Cyber Kill Chain use areas

How Cyber Kill Chain Can Be Useful for a SOC Team? (Part 2)

Installation: At this stage, SOC analysts are advised to deploy a Security Information and Event Management (SIEM) and Host-Based Intrusion Detection System (HIDS) to detect attacks. To deny an attack, Cyber Kill Chain recommends using Two-Factor authentication, strong password, and privilege separation as well as disrupting attack using data execution prevention. If the attackers successfully penetrate corporate critical IT infrastructure, SOC teams must contain them in a timely fashion to mitigate damages. To this end, Cyber Kill Chain recommends employing Inter-Zone Network Intrusion Detection System, App-aware firewall, and trust zones.

Command & Control: The Command & Control (C2) is a server that is controlled by hackers to send commands to systems exploited by malware and receive stolen data from a targeted system (s). C2 servers often blend in with normal traffic and avoid detection. Many of their activities have been detected in cloud-based services, such as file-sharing services, and webmail.

At this stage, these attacks can be detected using the Host-based Intrusion Detection System (HIDS) and Network Intrusion Detection System (NIDS). The HIDS also assists in disrupting the attack. Cyber Kill Chain also helps the SOC team to deny C2 server attacks using network segmentation, firewall, and Access control Lists (ACLs). Besides, these attacks can be degraded using the Tarpit scheme, which is used on systems to purposely delay incoming connections. This security control is effective against computer worms. To deceive the hackers, always use domain name system redirect. Finally, SOC teams should contain C2 server attacks using trust zones and domain name system sinkholes.

Actions on Objectives: To detect and disrupt an attack, Cyber Kill Chain recommends utilizing endpoint malware protection as well as using data-at-rest encryption to deny an attack. Other security controls include using “quality of service” to degrade attacks, employing Honeypots to deceive attackers, and conducting incident response to contain attacks.

Exfiltration: Exfiltration or Data Exfiltration is also a malicious attempt to steal data and information. SOC team can use the SIEM system and DLP techniques to detect data exfiltration. DLP also helps in disrupting the attack. They can use Egress Filtering to deny an attack. Lastly, exfiltration can be prevented using firewalls and ACLs.

You can also perform malware and malicious traffic investigation with the Security Orchestration, Automation, and Response (SOAR) system.

Conclusion

After taking a deep dive into this article, it has been realized that all stages of Cyber Kill Chain are very useful for a SOC team. Cyber Kill Chain involves all stages of a potential attack and recommends various security solutions to detect, deny, disrupt, degrade, deceive, and contain attack at each of the stages. Among them, SIEM is very valuable.

Selecting an effective SIEM tool is not an easy decision for enterprises as there are a lot of similar products in today’s IT market.  A wise approach is required to select your product. Logsign SIEM is a next-gen Security Information and Event Management solution that focused on combining Security Intelligence, Log Management, and Compliance.

In the last section: Exfiltration, we discover that how Logsign SOAR helps in performing malware and malicious traffic investigation. In addition to this, you can also carry out Email Phishing Investigations, Vulnerability Management, Case Management, Compromised Credentials, and more importantly, the automated Threat Hunting.

References

https://www.varonis.com/blog/cyber-kill-chain/

https://www.sans.org/security-awareness-training/blog/applying-security-awareness-cyber-kill-chain

https://www.peerlyst.com/posts/cyber-kill-chain-for-soc-prasanna-b-mundas

https://www.trendmicro.com/vinfo/us/security/definition/command-and-control-server#:~:text=A%20command%2Dand%2Dcontrol%20%5B,data%20from%20a%20target%20network.&text=It%20can%20be%20used%20to,disrupt%20web%20services%2C%20and%20more.

Leave a Reply

Your email address will not be published. Required fields are marked *