Expectation/Outcome for attribution / IR / logging
Use case
When we conduct red and purple team activities, one of the outcomes we are very interested in is whether or not specific attack techniques were discovered by the incident responders and whether or not they were captured in log files.
Let's say an attack chain has 10 techniques spanning initial access, execution, lateral movement... to exfiltration. When emulating an APT, it's likely that a detection will trigger only in the later stages of the exercise. So if a detection is fired by the data exfiltration, the responders need to investigate.
Just like a real breach, the most important things to find out will be: what did the attackers get to? Are they still in the environment somewhere? Did they leave behind any backdoors? How long were they in the environment for? And other similar questions.
We like to keep score of which attack techniques the responders were able to discover after the initial alert fires. "Attribution" might be a good name for this one, or even "Found in IR".
There's another layer of metric here too - which things are actually logged by a system, and are those logs ingested. We need to know that as it gives us metrics on observability - is it even possible to discover these things in IR, and is it even possible to write detection rules for them in the future?
For "purple team" exercises this process is a bit easier as the defenders can be guided to the solution, but it's still very important - are they even able to use their existing tooling to find the IoCs/IoAs in a realistic manner, do their response runbooks guide them to it correctly, etc. For "stealth" red team exercises it's more of a realistic IR process where they look and either they find and attribute the things or they don't.
Current Workaround
I'm not sure there is a current workaround - maybe defining "challenges"
Proposed Solution
I would add at least 1 layer of metrics - "Attribution" or something related to "IR". Attribution sounds nice as it has the CTI connotation and possibly links to OpenCTI, but this is just a quick idea without a ton of thought. Perhaps there could be levels to this. If something was not attributed / not found in IR there could be a tickbox for whether or not logs exist.
Additional Information
If the feature request is approved, would you be willing to submit a PR?
Possibly, we're investigating our resources here.
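As an added example, not part of this issue or of the project's own code: a small Python model of the metric layer proposed above. Each emulated technique records whether a detection fired, whether the responders found it in IR, whether the source system logged it, and whether that log was ingested; the scorer then rolls a chain up into the "Attribution" / "Found in IR" count, the observability count, and the two gap lists a purple team would act on (techniques that were fully observable yet nobody found, and techniques that were never logged so no rule could ever fire). The field names, the level names, and the ten-step sample chain are all assumptions made for illustration; the ATT&CK IDs are real, the outcomes attached to them are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class TechniqueOutcome:
    """One emulated technique and the four outcomes the proposed metric layer would record.
    Field names are assumptions for this example, not the project's schema."""
    technique_id: str
    tactic: str
    alerted: bool       # a detection rule fired on this technique during the exercise
    found_in_ir: bool   # responders attributed it during the IR that followed the first alert
    logged: bool        # the source system wrote a record of the activity
    ingested: bool      # that record actually reached the SIEM / log platform

    def __post_init__(self) -> None:
        # Data-entry sanity check: a rule cannot fire on data that was never logged or ingested.
        if self.alerted and not (self.logged and self.ingested):
            raise ValueError(f"{self.technique_id}: alerted=True requires logged and ingested")

    @property
    def attribution(self) -> str:
        """Proposed 'Attribution' / 'Found in IR' level for this technique."""
        if self.alerted:
            return "alerted"
        if self.found_in_ir:
            return "found in IR"
        return "missed"

    @property
    def observability(self) -> str:
        """The extra layer: could this technique have been found or detected at all?"""
        if not self.logged:
            return "not logged"
        if not self.ingested:
            return "logged, not ingested"
        return "observable"


def score_chain(chain):
    """Roll a list of TechniqueOutcome up into exercise-level metrics and gap lists."""
    return {
        "total": len(chain),
        "alerted": sum(t.alerted for t in chain),
        "found_in_ir": sum(t.found_in_ir for t in chain),
        "observable": sum(t.observability == "observable" for t in chain),
        # First technique a rule fired on; in an APT emulation this is often late in the chain.
        "first_alert": next((t.technique_id for t in chain if t.alerted), None),
        # Data was in the SIEM, yet neither a rule nor the responders caught it: write a rule / fix the runbook.
        "detectable_but_missed": [t.technique_id for t in chain
                                  if t.observability == "observable" and t.attribution == "missed"],
        # Logged at the source but never ingested: a pipeline / collection gap.
        "logged_not_ingested": [t.technique_id for t in chain
                                if t.observability == "logged, not ingested"],
        # Not logged at all: no rule can ever fire and IR cannot find it from logs.
        "blind_spots": [t.technique_id for t in chain if t.observability == "not logged"],
    }


# Constructed ten-step chain: only the exfiltration step trips a detection, as in the issue's scenario.
SAMPLE_CHAIN = [
    TechniqueOutcome("T1566.001", "initial-access",    alerted=False, found_in_ir=True,  logged=True,  ingested=True),
    TechniqueOutcome("T1204.002", "execution",         alerted=False, found_in_ir=False, logged=True,  ingested=True),
    TechniqueOutcome("T1059.001", "execution",         alerted=False, found_in_ir=True,  logged=True,  ingested=True),
    TechniqueOutcome("T1547.001", "persistence",       alerted=False, found_in_ir=True,  logged=True,  ingested=False),
    TechniqueOutcome("T1055",     "defense-evasion",   alerted=False, found_in_ir=False, logged=False, ingested=False),
    TechniqueOutcome("T1003.001", "credential-access", alerted=False, found_in_ir=False, logged=True,  ingested=True),
    TechniqueOutcome("T1018",     "discovery",         alerted=False, found_in_ir=False, logged=False, ingested=False),
    TechniqueOutcome("T1021.002", "lateral-movement",  alerted=False, found_in_ir=True,  logged=True,  ingested=True),
    TechniqueOutcome("T1560.001", "collection",        alerted=False, found_in_ir=False, logged=True,  ingested=False),
    TechniqueOutcome("T1048.003", "exfiltration",      alerted=True,  found_in_ir=True,  logged=True,  ingested=True),
]


if __name__ == "__main__":
    for t in SAMPLE_CHAIN:
        print(f"{t.technique_id:<10} {t.tactic:<18} {t.attribution:<12} {t.observability}")
    for key, value in score_chain(SAMPLE_CHAIN).items():
        print(f"{key}: {value}")
```

Splitting the two lists apart matters for the follow-up work: "detectable but missed" is a detection-engineering or runbook problem, while "blind spots" and "logged, not ingested" are observability problems that no amount of IR skill will fix until the logging is changed.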