High-profile breaches across different sectors in the last few years have proven the need for a better incident response (IR) capability to detect, contain, and remediate threats. These breaches are evidence that prevention alone is no longer a sufficient approach. However, many organizations lack a mature IR capability, and once an incident is remediated they are still left wondering how to effectively secure themselves.
Prevention remains a critical component of an effective security program, and organizations are increasingly investing in native detection and response capabilities, trying to build Security Operations Centers (SOCs).
A newer approach holds that the people, processes, and technologies that form the backbone of the SOC should be integrated into a single Cyber Multilayered Center (CMC) that combines the following functions:
- Security Operations Center (SOC),
- Cyber Threat Intelligence (CTI),
- Red Teaming,
- Attack Surface Reduction (ASR).
The Cyber Multilayered Center:
- is a comprehensive, integrated approach to security;
- has the mission of protecting the business: its assets, people, clients, and reputation;
- ensures that all security efforts are coordinated efficiently by leveraging the benefits of proximity (physical or logical) and easy communication between security teams;
- is designed to integrate key security functions into a single unit.
Its components are:
1. Security Operations Center (SOC): the heart of the CMC and the first line of an organization’s defense responsible for detecting, responding to, containing, and remediating threats, as well as proactively identifying malicious activity. The SOC is also home to Threat Defense Operations (TDO), the dedicated “hunting” arm of security and intelligence operations responsible for intelligence actions, conducting in-depth malware analysis, and continually building and improving prevention and detection methods.
2. Cyber Threat Intelligence (CTI): the “forward observers” responsible for identifying threats to the organization and disseminating timely, relevant, and actionable reporting to the SOC, CxO, and other stakeholders.
3. Red Team: the “attackers” who simulate the tactics, techniques, and procedures (TTP) of threats relevant to your organization. The Red Team will continually “stress test” your SOC, driving improvements in detection, response, and SOC analyst threat understanding.
4. Attack Surface Reduction (ASR): the proactive defense group responsible for identifying and mitigating vulnerabilities, unnecessary assets, and nonessential services. More than just patch management, optimized ASR teams focus on continually improving an organization’s hardening and deployment procedures to eliminate vulnerabilities before systems go live.
By integrating these functions, the CMC aims to:
- break down communication barriers,
- centralize threat knowledge and analysis,
- unify the organization’s security strategy,
- maximize the value of investments in cybersecurity.
Although the security functions that make up the CMC are not new, the CMC approach represents a complex interaction between the security teams, with multiple “touch points,” parallel workflows, and constant feedback mechanisms. With the right design and implementation considerations, organizations can:
- increase operational effectiveness by orchestrating the security functions and information flow from threat intelligence, through security and IT operations
- improve security readiness by enabling stronger detection mechanisms and awareness of threats
- accelerate security maturation by reducing the costs associated with coordinating complex security functions across multiple teams.
The CMC is not distinguished by its individual parts but by the integration and interdependencies across its functions. It is more than just a security approach: it is a security mind-set that organizations can adopt to better secure themselves, protect their customers, and reduce costly business disruptions.
The components and their functions, one by one:
1 A robust SOC will detect and respond to threats.
Organizations are quickly recognizing the need to detect and respond to a variety of threats; simply blocking threats isn’t enough. The Security Operations Center (SOC) is the organization’s first line of defense against all forms of threats and is the heart of the CMC. The SOC will handle any suspected malicious activity and work closely with the other teams in the CMC. A well-designed and maintained SOC will focus on gaining efficiencies through continuous analyst training and mentoring, and constant evaluation of the organization’s security technologies.
1.1. A tiered SOC structure.
The SOC can be designed around a simple detect, identify, and mitigate model.
- Tier 1 analysts are charged with classifying the severity of the event and correlating the event with any historical activity.
- If necessary, Tier 1 analysts will escalate incidents to Tier 2 and 3 analysts, who will conduct in-depth investigations and perform root cause analysis to determine what happened.
1.2. Threat Defense Operations (TDO).
- TDO’s specialized analysts are responsible for creating detection logic in the form of signatures, rules, and custom queries based on CTI-provided threat intelligence. TDO engineers deploy the detection logic to the range of devices, appliances, tools, and sensors that make up an organization’s security stack. The rules, signatures, and queries create a threat-based preventative sensor network that generates network- and host-based alerts that Tier 1–3 analysts in the SOC respond to.
- TDO analysts then fine-tune their detection logic based on SOC feedback, creating an efficient CMC that doesn’t waste time investigating false alarms.
- The TDO team is also responsible for providing in-depth malware analysis that yields valuable technical intelligence (TECHINT), which can be used in detection logic and further enriched by CTI.
1.3. Managing all the security alerts.
This process – building detection solutions and then identifying and mitigating threats – is where many organizations struggle. The main point to remember is that more technology, tools, and threat feeds do not necessarily enable your SOC to operate more efficiently. Designs built around smooth workflows are more likely to succeed than those that prioritize technology. Organizations should focus on technology that enables SOC investigators to spend less time collecting data and more time investigating the root cause of the activity they’ve been alerted to.
1.4. Implementing 24/7 operations and managing investigations.
Design and implementation should focus on standardizing daily operations, case management, and methods of “measuring success.” Modern-day threats necessitate that SOCs operate 24/7, 365 days a year, requiring well-thought-out shift schedules and defined roles. Having a well-integrated, easy-to-use case-management system that doesn’t get in the way of investigations and seamlessly interacts with other SOC tools is key. This tool ideally provides metrics on how effectively your SOC monitors, detects, and contains cases, and will allow an organization to identify gaps in people, processes, and technologies.
1.5. Documenting standard operating procedures.
Successful implementation also demands accurate and up-to-date documentation. This includes documentation on network architecture, standard operating procedures (SOPs), and point-of-contact lists. If the SOC is considered the “heart” of the CMC, then SOPs act as its beat, guiding analysts in situations ranging from collecting forensic evidence to stopping data exfiltration.
2 Integrate Cyber Threat Intelligence functions.
Threat intelligence is incredibly powerful: it can serve as a force multiplier for the CMC, helping to improve awareness of threats and offering the means by which these threats can be prevented or detected. Good threat intelligence will be implemented in a way that demonstrates the following characteristics:
2.1. Cyber Threat Intelligence is timely.
Receiving intelligence before the threat is realized is crucial to the organization. Dissemination of strategic and tactical intelligence, including indicators of compromise (IOCs), can take the form of indications and warnings (warning of an imminent threat), daily or weekly reports (highlights on relevant threats), and executive briefs (assessments on major and specific cyber issues for C-suite stakeholders).
2.2. Cyber Threat Intelligence is relevant.
Relevant threat intelligence produces valuable insights not only on issues occurring in the global business environment but also on specific issues within the organization’s industry and its own IT environment.
2.3. Cyber Threat Intelligence is actionable.
Actionable threat intelligence is created when analysts filter through large volumes of data and information, analyze why specific pieces of information are relevant to an organization, and communicate how that information can be used by various stakeholders. SOC, TDO, and ASR teams need tactical and technical intelligence to support current investigations, create detection logic, and prepare for potential attacks. Technical intelligence will also be used to determine if certain malicious actions or indicators have already been present on your network.
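The CTI-to-TDO-to-SOC loop described in 1.2 and the retrospective indicator check described here, as an added Python example that is not from the article or its authors: CTI hands over indicators, TDO compiles them into detection rules, the SOC runs the rules over logs, false positives reported by the SOC tune the rules, and a sweep over historical logs answers whether an indicator was already present on the network. The log format, indicator values and host names are constructed for the example.

```python
from dataclasses import dataclass, field
import re

@dataclass
class DetectionRule:                 # TDO-authored logic built from one CTI indicator
    name: str
    pattern: re.Pattern
    threat: str                      # threat group named in the CTI report
    suppressed_hosts: set = field(default_factory=set)   # SOC feedback: known-benign sources

def build_rules(indicators):
    """indicators: (kind, value, threat) tuples as CTI would hand them to TDO.
    Boundary lookarounds keep 'notevil.example' from matching the IOC 'evil.example'."""
    return [DetectionRule(f"{kind}:{value}",
                          re.compile(r"(?<![\w.-])" + re.escape(value) + r"(?![\w.-])", re.I),
                          threat) for kind, value, threat in indicators]

LOG_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) (?P<msg>.*)$")  # constructed log format

def run_detection(rules, log_lines):
    """Return (timestamp, host, rule name, threat) for every line a non-suppressed rule matches."""
    alerts = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue                 # malformed line: skip it rather than crash the sensor
        for r in rules:
            if m["host"] not in r.suppressed_hosts and r.pattern.search(m["msg"]):
                alerts.append((m["ts"], m["host"], r.name, r.threat))
    return alerts

def apply_soc_feedback(rules, false_positives):
    """SOC reports (rule name, host) pairs it judged benign; TDO tunes by suppressing that host."""
    by_name = {r.name: r for r in rules}
    for name, host in false_positives:
        by_name[name].suppressed_hosts.add(host)

def retro_sweep(rules, history):
    """Earliest sighting per rule in historical logs: was the indicator already present?"""
    first = {}
    for ts, host, name, _ in sorted(run_detection(rules, history)):
        first.setdefault(name, (ts, host))
    return first

# Constructed sample data, not from any real report or network.
CTI_INDICATORS = [("domain", "update-cdn.example", "GROUP-A"), ("ip", "203.0.113.7", "GROUP-A")]
LOGS = ["2024-05-01T08:00:00Z host=ws-12 dns query=update-cdn.example",
        "2024-05-01T08:01:00Z host=scanner-1 conn dst=203.0.113.7:443",    # vuln scanner job
        "2024-05-01T08:02:00Z host=ws-12 dns query=notupdate-cdn.example",  # not the IOC
        "garbage line without the expected fields"]
RULES = build_rules(CTI_INDICATORS)
apply_soc_feedback(RULES, [("ip:203.0.113.7", "scanner-1")])   # SOC: scanner traffic is benign
```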
2.4. Strategic and tactical threat intelligence.
Although the SOC team is the organization’s first line of defense, it can operate more effectively and efficiently with the support of CTI. The security team will handle a wide array of potential threats and must be able to quickly triage events, determine the threat level, and mitigate incidents. CTI can help SOC analysts to prioritize these alerts, can aid in investigations, and can help SOC analysts attribute malicious activity to specific threats or threat groups.
3 Red Team exercises to stress-test and strengthen the Cyber Multilayered Center.
A fundamental question for every business is: Will your cybersecurity organization be ready when an attack comes? An important means of assessing and “stress-testing” the CMC is to actively attack it. Through coordinated Red Team exercises, the CMC personnel can learn to detect and respond to a variety of threats.
3.1. Simulate threat actors’ TTP.
Red Team operations will ideally be designed to simulate the tactics, techniques, and procedures of threats that your CTI team has assessed to be a risk.
It is the Red Team’s responsibility to test that readiness and the limits of your SOC and broader CMC. For example, if it is known that the SOC rarely encounters web shells – a type of malware installed on web servers – your Red Team may choose to directly attack a web server.
An important aspect of a Red Team operation is that only selected leaders are aware of operations (often referred to as the “white team”), adding to the realism of the event. This implementation allows those who are aware to observe the event as it unfolds, particularly how teams interact with each other, how information is passed along, how stakeholders are engaged, and how the teams handle a variety of attack scenarios. These leaders can also help to scope Red Team activities to ensure no critical data or operations are actually compromised or exposed.
Implementation of Red Team operations should therefore emphasize the interdependency between the SOC and Red Team mission. The Red Team should assist the SOC during remediation efforts to ensure any uncovered vulnerabilities are no longer susceptible to exploitation.
4 Reducing the organization’s attack surface.
The goal of Attack Surface Reduction (ASR) is to close all but the required doors to your technical infrastructure and limit access to those doors through monitoring, vulnerability assessment/mitigation, and access control. The ASR team is dedicated to identifying, reducing, and managing critical vulnerabilities, services, and assets, while also focusing on preventing the introduction of vulnerabilities via improved hardening procedures.
4.1. Understanding and prioritizing the “attack surface.”
Implementing ASR is all about identifying and understanding your most critical business applications and services including their functions, supporting infrastructure, scope, and inherent vulnerabilities.
The ASR team should prioritize each asset, considering its critical value to operations and the ability of the most relevant threat actors to leverage it in an intrusion. In addition, the impact of such attacks must be considered.
4.2. More than just patch management.
While vulnerability and patch management is a core ASR function, achieving a vulnerability-free organization is not a realistic goal. Vulnerabilities must be identified and managed appropriately, keeping a focus on preventing and quickly responding to the most critical. Continually improving deployment and hardening procedures, especially for publicly facing services and services that may permit attackers to access high-trust zones, is a critical ASR process for facilitating preventive measures and timely mitigation.
4.3. A highly technical function that demands strong human analysis.
Maintaining complete asset awareness is increasingly difficult in today’s dynamic business environment. Organizations require continuous scans and costly-to-maintain configuration management databases (CMDBs) to track and ensure the attack surface hasn’t expanded beyond the organization’s acceptable risk level. New exposures also emerge throughout the course of normal business as new IT systems are introduced or upgraded.
Experienced ASR security professionals, who possess a deep understanding of network engineering, IT concepts, and security, are able to synthesize disparate pieces of information that can point to a previously undetected or contextually important attack vector.
“Will we be next?” or even, “Have we already been breached?” are the questions that all companies should have in mind. By developing a Cyber Multilayered Center, organizations develop the speed, collaboration, coordination, information flows, and C-suite awareness necessary to not only survive but thrive.
With 20 years of experience in IT&C and a focus on the strategic and technical challenges imposed by digital evolution, Virgilius leads the IT Direction in ANCOM, bringing a managerial and analytical spirit to leading ANCOM on the way to digital transformation. His vision is a digital ANCOM with safe, interoperable distributed IT systems. ANCOM’s advanced systems themselves represent a base for future development.
Virgilius holds a Ph.D. (Magna cum Laude) and is an invited professor at the Technical University; he is also certified in ethical hacking and is an expert in competitive/business intelligence, critical infrastructure security, and national security information management. A member of the National System for Fighting Against Cybercrime, he has been involved in cooperation and technical exercises for the detection, investigation, and response to cyber incidents.
- Booz Allen Hamilton – Bill Stewart, Sedar LaBarre, Matt Doan, Denis Cosgrove