In the first phase of architecting the SOC, we covered a basic understanding of attacks and the steps needed to break the attack chain. Let’s move on to the next phases of the SOC and to advanced-level protection of the organization.
In the early years, when we said ‘virus’ we meant an ‘exe’ file that threw some pop-ups. Most of those viruses were written by script kiddies and did little damage to a PC. Modern malware is not written by script kiddies: it is developed by organised groups for profit, and there is a motive and an agenda behind every piece of malware created.
The older malware families were grouped as virus/ worm/ PUP/ Spyware/ Adware/ Polymorphic Virus/ FakeAV/ Screensaver Virus. These had little impact and no business motive behind them. Today’s malware landscape is far larger and wider, with unique coding styles: modern malware has built-in capabilities to download further malicious code, exfiltrate data, communicate with external servers, erase data, encrypt files and much more. It is created with an agenda, a modus operandi and a financial motive.
The modern-day malware families include Trojans/ Rootkits/ Bots/ Botnets/ POS Malware/ ATM Malware/ Ransomware/ Cryptomining Malware/ Spybots/ Wipers/ CnC Trojans/ Exploit Kits/ Browser Hijackers/ Credential Stealers/ RATs/ WMI Backdoors/ Skeleton Key/ Keyloggers, etc.
So a basic understanding of modern threats is necessary for every SOC team, and understanding threat profiles is even more important in SOC monitoring. The SOC should know what it is dealing with: it should understand the behaviour, be able to tell one pattern from another, know the variants released by the hacker community, and know how to handle them without disruption. Threat profiles are the types of malware, scripts, abused vulnerable applications, and network and Windows artifacts used by the cyber criminal (threat actor) to accomplish their attack on your organization.
These capabilities can be classified using the tactic categories of the MITRE ATT&CK framework:
1.) Initial Access – Techniques attackers use to gain an initial foothold within a network.
2.) Execution – Execution of adversary/attacker-controlled code on a local or remote system. This tactic is often used in conjunction with initial access as the means of executing code once access is obtained, and lateral movement to expand access to remote systems on a network.
3.) Persistence – Persistence is any access, action, or configuration change to a system that gives an adversary a persistent presence on that system. Adversaries will often need to maintain access to systems through interruptions such as system restarts, loss of credentials, or other failures that would require a remote access tool to restart or alternate backdoor for them to regain access.
4.) Privilege Escalation – Privilege escalation is the result of actions that allow an adversary to obtain a higher level of permissions on a system or network. Certain tools or actions require a higher level of privilege to work and are likely necessary at many points throughout an operation. Adversaries can enter a system with unprivileged access and must take advantage of a system weakness to obtain local administrator or SYSTEM/root level privileges.
5.) Defense Evasion – Defense evasion consists of techniques an adversary may use to evade detection or avoid other defenses. Sometimes these actions are the same as or variations of techniques in other categories that have the added benefit of subverting a particular defense or mitigation.
6.) Credential Access – Credential access represents techniques resulting in access to or control over system, domain, or service credentials that are used within an enterprise environment. Adversaries will likely attempt to obtain legitimate credentials from users or administrator accounts (local system administrator or domain users with administrator access) to use within the network.
7.) Discovery – Discovery consists of techniques that allow the adversary to gain knowledge about the system and internal network. When adversaries gain access to a new system, they must orient themselves to what they now have control of and what benefits operating from that system give to their current objective or overall goals during the intrusion.
8.) Lateral Movement – Lateral movement consists of techniques that enable an adversary to access and control remote systems on a network and could, but does not necessarily, include execution of tools on remote systems. The lateral movement techniques could allow an adversary to gather information from a system without needing additional tools, such as a remote access tool.
9.) Collection – Collection consists of techniques used to identify and gather information, such as sensitive files, from a target network prior to exfiltration. This category also covers locations on a system or network where the adversary may look for information to exfiltrate.
10.) Exfiltration – Exfiltration refers to techniques and attributes that result in, or aid, the adversary removing files and information from a target network, typically over the command and control channel or an alternate channel.
11.) Command and Control – The command and control tactic represents how adversaries communicate with systems under their control within a target network. There are many ways an adversary can establish command and control with various levels of covertness, depending on system configuration and network topology. Due to the wide degree of variation available to the adversary at the network level, only the most common factors were used to describe the differences in command and control.
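The eleven categories above are only useful to a SOC if observed events are actually mapped onto them, because a single host that shows several tactics in chain order is a far stronger signal than any one alert. The following is an added example, not code from the original post: it parses a handful of constructed endpoint events (the log format, hostnames, paths and addresses are all invented for this illustration), tags each event with a tactic using a few illustrative rules (the rule names and predicates are assumptions, not a vetted rule set), builds a per-host threat profile, and ranks hosts by how much of the chain they exhibit.

```python
"""Map constructed endpoint events onto the tactic categories listed above and
rank hosts by how much of the attack chain they exhibit (added example)."""
import re
from collections import defaultdict

# Tactic order as listed above; the index is the position in the chain.
TACTICS = [
    "Initial Access", "Execution", "Persistence", "Privilege Escalation",
    "Defense Evasion", "Credential Access", "Discovery", "Lateral Movement",
    "Collection", "Exfiltration", "Command and Control",
]

# Constructed event format (an assumption of this example, not a real product's):
#   <timestamp> <host> <event_type> key=value key="quoted value" ...
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """Split one log line into timestamp, host, event type and a field dict."""
    ts, host, etype, rest = line.split(" ", 3)
    fields = {k: v.strip('"') for k, v in _KV.findall(rest)}
    return {"ts": ts, "host": host, "type": etype, "fields": fields}

OFFICE = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe"}

def _f(ev, key):
    """Lower-cased field value, empty string if absent."""
    return ev["fields"].get(key, "").lower()

# Illustrative rules (hypothetical names): (rule name, tactic, predicate over a parsed event).
RULES = [
    ("office_app_spawns_shell", "Execution",
     lambda ev: ev["type"] == "process_create"
                and _f(ev, "parent") in OFFICE and _f(ev, "image") in SHELLS),
    ("run_key_autostart", "Persistence",
     lambda ev: ev["type"] == "registry_set"
                and "\\currentversion\\run\\" in _f(ev, "key")),
    ("lsass_handle_open", "Credential Access",
     lambda ev: ev["type"] == "process_access" and _f(ev, "target") == "lsass.exe"),
    ("domain_group_enumeration", "Discovery",
     lambda ev: ev["type"] == "process_create" and _f(ev, "image") == "net.exe"
                and " group " in _f(ev, "cmdline") and "/domain" in _f(ev, "cmdline")),
    ("psexec_service_install", "Lateral Movement",
     lambda ev: ev["type"] == "service_installed" and _f(ev, "name") == "psexesvc"),
    ("powershell_outbound_https", "Command and Control",
     lambda ev: ev["type"] == "network_connect"
                and _f(ev, "image") == "powershell.exe" and _f(ev, "dst_port") == "443"),
]

def classify(ev):
    """Return the (rule, tactic) pairs an event matches; one event may hit several rules."""
    return [(name, tactic) for name, tactic, pred in RULES if pred(ev)]

def build_profiles(lines):
    """host -> {tactic: [rule names]} built from every matching event."""
    profiles = defaultdict(lambda: defaultdict(list))
    for line in lines:
        ev = parse_event(line)
        for name, tactic in classify(ev):
            profiles[ev["host"]][tactic].append(name)
    return profiles

def triage(profiles, escalate_at=3):
    """Rank hosts by distinct tactics seen (chain order); flag those at or over the threshold."""
    ranked = []
    for host, tactics in profiles.items():
        chain = sorted(tactics, key=TACTICS.index)
        ranked.append((host, len(chain), chain, len(chain) >= escalate_at))
    ranked.sort(key=lambda r: (-r[1], r[0]))
    return ranked

# Constructed sample events for one morning; hosts, users, paths and addresses are made up.
SAMPLE_EVENTS = [
    '2019-03-01T09:12:01Z ws-017 process_create parent=WINWORD.EXE image=powershell.exe cmdline="powershell -nop -w hidden"',
    '2019-03-01T09:12:05Z ws-017 registry_set key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater value=C:\\Users\\bob\\AppData\\Roaming\\update.exe',
    '2019-03-01T09:13:40Z ws-017 network_connect image=powershell.exe dst=203.0.113.10 dst_port=443',
    '2019-03-01T09:20:11Z ws-017 process_access source=update.exe target=lsass.exe access=0x1010',
    "2019-03-01T09:25:02Z ws-017 process_create parent=cmd.exe image=net.exe cmdline=\"net group 'Domain Admins' /domain\"",
    '2019-03-01T09:31:55Z srv-fs01 service_installed name=PSEXESVC path=C:\\Windows\\PSEXESVC.exe',
    '2019-03-01T10:00:00Z ws-042 process_create parent=explorer.exe image=notepad.exe cmdline="notepad.exe"',
]

if __name__ == "__main__":
    for host, n, chain, escalate in triage(build_profiles(SAMPLE_EVENTS)):
        flag = "ESCALATE" if escalate else "monitor"
        print(f"{host}: {n} tactic(s) [{flag}] -> " + " > ".join(chain))
```

Run as-is it reports ws-017 with five distinct tactics (Execution through Command and Control) and flags it for escalation, srv-fs01 with a single Lateral Movement hit, and nothing for ws-042, whose Notepad launch matched no rule. The design point is that the escalation decision is made on tactic coverage per host rather than on any one rule firing, which is exactly what the tactic taxonomy buys a SOC.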
Let’s look at the malware variants that cause the most noise as attack vectors. This list is not complete, just a sample of the variants released.
Why should I worry about the malware and their behaviors?
We should worry! Modern malware has specific ways to propagate and a more complex structure of commands, built to secure further footholds once inside. Every piece of malware you face is not solely the responsibility of your organization’s AV team; it is the core responsibility of the SOC to understand its behaviour and the capabilities it possesses to intrude into your network. Malware rarely acts alone; in most instances several components work together to get the job done.