Friday 11 May 2018

Protecting The Pack (SOC)

Written by Will Lambert 

Credit – Crimson Tails -

When a wolf pack moves, a widely circulated account holds that the leader, the strongest of the pack, travels at the very rear. It is the leader's, or Alpha's, responsibility to safeguard the pack from threats, and he continuously monitors the ever-changing landscape. The vantage point at the rear lets the Alpha inspect and monitor the threats posed to the entire pack, both external and internal. At the very front of the pack are the weak and lame wolves, those the Alpha would sacrifice if needed. They are closely followed by the strongest male wolves, whose main purpose is to provide safety and security: to protect the critical assets of the pack, the female wolves. Who would have guessed that wolves were such gentlemen? I for one was very surprised.


If we mapped the walking order of the pack onto a cyber security posture, our critical assets would take up the mantle of the female wolves. Our strongest wolves would be the devices and methodologies that provide layers of defence around those assets: firewalls, ACLs, switches, procedures, physical access logs and so on. Honeypots and honeynets could resemble the lame and weak wolves, a distraction for the threat while the protection of the rest of the pack is readied or reinforced. But who or what takes the place of the Alpha? We need a function that studies the entire pack, the network as a whole, continuously monitoring for threats and providing incident response. This is known as a Security Operations Centre, or SOC.

Some may argue that the Alpha's place could be taken by a Security Information and Event Management (SIEM) system, a tool that collects and normalises logs and then tests them against a set of correlation rules and known indicators. The SIEM operates on if-then logic, much like signature-based antivirus: if a rule says that traffic is bad, the SIEM highlights it to a human analyst. But I would argue the Alpha is more than a SIEM. Yes, like a typical SOC, the Alpha has SIEM traits: he will identify other predators as a threat, or "bad traffic", just as a SIEM will recognise known malware as a threat to the network and raise an alert for human analysts. What differentiates a SOC from a SIEM is the incident response and the active search for both known and unknown threats; a SIEM on its own can only alert on what it has been told to look for.

Traditionally, a SOC will differentiate between three types of traffic:

1. Known Good
2. Known Bad
3. Unknown

So, what is Known Good? It is exactly as it sounds: business-as-usual (BAU) traffic for which no suspicious activity or other distrustful markers have been highlighted. Known Bad is the SIEM trait of a SOC discussed earlier: traffic highlighted by if-then rules against known signatures and indicators. The more difficult concept, which I will attempt to explain, is Unknown traffic.

Unknown traffic is traffic that requires further investigation. Possibly some markers within the traffic have been highlighted as not correct, or not in keeping with the environment. It could also be that the SOC has not yet learned our environment: what is common practice for us will most likely be unusual in another network, so our SOC needs to learn what is "normal" to us. As human beings, when we are in a new environment, we draw on our past experiences to help us. If you go abroad on holiday, you may use certain hand gestures to breach the language barrier, a wave to say hello or goodbye. It is the same with a SOC. At first the language will be all wrong, and the SOC will identify it as unknown. Unknown traffic is almost like the SOC holding out open palms and saying to a human analyst, "I don't know what this means! This language is foreign to me!" At least when I go abroad I can get by with "una cerveza por favor" and, as time goes on, the typical British methodology of speaking slowly and loudly. The time taken for a SOC to learn BAU activities is known as the tuning or learning phase. The SOC will alert on BAU traffic as it learns the language; after some time these alerts are normalised and the activity becomes Known Good. Two caveats apply. Tuning is analyst-driven: an alert is only normalised once someone has confirmed the activity is legitimate, and a baseline built from a window that already contained an intruder would quietly make that intruder part of "normal".

Once the tuning phase is complete, Unknown traffic will consist of traffic that does not fit the environment. Typically it may be indicative of preparatory steps taken in advance of an attack: network or Active Directory enumeration, shell use, lateral movement, privilege escalation and so on. This is quite a mammoth task if you consider the wide variety of attack techniques available on the hacker market, on both surface-web and darknet marketplaces. It is not just the tools readily available from a wide variety of online sources; a SOC also needs to know the tactics, techniques and procedures (TTPs) being discussed on darknet forums and the like. All this chatter about the latest tools, techniques, procedures and anything else attack-related, including potential targets, combines into what is known as Threat Intelligence. Threat Intelligence gives the SOC the ability to actively hunt for threats, both internal and external to our environment, to understand how attacks are executed, and to inform incident response.
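To make the three-way split and the tuning phase concrete, here is an added example in Python. It is not code from the original post or from any SOC or SIEM product. The log format, the host and user names, the Known Bad list and the 203.0.113.7 address are all constructed for the illustration: the Known Bad list stands in for a SIEM rule set or IOC feed, the learned baseline stands in for what the SOC has confirmed is BAU, and everything else lands in the Unknown queue for an analyst.

```python
import re
from collections import Counter

# Constructed log format for this example (not any real product's format):
#   <timestamp> <source_host> <user> <action> <destination>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<user>\S+)\s+(?P<action>\S+)\s+(?P<dest>\S+)$"
)

# "Known Bad": the if/then part of the SOC. A real SOC takes this from the
# SIEM rule set and threat-intelligence feeds; here it is a hypothetical,
# hard-coded list. 203.0.113.7 is a documentation (TEST-NET-3) address
# standing in for a command-and-control server.
KNOWN_BAD = {
    "action": {"mimikatz.exe"},
    "dest": {"203.0.113.7:4444"},
}


def parse(line):
    """Parse one log line into a dict, or return None if it does not fit the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_known_bad(event):
    """If/then check against the indicator list."""
    return event["action"] in KNOWN_BAD["action"] or event["dest"] in KNOWN_BAD["dest"]


def learn_baseline(lines, min_count=2):
    """Tuning phase: keep (user, action, dest) triples that recur in BAU logs.

    Events that already match Known Bad are never baselined, so an intruder
    who is active during the learning window cannot be 'learned' as normal.
    """
    counts = Counter()
    for line in lines:
        ev = parse(line)
        if ev is None or is_known_bad(ev):
            continue
        counts[(ev["user"], ev["action"], ev["dest"])] += 1
    return {key for key, n in counts.items() if n >= min_count}


def classify(event, baseline):
    """Known Bad is tested before the baseline so a learned entry can never mask an IOC."""
    if is_known_bad(event):
        return "known_bad"
    if (event["user"], event["action"], event["dest"]) in baseline:
        return "known_good"
    return "unknown"


def triage(lines, baseline):
    """Return per-class counts and the Unknown lines an analyst has to look at."""
    counts = Counter()
    unknown = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            counts["unparsed"] += 1
            continue
        verdict = classify(ev, baseline)
        counts[verdict] += 1
        if verdict == "unknown":
            unknown.append(line.strip())
    return counts, unknown


# Constructed tuning window: two days of ordinary activity.
TUNING_LOG = """\
2018-05-07T08:01:02 ws-101 alice logon fileserver01
2018-05-07T08:01:09 ws-102 bob logon fileserver01
2018-05-07T08:02:15 ws-101 alice smb fileserver01
2018-05-07T08:03:00 backup01 svc-backup smb fileserver01
2018-05-08T08:00:55 ws-101 alice logon fileserver01
2018-05-08T08:01:30 ws-102 bob logon fileserver01
2018-05-08T08:02:00 ws-101 alice smb fileserver01
2018-05-08T08:03:10 backup01 svc-backup smb fileserver01
2018-05-08T09:00:00 ws-103 carol logon fileserver01
"""

# Constructed live window: BAU logons, then bob's host starts enumerating the
# domain controller, runs a credential-dumping tool and calls out to the C2.
LIVE_LOG = """\
2018-05-11T08:01:00 ws-101 alice logon fileserver01
2018-05-11T08:01:20 ws-102 bob logon fileserver01
2018-05-11T08:05:00 ws-103 carol logon fileserver01
2018-05-11T08:10:00 ws-102 bob net.exe dc01
2018-05-11T08:11:00 ws-102 bob powershell.exe dc01
2018-05-11T08:12:00 ws-102 bob mimikatz.exe dc01
2018-05-11T08:13:00 ws-102 bob outbound 203.0.113.7:4444
"""

if __name__ == "__main__":
    baseline = learn_baseline(TUNING_LOG.splitlines())
    counts, unknown = triage(LIVE_LOG.splitlines(), baseline)
    print(dict(counts))
    for line in unknown:
        print("UNKNOWN ->", line)
```

Two design choices carry the security point. Known Bad is tested before the baseline, so a learned entry can never mask an indicator, and the tuning routine refuses to baseline events that already match Known Bad, so an intruder active during the learning window is not quietly normalised. Carol's single logon during tuning stays Unknown in the live window because it fell under the recurrence threshold; that is the analyst-driven review described above, not a false positive to be suppressed blindly.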

To summarise, an Alpha's natural instinct teaches him that it is not a case of if the pack is targeted in an attack, but when. He knows what "normal" is in his pack. He has several defences at his disposal and knows where his critical assets are: what he needs to protect and what tools he can deploy to protect them. However, this is not enough. As the pack moves, the Alpha will always be vigilant for new and emerging threats, continuously monitoring the horizon and the changing terrain, not unlike the ever-changing terrain of the cyber landscape presented to us daily. Investigation of "unknown data" helps to prepare the pack for any event. As for any type of attack, preparation is key.

“Every Battle Is Won or Lost Before It’s Fought”
Sun Tzu – The Art of War
