SIEM security testing

Testing Your SIEM Against Real Threats

A Security Information and Event Management (SIEM) system gives an organization the visibility to identify and contain threats before they become an incident or an embarrassing headline. A SIEM gathers and analyses data from across a digital environment to detect, investigate, and respond to threats. But simply having a SIEM in place isn’t enough; you need to know it actually works when it counts. With a modern cyber range, you can simulate real-world attacks in a realistic, intelligent replica of your production environment to test and fine-tune your SIEM’s detection rules, validate your team’s response, and identify weaknesses and vulnerabilities before attackers do.

In this example, we look at how you can test your SIEM against a typical supply chain attack. 

Why Test Your SIEM in a Modern Cyber Range

You’ve invested in the best SIEM solution on the market, and your team knows their roles and responsibilities within it. So why test it in a cyber range?

Model the environment: Create an exact replica of your network architecture and security tech stack, ensuring that training is directly relevant to your production environment.

Emulate real threats: Run full, complex attack chains in a safe, controlled setting, allowing teams to practice and build muscle memory against real-life cyber threats without risking actual systems. 

Validate processes and tools: Test and refine your security team’s tools and incident response playbooks using real data and emulated attacks, confirming that the SIEM rules are tuned to spot the right threats and that your containment measures work.

Performance benchmarking: Assess the readiness of your Security Operations Centre by providing objective data on performance and highlighting any skill gaps.

Compliance drills: Stress-test cyber controls for adherence to any compliance reporting requirements.

Improve confidence: Instill confidence in your defenders by validating that your people, and not just your tools, are truly ready when an incident strikes.

Justify your investments: Get measurable performance data that supports the business case for security tools like a SIEM.

Your security team can have the highest-rated, most popular tools in its tech stack, but those tools need to be stress-tested and proven to reduce risk in your unique environment before you can be confident they will stand up in a real attack.

How Your SIEM Should Respond to a Threat

Effective incident response for a SIEM-detected threat typically follows a structured framework such as the PICERL or NIST models. A SIEM itself is crucial in the identification and the investigation phases. Let’s look at how a typical incident response lifecycle for a SIEM works when faced with the example of a supply chain attack and how to set up for success. In this example, based on SimSpace’s training materials, a malicious binary has been introduced to the system, compromising multiple workstations and a core server, ultimately leading to multiple data exfiltration attempts to a foreign server. 

1. Prepare: before an alert is even triggered, preparation is essential. You should have:

  • Created a baseline by establishing normal network activity and user behaviour within the SIEM to easily detect anomalies 
  • Clearly defined the roles, responsibilities, and procedures of the Computer Security Incident Response Team (CSIRT)
  • Ensured incident response playbooks are up to date and validated against real world scenarios

2. Identify and analyze: the SIEM aggregates and correlates data from various sources to detect suspicious activity and trigger an alert.

  • Immediately triage the SIEM alert to validate the threat, determine its severity, and escalate as necessary. 
  • Use the SIEM to investigate the full scope of the compromise, identify all affected hosts, and collect forensically sound evidence (logs, artifacts)

3. Contain: once you have the details of the incident, you want to stop it from spreading and causing further damage, such as data exfiltration. Speed is critical at this point.

  • Isolate the compromised systems; in this example you would isolate the affected server and workstations from the network to halt communication with the malicious server
  • Use network controls like firewalls to immediately block the malicious external IP address
  • Ensure short term containment by temporarily disabling the malicious binary across the affected endpoints

4. Eradicate: once contained, you can remove the threat completely from the environment.

  • Determine how the attack started with root cause analysis to ensure the entry point is secured
  • Remove any malicious files and artifacts from compromised systems
  • Mitigate any vulnerabilities by applying security patches, resetting compromised credentials, and altering firewall rules as needed to prevent recurrence.

5. Recovery and lessons learned: restore business operations and improve defenses against future attack attempts.

  • Restore affected systems from clean backups and ensure they are functioning correctly 
  • Post incident, conduct a detailed review to assess how effective the response was, identify any procedural gaps, and update training and SIEM detection rules. 

Putting it into Practice 

SimSpace’s attack catalogues allow you to test your ability to follow the above steps against real examples. Let’s take a look at the “Loan Shark” example:

To do this training you will need experience with a SIEM stack (Elastic or Splunk) and comfort with attack chain analysis. The challenge requires you to examine the artifacts of an intrusion and recreate the steps of the attack chain. You’ll use threat hunting skills to gather the basic facts about the compromise and answer a series of questions about the event. 

The situation: you are a network security analyst in charge of digital forensics and incident response. On 3 Sept 2020, the security team witnessed abnormal traffic leaving the internal network.

  1. First, find the name of the malicious binary that has been installed on the Windows workstations with administrator privileges (for example, evil.exe)
    • Examine processes affiliated with the administrator user that are not common to a Windows system
    • Once you limit possible options, take a look at each individual binary to discover which is likely malicious 
  2. Find out which workstations installed the compromised binary
  3. Find out the hostname of the server inside the internal network on which malware was installed
  4. Find out the IP address of the malicious external server that was exfiltrating data from the enterprise network – identify unusual aspects, for example if employees do not normally browse or connect to IPs outside the US or if the host on the enterprise network doesn’t normally communicate with the internet 
  5. Find the timestamps of the first and last connections from the internal server to the malicious server, and the total number of connection attempts made
  6. Find the name of the file that malware left behind on infected clients 
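As an added example (this is not SimSpace’s code and not the Loan Shark scenario’s real data), the script below walks the six questions above over a handful of constructed endpoint and network events, using plain Python in place of Elastic or Splunk searches. Every host name, user, IP address, timestamp and file name is made up, including the `evil.exe` placeholder the exercise itself suggests; the geographic check in step 4 is a lookup against your own enrichment source and is not attempted offline here.

```python
"""Threat-hunting queries over constructed endpoint and network telemetry.

Added example: the same logic a SIEM search would express over Sysmon/EDR
process events, flow/firewall logs and file-creation events. All data below
is constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
import ipaddress

# Address space the enterprise owns (constructed).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Images an administrator routinely launches on a workstation (constructed baseline).
ADMIN_BASELINE = {"explorer.exe", "cmd.exe", "powershell.exe", "svchost.exe", "mmc.exe"}

# Hosts that should never talk to the internet directly (constructed).
SERVERS = {"FS-01"}

# Constructed process-creation events: (host, user, image)
PROCESS_EVENTS = [
    ("WS-01", "CORP\\Administrator", "explorer.exe"),
    ("WS-01", "CORP\\Administrator", "evil.exe"),   # placeholder name from the exercise
    ("WS-02", "CORP\\Administrator", "cmd.exe"),
    ("WS-02", "CORP\\Administrator", "evil.exe"),
    ("WS-03", "CORP\\jdoe", "explorer.exe"),
    ("FS-01", "CORP\\Administrator", "evil.exe"),
    ("FS-01", "CORP\\Administrator", "svchost.exe"),
]

# Constructed network events: (timestamp, src_host, dst_ip, dst_port); 203.0.113.77 is a documentation address
NETWORK_EVENTS = [
    ("2020-09-03T08:12:05", "FS-01", "10.0.5.20", 445),
    ("2020-09-03T08:15:41", "FS-01", "203.0.113.77", 443),
    ("2020-09-03T09:02:13", "WS-03", "198.51.100.10", 443),
    ("2020-09-03T10:30:59", "FS-01", "203.0.113.77", 443),
    ("2020-09-03T12:47:22", "FS-01", "203.0.113.77", 443),
]

# Constructed file-creation events: (host, path)
FILE_EVENTS = [
    ("WS-01", r"C:\Users\Administrator\AppData\Local\Temp\hostinfo.dat"),
    ("WS-02", r"C:\Users\Administrator\AppData\Local\Temp\hostinfo.dat"),
    ("WS-03", r"C:\Users\jdoe\Documents\report.docx"),
]


def uncommon_admin_images(events, baseline=ADMIN_BASELINE):
    """Q1: images launched under an administrator account that are outside the baseline."""
    return sorted({img for _, user, img in events
                   if user.lower().endswith("administrator") and img.lower() not in baseline})


def hosts_running(events, image, servers=SERVERS):
    """Q2/Q3: hosts on which the image executed, split into (servers, workstations)."""
    hosts = {h for h, _, img in events if img.lower() == image.lower()}
    return sorted(hosts & servers), sorted(hosts - servers)


def is_external(ip):
    """True when the address is outside every enterprise-owned range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def suspicious_external_peers(net_events, servers=SERVERS):
    """Q4: external IPs contacted by hosts that should never reach the internet, with counts."""
    peers = defaultdict(int)
    for _, src, dst, _ in net_events:
        if src in servers and is_external(dst):
            peers[dst] += 1
    return dict(peers)


def connection_summary(net_events, src, dst):
    """Q5: (first, last, count) of connections from src to dst, or None if there were none."""
    stamps = sorted(datetime.fromisoformat(t) for t, s, d, _ in net_events if s == src and d == dst)
    if not stamps:
        return None
    return stamps[0].isoformat(), stamps[-1].isoformat(), len(stamps)


def shared_artifacts(file_events, infected_hosts):
    """Q6: file names written on every infected client and on no clean host."""
    by_name = defaultdict(set)
    for host, path in file_events:
        by_name[path.rsplit("\\", 1)[-1]].add(host)
    infected = set(infected_hosts)
    return sorted(n for n, hosts in by_name.items() if hosts >= infected and not (hosts - infected))


def hunt(process_events=PROCESS_EVENTS, net_events=NETWORK_EVENTS, file_events=FILE_EVENTS):
    """Run the six steps in order and return the answers as one dict."""
    binaries = uncommon_admin_images(process_events)
    binary = binaries[0] if binaries else None
    servers, workstations = hosts_running(process_events, binary) if binary else ([], [])
    peers = suspicious_external_peers(net_events)
    c2 = max(peers, key=peers.get) if peers else None
    return {
        "binary": binary,
        "workstations": workstations,
        "server": servers[0] if servers else None,
        "external_ip": c2,
        "connections": connection_summary(net_events, servers[0], c2) if servers and c2 else None,
        "artifacts": shared_artifacts(file_events, workstations),
    }


if __name__ == "__main__":
    for question, answer in hunt().items():
        print(f"{question}: {answer}")
```

The ordering matters: the binary name found in step 1 drives the host queries in steps 2 and 3, and the server found in step 3 is what narrows the network search in steps 4 and 5, so a wrong answer early on propagates. The external-peer check deliberately relies on an explicit list of owned ranges rather than on the `ipaddress` module’s `is_private` flag, which also covers documentation and test ranges and would hide the constructed address used here.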

Finally, with all this information, you have successfully identified the software your company purchased that was infected via its supply chain with malware coded to scrape machine and network data and send it to a Chinese IP address.

What Does Success Look Like?

Testing your tools, people, and processes means nothing if you can’t measure how effective they are and how they improve over time. The questions you need to ask yourself and your teams are:

  • Was there a swift and efficient response? Minimize the time to contain and eradicate the threat to reduce operational downtime.
  • Can operations continue as usual? Safeguard sensitive data and maintain essential business operations.
  • Are you in line with regulations? Validate and prove the effectiveness of security controls against regulations like FFIEC, SEC Disclosure Compliance, and DORA.
  • Have you minimized risk? Proactive and effective defense mitigates damage to customer trust.
  • Have you maintained data integrity? Ensure that sensitive customer and corporate data has not been compromised or exfiltrated, or if it was, accurately scope the breach. 

Test Your Team With SimSpace’s Attack Catalog 

SimSpace’s extensive collection of attack scenarios, from sophisticated APT activities to custom simulations, provides invaluable insights into attacker tactics, techniques, and procedures (TTPs). Bolster your incident response capabilities, understand adversary behavior, and prepare for specific threat actor campaigns. Each scenario includes detailed descriptions, complexity levels, and estimated attack durations to help you tailor your defense strategies. 

To see more attack scenarios like these available with SimSpace, check out our Attack Catalog.

SimSpace

For elite cybersecurity teams under siege in an AI-fueled threat landscape, SimSpace is the realistic, intelligent cyber range that strengthens teams, technologies, and processes to outsmart adversaries before the fight begins. To learn how SimSpace helps organizations graduate from individual to team and AI model training; test tools, tech stacks, and AI agents; and validate controls, processes, and agentic workflows, visit: http://www.SimSpace.com.
