During the last weeks we have been very busy reshaping our Security Operations Center (SOC) to be part of a modern cyber defense center – Nixu Cyber Defense Center (CDC) service – asking ourselves what it takes to detect and contain the modern cyber threats. Traditionally the cyber defense has been largely built on signature-based detection. Once an attack (whether originating from malware code or from human operator) becomes known, a variety of tools and blacklists get updated and the likelihood of catching a similar attack in the future rises considerably.
A modern SOC, however, has to prepare for attackers that avoid using any known methods in their intrusion attempts. There are various ways to obfuscate malware code to bypass the anti-virus checks and successfully install on the target system. The initial intrusion often happens in the midst of common Internet traffic utilizing ports that are seldom blocked on any corporate intranet. After compromising one workstation in the network the attackers move further in the environment utilizing passwords and keys extracted from the compromised workstation. These can be pick often directly from the network traffic also. Majority of the actions performed by an attacker after the initial compromise may actually look like normal domain traffic consisting of log-in events and accessing file shares.
So how do you detect that type of advanced threats then?
What ties all the technologies and numerous acronyms together however is a capable intrusion analyst. A human factor that adds intelligence and advanced logic to the equation:
- An operator who understands what to look for and has the abilities to configure and tune the tools to provide him with the desired data.
- An expert who understands the threats and has the ability to communicate his observations to the customers.
- A responder who can lead the incident response activities once an attack has been detected and drive the counter activities to return the systems and the environment to the safe state.
We are very grateful to have these types of individuals here in Nixu.
From the technology and acronomy point of view
The signature-based tools do also help here. The modern IDS/IPS tools can be tuned to alert on practically any events happening in the network. They can be used to store and inspect all the binary content travelling in the network cables. They can be set to examine all the digital certificates exchanged between the systems in the environment and alert on any odd/incomplete/malformed certificates seen. Some singular protocol fields (such as HTTP User Agent field) can be actively monitored and examined for any oddities.
Anomaly detection also has its important role. Even without a measured and fully understood traffic baseline there are anomalies to note. Workstations rarely talk to each other excluding an occasional file download from a shared folder. HTTP traffic flowing to non-HTTP ports is definitely suspicious. Repeated network connections in set time intervals to an external destination are an anomaly as well.
Advanced Threat Defense (ATD) techniques also include extensive threat intelligence and understanding of the current attacks, sandboxes or emulation engines designed for executing the detected binaries safely and monitoring their behaviour and even abilities to effectively reverse engineer any suspicious binary content in order to determine whether it can be considered harmless.
We can collectively provide a complete premium SOC service that even includes forensics capabilities in case needed. We are building a team that is hungry to hunt the attackers down in your network and ensure the safety of your information technology. You can contact us by asking for more information with this form, we take care of the rest.