user has unintentionally installed malware on his machine, or that sometimes a legitimate account has been forged. UEBA can help eliminate compromised users before they can do any damage.
3. Detect Brute Force Attacks: Hackers sometimes target cloud-based entities as well as third-party authentication systems. With UEBA, you are able to detect brute force attack attempts, allowing you to block access to these entities.
4. Detect permission changes and super user creation: Some attacks involve the use of super users. UEBA allows you to detect when super users are created, or if there are accounts that have been granted unnecessary permissions.
5. Detect Secure Data Breach: If you have secured data, it’s not enough to keep it safe. Know when a user accesses this data if they have no legitimate business reason for doing so.
UEBA and SIEM
Security Information and Event Management, or SIEM, is the use of a complex set of tools and technologies that provides a complete view of the security of your IT system. It leverages event data and information, allowing you to see normal patterns and trends, and to warn of anomalies. UEBA works the same way, only it uses information on user (and entity) behavior to verify what is normal and what is not.
SIEM, however, is based on rules, and competent hackers can easily circumvent or evade these rules. Furthermore, the SIEM rules are designed to immediately detect threats that occur in real time, while the most advanced attacks are usually carried out over months or years. The UEBA, on the other hand, is not based on rules. Instead, it uses risk scoring techniques and advanced algorithms that allow it to detect anomalies over time.
One of the best practices for cybersecurity is to use both SIEM and UEBA to have better security and detection capabilities.
How a UEBA should be used
UEBA was born out of the need to identify the harmful behavior of users and other entities. UEBA tools and processes are not intended to replace legacy monitoring systems, but should instead be used to complement them and improve a company’s overall security. Another great practice is to take advantage of the storage and calculation capabilities of big data, using machine learning and statistical analysis to avoid receiving an avalanche of unnecessary alarms and being overwhelmed by the large volume of data. generated.
UEBA uses machine learning and algorithms to strengthen security by monitoring users and other entities, detecting anomalies in behavior patterns that could be indicative of a threat. By taking a proactive approach to security and gaining greater visibility into user and entity behavior, today’s businesses are able to build stronger security systems and more effectively mitigate threats and prevent breaches.
SOAR (Security Orchestration, Automation and Response) technology helps coordinate, execute and automate activities between people and tools, enabling companies to respond quickly to cyber security attacks. The aim is to improve their overall security position. SOAR tools use playbooks (strategies and procedures) to automate and coordinate workflows which may include security tools and manual tasks.
How does SOAR help in the security field?
1. Combining security orchestration, intelligent automation, incident management and interactive investigations in a single solution.
2. Facilitating team collaboration and enabling security analysts to take automated actions on tools across their security stack.
3. Providing teams with a single centralized console to manage and coordinate all aspects of their company’s security.
4. Optimizing case management, increasing efficiency by opening and closing tickets to investigate and resolve incidents.
Why do companies need a SOAR?
Modern companies regularly face many challenges and obstacles when it comes to fighting cyber threats.
A first challenge is represented by an ever increasing volume of complex security threats. Furthermore, the security tools involved very often struggle to talk to each other, which is in itself a nuisance.
Such a large amount of data and software can only mean a large number of security alerts. In fact, there is too much threat intelligence data to allow teams to manually classify, prioritize, investigate and target threats. Furthermore, the work of security officers involves very specific skills and with increasing demand it is increasingly difficult to find a sufficient number of security officers to carry out the work.
SOAR helps companies address and overcome these challenges by enabling them to:
– Unify existing security systems and centralize data collection to achieve full visibility.
– Automate repetitive manual activities and manage all aspects of the accident life cycle.
– Define incident analysis and response procedures, as well as leverage security playbooks to prioritize, standardize and scale response processes in a consistent, transparent and documented way.
– Quickly and accurately identify and assign the severity levels of incidents to safety alarms and support the reduction of alarms.
– Identify and better manage potential vulnerabilities in a proactive and reactive way.
– Direct each security incident to the analyst best suited to respond, while providing features that support easy collaboration and monitoring between teams and their members.
