The Pyramid of Pain [24] was created and described by David Bianco in 2013 and revised later in. The pyramid describes the types of indicators that may be used to detect threat activity and how much pain is caused (to the threat) when a Blue Team is able to deny the threat the ability to perform the actions that generate those IOCs. What does this mean in terms of a Red Team engagement? Red Teams generate artifacts during an engagement. A Red Team can use the concept of the Pyramid of Pain to measure where they fit on this chart during an assessment. In other words, how much pain is Blue causing Red.
When a Blue Team is measured against the actions of a threat instead of against how well they detect malware, configure their firewalls, or implement a password policy, they are measured against threat techniques. This includes known, unknown, and even zero-day attacks. Decomposing threats into their actions provides defenders a manageable way to understand the effectiveness of their defensive strategy. Blue Teams can become more effective and better protect against any threat instead of defending against a single piece of malware.
A Blue Team Perspective
Detection in Depth
Detection Engineering (the process of creating detection logic for attacker activity) is an often misunderstood discipline. It is common to see these “detections” labeled as good or bad, but detection logic isn’t inherently either. The misunderstanding tends to occur when someone’s expectations of specific logic don’t align with reality. To be successful in detection, it is important to build a detection mesh that combines precise indicators with low false-positive expectations (signatures) with broad indicators with low false-negative expectations (behavioral detections). I refer to this concept as Detection in Depth. This approach ensures that analysts can rely on high signal detection of known bad activity, while also expecting that the mesh will stand up to evasion attempts.
- Jared Atkinson, Microsoft MVP, @jaredcatkinson
Introducing the Funnel of Fidelity - https://posts.specterops.io/introducing-the-funnel-of-fidelity-b1bb59b04036
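The detection mesh described above, as an added illustration that is not from the book or from Jared Atkinson: a precise hash signature (bottom of the Pyramid of Pain) paired with a broad behavioral rule (an Office application spawning a shell, a TTP-level indicator). The process events and hash values are constructed placeholders; the second event shows the same technique after the file hash changes, which the signature misses but the behavioral layer still catches.

```python
# Added example (not the book's code): a minimal "detection in depth" mesh.
# A precise, low-false-positive signature (known file hash) is combined with a
# broad, low-false-negative behavioral rule (Office app spawning a shell).
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    parent: str   # parent process image name
    image: str    # child process image name
    sha256: str   # hash of the child image (placeholder values below)
    label: str    # human-readable tag for the constructed sample


# Precise indicator: a single known-bad hash (constructed placeholder).
KNOWN_BAD_HASHES = {"0000placeholder-known-bad-sample"}

# Broad indicator: Office applications do not normally launch shells.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}


def signature_match(ev: ProcessEvent) -> bool:
    """Hash layer: cheap to evade (recompile/repack), but high signal when it hits."""
    return ev.sha256 in KNOWN_BAD_HASHES


def behavior_match(ev: ProcessEvent) -> bool:
    """TTP layer: survives hash changes because it keys on the action itself."""
    return ev.parent.lower() in OFFICE_APPS and ev.image.lower() in SHELLS


def evaluate(events):
    """Return (label, [layers that fired]) for each event in the mesh."""
    results = []
    for ev in events:
        fired = [name for name, rule in (("signature", signature_match),
                                         ("behavior", behavior_match)) if rule(ev)]
        results.append((ev.label, fired))
    return results


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent("WINWORD.EXE", "powershell.exe", "0000placeholder-known-bad-sample", "known sample"),
    ProcessEvent("WINWORD.EXE", "cmd.exe", "ffffplaceholder-rehashed-variant", "rehashed variant"),
    ProcessEvent("explorer.exe", "cmd.exe", "1234placeholder-benign-shell", "benign shell"),
]

if __name__ == "__main__":
    for label, fired in evaluate(SAMPLE_EVENTS):
        print(f"{label:18s} -> {fired or 'no alert'}")
```

Measured against the pyramid, forcing the threat to change a hash costs it little, while forcing it to stop launching shells from Office changes how it must operate.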
What are some examples of defensible actions that would make a threat’s ability to operate difficult?