For today’s remote workforce, security professionals need technical security awareness education distinct from the rest of the company’s “don’t click a phishing link” training. Security analysts know how to recognize phishing emails and set secure passwords. However, where does that leave them when it comes to security awareness? Security analysts need cybersecurity awareness training around how to optimize their log management strategies so that they can keep pace with threat actors.
Choose a Framework for Threat Hunting
Threat hunting is a key component of mitigating phishing attack risks. To stop phishing attacks from becoming successful data breaches or ransomware attacks, you need to look for indicators of compromise and be proactive about it.
Building a strong security program starts with understanding the different attack models and how to follow threat actor tactics, techniques, and procedures (TTPs) across them. Four of the most prominent frameworks are:
- Lockheed Martin Cyber Kill Chain(R)
- FireEye Attack Lifecycle
- Gartner Cyber Attack Model
- MITRE ATT&CK life cycle
Although each differs, they also share some common ground. Comparing the Lockheed Martin Cyber Kill Chain with the MITRE ATT&CK life cycle, for example, highlights two different approaches to tracking threat actors through an intrusion.
Why Choosing a Framework Matters
Comparing any two of these frameworks shows the point: they share several stages, but they also differ in how many stages they define and in how granular each one is.
Whatever framework you choose, you’ll be trying to map any proactive threat hunting queries to it. If you know what you want to look for and how you want to search for it, you can create higher fidelity alerts to improve metrics like Mean Time to Identify (MTTI) and Mean Time to Respond (MTTR).
Example
Comparing the Lockheed Martin Cyber Kill Chain and MITRE ATT&CK framework shows how the framework changes the way a security analyst approaches activities like threat hunting and detection.
| Cyber Kill Chain | MITRE ATT&CK |
| --- | --- |
| Reconnaissance: looking for information about a company, scanning networks | Reconnaissance: looking for information about a company, scanning networks |
| Weaponization: pairing an exploit with a backdoor into a deliverable payload | Resource Development: acquiring the infrastructure, accounts, and tooling that support the operation |
| Delivery: delivering the payload to the victim | Initial Access: attempting to gain unauthorized access to systems, networks, or software |
| Exploitation: using the discovered vulnerability to execute the malicious code | |
| Installation: installing malware on the target asset | Execution: running malicious code |
| | Persistence: finding a way to remain in systems and networks |
| | Privilege Escalation: attempting to gain additional levels of access and permissions within systems and networks |
| | Defense Evasion: hiding from security tools and analysts without triggering alerts |
| | Credential Access: attempting to steal usernames and passwords |
| | Discovery: learning about the environment |
| | Lateral Movement: moving to other systems in the environment |
| | Collection: gathering sensitive information ahead of exfiltration |
| Command and Control (C2): establishing a remote communication channel | Command and Control (C2): establishing a remote communication channel |
| Actions on Objectives: completing the attack, for example by deploying ransomware or exfiltrating information | Exfiltration: stealing data |
| | Impact: manipulating, interrupting, or destroying systems and data |
The Cyber Kill Chain describes the stages of a single intrusion, which makes it a natural fit for hunting malware and ransomware indicators, while the MITRE ATT&CK framework catalogs the tactics and techniques of advanced persistent threats (APTs), whose campaigns may also include malware or ransomware. In either case, phishing attacks usually start with basic reconnaissance and then use social engineering to deliver the payload (Delivery in the Kill Chain, Initial Access in ATT&CK), with the sending accounts and infrastructure set up during resource development.
Enriching Data for High Fidelity Alerts
Everyone says "get real-time alerting," but they don't always tell you how to do it. The answer usually comes down to how you aggregate and correlate your log data. Not every alert means that a threat actor is in your systems, so you need to enrich your data so that you can set triggers that fire on meaningful combinations of events rather than on single log lines.
Phishing attacks often end with cybercriminals stealing credentials. Sometimes the attackers only use them to confirm that an email address or login exists within the organization. In other cases, they use the access to deliver malware that starts communicating with their C2 infrastructure.
For higher fidelity alerting, you want to be able to group aggregated data by field, or combine several groupings into one condition, for example:
- Increased error rates tied to a new deployment
- A high rate of login failures for a single username within a short window
- Hosts that start listening on a TCP port they never used before, or that begin connecting to an unknown destination
Detecting attacks with alerts works best when your rules are complex enough to carry meaning without being so complex that they never trigger.
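As an added example (not Graylog's own code or alerting rules), the following script runs the three groupings above over a handful of constructed, pre-parsed log events and then combines them into alerts with a severity. Field names such as `user`, `host`, `dst_port`, the baseline listener set and the destination allowlist are assumptions for illustration, not a Graylog schema. The multi-layer rule in `correlate` is the kind that stays meaningful without becoming untriggerable: a host that both opens a new listener and reaches an unknown destination is escalated, while either signal alone stays low severity.

```python
"""Group aggregated log events into higher-fidelity alerts (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs); field names are assumed.
EVENTS = [
    # Five failures for one user in under a minute, then a success: credential guessing.
    {"ts": "2024-05-01T10:00:01", "type": "auth", "host": "mail01", "user": "alice", "result": "fail", "src_ip": "203.0.113.7"},
    {"ts": "2024-05-01T10:00:09", "type": "auth", "host": "mail01", "user": "alice", "result": "fail", "src_ip": "203.0.113.7"},
    {"ts": "2024-05-01T10:00:15", "type": "auth", "host": "mail01", "user": "alice", "result": "fail", "src_ip": "203.0.113.7"},
    {"ts": "2024-05-01T10:00:22", "type": "auth", "host": "mail01", "user": "alice", "result": "fail", "src_ip": "203.0.113.7"},
    {"ts": "2024-05-01T10:00:30", "type": "auth", "host": "mail01", "user": "alice", "result": "fail", "src_ip": "203.0.113.7"},
    {"ts": "2024-05-01T10:00:41", "type": "auth", "host": "mail01", "user": "alice", "result": "success", "src_ip": "203.0.113.7"},
    # One typo by bob: must not alert.
    {"ts": "2024-05-01T10:01:00", "type": "auth", "host": "mail01", "user": "bob", "result": "fail", "src_ip": "10.0.0.12"},
    {"ts": "2024-05-01T10:01:05", "type": "auth", "host": "mail01", "user": "bob", "result": "success", "src_ip": "10.0.0.12"},
    # ws42 opens a port outside its baseline, then connects to an unknown destination.
    {"ts": "2024-05-01T10:05:00", "type": "listen", "host": "ws42", "dst_port": 4444},
    {"ts": "2024-05-01T10:05:30", "type": "conn", "host": "ws42", "dst_ip": "198.51.100.23", "dst_port": 443},
    # srv01 talks to an allowlisted destination: normal.
    {"ts": "2024-05-01T10:06:00", "type": "conn", "host": "srv01", "dst_ip": "10.0.0.5", "dst_port": 5432},
]

# Assumed enrichment data: per-host listener baselines and an outbound allowlist.
BASELINE_LISTENERS = {"ws42": {135, 445, 3389}, "srv01": {22, 5432}}
KNOWN_DESTINATIONS = {"10.0.0.5", "192.0.2.10"}


def login_failures_by_user(events, window=timedelta(minutes=1), threshold=5):
    """Return {user: max_count} for users with >= threshold failures inside any sliding window."""
    failures = defaultdict(list)
    for e in events:
        if e["type"] == "auth" and e["result"] == "fail":
            failures[e["user"]].append(datetime.fromisoformat(e["ts"]))
    hits = {}
    for user, times in failures.items():
        times.sort()
        left = 0
        for right, t in enumerate(times):
            while t - times[left] > window:  # shrink the window from the left
                left += 1
            count = right - left + 1
            if count >= threshold:
                hits[user] = max(hits.get(user, 0), count)
    return hits


def new_listeners(events, baseline):
    """Hosts that opened a listening TCP port absent from their baseline: {host: {ports}}."""
    out = defaultdict(set)
    for e in events:
        if e["type"] == "listen" and e["dst_port"] not in baseline.get(e["host"], set()):
            out[e["host"]].add(e["dst_port"])
    return dict(out)


def unknown_destinations(events, known):
    """Hosts with outbound connections to destinations outside the allowlist: {host: {ips}}."""
    out = defaultdict(set)
    for e in events:
        if e["type"] == "conn" and e["dst_ip"] not in known:
            out[e["host"]].add(e["dst_ip"])
    return dict(out)


def correlate(events):
    """Combine the groupings into (severity, message) alerts; escalate when two signals meet on one host."""
    alerts = []
    for user, n in login_failures_by_user(events).items():
        alerts.append(("medium", f"{n} login failures for {user} within 1 minute"))
    listeners = new_listeners(events, BASELINE_LISTENERS)
    unknown = unknown_destinations(events, KNOWN_DESTINATIONS)
    for host in sorted(set(listeners) | set(unknown)):
        if host in listeners and host in unknown:
            alerts.append(("high", f"{host}: new listener {sorted(listeners[host])} and outbound to {sorted(unknown[host])}"))
        elif host in listeners:
            alerts.append(("low", f"{host}: new listener {sorted(listeners[host])}"))
        else:
            alerts.append(("low", f"{host}: outbound to {sorted(unknown[host])}"))
    return alerts


if __name__ == "__main__":
    for severity, message in correlate(EVENTS):
        print(severity.upper(), message)
```

In a real pipeline the baseline and allowlist would come from asset inventory or threat intelligence lookups rather than hard-coded sets; the structure of the rules stays the same.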
Making Sure the Data Works for Forensics
Security analysts are also investigators. A lot of times, forensic analysis is time-consuming because you need to go back and find historic data. You need to understand what happened before, during, and after the event. This means you need to have the data necessary in a way that makes sense.
In the aftermath of a phishing attack, you need to be able to trace the activities back to the original compromised user and device. This is where the forensic analysis capabilities can help you shut down
As part of this, you need log management practices meant for cybersecurity. Some things to consider include:
- Collecting from the appropriate devices, users, and applications
- Creating consistency across data and formats
- Normalizing timestamps across all logs, including the time zone and the format, so that events from different sources sort into one timeline
If you have the right log management practices in place, then you can use your centralized log management tool as a security analytics tool.
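The timestamp point is the one that bites most often during an investigation, so here is an added example (not Graylog's own code) that maps three constructed log lines in different formats onto one schema with an aware UTC timestamp and sorts them into a timeline. The host time-zone offsets, the assumed year for syslog lines (which carry none), and the regexes are assumptions for illustration. Passing `apply_zones=False` shows the failure mode: if you treat every wall-clock time as UTC, the web server event lands after the mail server event when it actually came first.

```python
"""Normalize mixed-format log lines into one UTC timeline (added example)."""
import re
from datetime import datetime, timezone, timedelta

# Constructed sample lines (not real logs), each tagged with the input it was collected from.
RAW_LINES = [
    ("fw01", "May  1 09:58:03 fw01 sshd[2201]: Failed password for alice from 203.0.113.7 port 51422 ssh2"),
    ("mail01", "2024-05-01T14:00:41Z mail01 auth: user=alice result=success src=203.0.113.7"),
    ("web01", '203.0.113.7 - - [01/May/2024:15:59:30 +0200] "GET /login HTTP/1.1" 200 512'),
]

# Assumed local UTC offsets for hosts whose logs carry no zone (classic syslog).
HOST_OFFSET = {"fw01": timezone(timedelta(hours=-4))}
ASSUMED_YEAR = 2024  # syslog omits the year; taken from the collection date

SYSLOG = re.compile(r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
ISO8601 = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (?P<host>\S+) (?P<msg>.*)$")
APACHE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \d+$')


def normalize(host, line, apply_zones=True):
    """Map one raw line onto {ts (aware UTC), host, source, message}; None if unrecognized.

    With apply_zones=False every wall-clock time is taken as UTC unchanged, which is the
    mistake that scrambles forensic timelines."""
    m = SYSLOG.match(line)
    if m:
        naive = datetime.strptime(f"{ASSUMED_YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        zone = HOST_OFFSET.get(m["host"], timezone.utc) if apply_zones else timezone.utc
        ts = naive.replace(tzinfo=zone).astimezone(timezone.utc)
        return {"ts": ts, "host": m["host"], "source": "syslog", "message": m["msg"]}
    m = ISO8601.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        return {"ts": ts, "host": m["host"], "source": "app", "message": m["msg"]}
    m = APACHE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")  # offset is in the line itself
        if not apply_zones:
            ts = ts.replace(tzinfo=timezone.utc)
        return {"ts": ts.astimezone(timezone.utc), "host": host, "source": "apache",
                "src_ip": m["src"], "message": f"{m['req']} -> {m['status']}"}
    return None


def timeline(raw, apply_zones=True):
    """Return (utc_iso, host, message) tuples in chronological order."""
    events = []
    for host, line in raw:
        event = normalize(host, line, apply_zones)
        if event is not None:
            events.append(event)
    events.sort(key=lambda e: e["ts"])
    return [(e["ts"].strftime("%Y-%m-%dT%H:%M:%SZ"), e["host"], e["message"]) for e in events]


if __name__ == "__main__":
    for row in timeline(RAW_LINES):
        print(*row)
```

With zones applied the order is fw01 (13:58:03Z), web01 (13:59:30Z), mail01 (14:00:41Z); without them web01 appears last, and an analyst would reconstruct the wrong sequence of events.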
Automating Manual Processes
Automation is a way to bring down key security metrics like MTTI and MTTR. Trying to manage everything by hand can feel overwhelming, especially with a small team. While "leveraging automation" might sound like a worn-out marketing term, there are several things that are low-effort but high-value.
Whether for compliance purposes or to mitigate phishing risks, automation can save time and prove that you’re proactively looking to stop cybercriminals.
Some automations that can easily make your life better include:
- Scheduling reports
- Setting multilayer rules for automated blocking
- Running predefined threat hunting queries regularly
Graylog: Centralized Log Management for Situational Awareness
For security analysts, security awareness is really situational awareness. You need to understand the specific risks that can impact your organization. A lot of times, this means bringing together a lot of divergent data so that you can gain visibility.
Graylog’s centralized log management solution allows you to collect, aggregate, and correlate log data from across your complex environment. Our easy-to-use interface empowers people of all skill and experience levels to actively work to protect an organization’s sensitive data. Our security analytics give you the situational awareness you need and our dashboards give you the at-a-glance insights necessary to monitor and mitigate risks proactively.