Improve your detections with the ATT&CK Framework: Ransomware Edition

Read the first part of my ATT&CK series
Read the second part of my ATT&CK series
Read the third part of my ATT&CK series
Ransomware
Today, instead of working from a supposed activity sector of my company, as I did in my last entry, I’m going to work on the most famous and common threat. Ransomware continues to be the main threat for most companies of all sizes and across all sectors, as multiple reports from CTI companies have demonstrated over the last few years. [Read More]
ATT&CK  CTID  soc 

Improve your detections with the ATT&CK Framework Part 3

See part 1 of this series here
See part 2 of this series here
Prioritizing new detections
Today we continue our journey to improve our network detections. The next step is incorporating real-world threat data. Last time, we got an ATT&CK Navigator layer where we identified the TTPs for which we have visibility but no detections. You can see the results with this JSON layer. This is just an example, not based in reality, although I’ve seen similar scenarios in real life :). [Read More]
ATT&CK  CTID  soc 

Improve your detections with the ATT&CK Framework Part 2

See part 1 of this series here
Visibility
Last time we left off with our data sources mapped to the ATT&CK framework, and we can already see where we might be missing attacks on our network. Now let’s go a step further and get visibility scored based on our data sources plus our knowledge of the network. For that, we start the docker container for DeTTECT:
docker start -i dettect
Then we use the data sources file we generated in the first part - you can use my example file from here - to generate the techniques administration file with this command: [Read More]
att&ck  soc 

Improve your detections with the ATT&CK framework

I also want to use the ATT&CK Framework
If you want to improve the detections and the effectiveness of your SOC against attacks targeting your organization, the hottest thing right now is the ATT&CK framework and threat-informed defense. However, if you don’t have the resources to hire external consultants to set this up for you, it can be overwhelming for small organizations to get on board the ATT&CK ship. I’m going to try to ease the process for you; the only prerequisite is that you know your organization, your own network and what you are logging right now. [Read More]
att&ck  soc