Uso di un socaas cover Giacomo Lanzi

Use cases of a SOCaaS for companies part 2

Estimated reading time: 5 minutes

In the previous article we have seen the most common use cases of a SOCaaS , explaining how it can be useful for companies to use this tool to prevent cyber attacks and also explaining which are the most common Threat Models .

In this article, however, we will take a closer look at some of the more common indicators of compromise (IOC). First we will briefly look at the malware threat models that the use of a SOCaaS can prevent and block. As it works, a SOCaaS can be very flexible and analyze a lot of data at the same time, thus providing in-depth and accurate results.

use of a socaas network

Malware Threat Models

It is important to know how to distinguish and classify the different types of malware to understand how they can infect systems and devices, the level of threat they represent and how to protect against them. We at SOD recommend adopting the use of a SOCaaS in order to be able to classify the entire range of malware or potentially unwanted objects. Malware is categorized based on the activity they perform on infected systems.

Wannacry Malware Detection

Thanks to this threat model it is possible to detect the behavior of the well-known malware Wannacry.
Wannacry malware is a
ransomware that attacks the system by encrypting files of particular importance to an organization in order to make them illegible.

Early detection of ransomware is probably the most effective action you can take to defend yourself. There are also services that are able to block the action of the malware and restore any files already encrypted with those of a backup, for example Acronis Cyber Protect Cloud .

Network anomaly followed by data infiltration

Identifies successful network data aggregation attempts, followed by signs of data infiltration. Below we see some of the anomalies and how the use of a SOCaaS can identify important clues to counter threats.

During a network scan you may notice enumerations of AD accounts and privileges, count of LDAP services outside the corporate network and a suspicious number of ticket requests to Kerberos protocol . In addition, other indicators can be a spike in LDAP traffic and the enumeration of SMB services.

As regards the anomalies of the network drive , the use of a SOCaaS is able to control access to the sharepoint in order to identify an unusual number of accesses to shared elements. This also in relation to users and their level of access.

In terms of Data Aggregation and data infiltration, the quantity of bytes downloaded from the server ports and via FTP protocols are monitored, as well as an unusual quantity of bytes transmitted to the external.

Petrwrap / Goldeneye / Amalware detection

This threat model aims to detect malware Petrwrap . The use of a SOCaaS can detect network scanning activity by monitoring the number of SMBv1 activities, as well as anomalies in these activities. Attempting to reach a never-before-reached host may also be an indicator.

Another way in which these threats can be detected with the use of SOCaaS is by auditing of suspicious privileged activity. For example, it is verified that there is no escaletion of privileges, unusual access to an admin zone or even tampering with log files.

Risk indicators in general

Risk indicators are metrics used to show that the organization is subject to or has a high probability of being subject to a risk.

These indicators are used to classify the type of behavior or threat for a policy and can be used in multiple policies for different functionality based on the data source. Risk indicators can be chained with threat models to identify sophisticated attacks across multiple data sources.

In essence, these are clues or alarm bells that indicate events that a company’s security operators should pay particular attention to. The use of a SOCaaS can help identify these clues by analyzing large amounts of data and logs in a short time.

Below is a non-exhaustive list of some of the most common threat indicators that are identifiable through the use of a SOCaaS. We will divide them into different areas, for clarity.

As for accounts, obviously, blocking an account is an alarm bell, as well as an unusual number of accounts created or a disproportionate number of failed authentication. Finally, the use of a SOCaaS could indicate an IOC as a suspicious number of accounts running concurrently .

Access

The anomalies concerning the access or in any case the account include the detection of access to the anomalous administrative sherepoint but also the loading times of the anomalous applications. Applications that use an unusual amount of memory may also be indicators of compromise.

As for accounts, obviously, blocking an account is an alarm bell, as well as an unusual number of accounts created or a disproportionate number of failed authentication. Finally, the use of a SOCaaS could indicate an IOC as a suspicious number of accounts running concurrently .

Use of a socaas cover

Networks

Network alarm bells are, of course, the most common. Since networks are like “roads” of a corporate infrastructure, it is normal that anomalous behaviors in these are particularly relevant.

Common indicators are abnormal DNS zone transfers or failed requests to the firewall. But also an abnormal number of running hosts or ICMP connections. Traffic in general is also controlled through the use of SOCaaS, so that any suspicious data movement is analyzed or otherwise verified. Examples of this are packet movements to critical ports, RDP, SSH, or connection attempts to a DHCP server. These events often indicate abnormal attempts to connect to objects or network shares.

Through the use of a SOCaaS it is also very simple to control the behavior of the accounts that often show alarm bells in themselves . For example, an account logging into a host for the first time, creating an account, or adding privileges.

Conclusions

Relying on luck to catch threats is madness , as demonstrated by SolarWinds attack .

