Assessment and prioritization of your SOC feeds can help reduce cost & ensure quality

Effective breach detection and threat hunting in the SOC depends on collecting many logs and alerts from a wide variety of infrastructure and applications, including clients and servers, networks, email and clouds, and the wide variety of security solutions deployed in the enterprise. There are significant upfront costs to onboarding those logs onto the SIEM and ensuring those logs are available for detections. Critical questions that SOC Managers must answer include:


In recent weeks security professionals have been scouring their infrastructures, and the internet, for any HAFNIUM-related indicator of compromise, but this is all very retroactive work and tends to lead to more tedious effort when you don’t have the right detection framework in place.

Let’s recap the sequence of events that occurred with HAFNIUM and then discuss how this threat could have been easily detected in any Security Operations Center — without any prior knowledge of the threat.

Initial Access & Foothold

HAFNIUM, and other threat groups, utilized newly released Microsoft Exchange vulnerabilities affecting versions 2013, 2016, and 2019, to gain initial access…


SOC practitioners know that the threat landscape is as complex and fast-breaking as it has ever been, and that attackers are better funded than ever. The best thing we, as protectors, have going for us is therefore agility in our processes.

Specifically, this means the detection engineering process must be agile enough to respond to new attack patterns and to proactively prepare the SOC with correlated signals that are actually actionable. This is not unlike an agile development process in the world of software development, which is why monikers like ‘detection as code’ have emerged. …


The recent exposure of SolarWinds showed us how a determined adversary could leverage a trusted source in order to gain access to an organization. While there is still much to learn from SolarWinds, we should not ignore how other areas of trust could be used against an organization. One of these areas is how organizations blindly trust simple commands utilized to install and update package dependencies.

The Attack

Alex Birsan recently published an article on how he effectively leveraged package dependencies to execute code on remote machines and make his way into some of the biggest tech companies. In essence, by identifying…


Detecting the Exploitation of “Baron SamEdit” (CVE-2021-3156)

A heap-based buffer overflow vulnerability in sudo (CVE-2021-3156), dubbed “Baron SamEdit” and rated with a high CVSS score of 7.8, was recently discovered. Successful exploitation allows any unprivileged local user to escalate immediately to root without additional authentication, and it affects the following sudo versions:

This poses a serious threat to most organizations, especially those with a primarily Linux-based infrastructure, and detecting this kind of threat is critical. …


The cybersecurity world has been spinning with reports suggesting that APT29, Russia’s elite hacking intelligence arm, successfully infiltrated the software development lifecycle (SDLC) of SolarWinds, an IT management company, to distribute a malicious backdoor to over 18,000 of their customers. Impacted organizations include both public and private sectors, as well as entities that support critical infrastructure of the United States. The attack went undetected for months, and highlights one of the worst nightmares facing CISOs around the world — the supply chain compromise.

In an earlier series (How to Become a Mature SOC — Part…


Enterprise security operations centers (SOC) have existed for the sole purpose of detecting and responding to threats to an enterprise — external or insider. In the cybersecurity realm, the protectors have never been ahead of the adversaries, and more often than not, have fallen significantly behind and have struggled to recover from cyber attacks. The challenge centers around the efficacy and relevance of detection algorithms and methodologies. Everything is dependent on detection, and yet, many enterprises almost exclusively continue to treat the symptoms — e.g., alert volume/noise, triage/response automation etc. …


The traditional SOC is essentially controlled, in most cases, by a SIEM, e.g., Splunk. The language and inner workings of the SIEM are of paramount importance to the SOC team, and often, hiring decisions are made based on proficiency with the existing SIEM and other SOC tools. In other words, SOC teams are often forced to hire programmers rather than security professionals because of the dependencies with underlying SOC tools.

What if SOC professionals were given the capability to build detection logic without ever needing to write a single line of code? Wouldn’t SOC managers rather…


As a follow-up to the part 1 posting on this topic, and the XDR topic posted by our CTO, let’s discuss how we must reconcile the decentralization of security operations with the need for a unified view of the state of security and of the ways to secure the enterprise.

How do we deal with it?

As said before, we must embrace the next-gen cyber-security operations of an enterprise, which will be run by security domain experts rather than the traditional IT/developer persona. This certainly means the end of the traditional, central SIEM as we know it, and augmentation of…


The lifecycle of threat detection content involves not only landscape knowledge, threat analysis, prioritization, gathering the right data sets, parsing logs, writing threat detection logic, conforming to the required data models, testing, tuning and deploying, but also continuously monitoring the deployed content for performance and/or health-related issues. Each of these has a plethora of challenges, and it doesn’t end there. The deployed rules can produce a high volume of false positives, making triage on the incident response side of the house complex. Further, adversaries are constantly evolving, which requires constant upkeep of the deployed rules. Analysts may have to leverage…

Anvilogic

Anvilogic is a collaborative, no-code Automated Detection Engineering platform that helps SOC teams quickly deploy high-efficacy attack-pattern detection code.