Below I wanted to list some practical examples of how a SOAR comes into action in certain situations.
Enrichment and Phishing Response: Activating a Playbook. Automation and execution of repeatable activities such as triage and involvement of interested users. Apply an extraction and control of indicators to identify false positives, then request activation of the SOC for a standardized response at scale.
Endpoint Malware Infection: Extracting threat feed data from endpoint tools and enriching that data. Cross-reference between recovered files and hashes with a SIEM solution, notify analysts, clean up endpoints, and update the tools database.
Failed User Login: After a predefined number of failed user login attempts, evaluating whether a failed login is genuine or malicious, a SOAR can activate in various ways. First of all by putting into practice a playbook, involving users and then analyzing their answers, then also the expiring passwords and finally closing the process.
Indicators of Compromise (IOC): Take and extract indicators from files, track indicators through intelligence tools and update databases.
Malware Analysis: Verify data from multiple sources, extract and delete malicious files. A report is then generated and checked for malice.
Cloud Incident Response: This is done through the use of data from cloud-focused threat detection and event logging tools. The data is then unified between the cloud and on-premises security infrastructures, correlated thanks to a SIEM. The indicators are then extracted and enriched, to then check for the presence of malice. A final step of human control to the analysts who review their information update the database and close the case.
The benefits of a SOAR
Basically, a SOAR implements working methods and protocols of action in the system for fighting against cyber threats of a company. This significantly improves operational efficiency and accelerates incident detection as well as response times, which are effectively standardized.
A SOAR increases analysts’ productivity and allows them to focus on improving security instead of performing manual tasks.
By exploiting and coordinating the existing security technology investments in a company, it is possible to make a real difference.
SIEM has existed for quite some time, but it is not yet well understood. Also, the fact that technology has evolved significantly in recent years doesn’t help shed some light. Today we see where we are, trying to understand the Next Generation SIEM and the managed systems offered as services that make use of the latest generation SIEM (SOCaaS, for example). Let’s see what all this means for companies.
Being a fundamental part of the SOCaaS offered by SOD, it seems appropriate to explain in detail what a Next Generation SIEM is and what its functions are.
A brief history of SIEM
Before examining what a Next Generation SIEM is, it is right to briefly review the history of this technology and its beginning.
The term Security Information and Event Management (SIEM) was coined in 2005 by Mark Nicolett and Amrit T. Williams of Gartner. The word is the merger of Security Event Management (SEM) and Security Information Management (SIM).
Its original definition given by the creators of the term is: a technology that supports the detection of threats and the response to security incidents, through the collection in real time and historical analysis of events from a wide variety of sources of contextual data.
SIEM was born out of the need to address the huge number of alarms issued by intrusion prevention systems (IPS) and intrusion detection systems (IDS) that were overwhelming IT departments. By helping organizations aggregate events and better analyze those within the network, SIEM has helped organizations improve threat detection. It has also led organizations to take a more proactive approach to security. Preventive security technologies are no longer sufficient on their own.
The difficulties of SIEMs in the early years
Eager to improve their cybersecurity situation, many enterprise-wide organizations have rapidly adopted SIEM technology. Over the years, however, inherited problems have emerged from the past:
1. The datasets were inflexible, so some SIEMs were unable to process the required data, which meant their effectiveness was limited
2. They were difficult to maintain and manage, which added complexity and drained staff resources
3. SIEMs produced a high number of false positives, creating even more work for the security teams
4. With the advancement of technology, SIEMs have struggled to keep up with the evolution of threats and therefore the IT risk for companies has grown
The Next Generation SIEM arrives
Many advanced threats are now polymorphic rather than static. That is, they are able to constantly modify their behavior to evade detection. As such, Next Generation SIEM systems must not only process more data, but also become much more capable of recognizing new patterns within them.
Given the difficulties and limitations of inherited SIEM systems, many thought they would disappear over time. But this did not happen, SIEM still remains a key technology used by companies. However, technology has had to evolve.
