As the number of cybercrime events, incidents of identity theft, theft of intellectual property, and cyberattacks continue to rise, there is an increasing need to provide adequate network security to defend against these types of threats to organizations. Defending against these types of threats is very difficult for an organization, and the attacker will always have the advantage. While defenders are looking at all the possible threats to an environment, an attacker only needs to concentrate on what he or she is looking to accomplish.
This will always put the defender at a disadvantage. In order to best secure their environment, a defender needs to use all the information at his or her disposal to determine how to deploy the limited resources available. When approaching a new environment or reevaluating an environment that you are currently part of, determining the best security strategy will depend heavily on the organization’s business model.
There are many different types of business models, but most fall into a few typical categories, though obviously with many subcategories. These three higher-level business model classifications are:
Depending on its business model, every organization must have its own set of varied tools to detect threats on its security.
Many organizations think there is no point in obtaining or deploying security tools, since attackers would surely have no interest in attacking them. But this perspective is deeply flawed. If an organization is small, it will have fewer security systems to protect it for obvious reasons, and an attacker might choose it as a target because it will be easier and faster to breach.
Each organization has a set of data that an attacker can sell on the deep web. In some cases the attackers may just want to block a company’s operation, and a simple DDoS attack can lead to service interruptions that have effects on the company’s brand and on its customers in terms of SLAs. In other cases, attackers may want to take financial and accounting data. In still others, to take credit card data.
Even for smaller companies, attackers may target them because they expect to find almost no defenses. What could they want from such a small company? Trivially, the data about its users and clients, in order to impersonate users in later attacks, including personal data such as fiscal/tax identifying numbers and/or identity card numbers. Thus no one can feel safe, not even small private organizations. They may be targeted for blackmail, or simply for reselling the collected data at a later time.
Other organizations think that having SIEM or a similar security approach (like firewalls, antivirus, etc.) is like having a wall protecting a castle. In reality, it’s more like a guard dog; it’s just one facet of a defense-in-depth strategy, but it’s by no means a silver bullet. Just like any guard dog, if there is no one to train it, or take the time to listen when it barks, it doesn’t do any good.
One of the most important questions to ask about your SIEM is does it enable hunting? If you’re unable to quickly pivot between data sources to follow the breadcrumbs without turning to the manual every 5 seconds, it probably won’t be up to the task of a serious investigation. Does an organization have a dedicated security tool content admin to write rules and tune their SIEM? If not, it will become exponentially harder to get any real value out of the investment on SIEM or other similar tools.
Put in simple terms, hunting in cybersecurity is proactively finding ways that nefarious people do evil things. The days of having a security posture centered mainly around prevention are gone for good: triage after the fact is critically important, but it can’t be the only goal of a mature SOC. Just setting up a SIEM and waiting for any alerts to come to you is not the most productive use of your resources.
NetEye SIEM supports organizations in this more active posture. We have different tools to help our clients:
Let’s look at an anonymized but very real case in which a system administrator having all these tools conducted an excellent campaign of threat hunting.
I can see thanks to the monitoring system that I have unusually high resource consumption on a Windows system which normally does not have a large expenditure of resources. On this system I am collecting system events through winlogbeat and I identify that there are PowerShell processes and that many files are being transferred to the outside.
I analyze the network traffic that machine is generating using ntopng and verify that the traffic that is going out is making use of an encrypted channel. I verify via OCS and GLPI that the machine in question is up to date and there are no missing patches. I scan the antivirus and antispam logs and nothing is found related to that machine, but the problem continues to persist.
At first I tried to restart the machine, but nothing changed. At this point you can see the timeline of the logs and note that when the monitoring system started sending out alerts, the number of logs produced increased. By analyzing the machine logs in depth, and making use of sysmon activated on various systems including this one, I saw that the hash of an executable file had been changed.
At this point, by blocking this process, the system behavior returns to normal. Several days later we found out that the problem was generated by a DNS exfiltration attack by a hacker group called APT 34 which had leveraged a phishing attack that could not yet be detected by our antispam/antiphishing system. By using Tornado, Watchers and Elastic Stack detection, we can now generate an alert that will report to the monitoring system if a similar problem should occur.
I hope that it’s now clearer why it’s important for everyone to equip themselves with security tools such as NetEye SIEM.