SOC assessments:
Set a reference for SOC capabilities.
Identify detection engineering data-source gaps
Identify detection engineering use case alerting gaps
Identify SOC workflow chokepoints
Identify SOC communications issues
Inform where the biggest ROI on cyber tools and processes lies
Hands-on Assessment - actual test against the SOC
More precise, so limited scope
More invasive
Hands-off Assessment - test SOC capabilities against a framework
Reasons not to do an assessment:
No SOC staffing
No visibility into key data sources
Interested in committing to improvement
Assessments/Audits are always antagonistic
MITRE ATT&CK Catalogue
What are you supposed to have coverage against?
Can you detect it? yes or no
can it also be mitigated? yes or no
data sources
MITRE Engenuity can then map detections and mitigations in layers by security tool. This creates a type of solutions heat map
Collecting from a data source versus using that data source
Analytics are broader. Fidelity of an analytic can be: basic; useful but simple; more advanced
ATT&CK mapping detection projects:
https://github.com/olafhartong/ATTACKdatamap
https://www.mbsecure.nl/blog/2019/5/dettact-mapping-your-blue-team-to-mitre-attack
https://github.com/MalwareArchaeology/ATTACK
Tool Coverage
Detection tool questions:
Where does the tool run?
How does the tool detect things (static, dynamic)?
What data source is the tool monitoring?
Ask the SOC how they use the tool
SOC Interviews
Example questions:
Describe a recent event.
How was it handled end-to-end?
What was the SOC's role?
What first triggered the response?
What were the follow-on activities?
Describe how new analytics are rolled out.
What would you like to see automated?
Ask about detections for ATT&CK techniques
Heat Maps
3 key ingredients:
Scope
Measurement abstraction
Color scheme
Watch out for complexity and too many colors (red is not the best color)
Management wants high level, tech staff want details
Coverage Charts
Tool coverage + analytic coverage + interview - interview = Final results
Technique Prioritization
Focus on techniques that are:
Relevant
Defensible
Gaps based on assessment
Overlay threat actor techniques against detectable techniques
Select the techniques with low confidence of detection as the priority
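The prioritization step above (overlay threat actor techniques on detectable techniques, pick the low-confidence ones first) and the earlier heat map notes, worked as an added example that is not from the original notes. The coverage table, actor technique list and analytic names are constructed sample data; the technique IDs are real ATT&CK IDs used only as keys, and the layer dictionary follows the public ATT&CK Navigator layer field names (assumed, with placeholder version values).

```python
"""Technique prioritization over ATT&CK coverage (added example)."""

# Analytic fidelity tiers, following the notes: basic / useful / advanced.
FIDELITY = {"none": 0, "basic": 1, "useful": 2, "advanced": 3}

# Constructed sample coverage: technique ID -> analytics covering it.
COVERAGE = {
    "T1059": [("EDR script logging", "advanced")],
    "T1078": [("SIEM logon anomaly rule", "basic")],
    "T1021": [("Lateral movement rule", "useful")],
    "T1566": [],  # data source is collected but no analytic uses it
}

# Constructed threat actor overlay (the techniques a relevant actor uses).
ACTOR_TECHNIQUES = ["T1566", "T1059", "T1078", "T1021", "T1003"]


def detection_confidence(technique, coverage):
    """Best fidelity among analytics covering a technique; 0 = no detection."""
    analytics = coverage.get(technique, [])
    return max((FIDELITY[level] for _, level in analytics), default=0)


def prioritize(actor_techniques, coverage, threshold=1):
    """Actor techniques at or below the confidence threshold, weakest first.

    Uncovered techniques (confidence 0) come first, then basic-only ones,
    so the returned list is the detection engineering backlog.
    """
    scored = [(t, detection_confidence(t, coverage)) for t in actor_techniques]
    gaps = [(t, c) for t, c in scored if c <= threshold]
    return sorted(gaps, key=lambda tc: (tc[1], tc[0]))


def navigator_layer(actor_techniques, coverage, name="SOC detection coverage"):
    """Heat map input: a Navigator-style layer where score = confidence.

    Assumption: field names follow the public Navigator layer format;
    the layer version is a placeholder, not a value from the notes.
    """
    techniques = []
    for t in actor_techniques:
        names = ", ".join(a for a, _ in coverage.get(t, [])) or "no analytic"
        techniques.append({"techniqueID": t, "comment": names,
                           "score": detection_confidence(t, coverage)})
    return {"name": name, "domain": "enterprise-attack",
            "versions": {"layer": "4.5"}, "techniques": techniques}


if __name__ == "__main__":
    for tech, conf in prioritize(ACTOR_TECHNIQUES, COVERAGE):
        print(f"{tech}: detection confidence {conf}")
```

Feeding the layer dictionary through json.dump gives a file that heat map tooling such as the projects linked above can render; the confidence score drives the colour scale, keeping the scheme to a few levels as the notes recommend.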
Ways to improve coverage:
Add analytics
Add new tools
Ingest more data sources
Implement mitigations
Other process improvements:
Communication?
Onboarding analytics?
Documentation?
Onboarding new staff?
Leadership support?
Acquiring tools?
Tracking threats?
Tracking assets?
Deployment consistency?
Cyber hygiene?