While SIEM once relied on only a handful of data sources, the “Next Generation” of SIEM systems was developed to process a greater volume and variety of data, as well as correlating it in a timely fashion.
Gartner reported that the SIEM market is continuously growing. One reason for this growth is that Next Gen SIEM systems are now used by midsize organizations, not just large enterprises.
What are the capabilities of Next Gen SIEM?
Next Gen SIEMs, sometimes referred to as analytical SIEMs or SIEM 3.0, have brought new capabilities to organizations and their security teams.
– Allow faster integration into a corporate infrastructure through an open architecture to cover cloud, on-premise and BYOD resources
– Include real-time visualization tools to understand the most important and high-risk activities
– Use scenario and behavior analysis to “photograph” well understood scenarios and highlight significant changes in behavior
– Integrate and use Threat Intelligence information from customized, open source and commercial sources
– Provide a flexible framework that allows for the implementation of a tailored workflow for key organizational use cases
– Measure status against regulatory frameworks (e.g. PCI DSS) for prioritization and risk management
Security Orchestration, Automation and Response
Security Orchestration, Automation and Response (SOAR) is a growing security area that Next Gen SIEM vendors are exploiting to contribute and take advantage of the latest features. In its essence, SOAR has two fundamental aspects:
1. It allows to bring more data to a Next Gen SIEM for analysis
SOAR is helping SIEM technology to become smarter and big data oriented, thus enabling security teams to make faster and better informed decisions. Broader intelligence means more reliable threat identification and fewer false positives.
2. Help automate incident response
Another important way SOAR is influencing the evolution of SIEM Next Gen is to help standardize incident analysis and response procedures. The goal is to partially or completely automate response activities in order to reduce the potential harm and inconvenience that breaches can cause. Such response activities could include blocking compromised user accounts and blocking IP addresses on a firewall.
By automating routine actions, SOAR helps security teams become more efficient and frees them up time to focus on threat hunting and patch management.
User Behavior Analysis (UEBA)
Another important feature of Next Generation SIEMs is the use of User and Entity Behavior Analytics (UEBA). UEBA does not track security events or monitor devices, but instead focuses on monitoring and analyzing the behavior of an organization’s users.
UEBA can be extremely useful in helping organizations identify compromised accounts, as well as insider threats. It works using advanced machine learning and behavioral profiling techniques to identify anomalous activity such as account compromise and abuse of privileges. By not using rules-based monitoring, the UEBA is more effective in detecting anomalies over time.
The challenges for a modern SIEM
Despite unquestionable advances in detecting complex cyber threats, SIEM Next Gens can still, if not used and maintained properly, generate a large number of alerts. For organizations without IT resources and dedicated security personnel, researching these alerts to distinguish true network security problems from false positives can be extremely complex and time-consuming.
Even when real threats are identified, knowing how to respond to them can be just as challenging.
Getting the most out of SIEM to help address growing security challenges will also depend on better trained personnel who can use the systems more effectively and validate alarms. For organizations that lack in-house knowledge or skills, it therefore makes sense to work with an external vendor who can cover or augment security capabilities.
A full SOCaaS service, including Next Generation SIEM and UEBA for threat hunting, is the ideal choice. Not only does it save time in terms of validating and checking alarms, but also in economic terms, not having to face installation costs and staff training.
If you are interested in learning more, do not hesitate to contact us, we will answer your questions.
A SIEM solution in IT is one of the essential components of a SOC (Security Operation Center). Its task is to collect information and analyze it in search of anomalies and possible breaches in the system. But the defense process hasn’t always been that simple. What we now call SIEM, Security Information and Event Management, is the union of two different types of cyber security tools.
SIM and SEM: the origins
Before the arrival of a complete SIEM solution in computing, security was heavily focused on perimeter security and did not keep the internal network adequately controlled. The first solutions developed in the 90s were basic and basically dealt with security information management (SIM) or security event management (SEM). They were solutions available as tools that had to be deployed on-site in the data center to be protected. This limited scalability, because adding capacity required the purchase of additional equipment.
