06 CYBER SECURITY ANALYTICS TOOLS - INCIDENT RESPONSE
The four core questions of security monitoring and incident response:
What are we trying to protect?
What are the threats?
How do we detect them?
How do we respond?
If you don’t know what you are trying to protect, how can you expect to defend it?
There will always be a place for prevention, but not every threat can be blocked, so the aim is a pragmatic approach to detection and response.
Identify which assets are most critical, then build layers of defence outward from them.
MITRE Cyber Analytics Repository (CAR)¶
The MITRE Cyber Analytics Repository (CAR) is a knowledge base of analytics developed by MITRE based on the MITRE ATT&CK adversary model. CAR defines a data model that is leveraged in its pseudocode representations, but also includes implementations directly targeted at specific tools (e.g., Splunk, EQL) in its analytics. With respect to coverage, CAR is focused on providing a set of validated and well-explained analytics, in particular with regards to their operating theory and rationale.
Typical answers to the first question (what are we trying to protect): infrastructure, intellectual property, customer and employee data, and brand reputation.
OS Credential Dumping: LSASS Memory¶
OS Credential Dumping: LSASS Memory: Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct Lateral Movement using Use Alternate Authentication Material. As well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.
Red Canary's Threat Detection Report lists LSASS Memory as affecting 15.5% of the organizations it monitors, with 1,447 confirmed threats.
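The CAR paragraph above describes an analytic as a hypothesis plus a data requirement plus a tool-specific implementation, and the LSASS paragraph describes the behaviour such an analytic should catch. The following is an added example written for these notes (it is not a MITRE CAR analytic and not Red Canary's detection logic): a Python analytic over Sysmon Event ID 10 (ProcessAccess) records that flags non-baseline processes opening lsass.exe with memory-read rights, and separately flags the dbghelp/dbgcore call-trace pattern that indicates LSASS is being dumped to disk (the procdump-style case the paragraph mentions). The sample events, the baseline list of legitimate source images and the call-trace offsets are constructed for the example; the access masks are those Microsoft's Sysmon documentation associates with credential dumpers.

```python
"""Detection analytic for LSASS memory access (ATT&CK T1003.001), laid out in the
CAR style: hypothesis, data requirement, implementation."""
import re

# Hypothesis: credential-theft tools open lsass.exe with memory-read rights from
# processes that do not normally touch it, or dump it via MiniDumpWriteDump.
# Data requirement: Sysmon Event ID 10 (ProcessAccess) with CallTrace enabled.

PROCESS_VM_READ = 0x0010                      # right needed to read another process's memory
# Access masks the Sysmon documentation lists as typical of credential dumpers
KNOWN_DUMPER_MASKS = {0x1010, 0x1410, 0x1438, 0x143A, 0x1FFFFF}
# Assumed per-host baseline of images that legitimately open lsass.exe; tune per estate
BASELINE_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}
# MiniDumpWriteDump lives in dbghelp.dll/dbgcore.dll; seeing them in the call trace
# distinguishes an on-disk dump from an in-memory read
DUMP_DLL_RE = re.compile(r"\\(dbghelp|dbgcore)\.dll", re.IGNORECASE)

# Constructed Sysmon Event ID 10 records (field names as Sysmon emits them)
NTDLL = r"C:\Windows\SYSTEM32\ntdll.dll+9d3e4"
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Windows\System32\svchost.exe", "GrantedAccess": "0x1000",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "CallTrace": NTDLL},
    {"SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe", "GrantedAccess": "0x1FFFFF",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "CallTrace": NTDLL},
    {"SourceImage": r"C:\Users\bob\Downloads\procdump64.exe", "GrantedAccess": "0x1FFFFF",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "CallTrace": NTDLL + r"|C:\Windows\System32\dbgcore.dll+1a2b"},
    {"SourceImage": r"C:\Windows\Temp\update.exe", "GrantedAccess": "0x1010",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "CallTrace": NTDLL},
    {"SourceImage": r"C:\Windows\System32\Taskmgr.exe", "GrantedAccess": "0x1400",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "CallTrace": NTDLL},
    {"SourceImage": r"C:\Windows\Temp\update.exe", "GrantedAccess": "0x1FFFFF",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "CallTrace": NTDLL},
]


def analyse_event(ev):
    """Return the reasons this ProcessAccess event looks like LSASS credential access,
    or an empty list if the event is out of scope or benign under the baseline."""
    if not ev["TargetImage"].lower().endswith(r"\lsass.exe"):
        return []
    source = ev["SourceImage"].lower()
    access = int(ev["GrantedAccess"], 16)
    reasons = []
    if DUMP_DLL_RE.search(ev.get("CallTrace", "")):
        reasons.append("dbghelp/dbgcore in call trace: LSASS being dumped to disk")
    if source in BASELINE_SOURCES:
        return reasons          # baseline images are only flagged for dump behaviour
    if access & PROCESS_VM_READ:
        reasons.append(f"non-baseline image requested PROCESS_VM_READ (mask {access:#x})")
    if access in KNOWN_DUMPER_MASKS:
        reasons.append(f"mask {access:#x} matches a known credential-dumper pattern")
    return reasons


def run_detection(events):
    """Apply the analytic to a stream of events and return the alerts raised, in order."""
    alerts = []
    for ev in events:
        reasons = analyse_event(ev)
        if reasons:
            alerts.append({"source": ev["SourceImage"],
                           "access": ev["GrantedAccess"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        print(alert["source"], alert["access"])
        for reason in alert["reasons"]:
            print("   ", reason)
```

On the sample data this raises two alerts (the procdump run and the unknown binary in C:\Windows\Temp) and stays quiet for svchost, Defender and Task Manager. The baseline is the part that needs care in production: an EDR agent opening LSASS with 0x1FFFFF is normal, an attacker renaming their dumper to svchost.exe in a non-System32 path is not, which is why the comparison is on the full lower-cased path rather than the file name.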
Structured Threat Information eXpression (STIX™)¶
Structured Threat Information eXpression (STIX™) is a language and serialization format used to exchange cyber threat intelligence (CTI). STIX enables organizations to share CTI with one another in a consistent and machine readable manner, allowing security communities to better understand what computer-based attacks they are most likely to see and to anticipate and/or respond to those attacks faster and more effectively. STIX is designed to improve many different capabilities, such as collaborative threat analysis, automated threat exchange, automated detection and response, and more.
Trusted Automated Exchange of Intelligence Information (TAXII™)¶
Trusted Automated Exchange of Intelligence Information (TAXII™) is an application-layer protocol, carried over HTTPS, for exchanging cyber threat intelligence (CTI) in a simple and scalable manner. TAXII enables organizations to share CTI by defining a RESTful API that aligns with common sharing models, and it is specifically designed to carry CTI represented in STIX.
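The STIX and TAXII paragraphs above describe the format and the transport in the abstract. The following is an added example written for these notes, not code from OASIS or from any TAXII product: it builds a small STIX 2.1 bundle (a malware family, an indicator with a STIX pattern, and the `indicates` relationship between them), serves it from a minimal read-only TAXII 2.1 server on the loopback interface, and walks the client side of the exchange in the order the protocol defines (discovery, then the collections list, then the objects of one collection filtered by `match[type]`). The API root name `/api1/`, the collection title, the malware name and the all-zero SHA-256 in the pattern are placeholders; the media type strings, the endpoint paths and the required object properties are those of the STIX 2.1 and TAXII 2.1 specifications.

```python
"""STIX 2.1 bundle construction and a TAXII 2.1 pull exchange, run in-process."""
import json
import threading
import uuid
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import Request, urlopen

TAXII_MEDIA = "application/taxii+json;version=2.1"   # TAXII 2.1 request/response media type
STIX_MEDIA = "application/stix+json;version=2.1"     # content the collection serves
API_ROOT = "/api1/"                                  # hypothetical API root name
COLLECTION_ID = str(uuid.uuid4())                    # collection ids are UUIDs


def _timestamp():
    """STIX timestamps are UTC in RFC 3339 form with a trailing Z."""
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")


def _stix_object(stix_type, **props):
    """Build a STIX 2.1 object with the properties every SDO/SRO must carry."""
    ts = _timestamp()
    obj = {"type": stix_type, "spec_version": "2.1",
           "id": f"{stix_type}--{uuid.uuid4()}", "created": ts, "modified": ts}
    obj.update(props)
    return obj


def build_bundle():
    """Constructed sample CTI: a malware family, an indicator for its payload, and
    the relationship tying them together (names and hash are placeholders)."""
    malware = _stix_object("malware", name="ExampleDropper", is_family=True,
                           malware_types=["dropper"])
    indicator = _stix_object(
        "indicator", name="ExampleDropper payload hash",
        indicator_types=["malicious-activity"], pattern_type="stix",
        pattern="[file:hashes.'SHA-256' = '" + "00" * 32 + "']",
        valid_from=_timestamp())
    relationship = _stix_object("relationship", relationship_type="indicates",
                                source_ref=indicator["id"], target_ref=malware["id"])
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": [malware, indicator, relationship]}


class TaxiiHandler(BaseHTTPRequestHandler):
    """Read-only TAXII 2.1 server: discovery, collections list, collection objects."""

    def _send(self, status, body):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", TAXII_MEDIA)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_GET(self):
        # A TAXII client must ask for the TAXII media type; anything else is 406
        if not self.headers.get("Accept", "").startswith("application/taxii+json"):
            return self._send(406, {"title": "Not Acceptable"})
        url = urlparse(self.path)
        base = f"http://{self.headers['Host']}"
        if url.path == "/taxii2/":                       # discovery endpoint
            return self._send(200, {"title": "Demo TAXII 2.1 server",
                                    "api_roots": [base + API_ROOT]})
        if url.path == API_ROOT + "collections/":        # collections list
            return self._send(200, {"collections": [
                {"id": COLLECTION_ID, "title": "Demo indicators", "can_read": True,
                 "can_write": False, "media_types": [STIX_MEDIA]}]})
        if url.path == f"{API_ROOT}collections/{COLLECTION_ID}/objects/":
            wanted = parse_qs(url.query).get("match[type]")   # optional type filter
            objects = [o for o in self.server.bundle["objects"]
                       if not wanted or o["type"] in wanted[0].split(",")]
            return self._send(200, {"more": False, "objects": objects})  # envelope
        self._send(404, {"title": "Not Found"})

    def log_message(self, *args):   # silence request logging for the demo
        pass


def taxii_get(url):
    """Client side of one TAXII request: send the Accept header, check the reply."""
    with urlopen(Request(url, headers={"Accept": TAXII_MEDIA})) as resp:
        if resp.headers["Content-Type"] != TAXII_MEDIA:
            raise ValueError("server did not answer with the TAXII 2.1 media type")
        return json.load(resp)


def run_exchange():
    """Serve the bundle over loopback and walk discovery -> collections -> objects."""
    server = HTTPServer(("127.0.0.1", 0), TaxiiHandler)
    server.bundle = build_bundle()
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        base = f"http://127.0.0.1:{server.server_port}"
        discovery = taxii_get(base + "/taxii2/")
        api_root = discovery["api_roots"][0]
        collections = taxii_get(api_root + "collections/")["collections"]
        readable = next(c for c in collections if c["can_read"])
        query = urlencode({"match[type]": "indicator"})
        envelope = taxii_get(f"{api_root}collections/{readable['id']}/objects/?{query}")
        return discovery, collections, envelope["objects"]
    finally:
        server.shutdown()
        server.server_close()
```

Running `run_exchange()` returns the discovery document, the collections list and the indicator objects pulled from the collection. Two things are deliberately simplified so the example runs offline: the server speaks plain HTTP on 127.0.0.1 where a real TAXII server must use HTTPS with authentication, and it implements only the `match[type]` filter and a single-page envelope (`"more": false`), whereas production servers page large collections and also honour `added_after` for incremental pulls.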