Written by Will Lambert
Credit – Crimson Tails - http://animal-jam-clans-1.wikia.com/wiki/Crimson_Trails_Wolf_Pack
When a wolf pack moves, it is well documented that the leader or strongest of the pack travels at the very rear. It is the leader’s, or Alpha’s, responsibility to safeguard the pack from threats. He continuously monitors the ever-changing landscape. The vantage point the rear of the pack provides allows the Alpha to inspect and monitor the threats posed to the entire pack, both external and internal. At the very front of the pack are the weak and lame wolves, those whom the Alpha would sacrifice if needed. The weak and lame are closely followed by the strongest male wolves, whose main purpose is to provide safety and security: to protect the critical assets of the pack, the female wolves. Who would have guessed that wolves were such gentlemen…? I for one was very surprised.
Credit http://dpatlarge.com/a-wolf-pack-in-herd-code/
If we align the wolf pack’s marching order with a cyber security posture, our critical assets take up the mantle of the female wolves. Our strongest wolves are the devices and methodologies employed to provide a layer of security defence protecting those critical assets: firewalls, ACLs, switches, procedures, physical access logs and so on all align with the role of the strongest wolves. Honeypots and honeynets could theoretically resemble the lame and weak wolves, serving as a threat distraction while the protection of the remaining pack is readied or reinforced. But who or what would take the place of the Alpha? We need a method to study the entire pack, the network as a whole, continuously monitoring for threats and providing a level of incident response. This is known as a Security Operations Centre, or SOC.
Some may argue that the place of the Alpha could be taken by a Security Information and Event Management (SIEM) system, a tool that collects and normalises logs and then tests them against a set of values. The SIEM operates on an if-then logic basis, similar to antivirus: if the SIEM knows traffic is bad, it will highlight that traffic as bad to a human analyst. But I would argue the Alpha is more than just a SIEM. Yes, like a typical SOC, the Alpha will have SIEM traits. He will identify other predators as a threat, or “bad traffic”. Similarly, a SIEM will recognise known malware as a threat to the network and raise the alert for human analysts. The differentiators between a SOC and a SIEM are incident response and actively searching for known and unknown threats.
Traditionally, a SOC will differentiate between three types of traffic:
1. Known Good
2. Known Bad
3. Unknown
So, what is Known Good? It is exactly as it sounds: business-as-usual (BAU) traffic for which no suspicious activity or other distrustful markers have been highlighted. Known Bad is the SIEM trait of a SOC discussed earlier, highlighting traffic using if-then logic. The difficult concept, which I will attempt to explain, is Unknown traffic.
Unknown traffic is traffic that requires further investigation. Possibly some markers within the traffic have been highlighted as not correct, or not in place within the environment. It could be that the SOC has not yet learned our environment. What is common practice for us will most likely be unusual in another network. Our SOC will need to learn what is “normal” to us. As human beings, when we are in a new environment, we draw on our past experiences to help us. If you go abroad on holiday, you may use certain hand gestures to bridge the language barrier, such as a wave to say hello or goodbye. This is the same with a SOC. At first, the language will be all wrong, and the SOC will identify this as unknown. Unknown traffic is almost like the SOC holding open palms and saying to a human analyst “I don’t know what this means! This language is foreign to me!”. At least when I go abroad, I can get by with “una cerveza por favor” and the rest by adopting the typical British methodology of speaking slowly and loudly as time goes on. The time taken for a SOC to learn BAU activities is known as the tuning or learning phase. The SOC will alert on BAU traffic as it learns the language. After some time, these alerts will be normalised and the traffic will be known as BAU.
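As an added illustration (not code from the original post), the following Python sketch shows the three-way triage described above: known bad from SIEM-style if-then rules, known good from a baseline learned during a tuning phase, and unknown for everything else, which is handed to an analyst. It also shows why the SOC alerts on BAU traffic during tuning: with an empty baseline, every BAU event is still unknown. The log tuples, rule values, field names and the two-sighting threshold are all constructed for this example.

```python
"""Three-way SOC triage: known bad (rules), known good (tuned baseline), unknown.
Every log line, rule value and threshold here is constructed for illustration."""

from collections import Counter

# Constructed sample events: (source host, destination host, destination port, process).
TUNING_PHASE_LOGS = [
    ("ws-01", "fileserver", 445, "explorer.exe"),
    ("ws-02", "fileserver", 445, "explorer.exe"),
    ("ws-01", "mail", 443, "outlook.exe"),
    ("ws-02", "mail", 443, "outlook.exe"),
    ("ws-03", "fileserver", 445, "explorer.exe"),
]

LIVE_LOGS = [
    ("ws-01", "mail", 443, "outlook.exe"),          # BAU, seen during tuning
    ("ws-02", "dc-01", 389, "powershell.exe"),      # never seen in tuning -> unknown
    ("ws-03", "203.0.113.5", 4444, "svchost.exe"),  # matches a known-bad rule
]

# Known-bad rules: the SIEM-style "if this, then alert" part of a SOC.
# Values are constructed (203.0.113.0/24 is a documentation range); a real
# rule set would be fed by threat intelligence.
KNOWN_BAD_RULES = [
    {"name": "address on threat-intel denylist", "field": "dst", "value": "203.0.113.5"},
    {"name": "port flagged by threat-intel feed", "field": "port", "value": 4444},
]

FIELDS = ("src", "dst", "port", "proc")


def matches_known_bad(event):
    """Return the name of the first rule the event trips, or None if it trips none."""
    ev = dict(zip(FIELDS, event))
    for rule in KNOWN_BAD_RULES:
        if ev[rule["field"]] == rule["value"]:
            return rule["name"]
    return None


def shape(event):
    """The part of an event we baseline: where it went, on which port, from which process."""
    _, dst, port, proc = event
    return (dst, port, proc)


def learn_baseline(tuning_logs, min_sightings=2):
    """Tuning phase: count the shapes of events that are not known bad; any shape
    seen at least min_sightings times is normalised into the known-good baseline."""
    counts = Counter(shape(e) for e in tuning_logs if matches_known_bad(e) is None)
    return {s for s, n in counts.items() if n >= min_sightings}


def triage(event, baseline):
    """Classify one event. Known-bad rules always win, even for baselined shapes."""
    rule = matches_known_bad(event)
    if rule is not None:
        return ("known bad", rule)
    if shape(event) in baseline:
        return ("known good", "matches tuned baseline")
    return ("unknown", "not seen during tuning; route to analyst")


def triage_all(events, baseline):
    return [triage(e, baseline) for e in events]


if __name__ == "__main__":
    # During tuning the baseline is empty, so BAU traffic is reported as unknown.
    for ev, (verdict, why) in zip(TUNING_PHASE_LOGS, triage_all(TUNING_PHASE_LOGS, set())):
        print(f"[tuning] {verdict:10s} {ev}  ({why})")
    # After tuning, the same shapes are known good and only the new shape is unknown.
    base = learn_baseline(TUNING_PHASE_LOGS)
    for ev, (verdict, why) in zip(LIVE_LOGS, triage_all(LIVE_LOGS, base)):
        print(f"[live]   {verdict:10s} {ev}  ({why})")
```

The baseline key is deliberately coarse (destination, port, process) so that a new workstation doing the same BAU activity is not flagged; a production SOC would tune which fields form the key, and how many sightings are needed, per environment.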
Once the tuning phase is complete, Unknown traffic will consist of traffic not conducive to the environment. Typically, this may be indicative of preparatory steps taken in advance of an attack: network or AD enumeration, shell use, lateral movement, privilege escalation and so on. Now, this is quite a mammoth task if you consider the wide variety of attack techniques available on the hacker market, on both surface and darknet marketplaces. It is not just the tools readily available from a wide variety of online sources; a SOC also needs knowledge of the tools, tactics and procedures that people are discussing on darknet forums and the like. All this chatter discussing the latest tools, techniques, procedures and anything else attack related, including potential targets of attacks, combines to form what is known as Threat Intelligence. Threat Intelligence gives the ability to actively hunt for threats, both internal and external to our environment. It gives the SOC the ability to identify how attacks are executed and aids the incident response activities.
To summarise, an Alpha’s natural instinct teaches him that this is not a case of if the pack is targeted in an attack, but when. He knows what “normal” is in his pack. He has several defences at his disposal, and he knows where his critical assets are: what he needs to protect and what tools he can deploy to protect them. However, this is not enough. As the pack moves, the Alpha will always be vigilant of new and emerging threats, continuously monitoring the horizon and the changing terrain, not unlike the ever-changing terrain synonymous with the cyber landscape presented to us on a daily basis. An investigation of “unknown data” helps to prepare the pack for any event. As for any type of attack, preparation is key.
“Every Battle Is Won or Lost Before It’s Fought”
Sun Tzu – The Art of War