These early solutions were also built on proprietary databases that forced customers to use technology from a single vendor. If you wanted to move your data to another system, the process was long and complicated. It should also be noted that archiving was more expensive, so only the most valuable data was collected. Furthermore, although the SIM and SEM solutions contained all the data necessary for the defense, the search and alarm were rudimentary. Additionally, they depended on experienced security analysts to research, understand and interpret what they found in the data.
SIEM origins in computer science
As data became more sensitive and technology more powerful, SIEM systems (SIM + SEM) became capable of ingesting, processing and storing a great deal of data. Next-generation SIEM IT solutions are able to use signature-based alerts to identify threats in collected data. However, only those alerts that have identified indicators of compromise (IOC) of a certain threat can be identified in this way.
To be clear, if the type of attack to which a system is subjected has not been cataloged in a series of IOCs, a first generation SIEM is not able to detect it. The main drawback of those systems was the very limited ability to detect unknown cyber threats.
To give a practical example: it was possible to use a rule like this: “give a warning if a user enters 10 consecutive wrong passwords“. In theory this could be used to detect brute force password attacks. But what if the attacker only tried 9 passwords in a row? Or what if the alarm was given for a very forgetful user?
Next Gen SIEM (NGS)
A next generation SIEM is built on a large data platform that provides unlimited scalability and is hosted in the cloud. A next gen SIEM includes log management, advanced threat detection based on behavior analysis and automatic incident response, all on a single platform.
This eliminates the problems that old on-premises systems were prone to. Not having to install anything and being able to send the necessary data to the cloud quite simply, the computing power of the local machine is not compromised and the SIEM can manage all the data safely.
How a SIEM proceeds in cyber threat analysis
1. Data Collection: An IT SIEM solution collects data from across the organization using agents installed on various devices, including endpoints, servers, network equipment and other security solutions. Next generation SIEM includes support for cloud applications and infrastructure, business applications, identity data and non-technical data feeds.
2. Data enrichment: Enrichment adds further context to events. SIEM will enrich data with identity, resources, geolocation and threat information.
3. Data storage: The data will then be stored in a database so that it can be searched for during investigations. The next generation SIEM exploits open source architectures and big data architectures, exploiting their scalability.
4. Correlation and Analysis: SIEM solutions use several techniques to draw actionable conclusions from SIEM data. These techniques vary greatly.
5. Report: A SIEM, particularly a next generation SIEM, gives you the ability to quickly search for data, allowing you to dig through alerts and search for threat actors and indicators of compromise. The displayed data can be saved or exported. It is also possible to use out-of-the-box reports or create ad hoc reports as needed.
What a SIEM is used for
Threat hunting and investigation
The ability to perform threat hunting on a SIEM is critical to understanding the true patterns of attacks based on access, activity and data breaches. By developing a detailed and contextual view of attacks, security analysts can more easily develop policies, countermeasures and incident response processes to help mitigate and remove the threat.
Response in case of an accident
An effective response to incidents is essential to intervene more quickly and reduce the residence time of the threat. For this, a SIEM provides an incident response playbook with configurable automated actions. A SIEM is able to integrate with third party solutions for security orchestration (SOAR) or individual case management.
Defense against insider threats
The reason why insider threats are such a big problem is because it’s not about entering the perimeter, but about exploiting insider positions. They can be your employees, contractors or business associates. It may be they themselves wanting to exploit their location, or their account may have been hacked.
With all kinds of internal threats, the attacker tries to stay hidden, gathering sensitive data to exploit. This could cause significant damage to the company, its position in the industry and its relationship with consumers or investors. By using a SIEM, you avoid this risk.
Cyber threat detection
Your organization is likely to have at least one sensitive data repository. Cybercriminals thrive on looting this data for financial gain. Many breaches begin with a simple phishing email against an organization’s target. Simply clicking on an attachment can leave malicious code behind. A SIEM will allow you to monitor advanced cyberthreat patterns such as phishing, beaconing and lateral movement.
