Trending Threats in 2024 and Detection Strategies Series

The Red Report 2024

The Top 10 MITRE ATT&CK Techniques Used by Adversaries

DOWNLOAD

The threat landscape is becoming increasingly sophisticated, presenting significant challenges to traditional cybersecurity methods. Each day, cybercriminals, hackers, and nation-state actors develop new evasive and persistence tactics, techniques, and procedures (TTPs), making it difficult for conventional approaches to keep up. Security Operations Center (SOC) teams play a crucial role in identifying malicious activities within the vast array of alerts and logs managed by Security Information and Event Management (SIEM) systems. However, this essential process is often hindered by numerous obstacles and complexities, leading to delays and complications in timely and effective threat detection and response.

Top Three Challenges Faced by SOC Teams

Here are the top three challenges SOC teams encounter:

Challenge 1: Alert Fatigue

SOC teams often face an overwhelming number of security alerts generated by various monitoring tools. This deluge of data can obscure real threats, making it difficult to prioritize and respond to actual security incidents promptly. 

Challenge 2: Rapid Evolution of Cyber Threats

The threat landscape is constantly evolving, with nation-state attackers and cybercriminals rapidly adopting new, sophisticated tactics. 

According to the Red Report 2024, out of 600,000 malware samples analyzed, there has been a 333% increase in the use of hunter-killer malware. This type of malware is designed to identify and disable defensive controls, making it harder to detect. As adversaries move away from conventional attack methods and develop more advanced techniques, it becomes increasingly challenging for security systems to keep up.

Challenge 3: Integration Complexity

Effective threat detection and response depend on the seamless integration and coordination of various security tools and systems, such as SIEM, intrusion detection systems (IDS), and endpoint detection and response (EDR). The complexity of integrating disparate systems and ensuring they work together efficiently can be time-consuming and resource-intensive, potentially delaying response efforts.

Introduction to Continuous Monitoring

In response to these challenges, organizations are turning to continuous monitoring in cybersecurity. Continuous monitoring refers to the ongoing process of observing, assessing, and analyzing an organization's systems to detect and respond to cyber threats and vulnerabilities in real-time or near real-time. By continuously monitoring their digital assets, organizations can detect early problems, mitigate risks, and enhance overall resilience. 

For instance, continuous monitoring helps prioritize and manage security alerts by providing real-time insights into potential threats. Additionally, it enables organizations to adapt to the rapid evolution of cyber threats by promptly identifying and responding to emerging tactics and techniques.

Continuous Monitoring and Picus Detection Analytics

Picus Detection Analytic is an automated module that is integrated with SIEM, EDR, and XDR to identify the difference between expected and existing events. 

Every simulated threat and adversary technique creates a log in the relevant security controls. If detected or prevented, the Detection Analytics module can match the query findings using advanced algorithms with actual threat samples and techniques simulated by the Security Control Validation (SCV) module. 

The Detection Analytics module identifies undetected attacks. Therefore, Picus helps businesses with early problem detection, risk mitigation, and enhancement of overall resilience.

Benefits of the Picus Detection Analytics Module Include:

  • Validating Log Mechanisms Consistently: By consistently validating log mechanisms across the entire network, the Detection Analytics Module ensures the integrity and accuracy of logged events, enhancing overall cybersecurity.

  • Validating Alert Mechanisms Consistently: The Detection Module helps assess and improve the alerting capabilities of SIEM platforms, ensuring that security teams are promptly notified of potential threats.

  • Decreasing Dwell Time: Dwell time, or the amount of time attackers spend undetected within a network, is reduced with the Detection Analytics Module's ability to identify and respond to threats quickly, minimizing potential damage.

  • Increasing Detection Capabilities: By instrumenting the Mitigation Library, the Detection Analytics Module enhances the detection capabilities of existing security controls, enabling organizations to stay ahead of emerging threats.

Example Ransomware Attack Simulation: Dagon Locker Campaign 

In this section, we are going to display an interactive case for a ransomware campaign, run by the Dagon Locker threat group. 

Picus Labs teams are continuously adding attack simulations that mimic the behaviors and tactics, techniques, and procedures (TTPs) of latest threats/malware campaigns. These simulations can be played continuously with the schedule and dynamic template. Detection and prevention analyses are performed after each simulation is played.

This case study will explore the Dagon Locker Ransomware Campaign 2024 and how integrating Picus DA enhances its detection capabilities in SIEM and EDR.

The Dagon Locker Ransomware Campaign began distributing the IcedID malware. Victims were lured to a fake Azure download site to download a malicious JavaScript file, initiating a multi-step attack. This attack involved downloading and executing an IcedID DLL, establishing persistence through a scheduled task, and connecting to a command and control (C2) server. The malware then downloaded and executed a Cobalt Strike beacon.

The attackers used system utilities for discovery operations, accessed credentials via the LSASS process, and escalated privileges using the GetSystem command. Attackers dumped event logs, executed WMIC commands, and prepared and deployed Dagon Locker ransomware across the domain, disabling services and deleting shadow copies.

Let's examine the detection results of the Dagon Locker Ransomware campaign that was played in our lab environment and how to improve them.

 

We strongly recommend simulating the Dagon Locker Ransomware campaign and other emerging ransomware threats using the Picus Complete Security Validation Platform. This proactive approach allows you to thoroughly evaluate the effectiveness of your security controls and uncover any undetected sophisticated cyber attacks within your environment. The platform's extensive and up-to-date threat library enables you to test your defenses against hundreds of ransomware variants, including Phobos, ALPHV, and Play. You can experience these capabilities firsthand with a 14-day free trial of the Picus Platform, providing quick and comprehensive assessments within minutes.
 

Start simulating emerging threats today and get actionable mitigation insights with a  14-day free trialof the Picus Complete Security Validation Platform.