How Criminals Attack & SIEM Defends
Oct. 6, 2024
Imagine your computer and all the devices you use are like a house. Just like you lock your doors and windows to keep burglars out, we use special tools to protect our computers from villains who want to steal information or cause trouble. One of these tools is called MITRE ATT&CK, and another powerful tool we use is SIEM.
What is MITRE ATT&CK?
The MITRE ATT&CK framework provides a detailed catalog of tactics and techniques used by cyber adversaries. It's like an encyclopedia of cyber villainy. It catalogs all the different tactics and techniques that cybercriminals use to break into computer systems and what they do once they’re inside. This knowledge helps us understand their tricks and develop strategies to stop them.
How Villains Break In
Here are some common tricks they use:
- Phishing: They send fake emails that look legitimate to trick you into giving them your password. For example, you might receive an email that looks like it’s from your bank, asking you to verify your account details.
- Drive-by Compromise: They plant malicious code on legitimate websites. When you visit these sites, your computer gets infected without you even knowing. For instance, simply clicking on a compromised advertisement can download malware onto your device.
What They Do Once They’re Inside
Once they gain access, they try to stay hidden and cause trouble. Here are some things they might do:
- PowerShell: They use PowerShell, a powerful scripting language, to execute commands and control your computer without your knowledge. For example, they might use PowerShell scripts to download additional malware or steal data.
- Registry Run Keys: They modify the Windows Registry to ensure their malicious programs start every time you turn on your computer. This persistence technique helps them maintain control over the system even after reboots.
- Command and Script Interpreter: Cyber adversaries use command-line interfaces and scripting languages to execute arbitrary commands on your system.
- Scheduled Task/Job: They schedule tasks to execute malicious code at specific times or intervals, ensuring continued access.
How SIEM Protects Your Data
Security Information and Event Management (SIEM) systems can play a crucial role in protecting against cyber threats like those mentioned above. At STACK Cybersecurity, we use the SIEM from Todyl because we think it’s the best on the market. Here’s how SIEM works:
- Real-Time Monitoring: SIEM watches for unusual activity on your computer, like someone trying to get in without permission. It uses advanced technology to detect threats quickly.
- Automated Reporting: It keeps track of everything and makes reports to ensure everything is safe and secure. This helps us at STACK understand what happened and how to fix it.
- Advanced Threat Detection: SIEM uses smart technology to recognize and stop threats before they can cause harm. It even uses frameworks like MITRE ATT&CK to stay ahead of the villains.
- Correlation of Events: SIEM correlates data from various sources to identify patterns that may indicate a cyberattack. For example, it can link multiple failed login attempts with unusual network traffic to detect a brute force attack.
- Anomaly Detection: By establishing a baseline of normal behavior, SIEM can detect anomalies that deviate from the norm, such as unusual login times or access to sensitive files.
- Compliance and Security: It helps meet security rules and regulations, to protect your data and secure your systems.
- Audit Trails: SIEM maintains comprehensive audit trails that can be used for forensic analysis and compliance reporting.
Examples of SIEM in Action
- Detecting Phishing Attacks: SIEM can identify phishing attempts by analyzing email logs and detecting patterns associated with phishing campaigns.
- Mitigating Ransomware: By monitoring for unusual file access patterns and rapid encryption activities, SIEM can detect and respond to ransomware attacks early.
- Preventing Data Exfiltration: SIEM can detect data exfiltration attempts by monitoring for large data transfers to external destinations.
By leveraging these capabilities, SIEM provides a comprehensive defense against a wide range of cyber threats, helping organizations detect, respond to, and mitigate attacks effectively.