Create your luck with our SOCaaS solution , making sure you spot threats before incidents happen and that you are “lucky” enough to counter them.

Contact us to find out how our services can strengthen your company’s defenses, we will be happy to answer any questions.

Useful links:

Share


RSS

More Articles…

Categories …

Tags

RSS darkreading

RSS Full Disclosure

  • Stored XSS with Filter Bypass - blogenginev3.3.8 December 19, 2024
    Posted by Andrey Stoykov on Dec 18# Exploit Title: Stored XSS with Filter Bypass - blogenginev3.3.8 # Date: 12/2024 # Exploit Author: Andrey Stoykov # Version: 3.3.8 # Tested on: Ubuntu 22.04 # Blog: https://msecureltd.blogspot.com/2024/12/friday-fun-pentest-series-16-stored-xss.html Stored XSS Filter Bypass #1: Steps to Reproduce: 1. Login as admin and go to "Content" > "Posts" 2. On […]
  • [SYSS-2024-085]: Broadcom CA Client Automation - Improper Privilege Management (CWE-269) December 19, 2024
    Posted by Matthias Deeg via Fulldisclosure on Dec 18Advisory ID: SYSS-2024-085 Product: CA Client Automation (CA DSM) Manufacturer: Broadcom Affected Version(s): 14.5.0.15 Tested Version(s): 14.5.0.15 Vulnerability Type: Improper Privilege Management (CWE-269) Risk Level: High Solution Status: Fixed Manufacturer Notification: 2024-10-18 Solution Date: 2024-12-17 Public Disclosure:...
  • [KIS-2024-07] GFI Kerio Control <= 9.4.5 Multiple HTTP Response Splitting Vulnerabilities December 17, 2024
    Posted by Egidio Romano on Dec 16--------------------------------------------------------------------------- GFI Kerio Control
  • RansomLordNG - anti-ransomware exploit tool December 17, 2024
    Posted by malvuln on Dec 16This next generation version dumps process memory of the targeted Malware prior to termination The process memory dump file MalDump.dmp varies in size and can be 50 MB plus RansomLord now intercepts and terminates ransomware from 54 different threat groups Adding GPCode, DarkRace, Snocry, Hydra and Sage to the ever […]
  • APPLE-SA-12-11-2024-9 Safari 18.2 December 12, 2024
    Posted by Apple Product Security via Fulldisclosure on Dec 12APPLE-SA-12-11-2024-9 Safari 18.2 Safari 18.2 addresses the following issues. Information about the security content is also available at https://support.apple.com/121846. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. Safari Available for: macOS Ventura and macOS Sonoma Impact: On a […]
  • APPLE-SA-12-11-2024-8 visionOS 2.2 December 12, 2024
    Posted by Apple Product Security via Fulldisclosure on Dec 12APPLE-SA-12-11-2024-8 visionOS 2.2 visionOS 2.2 addresses the following issues. Information about the security content is also available at https://support.apple.com/121845. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. Crash Reporter Available for: Apple Vision Pro Impact: An app may […]
  • APPLE-SA-12-11-2024-7 tvOS 18.2 December 12, 2024
    Posted by Apple Product Security via Fulldisclosure on Dec 12APPLE-SA-12-11-2024-7 tvOS 18.2 tvOS 18.2 addresses the following issues. Information about the security content is also available at https://support.apple.com/121844. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. AppleMobileFileIntegrity Available for: Apple TV HD and Apple TV 4K (all […]
  • APPLE-SA-12-11-2024-6 watchOS 11.2 December 12, 2024
    Posted by Apple Product Security via Fulldisclosure on Dec 12APPLE-SA-12-11-2024-6 watchOS 11.2 watchOS 11.2 addresses the following issues. Information about the security content is also available at https://support.apple.com/121843. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. AppleMobileFileIntegrity Available for: Apple Watch Series 6 and later Impact: A […]
  • APPLE-SA-12-11-2024-5 macOS Ventura 13.7.2 December 12, 2024
    Posted by Apple Product Security via Fulldisclosure on Dec 12APPLE-SA-12-11-2024-5 macOS Ventura 13.7.2 macOS Ventura 13.7.2 addresses the following issues. Information about the security content is also available at https://support.apple.com/121842. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. Apple Software Restore Available for: macOS Ventura Impact: An […]
  • APPLE-SA-12-11-2024-4 macOS Sonoma 14.7.2 December 12, 2024
    Posted by Apple Product Security via Fulldisclosure on Dec 12APPLE-SA-12-11-2024-4 macOS Sonoma 14.7.2 macOS Sonoma 14.7.2 addresses the following issues. Information about the security content is also available at https://support.apple.com/121840. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. Apple Software Restore Available for: macOS Sonoma Impact: An […]

Customers

Newsletter

{subscription_form_1}