Page 98 - Cyber Defense eMagazine August 2024

But what about the dreaded false negative? Well, if we also spread alerts across the stages of the cyber kill chain, it is less likely that a single miss will compromise the environment. In fact, having a deep bench of alerting throughout the stages of an attack builds trust and confidence that our systems will not let malicious actions go unnoticed.
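As an added illustration (not from the article) of why alerting spread across stages tolerates a single miss: a small model, with a constructed rule catalogue and the assumption that misses are independent, that estimates how likely a given intrusion path is to trigger no alert at all and which stages have no coverage.

```python
"""Layered-detection model for the kill-chain argument above.

Constructed example, not the article's material. Each detection rule is
mapped to a kill-chain stage with an estimated false-negative rate (the
probability it misses the technique it is meant to catch). Assuming misses
are independent, an intrusion evades the SOC only if it slips past every
rule on every stage it touches; a stage with no rules is a certain miss.
"""
from collections import defaultdict

KILL_CHAIN = ["recon", "weaponization", "delivery", "exploitation",
              "installation", "c2", "actions"]

# Constructed sample catalogue: (rule name, stage, false-negative rate).
RULES = [
    ("phishing-attachment-detonation", "delivery", 0.30),
    ("office-spawns-shell", "exploitation", 0.20),
    ("new-service-install", "installation", 0.25),
    ("beaconing-periodicity", "c2", 0.40),
    ("dns-tunnel-entropy", "c2", 0.35),
    ("mass-file-rename", "actions", 0.10),
]


def coverage_by_stage(rules):
    """Map each stage to the false-negative rates of the rules covering it."""
    cov = defaultdict(list)
    for _name, stage, fn_rate in rules:
        cov[stage].append(fn_rate)
    return cov


def evasion_probability(rules, path):
    """Probability that an intrusion following `path` raises no alert.

    Every rule on a stage must miss for the stage to go unnoticed; a stage
    with no rules at all contributes a miss probability of 1.0.
    """
    cov = coverage_by_stage(rules)
    p = 1.0
    for stage in path:
        for fn_rate in cov.get(stage, [1.0]):
            p *= fn_rate
    return p


def uncovered_stages(rules, stages=KILL_CHAIN):
    """Stages with no detection at all: a miss elsewhere is not recoverable here."""
    cov = coverage_by_stage(rules)
    return [s for s in stages if s not in cov]
```

With the full catalogue, an attack crossing delivery through actions evades everything with probability 0.3 * 0.2 * 0.25 * 0.4 * 0.35 * 0.1, about 0.0002; with only the first rule deployed, the same path evades with probability 0.3, which is the "single miss" the paragraph warns about.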
            Investigation

Consider this scenario: the team has seen something strange, but before they reach out to the Cybersecurity Incident Response Team, they need to dig in and confirm that the event is truly an indicator of a successful attack or compromise. This requires investigation. Remember when I spoke about training analysts earlier? This is where that training is needed. Analysts are digital investigators. They need to understand investigation principles and incident response, and be constantly exposed to attackers' tactics, techniques, and procedures so that they recognize them when found in the logs.

There should be a sense of trust that investing in our analysts, with the intent of creating professional investigators and incident responders, will yield a high return on investment. They cannot be considered entry-level security employees, but rather, like architects or engineers, specialists with distinct skills and abilities who receive the same level of commitment from security leaders. When analysts can trace every step a penetration tester took within the environment, we can all rest easier.



            Threat Intelligence

Every incident response flow chart should start with sensor data. Sensor data are the alerts that kick off the response. This could be anything from signature or behavioral findings to an article or a random conversation in the hall. Quite often, though, the best sensor data comes from indicators produced by investigating real events. The more closely related those events are to the company, the better.

There are many threat intelligence feeds out there, and quite often we add them only to never hear from them again, or we remove them a few days later because they are alerting on standard processes. Threat intelligence feeds vary in quality, and like most things in cybersecurity, there is a balance between the
            Copyright © 2024, Cyber Defense Magazine. All rights reserved worldwide.