For many industries, adherence to compliance standards is critical. A SIEM can help by providing reports focused on data compliance requests. Integrated packages covering all major mandates, including PCI DSS, SOX, and ISO 27001, are a standard feature of SIEMs as well.
Next Generation SIEM
A next generation SIEM is not just a cloud hosted system. It also makes use of the implementation of AI and Machine Learning to increase the defense of the IT system.
We will see it in a future article, but it is right to specify that the SOCaaS offered by SOD makes use of the latest generation technology offered by Next Gen. SIEM systems. Contact us to find out more about it and talk to experts who can dispel all your doubts.
During a cyber attack, hackers have only one goal in mind. This goal could be accessing a developer’s machine and stealing a project’s source code, analyzing emails from a particular executive, or extracting customer data from a server. All they have to do is log into the machine or system that contains the data they want, right? Not exactly. Actually, it’s a little more complicated than that. To achieve their goal, hackers are likely to break into a low-level web server, email account, or employee device, to name a few. From that node, they will move sideways (hence the name network lateral movement) to achieve their goal.
In fact, when attackers compromise a resource on a network, that device is almost never their final destination. In addition, the initial compromise rarely causes serious damage and may go unnoticed. Only if the security teams are able to detect a lateral movement before the attackers reach their intended goal, it is possible to prevent the data breach.
In this article, we will look at some of the more common types of network lateral movement and identify ways in which we can detect the attack and defend ourselves.
Understanding the network lateral movement
Lateral movement occurs when an attacker takes possession of a resource within a network and then extends its reach from that device to others within the same network. Let’s see it with an outline to help us understand better.
The perimeter of the infrastructure to be penetrated is represented with a horizontal line. The upper half represents what is outside the net, while what is below the line represents what is inside. In order for an attacker to enter the network, it must move vertically, ie from the outside to the inside (also called North-South traffic). But once a foothold has been established, it is possible to move sideways or horizontally, ie within the same network (called East-West traffic) to reach the final goal of the attack.
Approaches to the Lateral Movement
Overall, there are two common methods by which a hacker applies the lateral movement.
First approach: The attacker performs an internal scan to find out what other machines are on the network. In particular, it scans open ports that are listening and machines that suffer from vulnerabilities. At that point, the attacker can abuse these weaknesses to move sideways to another resource.
The second approach to the lateral movement exploits stolen credentials, and is the more common of the two. In this type of attack, the hacker could use an email phishing technique to infect a machine that interfaces with a particular server. Then he can use his login to recover passwords via a keylogger or other similar tools. At this point, he can use whatever credentials he was able to obtain to impersonate the user who was the victim of the phishing and log in to another machine. Once you have established access to that computer, you can repeat the tactic looking for additional credentials and / or privileges to exploit. In this way, the attacker can make their way and create remote connections to the target device.
In both cases it is difficult to identify the attack, because it does not occur through software or application malfunctions.
How to defend yourself
A lateral movement often manifests itself through anomalous network activity. For example, it is suspicious that a machine, which normally communicates with a few others, starts scanning the entire network. The same is true if that machine tries to connect to open ports, to interact with services and credentials with which it normally has no contact, or to use a username that has never been used before.
The list of alarm bells goes on and on. The key thing to understand is that a lateral movement involves machines doing something out of their routine, without proper authorization from IT.
This is what gives organizations the ability to detect this type of attack. Implementing log file monitoring is a first step in defense. Ideally, the data should be constantly analyzed for anomalies and possible breaches.
These defenses are not infallible. Security teams that simply rely on log files limit the scope of their defensive position, for example, due to log files collected only from particular applications. You might decide to monitor a certain service for credential theft, but attackers might not use that particular service to perform a lateral movement. This means that any malicious actions that do not use the monitored services will not be detected promptly.
In addition to this, hackers know the types of protocols that security personnel tend to monitor, making their task even more complex. Attackers can use this knowledge to model their attack campaigns in order to have a better chance of going unnoticed. It is one of the reasons why the MITER ATT & CK database was created to collect known techniques and raise the defenses.
