There is immense analytical and deductive value in knowing the tactics, techniques, and procedures (TTPs) of threat actors. These are often tell-tale signs of behavior that are repeated across countless organizations as threat actors carry out their attacks. Many of them are straightforward and well-known to defenders, such as the naming convention they often use when creating inbox rules to hide their activity. But the fact that these actions are part of a procedure means there is likely a linear progression to the specific steps taken.

Knowledge of that progression allows an analyst to go back through the logs and search for the activities that are often a prelude to the action that was just noisy enough to draw attention to itself. Viewed in a vacuum, as a singular event, that action would likely not prompt much additional review. But to a person who knows the TTPs and how those actions flow, discovery depends less on the immediate flag being thrown and more on the prior events it likely followed.

The compromise of a single account or system is a win for a threat actor, but the ability to expand that compromise across multiple accounts and systems gives them a far greater foothold in their target environment. We know this to be a preference and one of the first goals they look to accomplish once they have gained initial entry. Once you have worked your way back to this point, revoking that access becomes a priority.

That is a lot of work and a lot of time. Seeing activity at scale and working backwards through it, looking for the inciting events you know likely preceded the point you are at now, takes you to the moment of initial foothold. When you combine those capabilities with the ability to respond rapidly to not just the one account but every account that has been compromised, you stop playing whack-a-mole and can take mass action.
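The three steps described above (start from the noisy inbox-rule event, walk back through the logs to the earliest activity from the same source, then pivot to every account that source touched) are shown here as an added Python example. It is not code from the eBook or the SOC it describes; the log format, field names, the suspicious-rule-name heuristic and the sample events are all constructed for illustration.

```python
"""Walk back from a noisy anchor event to the likely initial foothold,
then pivot to other accounts that share the actor's source indicator.

Added example: log schema, heuristic and sample events are constructed."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    action: str
    src_ip: str
    detail: str = ""


# Heuristic (assumption, not a vendor rule): inbox rules named with one to
# three punctuation characters or a single letter are treated as suspicious.
SUSPICIOUS_RULE_NAME = re.compile(r"^[.,\-_ ]{1,3}$|^[a-z]$", re.IGNORECASE)


def t(minutes: int) -> datetime:
    """Timestamps relative to a constructed start time."""
    return datetime(2024, 1, 15, 8, 0) + timedelta(minutes=minutes)


# Constructed sample log: one external source IP reused across two accounts.
SAMPLE_LOG = [
    Event(t(0),  "alice", "login",      "10.0.0.5"),
    Event(t(5),  "alice", "login",      "203.0.113.9"),   # first action from the unusual source
    Event(t(7),  "alice", "mail_read",  "203.0.113.9"),
    Event(t(12), "alice", "mail_sent",  "203.0.113.9", "to=bob,carol subject=Invoice"),
    Event(t(20), "bob",   "login",      "203.0.113.9"),
    Event(t(25), "alice", "login",      "10.0.0.5"),
    Event(t(30), "bob",   "inbox_rule", "203.0.113.9", 'name="."'),  # the noisy event
    Event(t(40), "carol", "login",      "10.0.0.7"),
]


def find_anchor_events(log):
    """Inbox-rule creations whose rule name matches the suspicious heuristic."""
    anchors = []
    for e in log:
        if e.action == "inbox_rule":
            m = re.search(r'name="([^"]*)"', e.detail)
            if m and SUSPICIOUS_RULE_NAME.match(m.group(1)):
                anchors.append(e)
    return anchors


def walk_back(log, anchor, window=timedelta(hours=2)):
    """Earliest event from the anchor's source IP inside the look-back window."""
    earliest = anchor
    for e in log:
        in_window = anchor.ts - window <= e.ts <= anchor.ts
        if in_window and e.src_ip == anchor.src_ip and e.ts < earliest.ts:
            earliest = e
    return earliest


def pivot_accounts(log, src_ip):
    """Every account that acted from the actor's source IP: the containment set."""
    return sorted({e.user for e in log if e.src_ip == src_ip})


def scope_incident(log):
    """From the first anchor event, derive the foothold and the accounts to contain."""
    anchors = find_anchor_events(log)
    if not anchors:
        return None
    anchor = anchors[0]
    foothold = walk_back(log, anchor)
    return {
        "anchor": anchor,
        "initial_foothold": foothold,
        "accounts_to_contain": pivot_accounts(log, anchor.src_ip),
    }


if __name__ == "__main__":
    result = scope_incident(SAMPLE_LOG)
    print("anchor:", result["anchor"])
    print("initial foothold:", result["initial_foothold"])
    print("contain:", result["accounts_to_contain"])
```

The pivot key here is the source IP because that is what the constructed log shares; in practice the same walk-back runs over whichever indicator the anchor event exposes (source address, user agent, application id), and the returned containment set is what feeds the mass-action step rather than a one-account response.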

A lot of organizations may think to change the password on a compromised account, but that doesn’t necessarily have the desired effect. Knowing how access is maintained once an account authenticates, through what are known as sessions, means you need to go further and revoke any active session associated with that user. It’s the devil-in-the-details kind of knowledge that a SOC can provide, giving you both the breadth and depth of insight into the actions to take.
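The point that a password change does not end an attacker's existing session is modelled below as an added Python example. It is a constructed in-memory identity store, not any real identity provider's API: the token validity check compares each session's issue time with a per-user "sessions valid after" marker, which only a session revocation moves.

```python
"""Why a password reset alone does not evict an attacker who already holds a session.

Added example: the identity store is a constructed model, not a real provider."""
import hashlib
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    issued_at: int  # logical clock tick when the session was created


@dataclass
class UserRecord:
    password_hash: str
    sessions_valid_after: int = 0  # sessions issued at or before this tick are dead


class IdentityStore:
    def __init__(self):
        self.clock = 0
        self.users: dict[str, UserRecord] = {}
        self.sessions: dict[str, Session] = {}

    def _tick(self) -> int:
        self.clock += 1
        return self.clock

    @staticmethod
    def _hash(password: str) -> str:
        # Placeholder for the model only; a real store uses a slow, salted KDF.
        return hashlib.sha256(password.encode()).hexdigest()

    def create_user(self, user: str, password: str) -> None:
        self.users[user] = UserRecord(password_hash=self._hash(password))

    def login(self, user: str, password: str):
        """Return a session token on success, None on a wrong password."""
        rec = self.users[user]
        if rec.password_hash != self._hash(password):
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = Session(user, self._tick())
        return token

    def is_valid(self, token: str) -> bool:
        """A session is live only if issued after the user's last revocation."""
        s = self.sessions.get(token)
        if s is None:
            return False
        return s.issued_at > self.users[s.user].sessions_valid_after

    def change_password(self, user: str, new_password: str) -> None:
        # Only the credential changes; sessions already issued keep working.
        self.users[user].password_hash = self._hash(new_password)
        self._tick()

    def revoke_sessions(self, user: str) -> None:
        # Moves the marker past every existing session, whatever the password is.
        self.users[user].sessions_valid_after = self._tick()


def demo():
    """Returns (attacker token valid after reset, after revoke, fresh login valid)."""
    store = IdentityStore()
    store.create_user("alice", "correct horse")
    attacker_token = store.login("alice", "correct horse")  # session obtained before response
    store.change_password("alice", "new battery staple")
    after_reset = store.is_valid(attacker_token)            # still True: reset alone is not enough
    store.revoke_sessions("alice")
    after_revoke = store.is_valid(attacker_token)           # False: the session is gone
    new_token = store.login("alice", "new battery staple")  # the legitimate user signs back in
    return after_reset, after_revoke, store.is_valid(new_token)


if __name__ == "__main__":
    print(demo())
```

The order matters in practice as well as in the model: reset the credential first so the actor cannot simply sign in again, then revoke sessions so the token they already hold stops working.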

What’s more, by seeing the TTPs and identifying the action the threat actor is using to spread further across the environment, an organization can take additional preventative steps too: notifying everyone of the malicious email and the malicious file, and pulling it out of any mailbox it may be present in before the next recipient ever sees it.

This goes beyond the single response to the one identified event, the mailbox rule. Knowledge of context and execution enables a stronger, broader response that increases the likelihood of stopping the attack before it does the worst damage it could.

Read the full Tales from the SOC eBook.