Cyber Threat Monitoring

Enterprise360 Cyber Threat Monitoring

Detect cyber threats in their early stages. Investigate threat impact on your applications, infrastructure and network. Investigate the methods adversaries use to exploit vulnerabilities and loopholes in your applications, network and infrastructure. Respond to threats with evidence and confidence.

Network Threat Intelligence

Based on the MITRE ATT&CK rule framework. Detect, investigate and respond to threats across the entire cyber kill chain, from initial access all the way to exfiltration.

DDoS Attacks

Detect, investigate and respond to DDoS attacks. Detect and investigate volume-based, state-exhaustion and application-layer attacks.

Application Threats

Detect, investigate and respond to application-based threats resulting from outdated versions, insecure methods and known vulnerabilities.

Reputation Threats

Detect, investigate and respond to reputation threats. Using live threat intelligence feeds delivered over STIX/TAXII, detect communications with bad-reputation IP addresses, DNS hosts and URLs in the inbound or outbound direction on all your internet links.

Network Anomalies

Detect and investigate anomalous behaviour in the network: unusual connections, file transfers and application-protocol violations. Plug the anomalies before they become potential threats.

Enterprise360

Cyber Threat Monitoring – Key Advantages

Network Threats using MITRE rule framework

Reputation Threats using STIX/TAXII Feeds

DDoS Threats

External Threat Investigation

SIEM Integration

Passive Threat Detection

Network Threat Detection and Response

Passive threat detection in the network using the MITRE ATT&CK framework

Initial Access

Detect threats early in the lifecycle, while the adversary is still trying to get into your network.
Initial Access threats use a variety of entry vectors to gain an initial foothold within your network. Detect common techniques such as targeted spearphishing attacks. Investigate impacted hosts and users and contain the threats at a very early stage.

Execution/Persistence

Execution threats result in adversary-controlled code running on a local or remote system after the victim falls into the initial access trap. Detect common threats that run malicious code on your internal hosts and the techniques used to persist inside the compromised hosts. Investigate impacted hosts and users and contain the threats.

Defense Evasion

Defense evasion threats consist of techniques adversaries use to avoid detection throughout their compromise, such as obfuscating or encrypting data. Detect threats that evade the defenses on the network and investigate impacted hosts and users to contain the threats.

Credential Access

Credential access threats consist of techniques for stealing credentials such as account names and passwords in order to gain access to systems. These techniques can be used directly over the network or on compromised hosts where credentials are cached by various applications. Detect the most common credential access threats and techniques. Investigate compromised hosts and the methods used for a proper threat response.

Discovery

Discovery consists of techniques an adversary may use to gain knowledge about the system and internal network, and to explore it to reach services that store sensitive information. Detect the threats and techniques used for discovery and investigate compromised internal hosts for a proper threat response.

Lateral Movement

Lateral Movement threats consist of techniques adversaries use to enter and control remote systems on a network from hosts they have already compromised. Detect lateral movement threats and techniques. Investigate compromised hosts for a proper threat response.

Collection

Collection threats consist of data staging techniques adversaries may use to gather information from the critical sources where sensitive information is stored. Detect collection threats and the techniques used, and investigate compromised hosts and application services for a proper threat response.

Command & Control

Command and Control threats consist of techniques adversaries use to communicate with and control compromised internal enterprise systems from their own systems on the public internet, typically over concealed channels. Detect C&C threats and explore the techniques used to hide these connections inside common application services. Investigate compromised hosts for a proper threat response.

Exfiltration

Exfiltration threats consist of techniques adversaries use to steal data from your network, marking a compromise or data breach, which is the adversary's end goal. Detect exfiltration threats and the various techniques used to move collected data from inside your enterprise to the public internet over pre-established C&C connections. Investigate compromised hosts and application services for a proper threat response.

Network Threat Detection using the MITRE ATT&CK rule framework – Use Cases Per Stage

Initial Access: Spearphishing Attachment; Spearphishing Link

Execution: Compiled HTML File; Execution through API; Windows Remote Management

Persistence: External Remote Services; Port Knocking

Defense Evasion: Port Knocking

Credential Access: Account Manipulation; Brute Force; Credentials in Files; Credentials in Registry; Credentials from Web Browsers; Forced Authentication; Kerberoasting; Keychain; LLMNR/NBT-NS Poisoning and Relay; Private Keys

Discovery: Account Discovery; Network Service Scanning; Network Share Discovery; Remote System Discovery

Lateral Movement: Distributed Component Object Model; Exploitation of Remote Services; Pass the Hash; Pass the Ticket; Remote Desktop Protocol; Remote File Copy; Shared Webroot; Third-party Software

Collection: Automated Collection; Data From Network Shared Drive; Data Staged

Command and Control (C&C): Commonly Used Port; Connection Proxy; Custom C&C Protocol; Custom Cryptographic Protocol; Data Encoding; Data Obfuscation; Fallback Channels; Multi-hop Proxy

Exfiltration: Automated Exfiltration; Data Compressed; Data Encrypted; Data Transfer Size Limits; Exfiltration Over Alternative Protocol; Exfiltration Over Command and Control Channel; Exfiltration Over Other Network Medium; Scheduled Transfer

DDoS Threats

Volumetric Attacks

Detect the various types of volumetric DDoS attacks. Investigate each attack to understand its impact on your application services, infrastructure and network. Determine the source of the attack so it can be blocked on your firewall.

State Exhaustion Attacks

Detect the various types of state-exhaustion DDoS attacks. Investigate each attack to understand its impact on your application services, infrastructure and network. Determine the source of the attack so it can be blocked on your firewall.

Application Layer Attacks

Detect the various types of application-layer DDoS attacks. Investigate each attack to understand its impact on your application services, infrastructure and network. Determine the source of the attack so it can be blocked on your firewall.
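The three DDoS classes above are distinguished by different traffic signals: raw byte volume, half-open TCP connections, and request rate against a single application path. The following added example (not Enterprise360 code; the thresholds, the flow-record layout and the sample window are all assumptions constructed for illustration) classifies one window of flow records into those classes and reports the top sources per finding, which is what an operator needs for a firewall block:

```python
"""Classify one window of flow records into the three DDoS classes named above."""
from collections import Counter, defaultdict

# Assumed per-window thresholds (hypothetical; tune to the protected link/service).
VOLUME_BYTES = 20_000_000   # total bytes to one destination in the window
SYN_FLOWS = 100             # TCP flows that never completed the handshake
SYN_SOURCES = 50            # ...spread across at least this many sources
APP_REQUESTS = 200          # HTTP requests to a single path on one destination


def make_window():
    """Constructed flow records for a 10-second window; not captured traffic."""
    flows = []
    # 150 half-open TCP connections from 150 distinct sources: state exhaustion
    for i in range(150):
        flows.append({"src": f"203.0.113.{i + 1}", "dst": "10.0.0.80", "dport": 443,
                      "proto": "tcp", "syn_only": True, "bytes": 60, "path": None})
    # 40 large UDP flows from 8 sources (40 MB total): volumetric flood on DNS
    for i in range(40):
        flows.append({"src": f"198.51.100.{i % 8 + 1}", "dst": "10.0.0.53", "dport": 53,
                      "proto": "udp", "syn_only": False, "bytes": 1_000_000, "path": None})
    # 300 small HTTP requests from 3 sources to one expensive path: application layer
    for i in range(300):
        flows.append({"src": f"192.0.2.{i % 3 + 1}", "dst": "10.0.0.80", "dport": 80,
                      "proto": "tcp", "syn_only": False, "bytes": 600, "path": "/search"})
    # 20 ordinary completed sessions to a mail server: must not be flagged
    for i in range(20):
        flows.append({"src": f"192.0.2.{i + 10}", "dst": "10.0.0.25", "dport": 993,
                      "proto": "tcp", "syn_only": False, "bytes": 4_000, "path": None})
    return flows


def top_sources(flows, weight=lambda f: 1, n=3):
    """Rank sources by flow count (or by bytes when a weight is given); these are
    the addresses an operator would take to the firewall."""
    counts = Counter()
    for f in flows:
        counts[f["src"]] += weight(f)
    return [src for src, _ in counts.most_common(n)]


def classify_window(flows):
    """Return {destination: [(ddos_class, top_sources), ...]} for the window."""
    by_dst = defaultdict(list)
    for f in flows:
        by_dst[f["dst"]].append(f)

    findings = {}
    for dst, fl in by_dst.items():
        hits = []
        # Volumetric: raw byte volume toward one destination, regardless of protocol.
        if sum(f["bytes"] for f in fl) >= VOLUME_BYTES:
            hits.append(("volumetric", top_sources(fl, weight=lambda f: f["bytes"])))
        # State exhaustion: many SYN-only flows from many sources (half-open table fills).
        syn = [f for f in fl if f["proto"] == "tcp" and f["syn_only"]]
        if len(syn) >= SYN_FLOWS and len({f["src"] for f in syn}) >= SYN_SOURCES:
            hits.append(("state-exhaustion", top_sources(syn)))
        # Application layer: completed requests hammering one path at low bandwidth.
        per_path = Counter(f["path"] for f in fl if f["path"])
        for path, n in per_path.items():
            if n >= APP_REQUESTS:
                hits.append(("application-layer",
                             top_sources([f for f in fl if f["path"] == path])))
        if hits:
            findings[dst] = hits
    return findings


if __name__ == "__main__":
    for dst, hits in classify_window(make_window()).items():
        for kind, sources in hits:
            print(f"{dst}: {kind} (top sources: {', '.join(sources)})")
```

Note that the web server is flagged twice in the sample window (state exhaustion and application layer) while the DNS server is flagged only as volumetric; keeping the classes separate matters because the mitigation differs (upstream scrubbing or rate limits for volume, SYN cookies for state exhaustion, per-path request limits for the application layer).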

Reputation Threats

Using STIX/TAXII framework + Threat Intelligence Feeds

Bad Reputation IP

Detect any inbound or outbound Internet connection whose public IP address matches a bad-reputation entry in the live threat intelligence feed.
Investigate the internal host and application connection so that immediate action can be taken to block the communication on your firewall.

Bad Reputation URLs

Detect any outbound Internet connection from your internal enterprise network whose web URL matches a bad-reputation entry in the live threat intelligence feed.
Investigate the internal host and application connection so that immediate action can be taken to block the communication on your firewall.

Bad Reputation DNS hosts

Detect any outbound Internet connection from your internal enterprise network whose DNS hostname matches a bad-reputation entry in the live threat intelligence feed.
Investigate the internal host and application connection so that immediate action can be taken to block the communication on your firewall.
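The three reputation checks above (IP, URL and DNS hostname) share one mechanism: turn the feed's STIX indicator patterns into lookup tables, then match each connection that crosses the Internet edge against them. The following added example (not Enterprise360 code) does this end to end for all three indicator types; the indicator objects, the connection records, the placeholder indicator ids and the RFC 1918 definition of "internal" are constructed assumptions for illustration:

```python
"""Match connection records against indicators from a STIX/TAXII feed."""
import ipaddress
import re

# Constructed sample of STIX 2.1 indicator objects as a TAXII collection would
# return them; only `id` and `pattern` are used, and the ids are placeholders.
# Addresses are from the documentation ranges, not real infrastructure.
STIX_INDICATORS = [
    {"id": "indicator--aaaa", "pattern": "[ipv4-addr:value = '203.0.113.7']"},
    {"id": "indicator--bbbb", "pattern": "[domain-name:value = 'c2.example.net']"},
    {"id": "indicator--cccc", "pattern": "[url:value = 'http://c2.example.net/beacon']"},
    {"id": "indicator--dddd",
     "pattern": "[ipv4-addr:value = '198.51.100.9' OR ipv4-addr:value = '198.51.100.10']"},
]

# Constructed connection records (what a flow, proxy or DNS sensor would emit).
CONNECTIONS = [
    {"src": "10.0.0.5", "dst": "203.0.113.7", "host": "", "url": ""},
    {"src": "10.0.0.7", "dst": "192.0.2.40", "host": "c2.example.net",
     "url": "http://c2.example.net/beacon"},
    {"src": "198.51.100.10", "dst": "10.0.0.8", "host": "", "url": ""},
    {"src": "10.0.0.5", "dst": "10.0.0.9", "host": "", "url": ""},
    {"src": "10.0.0.5", "dst": "192.0.2.41", "host": "www.example.com", "url": ""},
]

# Assumed enterprise address space (RFC 1918). ipaddress.is_private is deliberately
# not used: it also treats the documentation ranges above as private.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Matches the simple equality comparisons used in the feed; an OR-joined pattern
# contributes every comparison it contains.
_COMPARISON = re.compile(r"(ipv4-addr|domain-name|url):value\s*=\s*'([^']+)'")


def parse_indicators(indicators):
    """Build {object_type: {value: indicator_id}} lookup tables from STIX patterns."""
    table = {"ipv4-addr": {}, "domain-name": {}, "url": {}}
    for ind in indicators:
        for obj_type, value in _COMPARISON.findall(ind["pattern"]):
            table[obj_type][value.lower()] = ind["id"]
    return table


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def direction(src, dst):
    """Which way the flow crosses the Internet edge, or 'internal'/'external'."""
    s, d = is_internal(src), is_internal(dst)
    if s and not d:
        return "outbound"
    if d and not s:
        return "inbound"
    return "internal" if s else "external"


def match_connections(records, table):
    """Return one hit per (record, matching indicator) for edge-crossing flows."""
    hits = []
    for rec in records:
        dirn = direction(rec["src"], rec["dst"])
        if dirn not in ("inbound", "outbound"):
            continue  # reputation feeds describe public infrastructure only
        public_ip = rec["dst"] if dirn == "outbound" else rec["src"]
        candidates = (("ipv4-addr", public_ip),
                      ("domain-name", rec.get("host", "")),
                      ("url", rec.get("url", "")))
        for obj_type, value in candidates:
            indicator = table[obj_type].get(value.lower()) if value else None
            if indicator:
                hits.append({"src": rec["src"], "dst": rec["dst"], "direction": dirn,
                             "type": obj_type, "value": value, "indicator": indicator})
    return hits


def find_reputation_hits():
    return match_connections(CONNECTIONS, parse_indicators(STIX_INDICATORS))


if __name__ == "__main__":
    for h in find_reputation_hits():
        print(f"{h['direction']:8} {h['src']} -> {h['dst']}  "
              f"{h['type']}={h['value']}  ({h['indicator']})")
```

Each hit carries the internal host, the direction and the indicator id, which is the evidence needed to investigate the host and to justify a firewall block. The second sample record produces two hits (hostname and URL) for one connection, so a real deployment would deduplicate per connection before alerting.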

Other Threats

Network Anomalies

Detect various classes of network anomalies that violate network, application or protocol standards. Anomalous behaviours and connections reveal unusual activity inside the enterprise network before it turns into a real threat. Investigate each anomalous connection with evidence to take appropriate action.

Application Threats

Detect applications running insecure versions, methods and algorithms in the network. Identify the servers running those applications so they can be upgraded to current, secured versions and not left exposed to known vulnerabilities. Proactively secure your applications and servers in the network.

Certificate Threats

Detect and investigate web servers and applications using untrusted, self-signed or expiring certificates. Keep tabs on expiring certificates on critical web servers and get alerted before they expire and cause service outages.
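The certificate conditions just listed (untrusted issuer, self-signed, expired, expiring soon) can all be evaluated from the metadata a TLS client already receives. The following added example (not Enterprise360 code) applies those checks to dictionaries shaped like Python's `ssl.SSLSocket.getpeercert()` output; the sample certificates, the trusted-issuer list, the 30-day warning window and the fixed reference date are constructed assumptions:

```python
"""Flag self-signed, untrusted, expired and soon-to-expire certificates."""
import ssl

# Constructed samples shaped like ssl.SSLSocket.getpeercert() output; no real hosts.
SAMPLE_CERTS = {
    "www.example.com": {
        "subject": ((("commonName", "www.example.com"),),),
        "issuer": ((("commonName", "Example Public CA"),),),
        "notAfter": "Feb 15 00:00:00 2025 GMT",
    },
    "intranet.example.local": {
        "subject": ((("commonName", "intranet.example.local"),),),
        "issuer": ((("commonName", "intranet.example.local"),),),
        "notAfter": "Dec 31 00:00:00 2030 GMT",
    },
    "old.example.com": {
        "subject": ((("commonName", "old.example.com"),),),
        "issuer": ((("commonName", "Example Public CA"),),),
        "notAfter": "Jan 20 00:00:00 2025 GMT",
    },
    "dev.example.com": {
        "subject": ((("commonName", "dev.example.com"),),),
        "issuer": ((("commonName", "Dev Team Private CA"),),),
        "notAfter": "Jun 30 00:00:00 2026 GMT",
    },
    "ok.example.com": {
        "subject": ((("commonName", "ok.example.com"),),),
        "issuer": ((("commonName", "Example Public CA"),),),
        "notAfter": "Jun 30 00:00:00 2026 GMT",
    },
}

# Assumed: issuers the organisation trusts. Trust-by-issuer-name is a monitoring
# shortcut; connection-time verification still relies on full chain validation.
TRUSTED_ISSUERS = {"Example Public CA"}
WARN_DAYS = 30
# Fixed reference time so the run is reproducible; use time.time() in production.
NOW = ssl.cert_time_to_seconds("Feb 01 00:00:00 2025 GMT")


def common_name(name):
    """Extract commonName from getpeercert()'s tuple-of-RDNs structure."""
    for rdn in name:
        for key, value in rdn:
            if key == "commonName":
                return value
    return ""


def classify_certificate(cert, now=NOW, warn_days=WARN_DAYS, trusted=TRUSTED_ISSUERS):
    """Return a list of (finding, detail) tuples; an empty list means nothing to report."""
    findings = []
    subject, issuer = common_name(cert["subject"]), common_name(cert["issuer"])
    if subject == issuer:
        findings.append(("self-signed", issuer))
    elif issuer not in trusted:
        findings.append(("untrusted-issuer", issuer))
    # Whole days until notAfter; negative once the certificate has expired.
    days_left = (ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400
    if days_left < 0:
        findings.append(("expired", -days_left))
    elif days_left <= warn_days:
        findings.append(("expiring", days_left))
    return findings


def scan_certificates(certs, now=NOW):
    """Run the checks over every monitored host and keep the findings per host."""
    return {host: classify_certificate(cert, now) for host, cert in certs.items()}


if __name__ == "__main__":
    for host, findings in scan_certificates(SAMPLE_CERTS).items():
        print(host, findings or "ok")
```

In a live monitor the `cert` dictionaries would come from `getpeercert()` on a verified connection (or from a passive TLS sensor), and the "expiring" finding is the one to route to an alert well before the notAfter date so that renewal happens before an outage.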