In this session we will cover:
Operational Architecture: think about how the SOC interacts with the various security zones
The MAPE cycle aids the development of knowledge - previous security measures have sought to address this cycle.
Always remember: Correlation does not imply causation
Analytical reasoning about data observations to inform on cyber risk to our organisation
The Lockheed Martin Cyber Kill Chain framework helps with the identification and prevention of cyber intrusion activity. The model identifies what the adversaries must complete in order to achieve their objective. The seven steps of the Cyber Kill Chain enhance visibility into an attack and enrich an analyst's understanding of an adversary's tactics, techniques and procedures.
MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a knowledge base of adversary tactics and techniques based on real-world observations. It was created in 2013 by researchers who emulated both adversary and defender behaviour in order to improve post-compromise detection and analysis. The framework is organised around Tactics, Techniques and Procedures (TTPs).
The Common Vulnerabilities and Exposures (CVE) program aims to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities. There is one CVE Record for each vulnerability in the catalog, and its identifier is used globally. Partners publish CVE Records to communicate consistent descriptions of vulnerabilities. Information technology and cybersecurity professionals use CVE Records to ensure they are discussing the same issue, and to coordinate their efforts to prioritise and address the vulnerabilities. In the United States, the National Institute of Science and Technology (NIST) maintains the National Vulnerability Database (NVD), which cross-references the catalogued CVE records.
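The practical consequence of "one CVE Record per vulnerability, used as a global identifier" is that every tool and analyst should key on the same canonical ID string. The following added example (not part of these notes, and not NIST or MITRE code) extracts CVE IDs from free text such as a ticket or vendor bulletin, normalises sloppy spellings to the canonical form, and cross-references them against an NVD-style lookup table. The ID format (CVE, a four-digit year, then four or more digits) is the real CVE convention; the record table, the year-2030 IDs and the ticket text are constructed placeholders, not real records.

```python
"""Extract, normalise and cross-reference CVE identifiers (added example)."""
import re

# Real CVE ID shape: CVE-<4-digit year>-<4 or more digits>. Separators are
# relaxed so 'cve 2030-0001' and 'CVE_2030_0001' still resolve to one key.
CVE_ID_RE = re.compile(r"\bCVE[-_ ]?(\d{4})[-_ ](\d{4,})\b", re.IGNORECASE)


def canonical_cve_ids(text):
    """Return CVE IDs mentioned in `text` in canonical 'CVE-YYYY-NNNN' form,
    first occurrence first, duplicates removed. Sequence digits are kept as
    written (leading zeros are part of the identifier)."""
    seen = []
    for year, seq in CVE_ID_RE.findall(text):
        canon = f"CVE-{year}-{seq}"
        if canon not in seen:
            seen.append(canon)
    return seen


# Constructed NVD-style records (placeholders, not real NVD entries).
NVD_STUB = {
    "CVE-2030-0001": {"cvss": 9.8, "summary": "Unauthenticated remote code execution in ExampleHTTPd"},
    "CVE-2030-0002": {"cvss": 5.3, "summary": "Information disclosure in ExampleHTTPd status page"},
}


def triage(text, nvd=NVD_STUB):
    """Look each mentioned ID up in the NVD-style table.

    Known IDs are returned sorted by CVSS base score, highest first; IDs with
    no record are returned separately so that a reserved or mistyped ID is
    surfaced for follow-up instead of being silently dropped.
    """
    known, unknown = [], []
    for cve in canonical_cve_ids(text):
        rec = nvd.get(cve)
        if rec is None:
            unknown.append(cve)
        else:
            known.append((cve, rec["cvss"], rec["summary"]))
    known.sort(key=lambda item: item[1], reverse=True)
    return known, unknown


# Constructed ticket text: mixed spellings, a duplicate, an unknown ID and a typo.
TICKET = (
    "Vendor advisory lists cve-2030-0002 and CVE 2030-0001; the scanner "
    "reported CVE_2030_0001 as well and something called CVE-2030-0003 "
    "that is still marked reserved. (Typo: CVE-2030-001 is not a valid ID.)"
)

if __name__ == "__main__":
    known, unknown = triage(TICKET)
    for cve, score, summary in known:
        print(f"{cve}  CVSS {score}  {summary}")
    for cve in unknown:
        print(f"{cve}  no NVD record (reserved, rejected or mistyped?)")
```

Returning the unknown IDs rather than discarding them matters in a SOC: a CVE that is reserved but not yet published still needs tracking, and a mistyped ID is how two teams end up discussing different issues under the same ticket.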
The MITRE Cyber Analytics Repository (CAR) is a knowledge base of analytics developed by MITRE based on the MITRE ATT&CK adversary model. CAR defines a data model that is used in its pseudocode representations, but it also includes implementations targeted directly at specific tools (e.g., Splunk, EQL) in its analytics. With respect to coverage, CAR is focused on providing a set of validated and well-explained analytics, in particular with regard to their operating theory and rationale.
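To make the "data model plus pseudocode plus explained rationale" structure concrete, here is an added example of a CAR-style analytic written for these notes. It is hypothetical and is not a published CAR analytic: the analytic id is a placeholder, the field names (exe, parent_exe, command_line, pid, ppid, hostname, user) follow CAR's process/create data model, and the telemetry is constructed. The detection itself is the classic defender check for an Office application spawning a command interpreter.

```python
"""Hypothetical analytic in the style of a MITRE CAR entry (added example)."""
from dataclasses import dataclass, asdict
import os


@dataclass(frozen=True)
class ProcessCreate:
    """One 'process/create' event, using CAR data-model field names."""
    hostname: str
    pid: int
    ppid: int
    exe: str           # image that was started
    parent_exe: str    # image of the parent process
    command_line: str
    user: str


# The structured description CAR keeps next to its pseudocode and tool-specific
# implementations. The id is a placeholder, not a real CAR identifier.
ANALYTIC = {
    "id": "CAR-XXXX-XX-XXX (placeholder)",
    "title": "Office application spawning a command interpreter",
    "hypothesis": "A document-based lure has been opened and its payload is "
                  "launching a shell or script host.",
    "rationale": "Word, Excel and similar applications have no routine reason "
                 "to start cmd.exe or powershell.exe; the parent/child pair is "
                 "rare on healthy hosts, so the signal is cheap and low-noise.",
    "data_model": "process/create (fields used: exe, parent_exe)",
    "pseudocode": (
        "processes = search Process:Create\n"
        "hits = filter processes where (parent_exe in OFFICE_APPS "
        "and exe in INTERPRETERS)\n"
        "output hits"
    ),
}

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def _image_name(path):
    """Normalise 'C:\\...\\WINWORD.EXE' or 'winword.exe' to a lower-case basename."""
    return os.path.basename(path.replace("\\", "/")).lower()


def office_spawning_interpreter(events):
    """Python implementation of ANALYTIC['pseudocode'] over ProcessCreate events.

    Each hit carries the full event plus the analytic title so that an alert
    can be traced back to its operating theory."""
    hits = []
    for ev in events:
        if _image_name(ev.parent_exe) in OFFICE_APPS and _image_name(ev.exe) in INTERPRETERS:
            hits.append({**asdict(ev), "analytic": ANALYTIC["title"]})
    return hits


# Constructed telemetry: two true positives (pids 4188 and 900), three benign events.
SAMPLE_EVENTS = [
    ProcessCreate("ws01", 4120, 3980, "C:\\Program Files\\Microsoft Office\\WINWORD.EXE",
                  "C:\\Windows\\explorer.exe", 'WINWORD.EXE /n "quarterly.docx"', "alice"),
    ProcessCreate("ws01", 4188, 4120, "C:\\Windows\\System32\\cmd.exe",
                  "C:\\Program Files\\Microsoft Office\\WINWORD.EXE", "cmd.exe /c dir", "alice"),
    ProcessCreate("ws02", 512, 480, "powershell.exe", "explorer.exe",
                  "powershell.exe -File backup.ps1", "bob"),
    ProcessCreate("ws03", 900, 880, "powershell.exe", "EXCEL.EXE",
                  "powershell.exe -NoProfile -File report.ps1", "carol"),
    ProcessCreate("ws03", 950, 880, "AcroRd32.exe", "EXCEL.EXE",
                  "AcroRd32.exe attachment.pdf", "carol"),
]

if __name__ == "__main__":
    print(ANALYTIC["title"], "->", ANALYTIC["rationale"])
    for hit in office_spawning_interpreter(SAMPLE_EVENTS):
        print(f"{hit['hostname']} pid={hit['pid']} {_image_name(hit['parent_exe'])}"
              f" -> {_image_name(hit['exe'])}: {hit['command_line']}")
```

Note that the analytic is keyed on the parent/child image pair, not on the command line: that is why the data model matters. Any sensor that can populate exe and parent_exe (Sysmon, EDR, auditd-style process telemetry) can feed the same analytic, and the rationale field records why an analyst should trust a hit.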
Analytics stored in CAR contain the following information: