Red Team Development and Operations: A Practical Guide
Joe Vest and James Tubberville, Red Team Development and Operations
Pyramid of Pain
Security operations do not need a list of patches or misconfiguration flaws as the highlight of mitigations or recommendations. Yes, these should be included in the report. However, it is much more beneficial to provide security operations with a list of actions, processes, procedures, etc. that would make a threat's ability to operate (move, gather data, and cause impact) much more difficult. A great way to both describe and illustrate this concept is the Pyramid of Pain.

The Pyramid of Pain [24] was created and described by David Bianco in 2013 and revised later. The pyramid describes types of indicators that may be used to detect threat activities and how much pain will be caused (to the threat) if a Blue Team is able to deny a threat the ability to perform actions that generate those IOCs. What does this mean in terms of a Red Team engagement? Red Teams generate artifacts during an engagement. A Red Team can use the concept of the Pyramid of Pain to measure where they fit on this chart during an assessment. In other words, how much pain is Blue causing Red?
When a Blue Team is measured against the actions of a threat instead of against how well they detect malware, configure their firewalls, or implement a password policy, they are measured against threat techniques. This includes known, unknown, and even zero-day attacks. Decomposing threats into their actions provides defenders a manageable way to understand the effectiveness of their defensive strategy. Blue Teams can become more effective and better protect against any threat instead of defending against a single piece of malware.
A Blue Team Perspective
Detection in Depth
Detection Engineering (the process of creating detection logic for attacker activity) is an often misunderstood discipline. It is common to see these “detections” labeled as good or bad, but detection logic isn’t inherently either.
The misunderstanding tends to occur when someone’s expectations of specific logic don’t align with reality. To be successful in detection, it is important to build a detection mesh that combines precise indicators with low false-positive expectations (signatures) with broad indicators with low false-negative expectations (behavioral detections). I refer to this concept as Detection in Depth. This approach ensures that analysts can rely on high signal detection of known bad activity, while also expecting that the mesh will stand up to evasion attempts. - Jared Atkinson, Microsoft MVP, @jaredcatkinson
Introducing the Funnel of Fidelity - https://posts.specterops.io/introducing-the-funnel-of-fidelity-b1bb59b04036
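To make the two halves of that mesh concrete, here is an added Python example (not code from the book or from Jared Atkinson) that runs a precise hash signature beside a broad behavioural rule over four constructed process events and scores each rule against ground-truth labels; the `Event` type, the placeholder hash and the file paths are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    """One process-creation record (constructed sample, not real telemetry)."""
    host: str
    image: str          # full path of the executable
    sha256: str         # hash of the executable
    malicious: bool     # ground-truth label, used only to score the rules

# Hypothetical hash of a tool the Blue Team already has a signature for (placeholder value).
KNOWN_BAD_HASHES = {"0" * 64: "known-tool-v1"}

def signature_rule(ev: Event) -> bool:
    """Precise indicator (bottom of the pyramid): exact hash match. Low false-positive
    expectation, but any rebuild of the tool changes the hash and slips past it."""
    return ev.sha256 in KNOWN_BAD_HASHES

def behavioural_rule(ev: Event) -> bool:
    """Broad indicator (top of the pyramid): executable launched from a user-writable
    staging directory. Low false-negative expectation for that behaviour, but benign
    downloads trip it too, so its hits need analyst triage."""
    path = ev.image.lower().replace("/", "\\")
    return "\\temp\\" in path or "\\downloads\\" in path

RULES = {"signature": signature_rule, "behavioural": behavioural_rule}

def run_mesh(events):
    """Return {rule_name: [events it fired on]} for the whole mesh."""
    return {name: [ev for ev in events if rule(ev)] for name, rule in RULES.items()}

def score(events):
    """Per rule: true/false positives and false negatives against the labels."""
    out = {}
    for name, hits in run_mesh(events).items():
        hit = set(hits)
        out[name] = {"tp": sum(e.malicious and e in hit for e in events),
                     "fp": sum((not e.malicious) and e in hit for e in events),
                     "fn": sum(e.malicious and e not in hit for e in events)}
    return out

# Constructed events: the known tool, a rebuilt variant (new hash, same behaviour),
# a benign installer run from Downloads, and ordinary system activity.
SAMPLE_EVENTS = [
    Event("ws01", r"C:\Users\a\AppData\Local\Temp\tool.exe", "0" * 64, True),
    Event("ws02", r"C:\Users\b\AppData\Local\Temp\tool.exe", "1" * 64, True),
    Event("ws03", r"C:\Users\c\Downloads\setup.exe", "2" * 64, False),
    Event("ws04", r"C:\Windows\System32\svchost.exe", "3" * 64, False),
]
```

The signature alone misses the rebuilt variant and the behavioural rule alone flags the benign installer; together, every malicious event is caught and only one hit needs analyst review, which is the trade-off the quote describes.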
What are some examples of defensible actions that would make a threat’s ability to operate difficult?