Save Time and Quiet the Noise: Turn Indicators of Compromise into Behavioral, Pattern-Based Detections in Minutes
Catch the On-Demand webinar here in case you missed it, or read on for an overview.
You’re a Security Engineer, and after a long week you have plans to meet your buddies for your weekly happy hour, which lately you’ve missed a lot thanks to false alerts and noise, so you’re really looking forward to this one. But around 10am you get an email from your CISO asking for a coverage report on the latest headline: a new phishing attack. The headline ties this phishing attack to a new Advanced Persistent Threat (APT) attack path built around a zero-day, and it threatens your team. You can’t push this off until tomorrow. Your CISO wants an answer (and a fix) by EOD, and customers depend on you to protect their information.
This will take forever. You know you need to dig into the threat intel to understand the Tactics, Techniques, and Procedures (TTPs), assess your current detection coverage for those TTPs, and find any gaps. You also know you need to deploy new detection content to close those gaps and build the threat scenario that detects the specific attack path for this APT. You look at all the steps involved: understanding the APT’s tactics and techniques alone will take you all morning, let alone deploying something to detect it.
Get ahead of the “it needs to be fixed by EOD” game
Don’t worry, we don’t want you to miss happy hour, and we have a solution to speed up that coverage report. Anvilogic’s team of researchers, The Forge, curates, builds, tests and validates the detection content in the Armory, keeping it current with the latest trending threats and over 800 ready-to-deploy detections. The Forge delivers daily trending topics and the relevant detections directly in the Anvilogic Armory, so you can stay proactive. You can also finally beat your CISO to an email, giving them an update on where you stand with particular attacks and headlines before they even get the chance to ask, putting you ahead of the game. Anvilogic also provides recommendations and MITRE ATT&CK mapping based on your priorities to help identify specific threats and detect the TTPs used. You can correlate individual identifiers into a behavioral attack-pattern scenario, such as suspicious email attachments, followed by malicious document executions, followed by encoded PowerShell commands, as well as any C2 activity observed on a particular host.
If this seems too good to be true, it’s not. The Armory can look for a specific detection and any atomic detections made along the attack path. We know this seems like a lot of work, but it really isn’t. The first thing you want to do is figure out your current coverage and any gaps that exist. We recommend aligning and mapping your priorities to the MITRE ATT&CK matrix, which helps you quickly identify coverage gaps and fast-track the research phase. It also helps you answer inquiries from the lines of business about your detection coverage for relevant attacks seen in the wild.
Phishing for weak spots
In the webinar the team walks through a phishing example and shows how Anvilogic can help you quickly identify multiple rules associated with phishing attacks and deploy detections in minutes. This gives you a visual understanding of both your coverage and your gaps across Initial Access, Execution, and Command and Control, all in one spot that shows where your coverage is today.
More than just a heat map
We understand this could just look like a heat map. However, if you dig a little deeper, you will see how you can begin to operationalize the MITRE ATT&CK matrix. You are able to quickly identify your gaps and see what detections are recommended to help make sure those gaps are covered. From there, you can quickly deploy by either using the ready-to-deploy detections that were recommended or build a detection from scratch using Anvilogic’s no-code builder that includes both threat identifiers and threat scenarios.
When talking about threats, let’s take a quick look at the difference between a threat identifier and a threat scenario. You can think of a threat identifier as a production detection use case sending alerts to your security operations center (SOC), whereas a threat scenario is a sequential, behavioral-pattern correlation of those identifiers that better detects attack paths.
Identifying the attack path for an Advanced Persistent Threat
With multiple identifiers and the ability to filter, tracking the APT attack path just got easier. Because the identifiers are already written, once you have found your gaps you already have the relevant detection logic, and the best part is you don’t have to spend the time writing it yourself. We built the Anvilogic Armory because we know that using the MITRE ATT&CK framework, mapping detections to it, and THEN running the kill chain is a very manual process. We also know it can take hours to map all of those TTP rules by name, description and logic. Again, this is why we have the Armory: we want you to get to the point of deployment ASAP.
We know what you’re thinking: you don’t have to write the code, but once you deploy there is going to be A TON of noise. You already know your environment sees suspicious attachment names and weird file extensions all the time, it’s just part of doing business, but filtering out too much activity to cut the noise might not work either. Let’s face it, at the end of the day you don’t want your analysts experiencing alert fatigue from constantly running into false positives. We understand your concern; we have had the same one. In the detection example above we’re looking for a number of different attachment extensions, and we also included zip files, which we know are a common part of business operations. Through the deployment of the specific attack path you’ll see we are not just alerting on suspicious email attachments; within hours of one we also look for malicious document execution or encoded PowerShell commands observed on the host. Correlating these not only detects the full attack path but avoids alerting on each of those cases individually, which we all know can be super noisy. We also continue to maintain the baseline and tune that logic for you, which can be a hassle.
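As an added illustration (not Anvilogic’s code or the Armory’s own logic), here is a small Python correlation that turns the three threat identifiers in the phishing attack path above into a threat scenario: it fires once per host only when all three stages occur in order within an assumed four-hour window, so a lone zip attachment never escalates. The host names, stage labels and sample alerts are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Ordered stages of the post's phishing attack path. Each stage is a "threat identifier"
# (atomic detection); the "threat scenario" fires only when all stages hit one host, in order, inside WINDOW.
STAGES = ("suspicious_email_attachment", "malicious_document_execution", "encoded_powershell")
WINDOW = timedelta(hours=4)  # assumed value; the post only says "within hours"

@dataclass(frozen=True)
class IdentifierAlert:
    ts: datetime
    host: str
    identifier: str

def correlate(alerts, stages=STAGES, window=WINDOW):
    """Return (host, first_ts, last_ts) for each host whose identifier alerts complete
    the ordered chain within `window`; a lone noisy identifier never escalates on its own."""
    by_host, hits = {}, []
    for a in sorted(alerts, key=lambda a: a.ts):
        by_host.setdefault(a.host, []).append(a)
    for host, seq in by_host.items():
        for i, first in enumerate(seq):
            if first.identifier != stages[0]:
                continue  # chains can only start at the first stage
            chain, deadline = 1, first.ts + window
            for later in seq[i + 1:]:
                if later.ts > deadline:
                    break  # stale: stages outside the window do not count
                if later.identifier == stages[chain]:
                    chain += 1
                    if chain == len(stages):
                        hits.append((host, first.ts, later.ts))
                        break
            if hits and hits[-1][0] == host:
                break  # one scenario alert per host
    return hits

# Constructed sample identifier alerts (not real telemetry).
T0 = datetime(2023, 3, 1, 9, 0)
SAMPLE_ALERTS = [
    IdentifierAlert(T0, "ws-finance-07", "suspicious_email_attachment"),  # routine vendor zip
    IdentifierAlert(T0 + timedelta(minutes=5), "ws-hr-02", "suspicious_email_attachment"),
    IdentifierAlert(T0 + timedelta(minutes=42), "ws-hr-02", "malicious_document_execution"),
    IdentifierAlert(T0 + timedelta(minutes=55), "ws-hr-02", "encoded_powershell"),
    IdentifierAlert(T0 + timedelta(hours=1), "ws-finance-07", "encoded_powershell"),  # out of order
    IdentifierAlert(T0 + timedelta(hours=9), "ws-finance-07", "malicious_document_execution"),  # too late
]

if __name__ == "__main__":
    print(correlate(SAMPLE_ALERTS))  # only ws-hr-02 completes the full attack path
```

The finance workstation produces two of the three identifiers but never in order inside the window, so it generates no scenario alert; only the HR host, where the full chain completes in under an hour, escalates.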
All in all, we know how loud the alerts can be; we have been there. The Armory not only saves time but quiets the noise, identifies the gaps, and comes with more detections and scenarios already built into the framework. Basically, it lets you work smarter, not harder.
Liked getting the lowdown on the Armory?
To watch the whole webinar and see all of the time savings and efficiency of the Armory in real time, head over to the registration page. Also, if we piqued your security curiosity, there are a lot more posts like this in our blog series. While you are over there, why not check out our webinar series, where we talk shop with some of the best in the business. And don’t forget to sign up for our weekly threat report to keep up to date with the latest cyber threats, news, reports, and active notifications of relevant threats to harden your security posture.