SOC, Amore Mio! Following .italo's Tracks to a More Mature SOC

There were several key questions asked in the webinar that I wanted to address, as I have heard them multiple times in the last few weeks from different security professionals. 

Q: What is used to identify the threat actors that apply to YOUR industry? Is there any template/formula you use to identify them?

A: In the MITRE ATT&CK Frameworks threat actors are described as well as (when available) which industry they are going after. With the recent MITRE ATT&CK v12 release they even added another dimension with campaigns. As discussed in the webinar, threat actors nowadays specialise by vertical. This allows them to target common industry used applications and be better at triple extortion ransomware. This means adding to system encryption/downtime & exfiltrating data - understanding the data / data mining and utilising those to further ransom of the vicitim their clients or suppliers to maximise success. In the Webinar. “MITRE ATT&CK Framework: Seeing Through The Eyes of Your Attacker” we showcase how to select and build a customised ATT&CK Map step-by-step. 

Q: Where can I find technical and organisational requirements for operators of essential services?   

A: The European Commission has set out a directive with NIS-D (like the GDPR). This means that every member country has to adopt the NIS-D and transfer it into their national legislation. You can find the “State-of-play of the transposition of the NIS Directive'' for each member country on the European Commission website. There you can find the National Cyber Security Policy and its assigned national government agency. Each has issued papers - either with minimum standards embedded into local laws or a specification of requirements of laws (like in Germany from the BSI specifying requirements for the safeguards to be implemented §8a BSI Act). At the moment there is a revision of the “Network and Information Security Directive'' in progress. Its aim is to further address the security of supply chains and supplier relationships as well as specifying a list of minimum basic security elements at EU level. 

Q: How many detections does the Splunk security essentials app provide? 

A: Currently the library says over 1,000 which includes detections, the content from Splunk’s Research Team (ESCU) and automation playbooks. However those should be used as a library for inspiration, adoption and prioritisation to get newly formed SOC Teams started. SOC Teams who are further on in their journey have established a profession called Detection Engineering. This is where organisations start to establish their own capabilities for detecting cyber attacks rather than relying 100% on external security vendors. This is achieved by applying attack vectors and tactics to their own environment and implementing appropriate strategies - either in the form of simple rules, more advanced statistics or sophisticated machine learning techniques based on know-how and effectiveness.

Q: Are there any further examples how to utilise those risk scores in Splunk? 

A: There are detailed technical descriptions available in splunk docs. I particularly like the risk factor editor to add organisational context. Developers or those who want to know how it works under the hood can access our developer documentation for the risk analysis framework. If you’re more interested in concepts or how to use it - there are many .conf sessions with in-depth examples of how it was implemented and designed. I like the Charles Schwab and Chevron .conf sessions. If you speak German, you might also like the Fresenius Healthcare session in which they built a ETF/Stock Market/DAX like Index for Cyber Security based on the risk analysis framework which includes some awesome dashboards including a “risk pulse”.

Happy Splunking,

Matthias