The advantage of a SOCaaS
It is not enough for organizations to seek lateral movement using log files or an EDR tool. It is necessary to turn attention to the network as a whole. In this way it is possible to see all network traffic, establish a baseline of normal network activity for each user and device, and then monitor any unusual actions that could be indicative of attacks. It is known as anomaly detection, and is more comprehensive and often easier than examining each log file for out-of-the-ordinary events.
The problem with anomaly detection is that many of these irregularities are benign, and a lot of time is spent analyzing them. What is needed to separate harmful lateral movement from benign network anomalies is an understanding of the aspect of harmful behavior.
This is where a complete system that uses both behavioral analysis tools and professional security technicians comes into play.
The SOCaaS offered by SOD includes a Security Data Lake (SDL) for data collection and various tools for data analysis. One of these is the UEBA, particularly suitable for the detection of social threats, as it analyzes user behavior through AI using their actions as a source of data.
With these and other tools that make up the SOC, you can actively reduce the risk of attacks on your corporate data. If you are interested in learning more about SOD SOCaaS, I invite you to visit the dedicated page or contact us directly.
Mitre Att&ck is a global knowledge base of adversary tactics and techniques based on real observations of cyber attacks. These are displayed in arrays organized by attack tactics, from initial system access and data theft to machine control. There are arrays for common desktop platforms (Linux, macOS and Windows) and for mobile ones.
What is MITRE ATT&CK ™ and what does it mean?
ATT&CK stands for “adversarial tactics, techniques, and common knowledge” and that is: tactics, adversary techniques and common knowledge. Let’s try to go deeper.
Tactics and techniques are a modern way of thinking about cyber attacks. Rather than looking at the results of an attack – an indicator of compromise (IoC) – security analysts should look at the tactics and techniques that indicate an attack is in progress. Tactics represent the goal you want to achieve, while techniques represent how an opponent plans to achieve it.
Common knowledge is the documented use of tactics and techniques used by opponents. Essentially, common knowledge is the documentation of the procedures used by the attacker. Those familiar with cybersecurity may be familiar with the term “tactics, techniques and procedures” or TTP. This same concept has been used by ATT&CK ™, replacing the term procedure with common knowledge.
Who is MITRE and what is the goal of ATT&CK ™?
MITRE is a US government funded research organization based in Bedford, MA, and McLean, VA. The company was spun off from MIT in 1958 and was involved in a number of top secret commercial projects for various agencies. These included the development of the FAA’s air traffic control system and the AWACS radar system. MITRE has a substantial cybersecurity practice funded by the National Institute of Standards and Technology (NIST).
A curiosity: the word Mitre means nothing. Apparently one of the first members, James McCormack, wanted a name that meant nothing but was evocative. Some mistakenly think it means Massachusetts Institute of Technology Research and Engineering.
ATT&CK’s goal is to create a comprehensive list of known opponent tactics and techniques used during a cyber attack. Open to governmental, educational and commercial organizations, it should be able to gather a wide, and hopefully comprehensive, range of attack phases and sequences. MITRE ATT&CK aims to create a standard taxonomy to make communications between organizations more specific.
How is the ATT&CK ™ matrix used?
The matrix visually organizes all known tactics and techniques in an easy to understand format. Attack tactics are shown above, and individual techniques are listed below in each column. An attack sequence would involve at least one technique per tactic, and a complete attack sequence would be constructed by moving from left (Initial Access) to right (Command and Control). It is possible to use more techniques for a single tactic. For example, an attacker might try both a Spearphishing Attachment and a Spearphishing Link as initial login tactics.
Here is an example of a matrix:
In this matrix there are all the phases of an attack sequence. It is organized so that the tactics are ordered from right to left according to the attack sequence. Under each tactic the corresponding techniques, some of which contain sub-techniques. The two techniques mentioned above are actually sub-techniques of phishing which are part of the first step in the sequence (first column on the left).
