Table of Contents
- While unified platforms have historically been within the means of only large organizations—ones able to build their own cybersecurity ecosystems—that’s no longer the case. Enterprises of all sizes can obtain a readymade platform from a vendor and customize it relatively easily to meet their specific needs.
- Microsoft Patch Tuesday for March 2023 — Snort rules and prominent vulnerabilities
- Sygnia Named in the 2023 Gartner ® Market Guide for Digital Forensics and Incident Response Retainer Services for the Second Consecutive Time
- Build Security Muscle Memory With Tabletop Exercises
- Use Searching Engines to Hunt For Threat Actors
- 50 Threat Hunting Hypothesis Examples
- How to Choose the Right SOC Model for Your Organization?
- Part 1: Bro, do you even detection engineer?
- Chinese Hackers Targeting Security and Network Appliances
- What’s in store for MSPs: Trends for 2023
- Understanding metrics to measure SOC effectiveness
- CISA Red Team Shares Key Findings to Improve Monitoring and Hardening of Networks
While unified platforms have historically been within the means of only large organizations—ones able to build their own cybersecurity ecosystems—that’s no longer the case. Enterprises of all sizes can obtain a readymade platform from a vendor and customize it relatively easily to meet their specific needs.
Trend Micro
What’s driving cybersecurity operations to evolve
Moving IT into the cloud, adopting as-a-service business models, and supporting hybrid work have all changed—and grown—the enterprise attack surface.
Instead of the classic network perimeter, identity is the new boundary that has to be protected.
What SOC teams need most are better ways to correlate and prioritize alerts so they can isolate the ones that truly matter while getting in front of threats instead of reacting to them.
Step 1: Optimize XDR for stronger cybersecurity operations
Combining XDR with SIEM optimizes the capabilities of both: SIEM data enriches XDR detection and investigation while XDR’s correlations give context to SIEM logs for better threat identification over time.
Step 2: Adopt proactive cyber risk management
“A sustainable security program that provides data-driven risk decision making and measurable treatments as an outcome is essential to manage the new normal,” according to Gartner’s 2022 Planning Guide for Security and Risk Management.
Given the sheer number of entry points and potential connections—from bring-your-own-device equipment to remote work environments, cloud elements, and as-a-service solutions—operationalizing zero trust can be complicated.
Integrating risk management with the threat detection and response capabilities of optimized XDR helps, along with deployment of secure access service edge (SASE) tools.
Step 3: Converge solutions within a unified platform
While unified platforms have historically been within the means of only large organizations—ones able to build their own cybersecurity ecosystems—that’s no longer the case.
Enterprises of all sizes can obtain a readymade platform from a vendor and customize it relatively easily to meet their specific needs.
Link: https://www.trendmicro.com/en_us/ciso/23/c/cybersecurity-operations.html
Microsoft Patch Tuesday for March 2023 — Snort rules and prominent vulnerabilities
Jonathan Munshaw
Talos Blog
Microsoft released its monthly security update Tuesday, disclosing 83 vulnerabilities across the company’s hardware and software line, including two issues that are actively being exploited in the wild, continuing a trend of zero-days appearing in Patch Tuesdays over the past few months.
Two of the vulnerabilities included in March’s security update have been exploited in the wild, according to Microsoft, including one critical issue.
A moderate-severity vulnerability that’s already being exploited in the wild is CVE-2023-24880, a security feature bypass vulnerability in Windows SmartScreen, a cloud-based anti-phishing and anti-malware feature included in several Microsoft products.
The other zero-day included this month is CVE-2023-23397, a privilege escalation vulnerability in Microsoft Outlook that could force a targeted device to connect to a remote URL and transmit the Windows account’s Net-NTLMv2 hash to an adversary.
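The Outlook bug above is described as coercing the client into reaching a remote location and handing over the account's Net-NTLMv2 hash. Every leak of that kind is visible on the wire as an outbound SMB session, or a WebDAV request from the Windows redirector, to a host outside the organisation. The following check is an added example, not code from the Talos post or from Microsoft; the log formats, the address plan and the sample records are constructed for it, and the internal ranges and domain suffix are assumptions you replace with your own.

```python
"""Flag workstation NTLM authentication leaving the network (added example)."""
from ipaddress import ip_address, ip_network
from typing import NamedTuple

# Assumed address plan. Deliberately not ipaddress.is_private/is_global: those
# treat IANA test networks (e.g. 203.0.113.0/24) as non-global, which is not
# what a SOC means by "internal".
INTERNAL_RANGES = [ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
INTERNAL_SUFFIXES = (".corp.example",)        # assumed internal DNS suffix

# Ports on which Windows authenticates with NTLM as soon as it opens a UNC path.
SMB_PORTS = {445, 139}
# User-Agent prefix sent by the Windows WebDAV redirector (Mini-Redirector).
WEBDAV_UA_PREFIX = "Microsoft-WebDAV-MiniRedir"

# Constructed firewall records: "<ts> <src> <dst> <dport> <proto>"
FIREWALL_LOG = """\
2023-03-14T09:12:01Z 10.20.30.41 10.20.30.5 445 tcp
2023-03-14T09:12:07Z 10.20.30.41 203.0.113.77 445 tcp
2023-03-14T09:12:09Z 10.20.30.41 198.51.100.9 139 tcp
2023-03-14T09:13:30Z 10.20.30.41 8.8.8.8 53 udp
"""

# Constructed proxy records: '<ts> <src> <method> <url> "<user-agent>"'
PROXY_LOG = """\
2023-03-14T09:14:02Z 10.20.30.41 PROPFIND http://203.0.113.77/share/ "Microsoft-WebDAV-MiniRedir/10.0.19041"
2023-03-14T09:14:05Z 10.20.30.41 GET https://www.example.com/ "Mozilla/5.0 (Windows NT 10.0)"
2023-03-14T09:14:09Z 10.20.30.41 PROPFIND http://fileserver.corp.example/docs/ "Microsoft-WebDAV-MiniRedir/10.0.19041"
"""


class Finding(NamedTuple):
    ts: str
    src: str
    dst: str
    reason: str


def is_internal(host: str) -> bool:
    """True for addresses in INTERNAL_RANGES or names under INTERNAL_SUFFIXES."""
    try:
        ip = ip_address(host)
    except ValueError:                       # a hostname, not an address
        return host.lower().endswith(INTERNAL_SUFFIXES)
    return any(ip in net for net in INTERNAL_RANGES)


def scan_firewall(log: str) -> list[Finding]:
    """Internal client -> external host on an SMB port: hash may have left."""
    findings = []
    for line in log.splitlines():
        ts, src, dst, dport, proto = line.split()
        if proto == "tcp" and int(dport) in SMB_PORTS \
                and is_internal(src) and not is_internal(dst):
            findings.append(Finding(ts, src, dst, f"outbound SMB on tcp/{dport} to external host"))
    return findings


def scan_proxy(log: str) -> list[Finding]:
    """WebDAV redirector talking to an external host: same exposure over HTTP."""
    findings = []
    for line in log.splitlines():
        ts, src, _method, url, ua = line.split(maxsplit=4)
        host = url.split("/", 3)[2]
        if ua.strip('"').startswith(WEBDAV_UA_PREFIX) and not is_internal(host):
            findings.append(Finding(ts, src, host, "WebDAV redirector request to external host"))
    return findings


if __name__ == "__main__":
    for f in scan_firewall(FIREWALL_LOG) + scan_proxy(PROXY_LOG):
        print(f"{f.ts} {f.src} -> {f.dst}: {f.reason}")
```

The WebDAV path matters because blocking outbound tcp/445 at the edge, which most organisations already do, pushes the redirector to retry the same UNC target over HTTP; a proxy log with the Mini-Redirector user agent is the place that retry shows up.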
Three of the other critical vulnerabilities Microsoft is patching have a CVSS severity score of 9.8 out of 10: CVE-2023-21708, CVE-2023-23392 and CVE-2023-23415.
In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them.
Please note that additional rules may be released at a future date and current rules are subject to change pending additional information.
Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU.
Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
Link: https://blog.talosintelligence.com/microsoft-patch-tuesday-for-march-2023-snort-rules-and-prominent-vulnerabilities/
Sygnia Named in the 2023 Gartner ® Market Guide for Digital Forensics and Incident Response Retainer Services for the Second Consecutive Time
Sygnia, Inc
Blox Digital
TEL-AVIV, Israel and NEW YORK, March 16, 2023 /PRNewswire/ — Sygnia, a leading cyber technology and services company which provides high-end consulting and incident response support for organizations worldwide, today announced that it was named in the 2023 Gartner ® Market Guide for Digital Forensics and Incident Response Retainer Services (DFIR) for the second consecutive time.
Link: https://curated.tncontentexchange.com/partners/pr_newswire/subject/surveys_polls_and_research/sygnia-named-in-the-2023-gartner-market-guide-for-digital-forensics-and-incident-response-retainer/article
Build Security Muscle Memory With Tabletop Exercises
Joshua Harr
Rapid 7 Blog
There are three methodologies that I discuss with our customers.
Each of these methods has benefits for all organizational levels, but each is ideally suited to specific levels, as outlined below.
Break-The-Glass
Escalatory Method
Choose Your Own Adventure
The “One Right Answer” Issue
When I discuss a TTX with customers, there are times where they want to practice one specific thing to prove that there is an issue in the program or point out problems in other teams.
This is never a good idea.
The Goal
One of those goals should be bringing the organization together and practicing the plans and processes to ensure that the muscle memory is there when you need it most—gametime.
Link: https://www.rapid7.com/blog/post/2023/03/15/build-security-muscle-memory-with-tabletop-exercises/
Use Searching Engines to Hunt For Threat Actors
Gustav Shen
Medium
As a red team operator, I fully understand the importance of OPSEC.
Although I am not a threat-hunting expert, utilizing threat intelligence to track and locate other hackers and observing their mistakes can help enhance my own OPSEC awareness, allowing me to avoid low-level mistakes.
The threat intelligence community boasts numerous outstanding threat hunters, such as Michael Koczwara, whose articles have provided me with significant insights.
These threat hunters expose threat actors’ infrastructure IPs and domain names, assisting in enriching blacklists for both individuals and cybersecurity products.
This article (https://bank-security.medium.com/hunting-cobalt-strike-servers-385c5bedda7b) explains how to use different methods, such as default Cobalt Strike certificates and default 404 responses, to search for Cobalt Strike servers on the internet using the Shodan search engine.
Other articles, like https://michaelkoczwara.medium.com/hunting-c2-with-shodan-223ca250d06f, analyze the characteristics of C2 servers beyond Cobalt Strike and how to locate them using search engines.
There is a wide variety of internet asset search engines available, such as Shodan, Censys, Zoomeye, and Fofa.
However, when it comes to locating threat actor servers with open directory configurations, my personal choice is the Quake search engine.
Threat actors tend to prefer setting up temporary HTTP file servers using Python due to its simplicity and convenience.
However, sometimes they forget to shut down the Python HTTP server promptly, leaving traces we can track.
Filtering by HTTP response is relatively straightforward; we can enter the name of any security tool or malware, such as Mimikatz, Cobalt Strike, or Rubeus.
Some query examples:
title:"Directory listing for /" and response:"cobaltstrike"
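The query above combines two signals: the "Directory listing for /" title that Python's http.server emits, and a tool name somewhere in the response. The following is an added example, not code from Gustav Shen's post, that applies the same two signals to a raw HTTP response so a search-engine hit can be re-checked offline (from a saved response or a pcap). The response bodies are constructed to resemble Python 3's http.server listing and a plain web page; the tool-name list is an assumption to extend.

```python
"""Fingerprint a Python http.server open directory and match listed files (added example)."""
from html.parser import HTMLParser

# Assumed watch list; extend with whatever your hunting is after.
TOOL_MARKERS = ("cobaltstrike", "mimikatz", "rubeus", "sharphound", "beacon")

# Constructed: what a Python 3 `python -m http.server` listing looks like on the wire.
SAMPLE_RESPONSE = (
    "HTTP/1.0 200 OK\r\n"
    "Server: SimpleHTTP/0.6 Python/3.10.6\r\n"
    "Content-type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<!DOCTYPE HTML>\n<html lang=\"en\">\n<head>\n<meta charset=\"utf-8\">\n"
    "<title>Directory listing for /</title>\n</head>\n<body>\n"
    "<h1>Directory listing for /</h1>\n<hr>\n<ul>\n"
    "<li><a href=\"cobaltstrike.jar\">cobaltstrike.jar</a></li>\n"
    "<li><a href=\"Rubeus.exe\">Rubeus.exe</a></li>\n"
    "<li><a href=\"notes.txt\">notes.txt</a></li>\n"
    "</ul>\n<hr>\n</body>\n</html>\n"
)

# Constructed: a normal page that mentions a tool but is not an open directory.
NEGATIVE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><head><title>Red team FAQ</title></head><body>"
    "<a href=\"/docs/cobaltstrike-faq.html\">Cobalt Strike FAQ</a></body></html>"
)


class _Listing(HTMLParser):
    """Collects the <title> text and every <a href> in the body."""

    def __init__(self) -> None:
        super().__init__()
        self.title = ""
        self.hrefs: list[str] = []
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def split_response(raw: str):
    """Return (status line, lower-cased header dict, body) from a raw HTTP response."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for h in lines[1:]:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def classify(raw: str) -> dict:
    """Apply the same signals as the search query to one response."""
    _status, headers, body = split_response(raw)
    page = _Listing()
    page.feed(body)
    python_listing = (headers.get("server", "").startswith("SimpleHTTP/")
                      and page.title.startswith("Directory listing for "))
    hits = sorted({m for f in page.hrefs for m in TOOL_MARKERS if m in f.lower()})
    return {
        "python_http_server": python_listing,
        "files": page.hrefs,
        "tool_hits": hits,
        # Only a listing *and* a tool name is worth an analyst's time.
        "interesting": python_listing and bool(hits),
    }


if __name__ == "__main__":
    print(classify(SAMPLE_RESPONSE))
    print(classify(NEGATIVE_RESPONSE))
```

The Server header check (SimpleHTTP/0.6 Python/3.x) is the extra signal a search engine's `title:` filter does not give you; a page that merely mentions a tool, like the second sample, is left alone.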
Link: https://gustavshen.medium.com/use-searching-engines-to-hunt-for-threat-actors-74be52976e9f
50 Threat Hunting Hypothesis Examples
Cyborg Security
A hypothesis is an educated guess or a proposed explanation for a phenomenon that can be tested and verified.
In threat hunting, a hypothesis is a proposed explanation for an observed behavior that may be indicative of malicious activity.
To help organizations and hunters overcome this challenge, we’ve compiled a list of 50 threat hunting hypothesis examples.
These examples cover a wide range of scenarios and can serve as a starting point for organizations and hunters looking to improve their threat hunting efforts.
Whether you’re a seasoned threat hunter or just getting started, this list of threat hunting hypotheses is sure to provide you with valuable insights and ideas for your next threat hunting project.
Creating effective threat hunting hypothesis examples is a crucial aspect of successful threat hunting.
Link: https://www.cyborgsecurity.com/blog/50-threat-hunting-hypothesis-examples/
How to Choose the Right SOC Model for Your Organization?
Richard Orland
Opp Trends
Outsourcing/Managed Service Provider – MSP
In-house/Organisation Model – IOM
Co-sourcing Model – CSM
Virtual Security Operations Center – VSOC
Considerations for Choosing the Right Model
Business size and scope
Resource availability
Regulatory compliance requirements
Budgetary parameters
Choosing the right Security Operations Center model for your organization requires careful consideration of multiple components.
While there are many factors to consider, two primary aspects – deployment type and coverage level – should be addressed when deciding on an SOC model to implement.
Deployment type refers to how resources are being used within the SOC.
Organizations can either opt for an in-house SOC, a Managed Security Service Provider (MSSP), or a hybrid approach that combines aspects of both in-house and outsourced solutions.
Coverage level refers to the range of capabilities offered by an SOC model, including system support operations such as security event log monitoring, malware analysis and incident investigation, as well as proactive services such as patch management and vulnerability assessments.
There are several levels to consider: basic coverage, which suits small organizations; standard coverage, which often includes 24/7 monitoring; advanced coverage, which encompasses more complex technologies; and extended coverage, which typically meets sophisticated organizational needs requiring specialized skillsets.
Link: https://www.opptrends.com/right-soc-model-for-your-organization/
Part 1: Bro, do you even detection engineer?
Atanas Viyachki
Medium
Detection engineering is the capability that focuses on identifying threats and building those in-house detections.
But, it should not stop there.
Focused on enabling security engineers from various departments to be able to create detections, I developed the Open Detection Engineering Framework (ODEF).
ODEF is to my knowledge the first framework that defines the detection lifecycle.
With three phases — sunrise, midday and sunset ODEF covers the life of a detection from inception to decommissioning.
Each phase has corresponding functions, goals and guidelines.
This helps the detection engineer to maintain north star focus and deliver a detection with exceptional quality.
ODEF provides two templates for documenting detections, one in YAML and one in Markdown, each for a different purpose:
ODEF phases
“Sunrise” is the first phase of the detection lifecycle.
It marks the inception, development and commissioning to production of the detection.
While sunrising a detection, there are six core functions that should be addressed:
Research
Prepare
Build & Enrich
Validate
Automate
Share
The “Midday” phase is normally the longest phase from a detection lifecycle perspective.
During this phase the detection is commissioned to production.
It should be automated and enabled to run continuously.
The phase monitors the detection during its operation and aims to improve it if needed.
High level goals for the Midday phase:
Operate and monitor the detection for FP or TP
Improve the detection logic in case of influx of FP
Perform systematic reviews to ensure relevancy
During the “Sunset” phase the detection is taken out of commission.
The phase ensures that resources are not spent for outdated and irrelevant detections.
At the same time it ensures that documentation of the detection remains.
High level goals for the Sunset phase:
Decommission the detection and leave it in a state that it can be re-enabled anytime
Preserve the knowledge
ODEF Mindmap
The goal of the mindmap is to show the effort required for each lifecycle phase.
The more branches you count, the bigger the effort.
When building high-quality detections, the sunrise phase takes the biggest amount of effort.
Stay tuned for Part 2 — ODEF Implementation, where we will see how to grow a quality detection-as-code capability and enforce detection quality with automated unit tests.
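The lifecycle above is easiest to see as code: a detection record carries its phase, the positive and negative cases that prove it, and a validation step that gates the move from sunrise to midday, while sunset disables the rule without deleting it. The block below is an added example written for this summary, not ODEF's own YAML or Markdown template and not code from the series; the field names, the transition rules, the regex-over-command-line "logic" and the sample command lines are this example's assumptions.

```python
"""A detection record with an ODEF-style sunrise/midday/sunset lifecycle (added example)."""
import re
from dataclasses import dataclass

PHASES = ("sunrise", "midday", "sunset")
# Allowed lifecycle moves. sunset -> midday is the "re-enable anytime" path;
# it goes back through validation like any other commissioning.
TRANSITIONS = {"sunrise": {"midday"}, "midday": {"sunset"}, "sunset": {"midday"}}


@dataclass
class Detection:
    id: str
    title: str
    logic: re.Pattern           # toy stand-in for a SIEM query: a regex over a command line
    true_positives: list[str]   # command lines the rule MUST fire on
    true_negatives: list[str]   # benign command lines it MUST stay quiet on
    phase: str = "sunrise"
    enabled: bool = False

    def fire(self, cmdline: str) -> bool:
        """Run the logic; a detection that is not in midday never fires."""
        return self.enabled and self.logic.search(cmdline) is not None

    def validate(self) -> list[str]:
        """The Validate function: every TP must match, no TN may match."""
        problems = []
        for tp in self.true_positives:
            if not self.logic.search(tp):
                problems.append(f"missed TP: {tp}")
        for tn in self.true_negatives:
            if self.logic.search(tn):
                problems.append(f"FP on TN: {tn}")
        return problems

    def transition(self, to: str) -> None:
        """Move between phases; commissioning to midday is gated on validate()."""
        if to not in TRANSITIONS[self.phase]:
            raise ValueError(f"{self.phase} -> {to} is not a valid lifecycle move")
        if to == "midday":
            problems = self.validate()
            if problems:
                raise ValueError("validation failed: " + "; ".join(problems))
        self.phase = to
        self.enabled = to == "midday"     # sunset keeps the record, drops the runtime cost


# Constructed sample detection: local account creation via net.exe / net1.exe.
LOCAL_ADMIN_ADD = Detection(
    id="DET-0001",
    title="Local account created via net.exe",
    logic=re.compile(r"\bnet1?(?:\.exe)?\s+user\s+(?:\S+\s+)+?/add\b", re.IGNORECASE),
    true_positives=[
        "net user backdoor P@ssw0rd! /add",
        r"C:\Windows\System32\net1.exe user svc_hidden Summer2023 /add /y",
    ],
    true_negatives=[
        "net user administrator",                  # a query, not a creation
        r"net use Z: \\fs01\share /persistent:yes",
        "netstat -ano",
    ],
)


def commission(det: Detection) -> Detection:
    """Sunrise -> midday; raises if the detection's own test set fails."""
    det.transition("midday")
    return det


if __name__ == "__main__":
    commission(LOCAL_ADMIN_ADD)
    for ev in ("net user bob /add /domain", "net user administrator"):
        print(ev, "->", LOCAL_ADMIN_ADD.fire(ev))
    LOCAL_ADMIN_ADD.transition("sunset")   # decommissioned, record preserved
    LOCAL_ADMIN_ADD.transition("midday")   # re-enabled, re-validated on the way
```

Keeping the test cases inside the record is what turns "Validate" into something a CI job can run on every change to the logic: widen the regex to `net user` and commissioning fails on the `net user administrator` negative before the rule ever reaches production.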
Link: https://medium.com/@aviyachki/part-1-bro-do-you-even-detection-engineer-1584dca5ddc9
Chinese Hackers Targeting Security and Network Appliances
Prajeet Nair
Info Risk Today
Chinese threat actors are turning security appliances into penetration pathways, forcing firewall maker Fortinet to again attempt to fend off hackers with a patch.
A threat cluster related to UNC3886 also targeted a Fortinet zero-day in a campaign that involved delivery of a custom backdoor “specifically designed to run on FortiGate firewalls” (see: Fortinet VPN Flaw Shows Pitfalls of Security Appliances).
Thursday’s disclosure comes just days after Mandiant identified a suspected Chinese campaign targeting the SonicWall Secure Mobile Access appliance.
The same group is also likely responsible for a campaign unmasked in September against VMware ESXi servers.
Link: https://www.inforisktoday.asia/chinese-hackers-targeting-security-network-appliances-a-21467
What’s in store for MSPs: Trends for 2023
ESET Ireland
ESET Blog
Moore provided a few tips MSPs can implement to improve their security:
Automatic patch processes
Shrink the attack surface
Enhance data protection
Do not fall victim to alert fatigue
Employee awareness
Overall, the number one thing any business can do to improve its protection is to opt for a trustworthy cybersecurity solution.
ESET is here to provide that protection to all businesses, big or small.
Link: https://blog.eset.ie/2023/03/24/whats-in-store-for-msps-trends-for-2023/
Understanding metrics to measure SOC effectiveness
Sarim Rafiq Uddin
Secure List
Apart from revenue and profits, there are two key principles that drive business success:
Maintaining business operations to achieve the desired outcomes
Continually improving by bringing in new ideas or initiatives that support the overall goals of the business
Measuring routine operations
Example 1: Measuring analysts’ wrong verdicts
Measuring this metric can aid in identifying critical areas that may affect the outcome of the security monitoring process.
It should be noted that this metric is an internal KPI, and the SOC manager has set a target of 10% (target value is often set based on the existing levels of maturity).
If the percentage of this metric exceeds the established target, it suggests that the SOC analyst’s triage skills may require improvement, hence providing valuable insight to the SOC manager.
Example 2: Measuring alert triage queue
Evaluating this metric can provide insights into the workload of SOC analysts.
Example 3: Measuring time to detect incidents
Measuring this metric can provide insights into the efficiency of the security monitoring service for both internal and external stakeholders.
It’s important to note that this metric is categorized as a service-level indicator (SLI), and the target value is set at 30 minutes.
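The three routine-operations metrics above, computed from alert records, as an added example that is not from the Securelist article. The 10% wrong-verdict target and the 30-minute time-to-detect target are the ones quoted in the text; the record format, the sample alerts and the choice to report time to detect as the share of incidents inside the target (rather than an average) are this example's own.

```python
"""Wrong-verdict rate, triage queue and time-to-detect SLI from alert records (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional

WRONG_VERDICT_TARGET = 0.10             # internal KPI quoted in the text
TTD_TARGET = timedelta(minutes=30)      # service-level target quoted in the text


def T(hhmm: str) -> datetime:
    """Shorthand for timestamps on one constructed day."""
    return datetime.fromisoformat(f"2023-03-20T{hhmm}:00")


NOW = T("12:00")


@dataclass
class Alert:
    id: str
    created: datetime
    picked_up: Optional[datetime] = None    # None: still waiting in the triage queue
    verdict: Optional[str] = None           # analyst's call, "tp" or "fp"
    qa_verdict: Optional[str] = None        # second-line review of the same alert
    first_event: Optional[datetime] = None  # earliest attacker activity (confirmed incidents)
    declared: Optional[datetime] = None     # when the incident was declared


# Constructed sample data.
ALERTS = [
    Alert("A1", T("09:00"), T("09:05"), "fp", "fp"),
    Alert("A2", T("09:10"), T("09:12"), "tp", "tp", T("08:50"), T("09:15")),
    Alert("A3", T("09:20"), T("09:40"), "fp", "tp", T("09:00"), T("10:30")),  # missed at triage, caught by QA
    Alert("A4", T("09:30"), T("09:35"), "tp", "tp", T("09:25"), T("09:45")),
    Alert("A5", T("11:30")),
    Alert("A6", T("11:50")),
    Alert("A7", T("10:00"), T("10:02"), "fp", "fp"),
    Alert("A8", T("10:05"), T("10:06"), "fp", "fp"),
]


def wrong_verdict_rate(alerts: list[Alert]) -> dict:
    """Example 1: share of QA-reviewed alerts where the analyst's verdict was overturned."""
    reviewed = [a for a in alerts if a.verdict and a.qa_verdict]
    wrong = sum(a.verdict != a.qa_verdict for a in reviewed)
    rate = wrong / len(reviewed) if reviewed else 0.0
    return {"reviewed": len(reviewed), "wrong": wrong, "rate": rate,
            "over_target": rate > WRONG_VERDICT_TARGET}


def triage_queue(alerts: list[Alert], now: datetime) -> dict:
    """Example 2: how many alerts nobody has picked up yet, and how stale the oldest is."""
    queued = [a for a in alerts if a.picked_up is None]
    oldest = max((now - a.created for a in queued), default=timedelta(0))
    return {"queued": len(queued), "oldest_minutes": oldest.total_seconds() / 60}


def time_to_detect(alerts: list[Alert]) -> dict:
    """Example 3: first attacker activity -> incident declared, against the 30-minute SLI."""
    ttds = [a.declared - a.first_event for a in alerts if a.first_event and a.declared]
    if not ttds:
        return {"incidents": 0, "median_minutes": None, "within_target": None}
    within = sum(t <= TTD_TARGET for t in ttds)
    return {"incidents": len(ttds),
            "median_minutes": median(t.total_seconds() / 60 for t in ttds),
            "within_target": within / len(ttds)}


if __name__ == "__main__":
    print(wrong_verdict_rate(ALERTS))
    print(triage_queue(ALERTS, NOW))
    print(time_to_detect(ALERTS))
```

Reporting the SLI as the fraction of incidents detected within 30 minutes, with the median alongside, is deliberate: one incident that took 90 minutes would push a mean over the target even when most detections were well inside it, and a mean hides exactly the outliers the SOC manager needs to look at.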
Measuring improvement
SOC leadership should devise a program where management and SOC employees get an opportunity to create and pitch ideas for improvement.
Metric identification and prioritization
SOCs generally do measure their routine operations and improvements using ‘metrics’.
However, they often struggle to recognize if these metrics are supporting the decision-making process or showing any value to the stakeholders.
Hunting for meaningful metrics is a daunting task.
The common approach we have followed in SOC consulting services to derive meaningful metrics is to understand the specific goals and operational objectives of security operations.
Another proven approach is the GQM (Goal-Question-Metric) system that involves a systematic, top-down methodology for creating metrics that are aligned with an organization’s goals.
By starting with specific, measurable goals and working backwards to identify the questions and metrics needed to measure progress towards those goals, the GQM approach ensures that the resulting metrics are directly relevant to the SOC’s objectives.
To determine the appropriate metrics, several factors should be taken into account:
Metrics must be aligned with the primary goals and operational objectives
Metrics should assist in the decision-making process
Metrics must demonstrate their purpose and value to both internal operations and external stakeholders.
Metrics should be realistically achievable in terms of data collection, data accuracy, and reporting.
Metrics must also meet the criteria of the SMART (Specific, Measurable, Actionable, Realistic, Time-based) model.
Ideally, metrics should be automated to receive and analyze current values in order to visualize them as quickly as possible.
Link: https://securelist.com/understanding-metrics-to-measure-soc-effectiveness/109061/
CISA Red Team Shares Key Findings to Improve Monitoring and Hardening of Networks
Networking Forums
Actions to take today to harden your local environment:
Establish a security baseline of normal network activity; tune network and host-based appliances to detect anomalous behavior.
Conduct regular assessments to ensure appropriate procedures are created and can be followed by security staff and end users.
Enforce phishing-resistant MFA to the greatest extent possible.
Link: https://www.networking-forums.com/vendor-advisories/us-cert-cisa-red-team-shares-key-findings-to-improve-monitoring-and-hardening-of/msg27258/#msg27258