{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/detection/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["SharePoint"],"_cs_severities":["medium"],"_cs_tags":["soc","metrics","threat-hunting","detection"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe National Cyber Security Centre (NCSC) blog post highlights the detrimental effects of using inappropriate metrics to evaluate SOC performance. Focusing on easily quantifiable metrics like \u0026lsquo;number of tickets processed\u0026rsquo;, \u0026lsquo;time taken to close a ticket\u0026rsquo;, \u0026lsquo;number of detection rules written\u0026rsquo;, and \u0026lsquo;volume of logs collected\u0026rsquo; incentivizes analysts to optimize the metric rather than to detect threats. These perverse incentives lead to high false positive volumes, alert fatigue, and missed genuine incidents. The blog instead emphasizes metrics that reflect how quickly a SOC detects and responds to attacks (time to detect, TTD, and time to respond, TTR), measured by using red and purple teaming to simulate attacks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003eThis attack chain describes how an intrusion can progress undetected in a SOC that is managed against ineffective metrics.\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Foothold:\u003c/strong\u003e An attacker gains initial access via a vulnerability or credential compromise. 
This is not directly measured by common SOC metrics.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInternal Reconnaissance:\u003c/strong\u003e The attacker performs internal reconnaissance, such as searching SharePoint for stored passwords.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e The attacker uses the discovered credentials to move laterally within the network.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Access:\u003c/strong\u003e The attacker accesses sensitive data, potentially including intellectual property or personal information.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExfiltration Preparation:\u003c/strong\u003e The attacker stages the data for exfiltration, for example by compressing or encrypting it.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExfiltration:\u003c/strong\u003e The attacker exfiltrates the data to an external server.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e The attacker establishes persistence mechanisms to maintain access for future operations.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e The attacker achieves their objective, which could be data theft, system disruption, or financial gain. Because the SOC is not measured on time to detect (TTD) or time to respond (TTR), the breach goes unnoticed until significant damage is done.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe use of poor metrics can significantly increase dwell time, allowing attackers more time to achieve their objectives. Organizations may experience data breaches, financial losses, reputational damage, and regulatory fines. The NCSC observed SOCs with great potential rendered entirely ineffective through poor choice and application of metrics. 
If \u0026ldquo;time to close a ticket\u0026rdquo; is prioritized, analysts may quickly dismiss alerts as false positives, missing crucial indicators of a real attack.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eAdopt time to detect (TTD) and time to respond (TTR) as the primary measures of SOC effectiveness, using red and purple team exercises to generate the measurements.\u003c/li\u003e\n\u003cli\u003ePrioritize hypothesis-led threat hunting to proactively identify potential threats and improve detection capabilities.\u003c/li\u003e\n\u003cli\u003eEstablish and maintain hard thresholds for false positive rates so that alert fatigue is kept down and analysts focus on genuine threats.\u003c/li\u003e\n\u003cli\u003eEvaluate and refine detection rules to maximize true positives and minimize false positives.\u003c/li\u003e\n\u003cli\u003eFocus on the value of collected logs rather than sheer volume, so that the data relevant to detection is the data that is actually available.\u003c/li\u003e\n\u003cli\u003eDevelop detection rules from an understanding of the attackers likely to target the organization and the techniques they use, such as those in the attack chain above.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T10:00:00Z","date_published":"2024-01-02T10:00:00Z","id":"/briefs/2024-01-02-soc-metrics/","summary":"Poorly chosen performance metrics can significantly impair a SOC's ability to detect and respond to threats, leading to ineffective security operations and potential compromise.","title":"Impact of Poor Security Operation Center (SOC) Metrics","url":"https://feed.craftedsignal.io/briefs/2024-01-02-soc-metrics/"}],"language":"en","title":"CraftedSignal Threat Feed — Detection","version":"https://jsonfeed.org/version/1.1"}
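The brief recommends measuring a SOC on TTD/TTR from red and purple team exercises and holding detection rules to a hard false positive threshold. The following is an added example of how a detection engineer might score both from exercise records and analyst dispositions; it is not code from the NCSC post or from the CraftedSignal brief. The record layout, the ATT&CK technique IDs, the rule names, the timestamps, the 50% threshold and the choice to measure TTR from first alert to containment are all constructed assumptions for illustration.

```python
"""Scoring a SOC on time to detect (TTD), time to respond (TTR) and per-rule
false positive rate from purple-team exercise records.

Added example; not code from the NCSC post or the CraftedSignal brief. The
record layout, rule names, technique IDs and timestamps are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed purple-team log: one row per technique the red team executed,
# with the timestamps at which the SOC first alerted on it and contained it.
# None means the SOC never alerted / never contained that action.
EXERCISES = [
    {"technique": "T1078",     "executed": "2024-01-08T09:00:00", "detected": "2024-01-08T09:14:00", "contained": "2024-01-08T10:05:00"},
    {"technique": "T1213.002", "executed": "2024-01-08T09:30:00", "detected": None,                  "contained": None},  # SharePoint password search, missed
    {"technique": "T1021.002", "executed": "2024-01-08T10:10:00", "detected": "2024-01-08T10:18:00", "contained": "2024-01-08T11:40:00"},
    {"technique": "T1560.001", "executed": "2024-01-08T11:00:00", "detected": "2024-01-08T13:00:00", "contained": "2024-01-08T13:45:00"},
    {"technique": "T1048.003", "executed": "2024-01-08T11:30:00", "detected": None,                  "contained": None},  # exfiltration, missed
]

# Constructed analyst dispositions of closed alerts, keyed by detection rule.
RULE_DISPOSITIONS = [
    ("lateral-smb-admin-share", "true_positive"),
    ("lateral-smb-admin-share", "true_positive"),
    ("lateral-smb-admin-share", "false_positive"),
    ("sharepoint-bulk-search", "false_positive"),
    ("sharepoint-bulk-search", "false_positive"),
    ("sharepoint-bulk-search", "false_positive"),
    ("sharepoint-bulk-search", "false_positive"),
    ("archive-creation-large", "true_positive"),
    ("archive-creation-large", "false_positive"),
    ("archive-creation-large", "false_positive"),
]

FP_RATE_THRESHOLD = 0.5  # hard ceiling on a rule's false positive share (assumed value)


def _minutes(start, end):
    """Elapsed minutes between two ISO-8601 timestamps, or None if either is missing."""
    if start is None or end is None:
        return None
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 60


def summarize_exercises(exercises):
    """Detection coverage plus median TTD and TTR over the techniques the SOC caught.

    TTD runs from the red team's action to the first alert; TTR from that alert
    to containment (a choice made here, not mandated by the brief). Missed
    techniques are reported separately rather than dropped silently, so a
    fast median cannot hide poor coverage.
    """
    ttd, ttr, missed = [], [], []
    for row in exercises:
        detect_minutes = _minutes(row["executed"], row["detected"])
        if detect_minutes is None:
            missed.append(row["technique"])
            continue
        ttd.append(detect_minutes)
        respond_minutes = _minutes(row["detected"], row["contained"])
        if respond_minutes is not None:
            ttr.append(respond_minutes)
    total = len(exercises)
    return {
        "techniques_exercised": total,
        "detection_coverage": (total - len(missed)) / total if total else 0.0,
        "median_ttd_minutes": median(ttd) if ttd else None,
        "median_ttr_minutes": median(ttr) if ttr else None,
        "missed_techniques": missed,
    }


def false_positive_rates(dispositions):
    """Share of closed alerts per rule that analysts marked as false positive."""
    counts = defaultdict(lambda: {"fp": 0, "total": 0})
    for rule, outcome in dispositions:
        counts[rule]["total"] += 1
        if outcome == "false_positive":
            counts[rule]["fp"] += 1
    return {rule: c["fp"] / c["total"] for rule, c in counts.items()}


def rules_breaching_threshold(dispositions, threshold=FP_RATE_THRESHOLD):
    """Rules whose false positive share exceeds the hard threshold, worst first."""
    rates = false_positive_rates(dispositions)
    return sorted((r for r, v in rates.items() if v > threshold), key=lambda r: -rates[r])


if __name__ == "__main__":
    print(summarize_exercises(EXERCISES))
    print(false_positive_rates(RULE_DISPOSITIONS))
    print(rules_breaching_threshold(RULE_DISPOSITIONS))
```

On the constructed data the SOC detects 3 of 5 techniques with a median TTD of 14 minutes, which looks healthy until the missed list shows that the SharePoint credential search and the exfiltration step, the two actions that matter most in the attack chain above, produced no alert at all. The rule report separately flags the SharePoint search rule at a 100% false positive share, which is the alert-fatigue condition the brief describes: the rule fires, analysts learn to close it quickly, and the real instance is closed with the rest.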