
Security for Businesses with Limited IT Resources Part 2

Tue, 02 Jul 2019

This is the second blog in a four-part series that explores how you can strengthen your own organization's cybersecurity. Hopefully, you had an opportunity to read the first blog in the series, on threat intelligence, which discussed getting to know your cyber-adversaries so you can better defend yourself. Each of the four topics covered (threat intelligence; detection and analytics; adversary emulation and red teaming; and risk assessment for your company's protection) will be filled with practical cyber techniques for companies that have limited IT resources and analysts. At ISA, we aim to protect the cyber presence of all Canadian businesses. The safer your company's cyber is, the safer all Canadian cyber is.


Part 2: Detection and Analytics

Using analytics to detect cyber attack techniques may differ from how you've thought about cyber detection in the past. Instead of identifying things that are deemed "bad" and blocking them, analytics involves gathering log and incident data about what is happening on your systems and using that data to identify irregular and suspect behaviours (the shifty activity that you identified as part of threat intelligence).

The phrase "finding needles in a haystack" is a good metaphor for detection and analytics. The needles are important cybersecurity events, and the haystacks are authentication logs, packet captures and other data about the network. Proper use of analytics should alert companies to significant cyber events by detecting oddities that raise a red flag, such as repeated failed login attempts to IT administrator accounts. The data is drawn from across the system, and once the analytics have been tuned to what normal system behaviour looks like, they can detect when abnormal behaviour occurs.

As our partner Digital Guardian points out, cybersecurity analytics data can be collected in various ways, including from:

  • Network traffic
  • Endpoint and user behaviour data
  • Cloud resources
  • Business applications
  • Non-IT contextual data
  • Identity and access management data
  • External threat intelligence sources [i]

The objective of cybersecurity analytics is to take raw data from different sources and turn it into actionable insights. Those insights, gained from the correlation of alerts and activities, enable your team to recognize events that require a rapid response.

Detection and Analytics for Your Business

The first step that you need to take towards detection and analytics is to discover what data and search capabilities you possess. Logically, to find abnormal behaviours on your system, you first need to understand what’s happening on your system under normal circumstances, every day.

An excellent way to do this is to look at your data sources, particularly those relevant to the threat group's attack techniques. The various sources give you data that could help in observing the given technique – at the very least they are a good starting point.

The following is a list of sources which are valuable for detecting numerous attack techniques:

  • Process and Process Command Line Monitoring: usually collected by Sysmon (System Monitor), Windows Event Logs, and many Endpoint Detection and Response platforms
  • File and Registry Monitoring: also usually collected by Sysmon, Windows Event Logs, and many Endpoint Detection and Response platforms
  • Authentication Logs: such as those collected from the domain controller via Windows Event Logs
  • Packet Capture: particularly east/west capture, such as traffic collected between hosts and enclaves in your network by a network analysis framework (e.g. Zeek)[ii]

After you discover what data you have access to, you'll need to gather that data into a Security Information and Event Management (SIEM) platform, which will allow you to run analytics against it. You might already have this capability built into your IT or cybersecurity operations, or it may be something new that you will need to create.

Once you've organized your data in your SIEM, you're ready to run some analytics. An excellent place to begin is to look at analytics written by others and run them against your data. If you have endpoint process data, a good beginner analytic can be found here. This analytic attempts to locate usage of Windows Management Instrumentation (WMI) to execute commands on remote systems, which is a common attack technique used by threat groups.

Your role at this point is to look through every result and decide whether it's malicious. If you're evaluating your own company's data, it's hopefully benign.

As John Wunder, Cybersecurity Engineer at not-for-profit MITRE advises, “Once you have the basic search returning data and feel comfortable that you can understand the results, try to filter out the false positives in your environment so that you don’t overwhelm yourselves. Your goal shouldn't be to get to zero false positives, but it should be to reduce them as much as possible while still ensuring that you'll catch the malicious behaviour. Once the analytic has a low false-positive rate, you can automate creating a ticket in your SOC each time the analytic fires or adding it to a library of analytics to use for manual threat hunting.”[iii]
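To make the two steps above concrete, here is an added example (not from the ISA post or from MITRE) of a minimal "remote execution via WMI" analytic run over constructed Sysmon-style process-creation events, with an allow-list of the kind you would build while filtering false positives. The event field names, host names and the allow-listed service account are all assumptions.

```python
"""Added example: a small WMI remote-execution analytic with false-positive tuning.
Event fields are modelled on Sysmon Event ID 1 (process creation); the events,
hosts and accounts below are constructed for illustration, not real logs."""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    image: str
    command_line: str
    parent_image: str

# Constructed sample events standing in for endpoint process data in a SIEM.
SAMPLE_EVENTS = [
    ProcessEvent("WS01", "CORP\\jdoe", r"C:\Windows\System32\wmic.exe",
                 'wmic /node:"FS01" process call create "cmd.exe /c whoami"',
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent("WS02", "CORP\\alice", r"C:\Windows\System32\wmic.exe",
                 "wmic os get caption", r"C:\Windows\System32\cmd.exe"),
    ProcessEvent("FS01", "NT AUTHORITY\\NETWORK SERVICE", r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c whoami", r"C:\Windows\System32\wbem\WmiPrvSE.exe"),
    ProcessEvent("FS01", "CORP\\svc-inventory", r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c inventory.bat", r"C:\Windows\System32\wbem\WmiPrvSE.exe"),
]

# Assumed allow-list: a known-benign inventory service account, added after the
# SOC reviewed results and confirmed its activity is expected (the tuning step).
ALLOWED_USERS = {"CORP\\svc-inventory"}
REMOTE_NODE = re.compile(r"/node:", re.IGNORECASE)

def is_remote_wmi_exec(ev):
    """True on either side of a remote WMI command: the source host running wmic
    against another node, or the target host where WmiPrvSE.exe spawns a child."""
    source_side = ev.image.lower().endswith("wmic.exe") and bool(REMOTE_NODE.search(ev.command_line))
    target_side = ev.parent_image.lower().endswith("wmiprvse.exe")
    return source_side or target_side

def run_analytic(events, allowed_users=ALLOWED_USERS):
    """Return (host, user, command_line) for each hit not covered by the allow-list."""
    return [(ev.host, ev.user, ev.command_line)
            for ev in events
            if is_remote_wmi_exec(ev) and ev.user not in allowed_users]

if __name__ == "__main__":
    for hit in run_analytic(SAMPLE_EVENTS):
        print("ALERT", hit)
```

Running it against the four constructed events yields two alerts: the workstation issuing the remote command and the file server executing it, while the allow-listed inventory account is filtered out.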

Once you get analytics written by other people into operation, you can then start writing your own analytics and expanding your coverage.

Final Thoughts

This post gave you a glimpse of what it means to build analytics to detect cyber attack techniques. Analytics allow for proactive cybersecurity incident detection, and that means a faster response. Analytics also allow for improved forensics when an incident does occur. By having this information, you can better defend against future episodes. This article builds on the previous threat intelligence post to illustrate that once you understand what the adversary can do, you can use that information to create analytics that detect their methodology.

Cyber threat intelligence and detection and analytics work together and are of great benefit to businesses of any size. Start small, with open-source analytics, and then, as you get more comfortable, expand into creating your own. Analytics, when properly applied, allow for quick detection and help to mitigate risk. Of course, if creating a SIEM and implementing sound analytics makes you uneasy, then the best plan is to partner with cybersecurity experts who know how to evaluate data and then use it for detection and defence.
