In the very first stage of architecturing the SOC, we have seen the basic level understanding of the attacks and needed steps to breaking the Attack Chain. Lets proceed to the stages of SOC and advanced level of securing the company from various Hazard Profiles.
Hazard Profiles But, nowadays the Threat Profiles & & contemporary malware landscape is big and wider with special ways of codings, this malware having in-built capabilities of downloading a more piece of harmful codes, exfiltrate data, interact outside servers, information remove, encrypt the files and much more.
Early years, when we state the virus, its just an exe file with some pop-ups. The majority of the infections produced by script kids and they do not cause any damages to any PCs.
Malware families were grouped into infection/ worm/ PUP/ Spyware/ Adware/ Polymorphic Virus/ FakeAV/ Screensaver Virus. These wont produce much impact or there will be no company motive behind these.
The modern-day malware is not developed by script kiddies, however they are developed by companies for earnings and there are motives and program behind every malware created.
This modern-day malware is developed with program, method, money-minded, etc
These will not create much impact or there will be no organization intention behind these.
Nowadays the contemporary malware landscape is substantial and broader with unique methods of codings, this malware having built-in abilities of downloading a more piece of malicious codes, exfiltrate data, communicate outside servers, data erase, encrypt the files and much more.
. Malware households were grouped into virus/ worm/ PUP/ Spyware/ Adware/ Polymorphic Virus/ FakeAV/ Screensaver Virus.
This modern-day malware is produced with agenda, modus, money-minded, and so on
. The contemporary day malware families will be, Trojans/ Rootkit/ Bot/ Botnet/ POS Malware/ ATM Malware/ Ransomware/ Cryptomining Malware/ Spybot/ Wiper/ CnC Trojan/ Exploit Kit/ Browser Hijacker/ Credential Stealer/ RAT/ WMI Backdoors/ Skeleton Key/ Keylogger etc.
Likewise you can learn SOC Analyst– Cyber Attack Intrusion Training From Scratch
So, the fundamental understanding of modern risks ends up being necessary for every single SOC group. Understanding the risk profiles is a lot more essential in SOC tracking.
SOC should understand what they are handling, they ought to understand the habits, they must separate the pattern, they need to know the versions released by hackers community and likewise SOC group need to understand the ways to manage it without any interfere with.
Threat Profiles are the types of the malware/scripts/vulnerable mistreated applications/ Network & & windows Artifacts utilized by the cybercriminal (Threat Actor) to achieve their cyber attack on your company. These abilities can be classified as:
1.) Preliminary Access– Attackers use to acquire an initial grip within a network.
2.) Execution– Execution of adversary/attacker-controlled code on a local or remote system. This method is typically used in conjunction with initial access as the ways of carrying out code when gain access to is gotten, and lateral motion to broaden access to remote systems on a network.
3.) Perseverance– Persistence is any configuration, action, or access modification to a system that offers a foe a relentless existence on that system.
Enemies will frequently require to maintain access to systems through disturbances such as system restarts, loss of credentials, or other failures that would need a remote gain access to tool to reboot or alternate backdoor for them to restore gain access to.
4.) Privilege Escalation– Privilege escalation is the result of actions that allows an adversary to acquire a greater level of authorizations on a system or network. Specific tools or actions require a higher level of opportunity to work and are likely essential at numerous points throughout an operation.
Foes can get in a system with unprivileged access and need to make the most of system weak point to acquire local administrator or SYSTEM/root-level opportunities.
5.) Defense Evasion– Defense evasion includes techniques an adversary may utilize to evade detection or avoid other defenses. Sometimes these actions are the same as or variations of techniques in other categories that have the added benefit of overturning a specific defense or mitigation.
6.) Credential Access– Credential gain access to represents methods leading to access to or control over service, system, or domain qualifications that are used within an enterprise environment.
Foes will likely try to get legitimate qualifications from users or administrator accounts (regional system administrator or domain users with administrator access) to use within the network.
7.) Discovery– Discovery consists of techniques that enable the adversary to get knowledge about the system and internal network.
When adversaries get access to a brand-new system, they must orient themselves to what they now have control of and what advantages running from that system provide to their current objective or total goals during the invasion.
8.) Lateral Movement– Lateral movement includes methods that make it possible for an adversary to access and control remote systems on a network and could, but does not necessarily, include execution of tools on remote systems.
The lateral motion techniques could enable a foe to gather information from a system without requiring extra tools, such as a remote access tool.
9.) Collection– Collection includes strategies used to determine and gather information, such as delicate files, from a target network prior to exfiltration. This category likewise covers locations on a system or network where the foe may search for details to exfiltrate.
10.) Exfiltration– Exfiltration describes strategies and associates that outcome or help in the adversary removing files and details from a target network.
This category also covers places on a system or network where the foe may try to find details to exfiltrate.
11.) Command and Control– The command and control strategy represents how foes communicate with systems under their control within a target network.
Lets see the variations of malware households which trigger more sound as attack vectors in Threat Profiles This list is not total, just a sample of variants released.
There are many ways a foe can establish command and control with various levels of covertness, depending upon system configuration and network geography.
Due to the wide degree of variation offered to the adversary at the network level, only the most common factors were utilized to describe the distinctions in command and control.
Conclusion– Threat Profiles.
Why should I fret about malware and their behaviors?
We should stress! Due to the fact that contemporary malware have some particular ways to propagate with a more complex structure of commands to achieve for further asylum.
Opportunity Escalation– Privilege escalation is the result of actions that allows an adversary to obtain a greater level of consents on a system or network. Defense Evasion– Defense evasion consists of techniques a foe might utilize to avert detection or avoid other defenses. This classification also covers areas on a system or network where the foe might look for info to exfiltrate.
They will not alone, in a lot of instances they work integrate to get their work done.
Every malware you deal with, its not the responsibility of your company AV team, its the core responsibility of the SOC to understand its habits and the abilities they have to intrude in your network.
Execution– Execution of adversary/attacker-controlled code on a local or remote system. This technique is typically used in combination with initial gain access to as the ways of executing code when gain access to is obtained, and lateral motion to broaden access to remote systems on a network.