STLF™: Moving from Trust to Validation

Most organizations have some form of Security Information and Event Management (SIEM) solution they trust to monitor their infrastructure for signs of hackers, malware, and insider threats. The SIEM may be managed internally, outsourced to an MSSP (Managed Security Solutions Provider), or a combination of both. Early warning of a security incident is critical and allows incident response teams to quickly contain the threat and investigate the root cause of the breach.

The threat landscape is constantly changing as hackers improve their attack methods and malicious tools, so how do organizations validate the effectiveness of their security systems against these emerging threats?

STLF helps organizations locate and close the gaps in their security defenses through a SIEM Tuning by Live Fire exercise.

The STLF process is broken down into two phases: Tuning and Threat Simulation.

Phase 1 - Tuning

  • Verify audit settings in Microsoft Active Directory
  • Audit policy
  • Sensor placement
  • Log forwarding
  • Review SIEM rules and log sources
  • Forward simulated events directly to the SIEM by becoming a log source

Phase 2 - Threat Simulation

  • Reconnaissance
  • Active Directory Enumeration
  • Exploitation and System Compromise
  • Data Exfiltration
  • Password Guessing
  • Lateral Movement
  • Privilege Escalation
  • Account Lockout
  • Content Inspection
  • System Control
  • Credential Theft
  • Spoofing
  • Command-and-Control

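The two phases above form one loop: the tuning phase makes the simulation a log source the SIEM can see, and the threat-simulation phase then checks whether the expected rule fires. The Python below is an added example of that loop, not STLF's own code or platform logic: it builds synthetic CEF events for the "Password Guessing" scenario, can forward them to a syslog/UDP collector (the "become a log source" step), and evaluates a threshold rule the way a SIEM correlation rule would, so the outcome can be compared with what the real SIEM raised. The vendor name, hostnames, user, threshold, window and the ATT&CK technique mapping (T1110, Brute Force) are constructed assumptions for this example.

```python
"""
Live-fire check of a SIEM pipeline (added example, not STLF's own code):
synthetic CEF events for a password-guessing burst, optional forwarding as a
syslog/UDP log source, and a SIEM-style threshold rule evaluated locally.
Hostnames, users, thresholds and the technique mapping are constructed.
"""
import bisect
import re
import socket
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def _esc(text, chars):
    """Backslash-escape CEF special characters ('|' in the header, '=' in extensions)."""
    out = str(text).replace("\\", "\\\\")
    for c in chars:
        out = out.replace(c, "\\" + c)
    return out


def cef_event(sig_id, name, severity, **ext):
    """Format one CEF line: CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|Extension."""
    fields = ("STLF-Sim", "WinSec", "1.0", sig_id, name, severity)  # vendor/product are made up
    header = "|".join(_esc(f, "|") for f in fields)
    extension = " ".join(f"{k}={_esc(v, '=')}" for k, v in ext.items())
    return f"CEF:0|{header}|{extension}"


def parse_cef(line):
    """Parse a CEF line back into a dict, honouring backslash escapes (as a SIEM parser would)."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    fields, cur, i = [], "", 4
    while i < len(line) and len(fields) < 7:
        c = line[i]
        if c == "\\" and i + 1 < len(line):  # escaped character: take it literally
            cur += line[i + 1]
            i += 2
            continue
        if c == "|":
            fields.append(cur)
            cur = ""
        else:
            cur += c
        i += 1
    ext = {}
    for token in re.split(r"\s+(?=\w+=)", line[i:].strip()):  # split only before 'key='
        if "=" in token:
            key, val = token.split("=", 1)
            ext[key] = re.sub(r"\\(.)", r"\1", val)  # undo escaping in the value
    keys = ("version", "vendor", "product", "device_version", "signature_id", "name", "severity")
    return dict(zip(keys, fields), ext=ext)


def simulate_password_guessing(attempts=12, gap_s=5, src="10.0.0.5", user="svc_backup"):
    """Constructed burst of Windows Security 4625 (failed logon) events, gap_s seconds apart."""
    start = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    return [
        cef_event("4625", "Failed logon", 5, src=src, suser=user, dhost="DC01",
                  rt=int((start + timedelta(seconds=gap_s * n)).timestamp() * 1000))
        for n in range(attempts)
    ]


def send_syslog(lines, host="127.0.0.1", port=514, pri=14):
    """Become a log source: forward lines to a syslog/UDP collector with RFC 3164 PRI framing."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        for line in lines:
            sock.sendto(f"<{pri}>{line}".encode(), (host, port))
    finally:
        sock.close()
    return len(lines)


def rule_failed_logon_burst(lines, threshold=10, window_s=60):
    """SIEM-style correlation rule: >= threshold 4625 events from one source within window_s."""
    by_src = defaultdict(list)
    for ev in map(parse_cef, lines):
        if ev["signature_id"] == "4625":
            by_src[ev["ext"]["src"]].append(int(ev["ext"]["rt"]) // 1000)
    alerts = []
    for src, times in by_src.items():
        times.sort()
        for i, t in enumerate(times):
            count = bisect.bisect_right(times, t + window_s) - i  # events in [t, t + window_s]
            if count >= threshold:
                alerts.append({"rule": "failed-logon-burst", "src": src, "count": count,
                               "technique": "T1110"})  # assumed ATT&CK mapping: Brute Force
                break
    return alerts


def live_fire(attempts=12, gap_s=5):
    """Run one simulation and report whether the expected rule fired."""
    events = simulate_password_guessing(attempts, gap_s)
    alerts = rule_failed_logon_burst(events)
    return {"events": len(events), "detected": bool(alerts), "alerts": alerts}


if __name__ == "__main__":
    print(live_fire(12, 5))   # burst inside the window: the rule fires
    # the same 12 attempts spread 30 s apart never reach 10 in any 60 s window,
    # which is exactly the kind of gap the tuning phase exists to surface
    print(live_fire(12, 30))
```

Pointing `send_syslog` at the real collector instead of `127.0.0.1` turns the local evaluation into the actual check: the SIEM should raise the same alert that `rule_failed_logon_burst` returns, and any difference (a parser that drops the `rt` field, a rule with a tighter window, a missing log-forwarding path) is a finding for the tuning phase.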
Although a SIEM is an important component of an overall security solution, it is not mandatory for an STLF engagement. STLF can run simulated attacks on any infrastructure with networked components accessible over a TCP/IP network.

The STLF Platform

STLF is not a penetration test as there is no exploitation component. It is a platform that uses simulations to mimic real-world attacks. The simulated attacks are updated frequently to keep pace with emerging threats.

The platform consists of a management console, dashboard, STLF engine, and several specialized virtual machines. The management console allows the STLF team to configure and launch simulated attacks while the blue team uses the dashboard to monitor the progress of the engagement in real-time.

The engine coordinates scheduling and execution of the attacks via the appropriate virtual machine and tracks progress. The virtual machines can be managed separately to facilitate testing of isolated networks.

Playbooks can be created to encompass multiple attacks to simulate a breach from initial entry, lateral movement, to post exploitation activities. Custom attacks can be created on the fly for environments that use unique or specialized devices such as industrial control systems.

Framework and Classifications

Each attack run during STLF is categorized under a classification. The core classifications incorporate detection rules mapped to the MITRE ATT&CK® framework, a curated knowledge base of adversary tactics and techniques maintained by MITRE. The framework gives the testing team a comprehensive reference, including tactics for vetting security controls and methods for training internal teams on the strategies, techniques, and events used by real-world attackers. It also helps enrich existing threat intelligence and gives stakeholders the ability to make critical decisions based on the data analytics collected.

  • Initial Access
  • Execution
  • Persistence
  • Privilege Escalation
  • Defense Evasion
  • Credential Access
  • Discovery
  • Lateral Movement
  • Collection
  • Command-and-Control
  • Exfiltration
  • Impact

Without validation and tuning, most security solutions perform well below optimal efficiency and accuracy. STLF helps organizations maximize the efficacy of their SIEM and other security solutions while providing valuable training to their incident response team or MSSP.

Please contact or your sales representative for more information about STLF.