A view from the SOC; maintaining detection capabilities during challenging times

The exponential growth in working from home as a result of COVID-19 has presented a number of challenges for SOC teams. 

By Tom Hawcutt

28 Apr 2020

With the exponential growth in working from home as a result of COVID-19, many organisations have scrambled to provision technologies that facilitate remote-working, in order to maintain business continuity. This rapid shift has undoubtedly led to some hastily-conceived infrastructure deployments, which may well have circumvented routine change-control processes and associated risk assessments.  Even for companies that already promoted home-working prior to the outbreak, typically, such solutions did not encompass the entirety of the workforce –both in terms of number of employees, and job role. 

For SOC (Security Operations Centre) teams, both in-house and managed service providers, this has presented a number of challenges. Based on our experience of monitoring a diverse range of businesses spanning multiple sectors, the Context team outline some questions your SOC should be asking your respective IT and infrastructure teams, and highlight some key areas on which detection efforts should be prioritised.

Understand the challenge you’re dealing with; talk to your technical teams! 

Understand the technologies in use at this moment in time; A well-performing SOC should have a comprehensive understanding of the environment being monitored as a matter of course. Now more than ever, keeping knowledge holdings up-to-date is vital. You want to know about any new software products or features that have been rolled out, and any additional servers that have been stood up to handle the increased workload of more employees working remotely. Once you’ve captured new information of relevance, ensure it is shared amongst analysts on the front line, and review your playbooks to ensure they are still valid.

Don’t forget policies and procedures too; if restrictions and red tape governing how people work have been lifted by organisations to aid productivity, this will influence the environmental norms just as much as the technologies in use. For instance, expect existing out-of-hours detection logic to become false-positive prone due to flexible working arrangements. Previous “red flags”, such as administrative activity originating off-premise, might now be null and void. If possible, get copies of key communications sent to the organisations employees, and examine how it will influence the effectiveness of your detection logic.

Recommend mitigations and controls; poor security hygiene and substandard configuration are very often contributing factors to serious cyber breaches. Just because solutions might have been deployed in a sub-optimal fashion to expedite the delivery of an operational capability, it doesn’t mean you shouldn’t try and fix weaknesses retrospectively once the dust has settled. Work with engineering teams and other stakeholders (including the SIRO) to put forward sound and achievable security recommendations. Strive to align to industry best practice where possible, but don’t veto tangible improvements in security posture whilst holding out for the perfect solution – be prepared to compromise – just make sure you understand the shortcomings. 

Pertinent areas where you should seek to prioritise visibility and detection

Authentication activity; most organisations will be utilising some form of Virtual Private Network (VPN) connectivity to provision corporate network access. Capturing and interrogating log data from VPN endpoints will enable you to identify anomalous login attempts, and less subtle activity such as brute force attacks or password spraying. Pay particular attention to authentication attempts originating from outside your geographies of business, as well as duplicate user sessions and activity during abnormal time periods. Utilising a well-configured SIEM toolset with UEBA will give you the best change of identifying atypical activity. 

Pay particular attention to topical phishing campaigns; phishing remains one of the most prevalent attack vectors for a multitude of threat actors, including both financially motivated organised crime groups and nation state adversaries. Threat actors are already seizing the opportunity to capitalise on the fear and uncertainty caused by Covid-19 itself, and the scope for abusing consequential communications relating to IT changes or business continuity is significant. Consider stepping up your efforts to identify malicious emails, focussing on keyword searches and analysis of web proxy logs to spot potential credential harvesting websites. Due to the variance and volume of both legitimate and malicious Covid-19 themed communication, some proactive analysis of data will be required. 

Externally facing infrastructure; irrespective of the current landscape, understanding the public-facing attack surface exposed to an attacker is important – it’s even more vital if remote access solutions and other web services have been opened up to the public internet in an expeditious manner. The first step is to run an external vulnerability scan against all public IP addresses associated with the organisation you’re protecting; the goal is to identify services that could be vulnerable to an unauthenticated threat actor, and the scope should include cloud service providers where relevant. Once you have an understanding of the number and nature of services exposed, determine what visibility you already have, paying particular attention to applications that are newly provisioned. For instance; consider whether any IDS / IPS systems are deployed in the correct place to flag exploit attempts against known vulnerabilities, and work out if you’re collecting data that would enable the identification of a large increase in outbound traffic, and attribute it to a specific user. 

Much of the above should be part and parcel for a SOC that is well aligned to the needs of the business; understanding the monitored environment and being aware of potential weaknesses are key elements to running an effective security monitoring program. However, in this time of heightened uncertainty and unprecedented period of change, now is not the time for a complacent SOC – level up, identify weak spots, and verify your detection rules and playbooks are still cogent. 

Subscribe for more Research like this

About Tom Hawcutt

Tom Hawcutt is a Senior Analyst in the Context Security Operations Team.

Find out more

Book a Meeting

CREST
CREST STAR
CHECK IT Health Check Service
CBEST
Cyber Essentials
CESG Certified Service
First - Improving Security Together
BSI ISO 9001 FS 581360
BSI ISO 27001 IS 553326
PCI - Approved Scanning Vendor