Blue Team
Defend your castle
Last updated
Advanced Persistent Threat
This can be a team or group (threat group), or even a country (nation-state group), that carries out long-term, targeted attacks against organizations and/or countries.
TTPs
Stands for Tactics, Techniques and Procedures. TTPs categorise the behaviour of a threat actor/group based on their patterns of activity.
Analysing TTPs helps threat intelligence by consolidating cybersecurity operations: it lets you put defenses in place based on how adversaries actually perform their operations.
As per the NIST description:
The behavior of an actor. A tactic is the highest-level description of this behavior, while techniques give a more detailed description of behavior in the context of a tactic, and procedures an even lower-level, highly detailed description in the context of a technique.
Identified adversary TTPs are catalogued in MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge), a knowledge base maintained by the MITRE Corporation.
Diamond Model
The Diamond Model is a framework used to describe the relationship between a threat actor and their victim, along with the actor's TTPs.
This model has 4 main pillars.
Adversary: The threat actor who attacks.
Victim: The individual or corporation whom the adversary attacks.
Infrastructure: The resources the adversary has to carry out their attacks, e.g. domains, C2 servers, botnets etc.
Capability: The TTPs of the adversary. What tools they have, how they do reconnaissance, how they deliver the attack, how they maintain persistence, how they exfiltrate data, how they remotely control the victim computer etc.
SIEM
Security Information and Event Management is a security solution which ingests logs from many layers/components in an organization, i.e. workstations, network devices, servers etc.
It continuously logs, analyses and correlates the ingested data, then detects anomalies, raises alarms for detected threats and helps with incident response.
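The correlation step is the part that makes a SIEM more than a log store: events from different sources are normalised into one schema, then a rule ties them together. The script below is an added example (not from these notes or any particular SIEM product) that ingests three constructed log sources (a workstation auth log, a firewall log and a file server log; the line formats, hostnames and IPs are all made up for the demo), normalises them, and raises an alert when several failed logins are followed by a success from the same source and that source then reaches SMB on another host.

```python
"""
Minimal SIEM-style correlation over constructed log lines from three sources.
Added example, not from the original notes; the log formats, hostnames and
IP addresses are constructed for the demo.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs: workstation auth log, firewall log, file-server log.
WORKSTATION_LOG = """\
2024-03-01T09:00:01 ws01 sshd: Failed password for alice from 203.0.113.7
2024-03-01T09:00:03 ws01 sshd: Failed password for alice from 203.0.113.7
2024-03-01T09:00:05 ws01 sshd: Failed password for alice from 203.0.113.7
2024-03-01T09:00:09 ws01 sshd: Accepted password for alice from 203.0.113.7
2024-03-01T09:30:00 ws02 sshd: Accepted password for bob from 192.0.2.10
"""
FIREWALL_LOG = """\
2024-03-01T09:00:40 fw01 ALLOW src=203.0.113.7 dst=10.0.0.5 dport=445
2024-03-01T09:31:00 fw01 ALLOW src=192.0.2.10 dst=10.0.0.9 dport=443
"""
SERVER_LOG = """\
2024-03-01T09:01:10 srv05 smb: session opened for alice from 203.0.113.7
"""

WS_RE = re.compile(r"^(\S+) (\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")
FW_RE = re.compile(r"^(\S+) (\S+) (ALLOW|DENY) src=(\S+) dst=(\S+) dport=(\d+)$")
SRV_RE = re.compile(r"^(\S+) (\S+) smb: session opened for (\S+) from (\S+)$")


def parse_all(ws_log, fw_log, srv_log):
    """Normalise heterogeneous lines into one event schema, sorted by time."""
    events = []
    for line in ws_log.splitlines():
        m = WS_RE.match(line)
        if m:
            ts, host, outcome, user, src = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "host": host,
                           "type": "auth_fail" if outcome == "Failed" else "auth_ok",
                           "user": user, "src": src})
    for line in fw_log.splitlines():
        m = FW_RE.match(line)
        if m:
            ts, host, action, src, dst, dport = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "host": host,
                           "type": "fw_" + action.lower(), "src": src,
                           "dst": dst, "dport": int(dport)})
    for line in srv_log.splitlines():
        m = SRV_RE.match(line)
        if m:
            ts, host, user, src = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "host": host,
                           "type": "smb_session", "user": user, "src": src})
    events.sort(key=lambda e: e["ts"])
    return events


def correlate(events, fail_threshold=3, window=timedelta(minutes=5)):
    """Rule: >= fail_threshold failures then a success from the same source
    within the window; severity is raised if that source then opens an SMB
    session or is allowed through to port 445 on another host."""
    fails = defaultdict(list)
    alerts = []
    for e in events:
        if e["type"] == "auth_fail":
            fails[e["src"]].append(e["ts"])
        elif e["type"] == "auth_ok":
            recent = [t for t in fails[e["src"]] if e["ts"] - t <= window]
            if len(recent) >= fail_threshold:
                followups = [f for f in events
                             if e["ts"] < f["ts"] <= e["ts"] + window
                             and f.get("src") == e["src"]
                             and (f["type"] == "smb_session"
                                  or (f["type"] == "fw_allow" and f.get("dport") == 445))]
                alerts.append({
                    "src": e["src"], "user": e["user"], "host": e["host"],
                    "failures": len(recent),
                    "followup_hosts": sorted({f["host"] for f in followups}),
                    "severity": "high" if followups else "medium",
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_all(WORKSTATION_LOG, FIREWALL_LOG, SERVER_LOG)):
        print(alert)
```

Bob's clean login on ws02 produces nothing; alice's login on ws01 after three failures, followed by the firewall allowing 203.0.113.7 to port 445 and an SMB session on srv05, produces a single high-severity alert. Notice that no single log source could have produced that alert on its own, which is the point of shipping everything into one place.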
EDR
Endpoint Detection and Response is also a security solution; it continuously monitors end-user devices to detect and respond to cyber threats like ransomware and malware.
Continuous monitoring and automatic data analysis are used to identify malicious activity.
Detection: A monitoring agent is installed on your devices which continuously collects data and sends it to a server for analysis. ML algorithms and AI are used to spot malicious activity in this data, like downloading certain types of files, logging in from an unusual location, turning off security solutions etc. EDR flags this irregular behaviour and tries to build a road map of the incident by correlating the events before and after the flagged one, to get a broader context of what actually happened.
Triage: An alert is sent to IT staff; it is their responsibility to eliminate false positives and triage the alerts on the basis of certain criteria.
Investigation: After triage is done it is time to investigate the activity, to better understand it and minimize the damage by responding quickly.
Respond: When an incident is confirmed, EDR can automatically respond to it by isolating the device, stopping the malicious process etc. The IT team determines the further course of action.
EDR not only helps in identifying malware attacks but also helps with secure password management, phishing attempts, protection against malicious URLs etc.
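The Detection / Triage / Investigation / Respond steps above form one pipeline, and it is easier to see how they fit together in code. The script below is an added example written for these notes (it is not the code of any EDR product): it takes constructed endpoint telemetry from one host, flags the three behaviours the text mentions (risky file download, logon from an unusual location, security tool disabled), builds the "road map" timeline around each flagged event, drops a sanctioned change as a false positive during triage, scores what is left by its context, and picks an automatic containment action. The baselines (`USUAL_GEO`, `ALLOWED_TO_DISABLE_TOOLS`), the event fields and the host name are all assumptions for the demo.

```python
"""
Toy EDR pipeline: detect -> timeline context -> triage -> respond.
Added example, not part of the original notes; the telemetry, hostnames,
baselines and response actions are constructed/assumed for the demo.
"""
from datetime import datetime, timedelta

# Constructed endpoint telemetry as an agent might report it for one host.
TELEMETRY = [
    {"ts": "2024-03-01T10:00:00", "host": "lt-042", "user": "carol", "type": "process_start", "image": "outlook.exe"},
    {"ts": "2024-03-01T10:00:30", "host": "lt-042", "user": "carol", "type": "file_download", "path": "C:\\Users\\carol\\Downloads\\invoice.scr"},
    {"ts": "2024-03-01T10:00:45", "host": "lt-042", "user": "carol", "type": "process_start", "image": "invoice.scr"},
    {"ts": "2024-03-01T10:01:00", "host": "lt-042", "user": "carol", "type": "security_tool_disabled", "tool": "Defender RealTimeProtection"},
    {"ts": "2024-03-01T10:01:20", "host": "lt-042", "user": "carol", "type": "process_start", "image": "powershell.exe"},
    {"ts": "2024-03-01T12:00:00", "host": "lt-042", "user": "carol", "type": "logon", "geo": "US"},
    {"ts": "2024-03-01T12:30:00", "host": "lt-042", "user": "backup-svc", "type": "security_tool_disabled", "tool": "Defender RealTimeProtection"},
]

# Assumed baselines held by the EDR server: usual logon countries per user,
# and service accounts that are allowed to change security settings.
USUAL_GEO = {"carol": {"DE"}}
ALLOWED_TO_DISABLE_TOOLS = {"backup-svc"}
RISKY_DOWNLOAD_EXTENSIONS = (".scr", ".exe", ".js", ".hta")


def detect(events):
    """Detection: flag single events that match a behavioural rule."""
    flagged = []
    for e in events:
        reason = None
        if e["type"] == "file_download" and e["path"].lower().endswith(RISKY_DOWNLOAD_EXTENSIONS):
            reason = "risky file type downloaded"
        elif e["type"] == "logon" and e["geo"] not in USUAL_GEO.get(e["user"], set()):
            reason = "logon from unusual location"
        elif e["type"] == "security_tool_disabled":
            reason = "security tool disabled"
        if reason:
            flagged.append({**e, "reason": reason})
    return flagged


def timeline(events, flagged_event, before=timedelta(minutes=2), after=timedelta(minutes=2)):
    """Road map: the events on the same host shortly before and after the flag."""
    t0 = datetime.fromisoformat(flagged_event["ts"])
    return [e for e in events
            if e["host"] == flagged_event["host"]
            and t0 - before <= datetime.fromisoformat(e["ts"]) <= t0 + after]


def downloaded_names(ctx):
    """File names that were downloaded inside the context window."""
    return {e["path"].replace("\\", "/").rsplit("/", 1)[-1].lower()
            for e in ctx if e["type"] == "file_download"}


def triage(events, flagged):
    """Triage: drop expected behaviour, score the rest by surrounding context."""
    incidents = []
    for f in flagged:
        if f["type"] == "security_tool_disabled" and f["user"] in ALLOWED_TO_DISABLE_TOOLS:
            continue  # sanctioned change by an allowed service account: false positive
        ctx = timeline(events, f)
        downloaded = downloaded_names(ctx)
        score = 1
        if any(e["type"] == "security_tool_disabled" for e in ctx):
            score += 3
        if any(e["type"] == "process_start" and e["image"].lower() in downloaded for e in ctx):
            score += 2  # a downloaded file was executed
        if any(e["type"] == "process_start" and e["image"].lower() == "powershell.exe" for e in ctx):
            score += 1
        incidents.append({"event": f, "score": score, "context": ctx})
    incidents.sort(key=lambda i: i["score"], reverse=True)
    return incidents


def respond(incident, isolate_threshold=5):
    """Respond: automatic containment for high scores, otherwise hand to an analyst."""
    host = incident["event"]["host"]
    downloaded = downloaded_names(incident["context"])
    actions = []
    if incident["score"] >= isolate_threshold:
        actions.append(f"isolate host {host} from the network")
        for e in incident["context"]:
            if e["type"] == "process_start" and e["image"].lower() in downloaded:
                actions.append(f"kill process {e['image']} on {host}")
    else:
        actions.append(f"notify analyst about {host} (score {incident['score']})")
    return actions


if __name__ == "__main__":
    for inc in triage(TELEMETRY, detect(TELEMETRY)):
        print(inc["score"], inc["event"]["reason"], "->", respond(inc))
```

Four events get flagged, but the backup service account disabling real-time protection is discarded at triage, so three incidents remain. The download of invoice.scr and the protection being disabled at 10:01 share the same two-minute context (downloaded file executed, security tool off, PowerShell started) and score 7 each, so both trigger host isolation and a kill of invoice.scr; the lone logon from an unusual country scores 1 and only notifies an analyst. The point of the scoring is that the same flag is worth very different responses depending on what happened around it.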