Double Your Threat Blocking in 90 Days
By Picus Labs • October 09, 2023, 15 min read
With the continuous expansion of the threat landscape, adversaries and their tools are evolving into more complex and sophisticated entities. This evolution is well-documented in the Red Report 2023, where an analysis of the most exploited MITRE ATT&CK tactics, techniques, and procedures (TTPs) reveals that one-third of malware (32%) leverages more than 20 TTPs, and one-tenth employs over 30 TTPs. In such a dynamic environment, security controls are becoming increasingly pivotal as safeguards, protecting organizations from cyber threats.
In this blog, we have delved into the nature of security controls, illustrating their variances in threat response and underscoring the necessity for organizations to evaluate the efficacy of these controls. The assessment is crucial, and utilizing the Picus Complete Security Control Validation platform enables organizations to ensure their security controls are robust and effective in the face of evolving cyber threats.
In the context of cybersecurity, security controls are mechanisms strategically implemented to protect the confidentiality, integrity, and availability of information, computer systems, and other crucial assets from potential threats. Security controls function to avoid, prevent, detect, mitigate, and remediate risks and vulnerabilities within an organization.
Figure 1. Assessing the Prevention and Detection Layer Solutions by Picus Complete Security Control Validation Platform
By employing a balanced combination of policies, procedures, and technologies, security controls enable organizations to enhance their security posture against malicious activities, proactively identify security gaps, and ensure a resilient operational environment. This comprehensive approach ensures the seamless integration of security measures, allowing organizations to operate securely in the ever-evolving digital landscape.
Digital security controls can be divided into two broad categories:
Preventative Layer solutions, and
Detection Layer solutions.
In the upcoming sections, we are going to talk about their differences and functions within an organizational environment.
In this section, we will examine the prevention layer solutions. Below, you will find a list of not all, but some of the most prominently used prevention solutions in organizations.
NGFW (Next-Generation Firewall)
WAF (Web Application Firewall)
IPS (Intrusion Prevention Systems)
DLP (Data Leakage Prevention)
Email Gateway Security Solutions
Web Security Gateway
To have a more solid understanding, we can see an arbitrary organizational structure that shows how these solutions can be placed.
Figure 2. Testing the Effectiveness of Preventative Security Solutions with Picus Complete Security Validation Platform
For instance, we observe that the Next-Generation Firewall (NGFW) is positioned as the first preventative layer solution, interfacing between the Internet and the organizational network, followed by the Intrusion Prevention System (IPS). It’s also noted that the Email Server is fortified by a Mail Security solution. Additionally, the Web Application server, as the name suggests, is shielded by a Web Application Firewall (WAF) solution. Furthermore, HQ Endpoints and the Data Center, which harbor sensitive information, are secured through a robust Proxy solution.
Preventative layer solutions are essential in providing a multifaceted defense against a variety of cyber threats.
It’s imperative that the effectiveness of these security controls be continuously validated and improved to combat both emerging and known cyber threats, ensuring that the organization's information assets remain secure and resilient against the evolving threat landscape.
Detection layer solutions such as
EDR (Endpoint Detection and Response),
XDR (Extended Detection and Response),
IDS (Intrusion Detection System), and
SIEM (Security Information And Event Management)
are essential for maintaining endpoint security.
EDR solutions are deployed to identify and examine anomalous activities at the endpoints, providing immediate response mechanisms to counteract threats. XDR solutions augment EDR capabilities by aggregating and correlating data from diverse security layers, including endpoints, network, email, and more, to detect sophisticated threats. Conversely, IDS solutions systematically monitor network traffic, recognizing and logging malicious activities.
To have a more solid understanding of detection layer solutions, we deeply examine the following scenario that is observed in the attack campaign of Snatch Threat Group in 2023.
Figure 3. Threat ID 48847 - Snatch Threat Group Campaign 2023 in Picus Threat Library
The following attack scenario has been crafted by Picus Security red team engineers, who consistently conduct cyber threat intelligence (CTI) research to stay abreast of the latest attack and malware campaigns in the wild. They study the tactics, techniques, and procedures (TTPs) of adversaries to simulate adversarial behaviors safely and non-destructively, allowing organizations to assess the effectiveness of their security controls.
The attack scenario, identified by threat ID 48847 in the Picus Threat Library, mimics the kill chain employed by the Snatch threat actors in their 2023 attack campaign, with a specific focus on targeting Windows endpoints.
