In today’s remote working environment, security professionals need specialized technical security awareness education that goes beyond the standard “don’t click a phishing link” training provided to the rest of the company. While security analysts are adept at recognizing phishing emails and setting secure passwords, their cybersecurity awareness must extend to optimizing log management strategies to keep pace with evolving threat actors.


Choose a Framework for Threat Hunting

Threat hunting is essential for mitigating phishing attack risks. To prevent phishing attacks from escalating into data breaches or ransomware incidents, it’s crucial to proactively search for indicators of compromise.

Building a robust security program involves understanding various attack models and tracking threat actor tactics, techniques, and procedures (TTPs). The four most prominent frameworks for this purpose are:

  • Lockheed Martin Cyber Kill Chain®
  • FireEye Attack Lifecycle
  • Gartner Cyber Attack Model
  • MITRE ATT&CK Lifecycle

Each framework offers a unique approach to tracking threat actors, yet they share several similarities. Comparing the Lockheed Martin Cyber Kill Chain with the MITRE ATT&CK lifecycle, for instance, shows two different ways of describing and monitoring the same threat actor activity.


Why Choosing a Framework Matters

Selecting the right framework is crucial because it guides how you map proactive threat hunting queries. Understanding what you need to look for and how to search for it allows you to create higher fidelity alerts, thereby improving key metrics such as Mean Time to Identify (MTTI) and Mean Time to Respond (MTTR).

By aligning your threat hunting strategies with a chosen framework, you can enhance your organization’s ability to detect and respond to threats more efficiently, ensuring a more secure and resilient network.


Example

Comparing the Lockheed Martin Cyber Kill Chain and MITRE ATT&CK framework shows how the framework changes the way a security analyst approaches activities like threat hunting and detection.

| Cyber Kill Chain | MITRE ATT&CK |
| --- | --- |
| Reconnaissance: Looking for information about a company, scanning networks | Reconnaissance: Looking for information about a company, scanning networks |
| Weaponization: Looking for a vulnerability that they can exploit as a backdoor | Resource Development: Looking for resources that can support their plan |
| Delivery: Delivering the payload to the victim | Initial Access: Attempting to gain unauthorized access to systems, networks, or software |
| Exploitation: Using the discovered vulnerability to execute the malicious code | |
| Installation: Installing malware on the target asset | Execution: Executing malicious code |
| | Persistence: Finding a way to remain in systems and networks |
| | Privilege Escalation: Attempting to gain additional levels of access and permissions within systems and networks |
| | Defense Evasion: Hiding from security tools and analysts and not triggering alerts |
| | Credential Access: Attempting to steal usernames and passwords |
| | Discovery: Learning about the environment |
| | Lateral Movement: Moving throughout the environment as part of persistence |
| | Collection: Gathering or exfiltrating sensitive information |
| Command and Control (C2): Establishing a remote communication channel | Command and Control (C2): Establishing a remote communication channel |
| Actions on Objectives: Completing the attack, either by deploying malware or by exfiltrating information | Exfiltration: Stealing data |
| | Impact: Manipulating, interrupting, or destroying systems and data |

While the Cyber Kill Chain focuses on identifying indicators of malware and ransomware, the MITRE ATT&CK framework is designed to detect advanced persistent threats (APTs), which may also involve malware or ransomware. Both frameworks highlight how phishing attacks often begin with basic reconnaissance and social engineering tactics to deliver payloads or facilitate resource development.


Mapping Threat Hunting Queries to a Framework

Regardless of the framework you choose, it’s essential to map your proactive threat hunting queries to it. Knowing what to look for and how to search enables you to create higher fidelity alerts, which improve key metrics like Mean Time to Identify (MTTI) and Mean Time to Respond (MTTR).


Enriching Data for High Fidelity Alerts

Real-time alerting is crucial, but the key to achieving it lies in how you aggregate and correlate your log data. Not every alert indicates a threat actor’s presence, so data enrichment is vital for setting appropriate triggers.

Phishing attacks often culminate in credential theft. Cybercriminals may use these credentials to verify email or login existence within the organization or to send malware that communicates with their command and control (C2).

To achieve high fidelity alerting, ensure you can group aggregated data by fields or create multiple groupings, such as:

  • Increased error rates following new deployments
  • A high rate of login failures for a single username
  • New listening TCP ports on hosts that also have connections to unknown destinations

Creating effective security alerts involves setting rules that are complex enough to be meaningful but not so complex that they never trigger.
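As an added example (not from the original article, and not Graylog's own rule syntax), the "high rate of login failures by username" grouping above, expressed as a small detection over constructed sshd-style log lines. It also shows the mapping step from the previous section: each alert carries the ATT&CK tactic it was written against, so it arrives already enriched. The line format, threshold and window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd-style sample lines (not real data): alice fails 5 times
# across two hosts within seconds; bob fails twice, 40 minutes later.
SAMPLE_LOGS = [
    "2024-03-01T09:00:01Z host1 sshd[101]: Failed password for alice from 203.0.113.5 port 51000 ssh2",
    "2024-03-01T09:00:03Z host1 sshd[102]: Failed password for alice from 203.0.113.5 port 51001 ssh2",
    "2024-03-01T09:00:04Z host1 sshd[103]: Accepted password for bob from 198.51.100.7 port 40000 ssh2",
    "2024-03-01T09:00:05Z host2 sshd[201]: Failed password for alice from 203.0.113.5 port 51002 ssh2",
    "2024-03-01T09:00:06Z host2 sshd[202]: Failed password for alice from 203.0.113.5 port 51003 ssh2",
    "2024-03-01T09:00:07Z host2 sshd[203]: Failed password for alice from 203.0.113.5 port 51004 ssh2",
    "2024-03-01T09:40:00Z host1 sshd[104]: Failed password for bob from 198.51.100.7 port 40001 ssh2",
    "2024-03-01T09:41:00Z host1 sshd[105]: Failed password for bob from 198.51.100.7 port 40002 ssh2",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) "
                     r"password for (?P<user>\S+) from (?P<src>\S+)")

# Enrichment attached to every alert: the framework tactic this query is mapped
# to (Credential Access, from the ATT&CK column of the comparison table).
RULE_CONTEXT = {"rule": "login_failure_rate_by_user",
                "framework": "MITRE ATT&CK", "tactic": "Credential Access"}

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None                      # lines the rule does not understand are skipped
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev

def failed_login_alerts(lines, threshold=5, window_s=300):
    """One alert per user whose failures within window_s reach threshold. Grouping is
    by username across hosts, so a spray over host1 and host2 is counted together."""
    recent, alerted, alerts = defaultdict(deque), set(), []
    for ev in filter(None, map(parse, lines)):
        if ev["result"] != "Failed":
            continue
        q = recent[ev["user"]]
        q.append(ev)
        while (ev["ts"] - q[0]["ts"]).total_seconds() > window_s:
            q.popleft()                  # drop failures older than the window
        if len(q) >= threshold and ev["user"] not in alerted:
            alerted.add(ev["user"])      # raise once per user, not once per failure
            alerts.append({**RULE_CONTEXT, "user": ev["user"], "failures": len(q),
                           "hosts": sorted({e["host"] for e in q}),
                           "sources": sorted({e["src"] for e in q})})
    return alerts
```

Raising the threshold or shortening the window is how the rule is tuned between "meaningful" and "never triggers": with the defaults only alice is reported, while `threshold=2` would also report bob.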


Ensuring Data Works for Forensics

Security analysts are also investigators. Forensic analysis can be time-consuming because it requires examining historical data to understand what happened before, during, and after an event.

In the aftermath of a phishing attack, you need to trace activities back to the original compromised user and device. Effective forensic analysis capabilities can help you shut down threats efficiently.

To support this, implement log management practices focused on cybersecurity. Consider:

  • Collecting logs from the appropriate devices, users, and applications
  • Ensuring consistency across data and formats
  • Using a consistent timestamp format and time zone across all logs

With proper log management practices, your centralized log management tool can serve as a powerful security analytics tool.
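As an added example (not from the original article or Graylog), the three practices above applied to a phishing investigation: constructed events from a mail gateway, a workstation and a firewall, each with its own timestamp convention, are normalized to one UTC clock, sorted into a timeline, and traced back to the original user and device. The per-source format table and the event fields are assumptions.

```python
from datetime import datetime, timezone, timedelta

# Per-source timestamp conventions (assumed here; in practice this comes from the
# collector's input configuration): format, plus the zone for naive local times.
SOURCE_TZ = {
    "mail-gateway": ("%d/%b/%Y:%H:%M:%S %z", None),                      # offset in string
    "workstation": ("%Y-%m-%d %H:%M:%S", timezone(timedelta(hours=8))),  # naive, UTC+8
    "firewall": ("epoch", timezone.utc),                                 # unix seconds
}

# Constructed sample events (not real data), deliberately out of order and in
# three different clock conventions. 1709254980 is 2024-03-01T01:03:00Z.
SAMPLE_EVENTS = [
    {"source": "firewall", "ts": "1709254980", "user": None, "device": "ws-042",
     "msg": "outbound 443 to 203.0.113.9 allowed"},
    {"source": "workstation", "ts": "2024-03-01 09:05:00", "user": "alice",
     "device": "ws-042", "msg": "credentials submitted to external form"},
    {"source": "mail-gateway", "ts": "01/Mar/2024:09:00:00 +0800", "user": "alice",
     "device": None, "msg": "delivered message with attachment invoice.html"},
    {"source": "workstation", "ts": "2024-03-01 09:01:30", "user": "alice",
     "device": "ws-042", "msg": "browser opened invoice.html"},
]

def to_utc(source, raw):
    """Normalize one source's timestamp string to an aware UTC datetime."""
    fmt, tz = SOURCE_TZ[source]
    if fmt == "epoch":
        return datetime.fromtimestamp(int(raw), tz=timezone.utc)
    dt = datetime.strptime(raw, fmt)
    if dt.tzinfo is None:                 # naive local time: attach the source zone
        dt = dt.replace(tzinfo=tz)
    return dt.astimezone(timezone.utc)

def build_timeline(events):
    """Sort every source on one UTC clock, then attribute device-only events to the last user seen on that device."""
    tl = sorted(({**e, "ts_utc": to_utc(e["source"], e["ts"])} for e in events),
                key=lambda e: e["ts_utc"])
    last_user = {}
    for e in tl:
        if e["user"] and e["device"]:
            last_user[e["device"]] = e["user"]
        elif e["device"] and not e["user"]:
            e["user"] = last_user.get(e["device"])   # e.g. firewall line -> alice
    return tl

def trace_origin(timeline, user):
    """First event involving the user, and the first device they were seen on."""
    mine = [e for e in timeline if e["user"] == user]
    device = next((e["device"] for e in mine if e["device"]), None)
    return mine[0]["source"], mine[0]["ts_utc"].isoformat(), device
```

Without the zone table the workstation's 09:01 local entry would sort after the gateway's 09:00 +0800 delivery by only 90 seconds of wall-clock time but eight hours of real time, which is exactly the kind of gap that makes forensic reconstruction slow.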


Automating Manual Processes

Automation can significantly reduce key security metrics such as MTTI and MTTR, especially for small teams. While “leveraging automation” may sound like a buzzword, several low-effort, high-value automations can enhance your security posture.

Automation can save time and demonstrate proactive measures to stop cybercriminals, whether for compliance or to mitigate phishing risks. Effective automations include:

  • Scheduling reports
  • Setting multilayer rules for automated blocking
  • Running predefined threat hunting queries regularly


Graylog: Centralized Log Management for Situational Awareness

For security analysts, awareness translates to situational awareness. Understanding specific risks that impact your organization often involves consolidating diverse data to gain visibility.

Graylog’s centralized log management solution enables you to collect, aggregate, and correlate log data across your complex environment. Our intuitive interface empowers users of all skill levels to actively protect sensitive data. With Graylog’s security analytics, you gain the situational awareness needed, and our dashboards provide at-a-glance insights to monitor and mitigate risks proactively.


About DT Asia

DT Asia began in 2007 with a clear mission to build the market entry for various pioneering IT security solutions from the US, Europe and Israel.

Today, DT Asia is a regional, value-added distributor of cybersecurity solutions providing cutting-edge technologies to key government organisations and top private sector clients including global banks and Fortune 500 companies. We have offices and partners around the Asia Pacific to better understand the markets and deliver localised solutions.


How we help

If you need to know more about Security Awareness and Log Management for Security Analysts, you’re in the right place: we’re here to help! DTA is Graylog’s distributor, especially in Singapore and Asia. Our technicians have deep experience with the product and the relevant technologies, so you can always trust us. We provide turnkey solutions for this product, including consultation, deployment, and maintenance services.

To learn more, visit: https://dtasiagroup.com/graylog/