Most organizations have some form of Security Information and Event Management (SIEM) solution they trust to monitor their infrastructure for signs of hackers, malware, and insider threats. The SIEM may be managed internally, outsourced to an MSSP (Managed Security Solutions Provider), or a combination of both. Early warning of a security incident is critical and allows incident response teams to quickly contain the threat and investigate the root cause of the breach.
The threat landscape is constantly changing as hackers improve their attack methods and malicious tools, so how do organizations validate the effectiveness of their security systems against these emerging threats?
STLF helps organizations locate and close the gaps in their security defenses through a SIEM Tuning by Live Fire exercise.
Breakdown
The STLF process is broken down into two phases: Tuning and Threat Simulation.
Phase 1 - Tuning
Phase 2 - Threat Simulation
Although a SIEM is an important component of an overall security solution, it is not mandatory for an STLF engagement. STLF can run simulated attacks on any infrastructure with networked components accessible over a TCP/IP network.
The STLF Platform
STLF is not a penetration test as there is no exploitation component. It is a platform that uses simulations to mimic real-world attacks. The simulated attacks are updated frequently to keep pace with emerging threats.
The platform consists of a management console, dashboard, STLF engine, and several specialized virtual machines. The management console allows the STLF team to configure and launch simulated attacks, while the blue team uses the dashboard to monitor the progress of the engagement in real time.
The engine coordinates scheduling and execution of the attacks via the appropriate virtual machine and tracks progress. The virtual machines can be managed separately to facilitate testing of isolated networks.
Playbooks can be created to chain multiple attacks together, simulating a breach from initial entry through lateral movement to post-exploitation activities. Custom attacks can be created on the fly for environments that use unique or specialized devices such as industrial control systems.
Framework and Classifications
Each attack run during STLF is categorized under a classification. The core classifications incorporate detection rules mapped to the MITRE ATT&CK® framework. MITRE ATT&CK is a regulatory body dedicated to adversary tactics and techniques. This framework gives the testing team a comprehensive knowledge base, including tactics for vetting security controls and methods for training internal teams on the strategies, techniques, and events used by real-world attackers. It also assists in developing existing threat intelligence and gives stakeholders the ability to make critical decisions based on the data analytics collected.
Conclusion
Without validation and tuning, most security solutions perform well below optimal efficiency and accuracy. STLF helps organizations maximize the efficacy of their SIEM and other security solutions while providing valuable training to their incident response team or MSSP.
Please contact info@digitalboundary.net or your sales representative for more information about STLF.