Network Security

Identify a cyber security platform that will maximize your investment for years to come.

Written by ga_dahmani

Break a successful cyber attack down to its simplest form: threat actors use computers exactly as designed, which means performing hundreds of millions of operations per second on the basis of obscure but creative instructions. Well, somewhere on the Internet there has to be a disgruntled Microsoft employee, right?

Armed with an idea, such as targeting disgruntled employees, hackers can combine training videos, open source tools and high-speed Internet to harvest a target username and a network entry point, scraping the Internet for the human behavior they are looking for in written form. Asking an average computer to scan an entire website for a particular pattern takes minutes on any device, including a smartphone, with a single line, like this: `cewl -e --email_file emaillist.txt https://yourcompanieswebsite.com/`.

A web forum post where someone writes in capitals or ends sentences with more than one exclamation point? Unhappy user identified! A username found on a forum can let a threat actor pivot to additional threat vectors, such as email addresses or Facebook and LinkedIn accounts. We all use similar usernames across web services, right? The threat actor can then profile more of the target's behavior, deriving further obscure but creative potential exploits aimed at harvesting more entry points. Next, they befriend the user across multiple platforms and learn how that person communicates with peers. Finally, they ask for the needed credentials in a private message, phrased so that it raises no suspicion. Access to the target network has been achieved.

Human vulnerabilities can become real vulnerabilities, and we all know that humans are an unpredictable species, so the attack surface of the human psyche is limitless.

That is how cyber threat actors keep demonstrating that they can execute successful attacks seemingly anywhere, including against large organizations such as Microsoft that operate the most advanced cyber security defense systems.

Cyber Security Artifacts – Artifacts are traces left behind.

When looking at the details of a new cyber threat from afar, the most important question to ask is: how did analysts obtain this artifact? Action movie lovers like me imagine a tactical situation where a "high speed" SWAT team drops onto the hacker's roof from a helicopter on ropes, smashes the windows and arrests the hacker. Under intense interrogation the hacker finally reveals his secrets and shows the agents the source code. All vulnerabilities are resolved this way, right? Jokes aside, the answer is a lot less action-packed.

The most basic networks, including home networks, are riddled with millions of artifacts, or tiny digital footprints, that reside within each device. Analysts gain details about attacks by logging into devices, extracting artifacts, and finally solving the puzzle by recreating history by correlating artifacts from different devices.
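The correlation step described above, as an added Python example written for this page (not the author's or any vendor's code): three constructed artifacts, a firewall key=value line, a BSD syslog SSH login line and an EDR CSV row, are normalized into one schema, and a seed IP address is pivoted to the user who authenticated from it and on to that user's host activity. The log formats, hostnames, addresses and the syslog year are all constructed assumptions.

```python
"""Normalize artifacts from different devices into one schema and pivot across them."""
import csv
import io
import re
from datetime import datetime, timezone

# Constructed sample artifacts (not real logs), each in its own native format.
FIREWALL_LOG = """\
2024-03-02T02:14:05Z fw01 ALLOW src=203.0.113.9 dst=10.0.0.25 dport=443
2024-03-02T09:01:00Z fw01 ALLOW src=198.51.100.4 dst=10.0.0.25 dport=443
"""
AUTH_LOG = """\
Mar  2 02:14:06 vpn01 sshd[4411]: Accepted password for jdoe from 203.0.113.9 port 50211
Mar  2 09:01:02 vpn01 sshd[4412]: Accepted publickey for asmith from 198.51.100.4 port 50300
"""
EDR_CSV = """\
timestamp,host,user,event
2024-03-02T02:15:30Z,ws-025,jdoe,process_start:powershell.exe
2024-03-02T09:05:00Z,ws-025,asmith,process_start:outlook.exe
"""
SYSLOG_YEAR = 2024  # BSD syslog lines carry no year; assumed for the sample data


def _iso(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_firewall(text):
    """Firewall key=value lines -> common schema (ts, source, host, user, ip, detail)."""
    out = []
    for line in text.splitlines():
        ts, host, action, rest = line.split(" ", 3)
        kv = dict(pair.split("=", 1) for pair in rest.split())
        out.append({"ts": _iso(ts), "source": "firewall", "host": host, "user": None,
                    "ip": kv["src"], "detail": f"{action} -> {kv['dst']}:{kv['dport']}"})
    return out


AUTH_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: "
                     r"Accepted (\w+) for (\S+) from (\S+)")


def parse_auth(text):
    """sshd 'Accepted' syslog lines -> common schema."""
    out = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        stamp, host, method, user, ip = m.groups()
        ts = datetime.strptime(stamp, "%b %d %H:%M:%S").replace(
            year=SYSLOG_YEAR, tzinfo=timezone.utc)
        out.append({"ts": ts, "source": "auth", "host": host, "user": user,
                    "ip": ip, "detail": f"ssh login ({method})"})
    return out


def parse_edr(text):
    """EDR CSV export -> common schema (EDR rows carry a user and host but no IP)."""
    return [{"ts": _iso(r["timestamp"]), "source": "edr", "host": r["host"],
             "user": r["user"], "ip": None, "detail": r["event"]}
            for r in csv.DictReader(io.StringIO(text))]


def correlate(events, seed_ip):
    """Pivot: seed IP -> events carrying that IP -> users seen with it -> their other events."""
    direct = [e for e in events if e["ip"] == seed_ip]
    users = {e["user"] for e in direct if e["user"]}
    indirect = [e for e in events if e["ip"] != seed_ip and e["user"] in users]
    return sorted(direct + indirect, key=lambda e: e["ts"])


def timeline(seed_ip):
    """Recreate the history around one IP as an ordered list of tuples."""
    events = parse_firewall(FIREWALL_LOG) + parse_auth(AUTH_LOG) + parse_edr(EDR_CSV)
    return [(e["ts"].isoformat(), e["source"], e["host"], e["user"], e["detail"])
            for e in correlate(events, seed_ip)]


if __name__ == "__main__":
    for row in timeline("203.0.113.9"):
        print(*row)
```

The pivot is what turns separate device logs into a story: the firewall only knows an address, the VPN log ties that address to an account, and the EDR row shows what that account then did on a workstation. A real SIEM applies the same idea with a time window and many more pivot keys.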

Cyber Security Compliance

In my experience, artifact collection is driven by cybersecurity compliance. Cybersecurity compliance involves complying with various controls typically enacted by a regulatory authority, law, or industry group to protect the confidentiality, integrity, and availability of data. The number of controls that must be adhered to varies by industry, and the number of controls increases depending on the sensitivity of the data they are intended to protect.

Asset identification, and the subsequent storage of asset artifacts in the form of logs and system events, are common controls that cut across compliance standards in many industries.

These two control requirements work together: organizations identify and document all of their assets and then ensure that the artifacts from those assets are kept in a security information and event management system, SIEM for short. Yes, even that dusty old network printer that no one uses needs to send its device logs to the SIEM.

To summarize, the goal of combined controls is to encourage organizations to collect and store as many artifacts from as many devices as possible so that when an incident occurs, analysts have the best chance of identifying the breach.

Incident Response and Behavior Modeling

Incident Response (IR) is a set of information security policies and procedures for identifying, containing, and eliminating cyber attacks. A good IR plan generally includes notifying the authorities when a new incident is suspected. Organizations like the Federal Bureau of Investigation (FBI) send out forensic analysts who immediately gain access to the organization's SIEM dataset and begin identifying interesting artifacts. Interesting artifacts are buried among billions of ordinary ones and include firewall connection logs, IPs connecting to applications, Endpoint Detection and Response (EDR) events, and user account activity.

Combining the interesting artifacts from each device eventually leads analysts to Indicators of Compromise (IoC). FBI Flash CU-000163-MW, RagnarLocker Ransomware Indicators of Compromise, is a recent example of this field work by analysts.

IoCs mined in the field are shared digitally with a multinational community of cyber warriors. Sharing includes documenting novel attack behavior models in knowledge bases such as MITRE ATT&CK, then building a STIX 2.0 statement and publishing it to the community, where it can be downloaded and consumed by cyber security defense platforms.

Choosing a cyber security platform that will maximize your investment for years to come

A platform that performs best and delivers the most value for years to come acts as a virtual field analyst working at the speed of a computer on streams of device artifacts. It ingests artifacts from applications, network devices, and cloud sources at any location into its own SIEM dataset, centralizing intelligence within an open architecture. It works with existing and new security layers, not instead of them. Like an analyst, it correlates artifacts from the perimeter security infrastructure with other security telemetry. It stays on top of the most current threat intelligence by regularly retrieving STIX 2.0 statements and scanning every artifact that enters the system for a detail that matches something bad. The platform must feed its SIEM dataset through an integrated machine learning system so that the known behaviors of the technology environment can be understood. Artificial intelligence (AI), a tool that most threat actors cannot use, should be applied to identify and report suspicious or anomalous behavior. When a series of malicious actions is identified on the network, the AI must build stories that reference industry standards such as the MITRE ATT&CK framework and present them to human analysts. Improvements to the AI are simply delivered as future system updates.

The end result should be a platform that consistently identifies any creative dark exploit launched by threat actors. A creative dark exploit such as: finding the accounts of disgruntled employees logging on to the network for the first time, outside their normal business hours, from another continent, and from an IP address currently flagged by an intelligence agency.
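The two platform behaviors just described, retrieving STIX 2.0 indicators and scanning every artifact against them, and the four-part rule for the disgruntled-employee exploit, as one added Python example written for this page (not the author's or any vendor's code). It assumes a constructed STIX 2.0 bundle whose indicator patterns use only the simple `ipv4-addr:value = '...'` equality/OR subset of STIX patterning, a tiny prefix table standing in for a GeoIP lookup, a home continent of North America with UTC business hours of 08:00 to 17:59, and a baseline set of accounts that have logged in before. All addresses, users and identifiers are constructed sample values.

```python
"""Scan login artifacts against STIX 2.0 IP indicators and a behavioral rule."""
import json
import re
from datetime import datetime, timezone

# Constructed STIX 2.0 bundle (not a real feed); only the fields used here are filled in.
STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "spec_version": "2.0",
    "objects": [{
        "type": "indicator",
        "id": "indicator--00000000-0000-4000-8000-000000000002",
        "created": "2024-03-01T00:00:00.000Z",
        "modified": "2024-03-01T00:00:00.000Z",
        "labels": ["malicious-activity"],
        "valid_from": "2024-03-01T00:00:00Z",
        "pattern": "[ipv4-addr:value = '203.0.113.9' OR ipv4-addr:value = '203.0.113.10']",
    }],
})

IPV4_PATTERN = re.compile(r"ipv4-addr:value\s*=\s*'([0-9.]+)'")


def load_flagged_ips(bundle_json):
    """Collect IPv4 values from indicator patterns. Handles only the equality/OR
    subset of STIX patterning (assumption), which covers plain IP watchlists."""
    flagged = set()
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") == "indicator":
            flagged.update(IPV4_PATTERN.findall(obj["pattern"]))
    return flagged


# Constructed stand-in for a GeoIP database: address prefix -> continent code.
GEO = {"203.0.113.": "AS", "198.51.100.": "NA", "192.0.2.": "EU"}
HOME_CONTINENT = "NA"          # assumed location of the organization
BUSINESS_HOURS = range(8, 18)  # assumed 08:00-17:59, timestamps treated as UTC


def continent_of(ip):
    for prefix, continent in GEO.items():
        if ip.startswith(prefix):
            return continent
    return "unknown"


def evaluate(event, known_users, flagged_ips):
    """Return the list of signals one login artifact matches."""
    ts = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    signals = []
    if event["user"] not in known_users:
        signals.append("first_login_for_account")
    if ts.hour not in BUSINESS_HOURS:
        signals.append("outside_business_hours")
    if continent_of(event["ip"]) != HOME_CONTINENT:
        signals.append("foreign_continent")
    if event["ip"] in flagged_ips:
        signals.append("threat_intel_match")
    return signals


# The exploit from the text is the conjunction of all four signals.
REQUIRED = {"first_login_for_account", "outside_business_hours",
            "foreign_continent", "threat_intel_match"}


def scan(events, known_users, flagged_ips):
    """Build a 'story' per login: which signals matched and whether all four hold."""
    stories = []
    for ev in events:
        sig = evaluate(ev, known_users, flagged_ips)
        stories.append({"user": ev["user"], "ip": ev["ip"],
                        "signals": sig, "alert": REQUIRED.issubset(sig)})
    return stories


LOGINS = [  # constructed login artifacts
    {"ts": "2024-03-02T02:14:06Z", "user": "jdoe", "ip": "203.0.113.9"},
    {"ts": "2024-03-02T09:01:02Z", "user": "asmith", "ip": "198.51.100.4"},
    {"ts": "2024-03-02T23:30:00Z", "user": "asmith", "ip": "192.0.2.77"},
]
KNOWN_USERS = {"asmith"}  # baseline: accounts with prior successful logins


def run():
    return scan(LOGINS, KNOWN_USERS, load_flagged_ips(STIX_BUNDLE))


if __name__ == "__main__":
    for story in run():
        print(story)
```

Keeping the partial matches in each story, rather than returning only the final alert, is what lets an analyst see why a login was or was not flagged; the third login above trips two of the four signals and stays visible without paging anyone.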


The class of platform described here is generally referred to as Extended Detection and Response (xDR) and should not be confused with Endpoint Detection and Response (EDR). Confusing naming aside, once an xDR platform is identified, more diligence is needed around its log retention period. Most xDR platforms keep artifacts in their embedded SIEM datasets for a period that does not meet compliance requirements. The period is short because ML and AI run into performance problems when asked to look beyond about 3 months of data, so many platforms retain artifact data for far less than the periods regulations require. Therefore, while these xDR platforms are affordable, a traditional SIEM would also have to be implemented to meet regulatory retention periods. Fortunately, some xDR vendors can extend log retention up to 7 years and so become truly end-to-end next-generation solutions.