It is not necessary for an attacker to use all eleven tactics at the top of the matrix. Rather, the attacker will use the minimum number of tactics to achieve his goal, as it is more efficient and provides less chance of discovery. In this attack (illustrated in the diagram below), the adversary performs initial access to the CEO’s administrative assistant credentials using a Spearphishing link delivered in an email. Once in possession of the administrator’s credentials, the attacker searches for a Remote System Discovery of the Discovery phase.
Let’s say they’re looking for sensitive data in a Dropbox folder that the admin also has access to, so there’s no need to increase privileges. The collection, which is the last stage, is done by downloading the files from Dropbox to the attacker’s machine.
Note that if you are using behavior analysis, a security analyst could detect the attack in progress by identifying abnormal user behavior.
And that’s exactly what a SOC should do, here, roughly, how the attack could be mitigated: suppose the administrator clicked a link that no one in the company has ever clicked before, then the administrator logged in a particular Dropbox folder at an unusual time. During the final phase of the attack, the attacker’s computer entered the Dropbox folder for the first time. With behavioral analysis, these activities would be flagged as suspicious user behavior.
To consult ATT&CK
To consult this resource just visit his site and you will find yourself in front of the matrix of which I published a screenshot a little while ago. Suppose we want to consult the Spearphishing Link technique. By clicking on it, the corresponding page will open containing in-depth information about it, such as a description of the technique, what sub-techniques exist, examples of procedures that include it and suggestions for risk mitigation.
Basically all the information necessary to know and defend oneself appropriately from each technique is available.
The advantages of a resource like MITRE ATT&CK are truly remarkable. Cyber security teams have a valuable ally at their disposal, to which they can add dedicated tools for its consultation.
While it is almost certain that attackers are adapting as defenders deploy new skills, it is also true that ATT&CK provides a way to describe the new techniques they develop.
In today’s article, we’ll explain what a Security Operations Center (SOC) is and help determine if a SOC-as-a-Service (SOCaaS) solution is right for your business. Just because you have to manage cybersecurity doesn’t mean your business has to deal with cybersecurity. In fact, your core business could be pretty much anything else.
Proper management of IT security, however, is essential to allow your company to grow and to obtain the certifications for data processing required by law. Having the right cybersecurity skills available at the right time is critical to your success, but you have no idea when that time will be.
Choosing the right technology, people and processes to build a modern security operations section is one of the biggest challenges for IT security managers.
What is a SOCaaS and what it can do for you
Before understanding what the management challenges are, it is good to understand what a SOC is. It performs the following functions:
Plan, configure and maintain your security infrastructure.
With a SOC it is possible to configure the technology stack (endpoint, SaaS applications, cloud infrastructure, network, etc.) to identify the relevant activity and eliminate unnecessary data. Monitor data sources to ensure the ecosystem is always connected.
Detect and respond
In addition, it is possible to monitor the incoming alarm activity. Investigate alarms to determine if it is a true security issue or a false alarm. If something is a real security threat, you can evaluate the magnitude of the situation and take response actions.
The activity of a certain event can be examined to determine if there are any signs of impairment that may have eluded the automated controls. The most common scenario is to review the history of an IP address or file that has been determined to be malicious.
Storage of log files
Another possibility is to securely collect and archive log files, for up to seven years, for compliance with regulations. The team will need to provide this critical data for forensic analysis in the event of a security situation.
Measure performance indicators
Obviously it is possible to monitor the KPIs (performance indicators). In detail it is possible to measure and report the KPIs to demonstrate to the executive team how the SOC is working.
The challenges of implementing your own SOC
Finding, training and retaining cybersecurity professionals is expensive
The skills needed to manage IT security tasks are in high demand. Unfortunately, the shortage is bound to get worse before it gets better. According to the International Certification Organization (ISC), the number of vacant positions worldwide was over 4 million professionals in 2019, up from nearly three million the previous year.
Training personnel with a broad IT background in cybersecurity skills is an option, but retaining these people is expensive. Their replacement, when eventually taken elsewhere, starts a cycle that usually ends up being more expensive than expected, especially compared to SOCaaS.
