Defense - Resources
Defense Frameworks
- MITRE D3FEND A knowledge graph of cybersecurity countermeasures.
- NIST Cybersecurity Framework 2.0
Guides and best practices
Too many to list.
CISA
- NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations Discussed in the lectures.
- #StopRansomware Guide One-stop resource with best practices and ways to prevent, protect and/or respond to a ransomware attack.
- CISA Red Team Shares Key Findings to Improve Monitoring and Hardening of Networks List of mitigations suggested after an extremely interesting penetration exercise by CISA on a large critical infrastructure organization, with detailed attack steps (mapped to ATT&CK). Very worth reading: one can understand the depth, length and sophistication of such attacks.
Italy
- Misure minime di sicurezza ICT per le pubbliche amministrazioni (Minimum ICT security measures for public administrations) A practical reference for assessing and improving the cybersecurity level of public administrations, in order to counter the most frequent cyber threats (also known as the "misure minime AgID").
Major incidents: suggested mitigations
Many alerts and threat reports include a final list of suggested mitigations. These lists do not reference any standard or systematic framework (a complete mess). Just a couple of examples:
- APT Cyber Tools Targeting ICS/SCADA Devices.
- Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations.
- Midnight Blizzard: Guidance for responders on nation-state attack
SIEM / SOC / Log analysis
Machine Learning and AI
- Outside the Closed World: On Using Machine Learning For Network Intrusion Detection Everyone interested in "automatic detection of attacks" should read and understand this work before even starting. A lot of academic research and a lot of industrial products are based on the idea of detecting attacks by merely detecting anomalies, i.e., deviations from "normal" behavior (all the supposedly magic AI-based stuff is a variation of this basic idea). This 2010 paper (yes, 2010) explains why those approaches are unlikely to work or, more precisely, under which conditions they might work. It won the IEEE Security and Privacy "Test of Time" award, a very prestigious award given once a year "to 10-12 year old papers whose influence grew over time". Slides are available here.
- The Many Faces of Undetected macOS InfoStealers | KeySteal, Atomic & CherryPie Continue to Adapt Every major vendor is now "AI-powered" and "AI can detect novel and previously unseen malware and attacks". This post illustrates that this is not the case: a known malware family changes slightly, and that suffices to evade signatures (signatures? why signatures? everyone uses AI!). Interestingly, the post never mentions AI, not even once; maybe because it was written by technicians, not by marketing people.
SIEM/SOC
- 99% False Positives: A Qualitative Study of SOC Analysts' Perspectives on Security Alarms A scientific work whose title says it all. With slides and presentation video. 31st USENIX Security Symposium 2022.
- Global Security Operations Center Study Results by IBM and Morning Consult (2023). A survey that involved 1000 SOC Team Members from 10 different countries.
Log analysis
- Events to Monitor (Microsoft Active Directory) A table of the events that should be monitored as signs of compromise. For some event types even a single occurrence should be investigated; others should be investigated only when they occur at a rate significantly different from the expected baseline. Try to guess how many event types are in the table (spoiler: 381).
- Domain of Thrones: Part II The final section "Recommended Logging for Domain Compromises" contains a much smaller list of very few events to monitor (of course this list focuses on only some specific kinds of compromise).
- Domain of Thrones: Part I is also very interesting: it describes several domain persistence techniques in great detail with many examples, and also from a detection perspective:
- Credential Theft on the Domain Controller (DC)
- NTDS Access
- DCSync
- Golden Ticket
- Diamond Ticket
- Active Directory Certificate Services (AD CS)
- Applied Incident Response, a wonderful book by Steve Anson (full text available from the UniTrieste network).
- Have a look at chapter 8 "Event Log Analysis" and chapter 12 "Lateral Movement Analysis" to get an idea of the complexity of Windows logs. In particular, note how many different "low-level events" may be involved in such a seemingly simple "high-level event" as a logon.
- Chapter 7 "Network Security Monitoring" is also particularly interesting.
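To make two of the points above concrete (the "single occurrence vs. deviation from baseline" distinction in the Events to Monitor table, and the fact that one logon is really a correlation of several low-level Windows events spread across hosts), here is a small added example. It is not code from any of the resources listed on this page; the event IDs carry their standard Windows Security log meaning, but the sample events are constructed, and the choice of which IDs belong to the "single instance" and "baseline" sets is an assumption made for the example.

```python
"""Toy Windows Security-log triage (added example, not taken from any resource
listed on this page).  It demonstrates two points made in this section:

 1. some event IDs warrant a look on a single occurrence, others only when their
    rate departs from an observed baseline;
 2. a "logon" is not one record but a correlation of several low-level events,
    usually spread over more than one host.

The sample events are constructed for the example.  Event-ID meanings are the
standard Windows Security log ones; which IDs go in which set is an assumption
made here, not the page's table."""
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Investigate on a single occurrence (assumed selection of well-known high-criticality IDs).
SINGLE_INSTANCE_IDS = {
    1102: "Audit log cleared",
    4719: "System audit policy changed",
    4794: "DSRM administrator password set",
}
# Normal in volume; interesting only when the hourly rate departs from baseline.
BASELINE_IDS = {
    4625: "Failed logon",
    4768: "Kerberos TGT requested",
    4776: "NTLM credential validation",
}


def build_sample_events():
    """Constructed events as (hour, event_id, account, host) tuples."""
    ev = []
    for hour in range(6):                                     # hours 0-5: the baseline
        ev += [(hour, 4625, "bob", "WS02")] * (2 + hour % 2)  # 2,3,2,3,2,3 failed logons
        ev += [(hour, 4768, "alice", "DC01"),                 # TGT issued by the DC
               (hour, 4769, "alice", "DC01"),                 # service ticket issued by the DC
               (hour, 4624, "alice", "WS01")]                 # session created on the workstation
    # hour 6: a burst of failures, an NTLM-only logon and the audit log being cleared
    ev += [(6, 4625, "svc_backup", "WS02")] * 40
    ev += [(6, 4776, "admin", "DC01"), (6, 4624, "admin", "SRV01"), (6, 1102, "admin", "SRV01")]
    return ev


def single_instance_hits(events):
    """Every occurrence of a single-instance ID is a finding on its own."""
    return [(eid, acct, host, SINGLE_INSTANCE_IDS[eid])
            for (_, eid, acct, host) in events if eid in SINGLE_INSTANCE_IDS]


def hourly_counts(events, event_id):
    """Count of event_id per hour, with every hour present in the log (0 if absent)."""
    hours = sorted({h for h, *_ in events})
    c = Counter(h for h, eid, *_ in events if eid == event_id)
    return {h: c[h] for h in hours}


def baseline_anomalies(events, baseline_hours, z=3.0):
    """Flag (event_id, hour, count, baseline_mean) where count > mean + z*stdev.
    The standard deviation is floored at 1 so that a flat baseline (stdev 0)
    does not turn a single extra event into an alert."""
    hits = []
    for eid in BASELINE_IDS:
        counts = hourly_counts(events, eid)
        base = [counts.get(h, 0) for h in baseline_hours]
        mu, sigma = mean(base), max(pstdev(base), 1.0)
        for h, n in counts.items():
            if h not in baseline_hours and n > mu + z * sigma:
                hits.append((eid, h, n, mu))
    return hits


def reconstruct_logons(events):
    """Correlate per-account low-level events into a 'logon' with its auth path."""
    seen, hosts = defaultdict(set), defaultdict(set)
    for _, eid, acct, host in events:
        seen[acct].add(eid)
        hosts[acct].add(host)
    out = {}
    for acct, ids in seen.items():
        if 4624 not in ids:          # no session was created: not a logon
            continue
        if {4768, 4769} <= ids:      # TGT + service ticket on the DC, then 4624 on the target
            auth = "kerberos"
        elif 4776 in ids:            # NTLM validated by the DC, then 4624 on the target
            auth = "ntlm"
        else:
            auth = "unknown"
        out[acct] = {"auth": auth, "hosts": sorted(hosts[acct])}
    return out


if __name__ == "__main__":
    ev = build_sample_events()
    for hit in single_instance_hits(ev):
        print("single-instance:", hit)
    for hit in baseline_anomalies(ev, range(6)):
        print("rate anomaly:", hit)
    for acct, info in reconstruct_logons(ev).items():
        print("logon:", acct, info)
```

Run as-is it reports the cleared audit log as a finding on its own, the hour-6 burst of 4625 (40 against a baseline mean of 2.5) as a rate anomaly while the constant trickle of Kerberos events is ignored, and two logons: alice's, assembled from 4768 and 4769 on DC01 plus 4624 on WS01, and admin's NTLM-only logon. The point is that none of this is visible from any single event line, which is why chapter 12 of Anson's book needs as many pages as it does.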