Can We Predict A Cybersecurity Incident?

Forbes Technology Council

VP and CISO for Star and Disney India, overseeing the company's cybersecurity strategy in India. Passionate white-hat hacker.

Amazon, Google and Tesla. If you think about these three companies, the first two words that come to most minds are innovation and disruption. They disrupted their respective industries by predicting the future correctly. In a similar manner, I've always wondered whether we could predict the type of security incidents a company should expect to encounter. If the answer is yes, we can save a lot of time and resources when building a threat detection framework. But as we all know, in real-world monitoring, spotting an actual incident is like finding a needle in a haystack.

Hackers perform reconnaissance against a company to understand the strengths and weaknesses of its infrastructure. Based on the outcome of that activity, they design their payload for a higher success rate. If defenders can predict a hacker's techniques in advance and build a hunting model for them, detecting and responding to that kind of incident becomes much faster.

To build this prediction framework, we need two essential datasets to start. The first is the list of techniques hackers use to compromise a company; fortunately, the MITRE ATT&CK framework already catalogs them. The second is a mapping of SIEM use cases to ATT&CK techniques; this helps defenders see the blind spots in their detections against the different methods hackers use. For instance, one of those techniques is Scheduled Task (T1053.005). As a defender, you would need to look for a relevant use case and the appropriate logging on your SIEM: Windows Security event logs should be forwarded to the SIEM platform, and the detection use case should look for Windows event ID 4698 ("A scheduled task was created"). Note that 4698 is only generated when the "Audit Other Object Access" subcategory is enabled in the audit policy; without it, the use case exists on paper but will never fire.
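As an added example (not code from the article or from any SIEM vendor), the detection use case described above, written as hunting logic over Windows Security event 4698 records. The events are constructed in the script, and the TaskContent field is built in the same XML shape the real event carries (the Task Scheduler namespace is the genuine one). The list of suspicious binaries and argument patterns is an assumption to be tuned per environment; the point is that a useful 4698 rule looks inside the task definition rather than alerting on every task creation.

```python
"""Hunt for suspicious scheduled-task creation (ATT&CK T1053.005) in Windows
Security event 4698. Added example; all sample events below are constructed.
Prerequisite in the real world: the "Audit Other Object Access" subcategory
must be enabled, or 4698 is never written."""
import re
import xml.etree.ElementTree as ET

# Namespace used by the TaskContent XML embedded in event 4698
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Assumption: binaries commonly launched from malicious tasks; tune per environment
SUSPICIOUS_BINARIES = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                       "rundll32.exe", "regsvr32.exe", "wscript.exe", "cscript.exe",
                       "certutil.exe", "bitsadmin.exe"}
# Assumption: argument patterns that warrant a look (encoded/hidden PowerShell, downloads)
SUSPICIOUS_ARGS = re.compile(
    r"(-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|downloadstring|"
    r"invoke-expression|\biex\b|https?://)", re.IGNORECASE)


def task_xml(command: str, arguments: str, user_id: str = "S-1-5-18") -> str:
    """Build a TaskContent XML body in the shape event 4698 carries (constructed)."""
    return (
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        f'<Principals><Principal id="Author"><UserId>{user_id}</UserId>'
        "<RunLevel>HighestAvailable</RunLevel></Principal></Principals>"
        f'<Actions Context="Author"><Exec><Command>{command}</Command>'
        f"<Arguments>{arguments}</Arguments></Exec></Actions></Task>"
    )


def parse_task(task_content: str) -> dict:
    """Pull the executable, arguments and run-as principal out of the task XML."""
    root = ET.fromstring(task_content)
    return {
        "command": root.findtext(".//t:Exec/t:Command", default="", namespaces=TASK_NS),
        "arguments": root.findtext(".//t:Exec/t:Arguments", default="", namespaces=TASK_NS),
        "run_as": root.findtext(".//t:Principal/t:UserId", default="", namespaces=TASK_NS),
    }


def score_event(event: dict) -> list:
    """Return the reasons a 4698 event looks suspicious; empty list means benign."""
    if event.get("EventID") != 4698:          # 4702 (task updated) needs its own rule
        return []
    task = parse_task(event["TaskContent"])
    reasons = []
    exe = task["command"].strip('"').split("\\")[-1].lower()
    if exe in SUSPICIOUS_BINARIES:
        reasons.append(f"task runs {exe}")
    if SUSPICIOUS_ARGS.search(task["arguments"]):
        reasons.append("arguments contain encoded/hidden/download pattern")
    creator = event.get("SubjectUserName", "")
    if creator.upper() != "SYSTEM" and not event["TaskName"].startswith("\\Microsoft\\"):
        reasons.append(f"non-Microsoft task path registered by {creator}")
    return reasons


def hunt(events: list) -> list:
    """Run the rule over a batch of events; return (TaskName, reasons) for hits."""
    hits = []
    for event in events:
        reasons = score_event(event)
        if reasons:
            hits.append((event["TaskName"], reasons))
    return hits


# Constructed sample events: one benign OS task, one encoded-PowerShell persistence
# task created by a user account, and one 4702 update event the rule ignores.
SAMPLE_EVENTS = [
    {"EventID": 4698, "SubjectUserName": "SYSTEM",
     "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "TaskContent": task_xml(r"%windir%\system32\defrag.exe", "-c -h -k -g -$")},
    {"EventID": 4698, "SubjectUserName": "jdoe",
     "TaskName": r"\Updater",
     "TaskContent": task_xml(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                             "-WindowStyle Hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA")},
    {"EventID": 4702, "SubjectUserName": "jdoe", "TaskName": r"\Updater",
     "TaskContent": task_xml("notepad.exe", "")},
]

if __name__ == "__main__":
    for name, reasons in hunt(SAMPLE_EVENTS):
        print(name, "->", "; ".join(reasons))
```

In a SIEM the same three signals map onto the parsed 4698 fields (TaskContent is usually extracted into separate fields by the Windows add-on), and the creator check is what separates a noisy "any task created" rule from one an analyst will act on.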

After this exercise, we will know which techniques have no coverage from a use-case standpoint. We can then map those techniques, using the ATT&CK group-to-technique matrix, to determine which adversaries would have a higher success rate against the company. Once that is done, defenders can take a focused approach and build threat hunting models that detect those adversaries at each stage of the kill chain. This approach also improves an organization's logging coverage across all its devices.

Several apps from SIEM vendors map log sources and use cases to MITRE ATT&CK techniques; the apps for Splunk and IBM QRadar are good examples. You can install them on their respective SIEM and check your coverage of the most-used ATT&CK techniques according to Red Canary's Threat Detection Report, which ranks techniques by the number of confirmed threats observed across Red Canary's customers:

1. Command and Scripting Interpreter (T1059).

2. Signed Binary Proxy Execution (T1218).

3. Create or Modify System Process (T1543).

4. Scheduled Task/Job (T1053).

5. OS Credential Dumping (T1003).

6. Process Injection (T1055).

7. Obfuscated Files or Information (T1027).

8. Ingress Tool Transfer (T1105).

9. System Services (T1569).

10. Masquerading (T1036).
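The coverage check described in the two paragraphs above, as an added example (not the article's, Splunk's or QRadar's code): it takes an inventory of SIEM use cases tagged with the ATT&CK technique IDs they detect and the log sources they need, compares it against the ten techniques listed, and then ranks adversary profiles by how many of their techniques currently have no live detection. The use-case inventory, the onboarded log sources and the two adversary profiles are constructed assumptions; real group-to-technique mappings come from the ATT&CK STIX data and are not reproduced here. One detail the example makes explicit that a simple "is there a rule for this technique" check misses: a rule whose log source is not onboarded counts as a blind spot, not as coverage.

```python
"""SIEM coverage gap analysis against the Red Canary top-10 ATT&CK techniques.
Added example; the use cases, log sources and adversary profiles are constructed."""
from dataclasses import dataclass

# The ten techniques from the report, keyed by ATT&CK technique ID
TOP_TECHNIQUES = {
    "T1059": "Command and Scripting Interpreter",
    "T1218": "Signed Binary Proxy Execution",
    "T1543": "Create or Modify System Process",
    "T1053": "Scheduled Task/Job",
    "T1003": "OS Credential Dumping",
    "T1055": "Process Injection",
    "T1027": "Obfuscated Files or Information",
    "T1105": "Ingress Tool Transfer",
    "T1569": "System Services",
    "T1036": "Masquerading",
}


@dataclass
class UseCase:
    name: str
    techniques: set       # ATT&CK technique IDs the rule is tagged with
    log_sources: set      # data sources the rule needs in order to fire


# Constructed SIEM use-case inventory (assumption, not a real deployment)
USE_CASES = [
    UseCase("Scheduled task created (4698)", {"T1053"}, {"windows:security"}),
    UseCase("Encoded PowerShell command line", {"T1059", "T1027"}, {"sysmon:1"}),
    UseCase("LSASS memory access", {"T1003"}, {"sysmon:10"}),
    UseCase("New service installed (7045)", {"T1543", "T1569"}, {"windows:system"}),
    UseCase("Suspicious rundll32/regsvr32 parent", {"T1218"}, {"sysmon:1"}),
]
# Log sources actually onboarded to the SIEM (constructed); note sysmon:10 is absent
ONBOARDED = {"windows:security", "windows:system", "sysmon:1"}

# Constructed adversary profiles with hypothetical names
ADVERSARIES = {
    "GroupA": {"T1059", "T1053", "T1105", "T1036"},
    "GroupB": {"T1055", "T1003", "T1027"},
}


def coverage_report(use_cases, onboarded, techniques):
    """Classify every technique as covered, missing_logs (rule exists but its data
    is not onboarded, so it never fires) or no_use_case (no rule at all)."""
    report = {}
    for tid in techniques:
        rules = [uc for uc in use_cases if tid in uc.techniques]
        if not rules:
            report[tid] = ("no_use_case", [])
            continue
        live = [uc.name for uc in rules if uc.log_sources <= onboarded]
        if live:
            report[tid] = ("covered", live)
        else:
            needed = set().union(*(uc.log_sources for uc in rules))
            report[tid] = ("missing_logs", sorted(needed - onboarded))
    return report


def rank_adversaries(report, adversaries):
    """Order adversaries by the share of their techniques with no live detection,
    highest first; that share is the 'probability of success' the text refers to."""
    ranked = []
    for name, techs in adversaries.items():
        blind = [t for t in techs
                 if report.get(t, ("no_use_case", []))[0] != "covered"]
        ranked.append((name, len(blind) / len(techs), sorted(blind)))
    return sorted(ranked, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    rep = coverage_report(USE_CASES, ONBOARDED, TOP_TECHNIQUES)
    for tid, (status, detail) in rep.items():
        print(f"{tid} {TOP_TECHNIQUES[tid]:<35} {status:<13} {detail}")
    for name, share, blind in rank_adversaries(rep, ADVERSARIES):
        print(f"{name}: {share:.0%} of techniques undetected {blind}")
```

The "missing_logs" state is the one worth acting on first: it usually means a rule was imported from a content pack and never validated against the data the SIEM actually receives, which is the same gap the scheduled-task example above runs into when the audit subcategory is off.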

This exercise gives you the list of adversaries that have a high probability of success against your company, and with it the type of incidents defenders can expect in their environment. That proactiveness helps an organization detect and respond to cybersecurity incidents much faster than the traditional, reactive approach.
