Frameworks, tools, and resources I find useful as a Threat Detection / Incident Response professional. Feel free to contribute.
- Frameworks
- Incident Response Lifecycle
- Cyber Kill Chain
- Pyramid of Pain
- 1-10-60 Rule
- Cybersecurity Defense Maturity Scorecard
- Detection Engineering Maturity Matrix
- ATT&CK
- DeTT&CT
- Detections-as-Code (DaC)
- Distributed Alerting (DA)
- Risk-Based Alerting (RBA)
- Purple Teaming
- Data Science
- Threat Modeling
- Threat Intelligence
- Detection Rules / Signatures
- Notes
SANS outlines the 6 incident phases.
NIST outlines 4 phases.
Lockheed Martin breaks down an intrusion into 7 well-defined phases, and can help identify patterns that link individual intrusions into broader campaigns. The 7 phases cover all of the stages of a single intrusion that — when completed successfully — leads to a compromise.
- Clearly defined linear sequence of phases (as opposed to ATT&CK).
- Reconnaissance and Weaponization are often ignored but can be valuable.
Part of the Cyber Kill Chain. Defenders can measure the performance as well as the effectiveness of these actions, and plan investment roadmaps to rectify any capability gaps.
- Valuable tool in evaluating capabilities and gaps.
David J Bianco shows the relationship between the types of indicators you might use to detect an adversary's activities and how much pain it will cause them when you are able to deny those indicators to them.
- Pain is a two-way street for both the adversary and analyst. For the analyst, hash detections (atomic) are trivial to write, and TTP detections (behavioral) are tough to write.
- Atomic may offer higher confidence than behavioral detections, but behavioral detections offer more longevity.
- Useful to keep in mind when prioritizing detection rules.
According to CrowdStrike's investigations, the average “breakout time” in 2017 was one hour and 58 minutes. Breakout time is how long it takes an intruder to jump off the initial system they have compromised (the “beachhead”) and move laterally to other machines within the network.
- 1 minute to detect, 10 minutes to investigate and 60 minutes to remediate.
- Useful to keep in mind when discussing ingest lag, working hours, and on-call.
Not-Sure-Who-Invented-This defines cybersecurity maturity across key domains.
- Decent tool for board maturity assessment.
- Github & detectionengineering.io
- Article and SANS Blue Team Summit Talk
- Converted to Google Sheets
MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. Enough has been written on this.
Rabobank CDC DeTT&CT aims to assist blue teams in using ATT&CK to score and compare data log source quality, visibility coverage, detection coverage, and threat actor behaviors.
The principle of infrastructure-as-code but for detections. This allows you to version control detections and apply the same CI/CD principles to your detections as you do to your infrastructure.
- Splunk has an open-source project called Splunk Security Content
- Elastic has this open-source project called Detection Rules for Elastic Security
- Carta released their own tool called Krang
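As an added illustration of the idea (not code from Splunk, Elastic or Carta), this is the shape of a detections-as-code unit test: the rule lives as data under version control and a CI job replays constructed sample events through it, asserting that it fires on the true positive and stays quiet on benign activity. The rule format, field names and events are hypothetical.

```python
"""Detections-as-code: a rule stored as data plus a replayable test fixture.

In a real repository the rule would be a YAML/JSON file and CI would run this
check on every pull request, so a regression in the rule fails the build.
Rule format and field names are hypothetical; events are constructed.
"""
import re

# Hypothetical rule, loosely modelled on a Sigma-style "selection" block.
RULE = {
    "id": "proc-creation-encoded-powershell",  # constructed identifier
    "title": "PowerShell launched with an encoded command",
    "logsource": "process_creation",
    "selection": {
        "Image": r"(?i)\\powershell\.exe$",
        "CommandLine": r"(?i)\s-(e|enc|encodedcommand)\s",
    },
    "level": "medium",
}

# Constructed sample events standing in for records pulled from an EDR/SIEM.
SAMPLE_EVENTS = [
    {"logsource": "process_creation",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc QUFBQQ=="},  # true positive
    {"logsource": "process_creation",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -File C:\\scripts\\backup.ps1"},  # benign
    {"logsource": "process_creation",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},  # wrong image, must not fire
]


def matches(rule, event):
    """True when the log source matches and every selection regex hits."""
    if event.get("logsource") != rule["logsource"]:
        return False
    return all(re.search(pattern, str(event.get(field, "")))
               for field, pattern in rule["selection"].items())


def run_rule(rule, events):
    """Return the indices of the events the rule fires on; CI asserts on this."""
    return [i for i, ev in enumerate(events) if matches(rule, ev)]
```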
Popularized by Slack in this blog post. The concept is to shift the burden of alert triage from the analyst to the relevant teams. Additional verification can be accomplished with 2FA.
- Great for misconfiguration-type alerts e.g. internet exposed server, compliance requirements, RBAC.
Risk-based alerting (RBA) provides teams with a unique opportunity to pivot resources from traditionally reactive functions to proactive functions in the SOC. Detections are tagged with observations and metadata to produce a score. Observations are then correlated by some grouping, e.g. user, IP, or source, and an alert is raised only when the correlated score exceeds a certain threshold.
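An added worked example of that scoring loop (not from any particular SIEM): low-fidelity detections each contribute a score and ATT&CK tags, scores are summed per entity, and an alert is produced only above a threshold and only when more than one distinct rule contributed, so a single noisy rule cannot page on its own. Scores, threshold and observations are constructed.

```python
"""Risk-based alerting: accumulate per-entity risk, alert above a threshold.

Observations are constructed; scores and the threshold are illustrative and
would be tuned per environment.
"""
from collections import defaultdict

THRESHOLD = 100          # constructed
MIN_DISTINCT_RULES = 2   # constructed: require corroboration from >1 rule

# Constructed observations, as a SIEM risk index might hold them.
OBSERVATIONS = [
    {"user": "alice", "rule": "rare_process_parent",    "score": 20, "tags": ["T1059"]},
    {"user": "alice", "rule": "new_admin_group_member", "score": 50, "tags": ["T1098"]},
    {"user": "alice", "rule": "outbound_to_new_asn",    "score": 40, "tags": ["T1071"]},
    {"user": "bob",   "rule": "rare_process_parent",    "score": 20, "tags": ["T1059"]},
    {"user": "bob",   "rule": "rare_process_parent",    "score": 20, "tags": ["T1059"]},
]


def score_entities(observations, key="user"):
    """Sum risk per entity, keeping the distinct rules and tags that contributed."""
    totals = defaultdict(lambda: {"score": 0, "rules": set(), "tags": set()})
    for obs in observations:
        entry = totals[obs[key]]
        entry["score"] += obs["score"]
        entry["rules"].add(obs["rule"])
        entry["tags"].update(obs["tags"])
    return dict(totals)


def risk_alerts(observations, threshold=THRESHOLD,
                min_distinct_rules=MIN_DISTINCT_RULES, key="user"):
    """Entities whose score meets the threshold with enough distinct rules.

    The returned context (rules, tags) is what the analyst sees instead of
    a pile of individual low-fidelity alerts.
    """
    return {
        entity: {"score": v["score"],
                 "rules": sorted(v["rules"]),
                 "tags": sorted(v["tags"])}
        for entity, v in score_entities(observations, key).items()
        if v["score"] >= threshold and len(v["rules"]) >= min_distinct_rules
    }
```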
Purple teaming to create/inspire detections.
- Tool atomic-red-team
- Tool stratus-red-team
- Conference talk by Strip
Threat modeling works to identify, communicate, and understand threats and mitigations within the context of protecting something of value.
- Article owasp
- Article by infosecinstitute
Threat intelligence is data that is collected, processed, and analyzed to understand a threat actor’s motives, targets, and attack behaviors. Threat intelligence enables teams to make faster, more informed, data-backed security decisions and to shift their behavior from reactive to proactive in the fight against threat actors.
- Article by crowdstrike
- Detection Engineering
- IP/URL
- Browser Extension
- Indicator types
- Atomic - Atomic indicators are those which cannot be broken down into smaller parts and retain their meaning in the context of an intrusion. Typical examples here are IP addresses, email addresses, and vulnerability identifiers.
- Computed - Computed indicators are those which are derived from data involved in an incident. Common computed indicators include hash values and regular expressions.
- Behavioral - Behavioral indicators are collections of computed and atomic indicators, often subject to qualification by quantity and possibly combinatorial logic. An example would be a statement such as “the intruder would initially use a backdoor which generated network traffic matching [regular expression] at the rate of [some frequency] to [some IP address], and then replace it with one matching the MD5 hash [value] once access was established.”