This Activate method is used to track attackers and target systems, their state, and their progression through the attack life cycle. It consists of a set of rules that update the attacker and target threat scores, their progression through the phases, and the frequency of indicators and warnings observed for each phase. All of this information is tracked in a set of active lists whose entries carry different TTLs, so a host that stops producing indicators for a phase ages out of that phase's list.
For this to work efficiently, indicators and warnings must be categorized in advance. For example, an IDS event reporting shellcode over the wire is tagged with Category Custom Format Field = "/Attack Life Cycle/Delivery". The rules look for these category values and populate the attacker and target information in the appropriate lists, together with the threat score tracking information.
The Attack Life Cycle lists are very straightforward. There is one list for each phase of the attack life cycle, and the rules for getting attackers and targets into the lists follow a few simple laws:
Attack Life Cycle
- Attackers and targets can live in multiple lists at the same time
- Only Activate rules will populate the lists
- The Category Custom Format Field value is used to move data into the appropriate list
- All content is stored under:
/All/ArcSight Activate/Use Cases/Threat Tracking/Attack Life Cycle/System Perspective/
| List | Description |
|---|---|
| Phase 1 Reconnaissance | Tracks attackers and targets involved in research and identification of targets. If the attacker's target can be derived from the event or analysis, the target is tracked as well. Typically these indicators and warnings are found by monitoring NIDS, HIPS, firewall ACLs, and web analytics. |
| Phase 2 Weaponization | Weaponization is not normally 'viewable', because the attacker creates the weaponized package on systems we do not control. This category is used for file analysis tools that detect known IOCs (Mandiant, STIX, Tripwire). |
| Phase 3 Delivery | Indicators and warnings that intercept the transmission of executable code to a target. NIDS, HIPS, proxies, and in-line AV are sources capable of detecting these events. |
| Phase 4 Exploitation | Execution of the attacker's code. This list tracks when code is executed, either by the user or by exploiting a particular vulnerability. Indicators and warnings are detected at the OS/HIDS level (SRP, ASLR, DEP). |
| Phase 5 Installation | Installation of remote access code. This can be detected at the OS, HIDS, or AV level. |
| Phase 6 C2 | Tracks attackers and hosts that display beaconing characteristics. These are often detected by NIDS, firewall ACLs, honeypots, and DNS, and detection can be enriched with external intel data. |
| Phase 7 Objectives | Post-compromise ("pwnage") activities: data exfiltration, corruption, destruction, and pivots. |
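To make the list mechanics concrete, here is an added stand-alone Python model of the rule logic described above: events tagged with "/Attack Life Cycle/<phase>" move the attacker and target into a per-phase list, entries expire on a per-phase TTL, a threat score accumulates per host, and progression is read back as the ordered set of phases a host currently appears in. This is illustration code written for this page, not ArcSight Activate content or rule syntax; the event field name `categoryCustomFormatString`, the per-phase score weights, the TTL values and the sample events are all assumptions constructed for the example.

```python
"""Toy model of attack-life-cycle list tracking (example code, not ArcSight content)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Phase order from the post; score weights and TTLs below are assumptions.
PHASES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "C2", "Objectives"]
PHASE_SCORE = {p: 10 * (i + 1) for i, p in enumerate(PHASES)}      # assumed: later phase = higher weight
PHASE_TTL = {p: timedelta(hours=1 if p == "Reconnaissance" else 24)  # assumed: recon ages out fastest
             for p in PHASES}
CATEGORY_PREFIX = "/Attack Life Cycle/"


def phase_from_category(category: Optional[str]) -> Optional[str]:
    """Map the category custom format value to a phase name, or None if the event is untagged."""
    if not category or not category.startswith(CATEGORY_PREFIX):
        return None
    phase = category[len(CATEGORY_PREFIX):].strip("/")
    return phase if phase in PHASES else None


@dataclass
class Entry:
    first_seen: datetime
    last_seen: datetime
    count: int = 1  # indicator/warning frequency for this host in this phase


@dataclass
class Tracker:
    # lists[phase][role][address] -> Entry, role is "attacker" or "target"
    lists: Dict[str, Dict[str, Dict[str, Entry]]] = field(
        default_factory=lambda: {p: {"attacker": {}, "target": {}} for p in PHASES})
    scores: Dict[str, int] = field(default_factory=dict)  # cumulative threat score per host

    def _touch(self, phase: str, role: str, addr: str, now: datetime) -> None:
        ent = self.lists[phase][role].get(addr)
        if ent is None:
            self.lists[phase][role][addr] = Entry(now, now)
        else:
            ent.last_seen = now
            ent.count += 1
        self.scores[addr] = self.scores.get(addr, 0) + PHASE_SCORE[phase]

    def expire(self, now: datetime) -> None:
        """Drop entries whose last sighting is older than the phase's TTL."""
        for phase, roles in self.lists.items():
            for entries in roles.values():
                stale = [a for a, e in entries.items() if now - e.last_seen > PHASE_TTL[phase]]
                for addr in stale:
                    del entries[addr]

    def process(self, event: dict) -> Optional[str]:
        """Apply the rule to one event; returns the phase it landed in, or None if ignored."""
        phase = phase_from_category(event.get("categoryCustomFormatString"))  # assumed field name
        if phase is None:
            return None  # only tagged events move hosts into the lists
        now = event["time"]
        self.expire(now)
        if event.get("attacker"):
            self._touch(phase, "attacker", event["attacker"], now)
        if event.get("target"):
            self._touch(phase, "target", event["target"], now)
        return phase

    def progression(self, addr: str) -> List[str]:
        """Phases in which addr currently appears (as attacker or target), in life-cycle order."""
        return [p for p in PHASES
                if addr in self.lists[p]["attacker"] or addr in self.lists[p]["target"]]


# Constructed sample events: recon, two delivery hits, one untagged firewall event, then beaconing.
T0 = datetime(2024, 1, 1, 8, 0)
SAMPLE_EVENTS = [
    {"time": T0, "categoryCustomFormatString": "/Attack Life Cycle/Reconnaissance",
     "attacker": "203.0.113.7", "target": "10.0.0.5"},
    {"time": T0 + timedelta(minutes=20), "categoryCustomFormatString": "/Attack Life Cycle/Delivery",
     "attacker": "203.0.113.7", "target": "10.0.0.5"},
    {"time": T0 + timedelta(minutes=25), "categoryCustomFormatString": "/Attack Life Cycle/Delivery",
     "attacker": "203.0.113.7", "target": "10.0.0.5"},
    {"time": T0 + timedelta(minutes=40), "categoryCustomFormatString": "/Firewall/Access/Permit",
     "attacker": "198.51.100.9", "target": "10.0.0.5"},
    {"time": T0 + timedelta(hours=3), "categoryCustomFormatString": "/Attack Life Cycle/C2",
     "attacker": "10.0.0.5", "target": "203.0.113.7"},
]


def run_sample() -> Tracker:
    tracker = Tracker()
    for ev in SAMPLE_EVENTS:
        tracker.process(ev)
    return tracker


if __name__ == "__main__":
    t = run_sample()
    for host in ("10.0.0.5", "203.0.113.7"):
        print(host, t.progression(host), t.scores[host])
```

Running the sample shows the two points the list design relies on: the untagged firewall event never enters a list, and by the time the C2 beacon arrives three hours later the reconnaissance entries have aged out under their one-hour TTL, so 10.0.0.5 reads as Delivery then C2 rather than carrying stale recon state forward.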