On August 27th, 2022, I had the amazing opportunity to attend my first cyber security conference, Blue Team Con. I learned so much and my perspective on defensive security has changed. I will explain how I think SOC Analysts can change the landscape of defensive security and how to think two steps ahead of our adversaries.
I firmly believe every analyst, whether L1, L2, or L3, should try to adopt the mindset of a CISO. By this I mean: identify where the crucial data and systems are for the organization and work outwards from there. Defensive security is an infinite game. It is impossible to fix every vulnerability, and trying to do so wastes valuable time. Hypothetically speaking, if you knew an adversary was about to launch an attack on you, how would you prepare? Which vulnerabilities would you focus on? You most certainly would not spend time on vulnerabilities that pose no risk to your organization's critical data. A simple way to reason about this is the equation Risk = Threat x Vulnerability: a vulnerability with no realistic threat against it, or a threat with no exploitable vulnerability, yields little risk, and a vulnerability on a system that holds nothing critical yields little impact even if it is exploited.
Every analyst should gain hands-on experience emulating the offensive attacks they are defending against. Containment alone is not enough; we have to become proactive rather than reactive, and that starts with understanding the adversary. It is great that you know how to stop a MITM (Man-in-the-Middle) attack, but do you know how it actually works? Before an adversary launches an attack, they already have some understanding of what data they want, how they will get it, and the techniques and sub-techniques they will use to do so. How can you beat the enemy if you don't understand the enemy? Adversaries know how to exploit a vulnerability and bypass certain defenses because they know how those defenses work. If you know what is needed for an attack to succeed, you can break that chain before it happens.
Take a ransomware campaign as an example. The adversary usually wants to hide their presence. How do they do this? Once they have breached the environment, they make configuration changes: clearing or disabling logs, changing the audit policy, turning off security tooling, or altering registry keys. On the defensive side, we can catch this by auditing configuration changes and alerting on them, including changes to the audit configuration itself and clearing of the event logs, and by forwarding logs off the host so that a cleared local log does not take the evidence with it.
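As an added example (not code from the original post), here is a small detector that runs over constructed Windows-style log records and flags the configuration changes a ransomware operator makes to hide their presence or impair defenses. The event IDs (1102, 4719, 4657, 4688, 7045) are real Windows Security/System log IDs; the ATT&CK technique mapping, the watched registry prefixes, the command-line patterns and the sample events are my own assumptions for the example. It goes slightly beyond the paragraph by also flagging shadow-copy deletion, since that is the other configuration change ransomware operators almost always make.

```python
import re

# Security/System log event IDs that mean someone touched the audit trail or a
# persistence point. The IDs are real Windows event IDs; the ATT&CK mapping in
# each entry is my own and is an assumption of this example.
TAMPER_EVENT_IDS = {
    1102: ("audit log cleared", "T1070.001"),
    4719: ("system audit policy changed", "T1562.002"),
    7045: ("new service installed", "T1543.003"),
}

# Registry paths whose modification (event 4657) is worth an alert on its own.
# A constructed watch list for the example; a real one would be longer.
WATCHED_REGISTRY_PREFIXES = (
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender",
    r"HKLM\SYSTEM\CurrentControlSet\Services\EventLog",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)

# Process-creation (event 4688) command lines that change logging, defensive
# tooling or recovery configuration. Illustrative patterns, not a full rule set.
SUSPICIOUS_COMMANDS = [
    (re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I),
     "event log cleared with wevtutil", "T1070.001"),
    (re.compile(r"\bauditpol(\.exe)?\s+/clear\b", re.I),
     "audit policy cleared with auditpol", "T1562.002"),
    (re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
     "volume shadow copies deleted", "T1490"),
    (re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true", re.I),
     "Defender real-time monitoring disabled", "T1562.001"),
]


def _alert(ev, description, technique):
    """Build one alert record from an event and the matched rule."""
    return {
        "host": ev.get("host"),
        "user": ev.get("user"),
        "event_id": ev.get("event_id"),
        "description": description,
        "technique": technique,
        "detail": ev.get("command_line") or ev.get("object_name") or "",
    }


def detect_tampering(events):
    """Return one alert dict per suspicious event, in input order."""
    alerts = []
    watched = tuple(p.upper() for p in WATCHED_REGISTRY_PREFIXES)
    for ev in events:
        eid = ev.get("event_id")
        if eid in TAMPER_EVENT_IDS:
            # The event itself is the signal: audit trail or service config changed.
            desc, tech = TAMPER_EVENT_IDS[eid]
            alerts.append(_alert(ev, desc, tech))
        elif eid == 4657:
            # Registry writes are noisy; only alert on keys that control
            # defenses, logging or autostart.
            if ev.get("object_name", "").upper().startswith(watched):
                alerts.append(_alert(ev, "watched registry key modified", "T1112"))
        elif eid == 4688:
            cmd = ev.get("command_line", "")
            for pattern, desc, tech in SUSPICIOUS_COMMANDS:
                if pattern.search(cmd):
                    alerts.append(_alert(ev, desc, tech))
                    break
    return alerts


# Constructed sample events, loosely modelled on Windows Security log fields.
# Not real telemetry.
SAMPLE_EVENTS = [
    {"event_id": 4688, "host": "ws01", "user": "alice",
     "command_line": r"C:\Windows\System32\notepad.exe"},
    {"event_id": 4688, "host": "ws01", "user": "svc_backup",
     "command_line": "vssadmin.exe delete shadows /all /quiet"},
    {"event_id": 4657, "host": "ws01", "user": "svc_backup",
     "object_name": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware"},
    {"event_id": 4657, "host": "ws01", "user": "alice",
     "object_name": r"HKCU\Software\Microsoft\Office\16.0\Word"},
    {"event_id": 4719, "host": "ws01", "user": "svc_backup"},
    {"event_id": 4688, "host": "ws01", "user": "svc_backup",
     "command_line": "wevtutil.exe cl Security"},
    {"event_id": 1102, "host": "ws01", "user": "svc_backup"},
]

if __name__ == "__main__":
    for a in detect_tampering(SAMPLE_EVENTS):
        print(f"[{a['technique']}] {a['host']} {a['user']}: {a['description']} {a['detail']}")
```

Two points in the design are worth noticing. First, the 1102 and 4719 events are the only reason the last two sample events are visible at all, which is why the audit policy itself has to be in scope of the auditing. Second, these records only help if they left the host before `wevtutil cl Security` ran, so the detector assumes the events were already forwarded to a collector; on the host alone, the clearing event is the last thing you would see.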
Lastly, I think every analyst should understand their tools. They should be the subject matter expert on each one and know how it works under the hood. We see this mindset in our adversaries: they don't just run a tool or execute a script. Often they modify it, or build their own tools and scripts, and go from there. I would argue that being subject matter experts is even more crucial for us.