Also, people who work well in this industry usually want to explore new topics and take on new challenges. You will need to find other related projects or roles to rotate SOC staff to keep them engaged. This also helps build their skills, so they are ready to respond and act promptly when needed.
Cyber security is a team sport
It is important to have a diverse set of skills and a team that works well as a team. Security threats evolve rapidly, proper investigation and responses require people who understand endpoints, networks, cloud applications, and more. Often you end up being a SOC manager, a sysadmin and a threat hunter, depending on the day and what happens in your environment.
This means that you will need a team that is constantly learning, so that you have the right skills when you need them. People who do well in this industry thrive in a team environment where they can learn and challenge each other. For this, you need a workflow that regularly brings together several SOC analysts.
Think of it this way: you wouldn’t put a football team on the pitch that didn’t train together. Your SOC team collides with an opponent who plays as a team every day. To be successful, you need professionals who have a lot of playing experience to build their skills both in the single position and as a team.
A team of SOC analysts who do not do regular training will not be ready when hit by a well-trained opponent. It is difficult to get this experience in a small organization.
A SOCaaS is the immediate answer to this need. The team that will take care of your IT security is trained and stimulated every day by ever new challenges, having to deal with different infrastructures every day.
24/7 coverage is a necessity
Letting an opponent be free to bait for hours, days or weeks makes it infinitely more difficult to contain and remove threats. The adversary knows they have limited time to do as much damage as possible, as in the case of ransomware, or to overshadow ports, as in the case of data extrusion.
You will have the best chance of recovery if you can investigate and respond within minutes. A solution that provides 24 × 7 coverage is therefore essential.
In computer security there are no “working hours” for one particular reason: an attack could come from anywhere on the globe, consequently you cannot rely on conventional hours. This is the result of the spread of the network as an instrument of worldwide connection, we can only deal with it adequately. A SOCaaS relieves the company using it from keeping a division open 24/7.
Managing suppliers and integrating tools is quite expensive
Cyber security is complex and technology evolves rapidly. There will be more and more technologies that need to work together, which requires maintaining the skills to implement, update and configure each component and train your staff on new versions and features. If you have your own SOC, you also need to manage these supplier relationships, licensing, and training.
The bottom line is that building the skills you need requires a lot of low-level tasks and extensive daily work. For organizations that can support it, the effort makes sense. For most organizations, the task is best left to a partner who can provide this service, allowing you to get all the benefits of a high-end SOC without the expense and distraction of building it yourself.
If budget is not an issue and you have enough staff to focus on building and maintaining a 24 × 7 SOC, then it may make sense to go this route. If you are constrained on one of these two fronts, then SOCaaS will be the best approach.
In summary, SOCaaS allows you to:
1. Spend time managing security, not technology and vendors
2. Have a predictable expense. No surprise budget requests
3. Obtain security information from other organizations
4. Manage alarms more efficiently and with more predictable results
5. Be agile and keep up with the IT needs of your evolving organization
6. Stay abreast of today’s security tool innovations.
If your company wants to know more about Secure Online Desktop SOCaaS solutions, contact us for a non-binding consultation. We will show you all the advantages and clear up any doubts regarding this solution.
Tempo di lettura: 5 minUtilizzo del Machine Learning per proteggere i dati Introdotto nel gennaio 2017, Acronis Act… https://t.co/mhqalBxm8D
Gli attacchi informatici sono numerosi e non fanno distinzione tra aziende e singoli individui quando prendono di m… https://t.co/uOucUWZf7W
Estimated reading time: 5 minutes SNYPR è uno strumento di analisi della sicurezza in grado di trasformare i Big… https://t.co/oies7e0nYY
Estimated reading time: 5 minutes Con l’avvento delle piattaforme di big data, le aziende che si occupano di sicu… https://t.co/MSvA0dPgiE
Estimated reading time: 5 minutes With the advent of big data platforms, IT security companies can now make guid… https://t.co/aTv41eq2Ir