Discover a SystemStartOptions Registry Key
Display a list of applications and services using "tasklist /v"
Display a list of configurable services using "Net config" command
View the ARP cache using "arp" command
Display all current TCP/IP network configuration using "ipconfig /all " command
Display information about DNS infrastructure using "nslookup" command
Execute and Gather Information via Batch Script File
Disable Windows Defender Service using sc Utility
Create a New Registry Keys with safe.exe
Remove Self Batch Script File
Create a New Registry Key VSS for Safe Boot
Create a New Registry Key mXoRpcSsx for Safe Boot
Stop Defender via Batch Script
Encrypt File with AES
Write a File that Contains Snatch Ransom Note and Open It
Delete All Shadow Copies by using Vssadmin Variant-2
Detection layer solutions are crucial for identifying threats within systems, designed to detect unauthorized alterations, access, and disabling of services, such as creating new registry keys and disabling Windows Defender.
The use of command-line tools for displaying network configurations and querying DNS infrastructure may trigger alerts due to their reconnaissance nature.
Additionally, execution and removal of batch script files, abnormal termination of security services, and creation of ransom notes are significant indicators of compromise, which modern detection solutions are designed to identify promptly, utilizing network analysis, behavior analysis, and signature-based detection mechanisms.
Given the detailed scenario of the “Snatch Threat Group Campaign 2023”, we can examine the possible behaviors of an EDR solution.
An EDR would generate alerts for the execution of the reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v SystemStartOptions command, especially noting abnormal manipulations or creations within the SystemStartOptions Registry Keys, assessing them as part of the overall behavior analysis for potential threats.
Observations and alerts would be generated when “tasklist /v”, “Net config”, “arp”, “ipconfig /all”, and “nslookup” commands are executed as they are indicative of reconnaissance activities.
Service Modification Detection:
An EDR would respond to the command "cmd.exe /c sc stop WinDefend" as it's a direct attempt to halt the Windows Defender service via command-line, which is indicative of malicious intent, particularly as it's utilizing cmd.exe to execute the service control command.
File Behavior Monitoring:
The execution and subsequent removal of a self-batch script file would trigger alerts. Additionally, the creation of files associated with ransom notes would be detected and analyzed.
Encryption Activity Analysis:
EDR would recognize the encryption of files using AES and generate alerts, as this behavior is often associated with ransomware.
Shadow Copy Deletion Monitoring:
Upon detecting the execution of "vssadmin.exe Delete Shadows /All /Quiet", a command that seeks to quietly delete all shadow copies, EDR would swiftly react due to the abnormal and potentially harmful nature of such an operation.
This command is notable for its ability to erase backup versions of files, making it a typical tool in ransomware attacks to hinder data recovery
Any abnormal creation of Registry Keys for Safe Boot (like VSS and mXoRpcSsx) would be monitored and flagged as potential malicious activity.
By correlating the alerts from these activities, EDR solutions could rapidly identify the occurrence of a coordinated attack, allowing security teams to respond and remediate swiftly.
Prevention and detection layer solutions serve distinct roles in an organization's cybersecurity framework.
Prevention layer solutions are designed to stop attacks before they infiltrate the system, primarily through mechanisms like firewalls, intrusion prevention systems, and mail security, aimed at blocking malicious traffic and unauthorized access.
On the other hand, detection layer solutions focus on identifying and alerting to any malicious activities or anomalies that occur within the system or network, such as unauthorized alterations and access, through methods like network traffic analysis and behavior analysis.
While prevention aims to block threats before they breach the first layer of perimeter controls and cause disruption to organizational networks and systems, detection's role is to swiftly identify and respond to threats that have managed to bypass the preventative barriers, thus ensuring comprehensive security.
Access control in security refers to a selective restriction of access to a place or other resource, allowing certain actions to be performed only by entities that are explicitly authorized. It involves the enforcement of policies dictating who or what can view or use resources in a computing environment, aiming to prevent unauthorized access or cyber attacks.
Access control mechanisms typically involve
of individuals or systems and can be physical, such as security doors or logical, such as user permissions on a computer network. It is crucial for protecting sensitive and critical information from unauthorized access and potential breaches, thereby maintaining confidentiality, integrity, and availability of the data.
In the upcoming section, we are going to talk about access control security solutions.
Access Control Security Solutions are crucial components in a comprehensive cybersecurity strategy, focused on managing and regulating who or what can view or use resources in a computing environment. These solutions enforce policy to ensure that users, systems, and devices have the appropriate level of access to resources, aiming to protect sensitive information and configurations from unauthorized access and potential breaches.
Identity and Access Management (IAM) systems are a vital part of access control security solutions, allowing organizations to authenticate and authorize users and entities, ensuring that individuals access only the resources and information pertinent to their roles.
Below, you will find a list of solutions or services that provide Identity and Access Management (IAM).
Microsoft Azure Active Directory (Azure AD)
Amazon Web Services (AWS)
Network Access Control (NAC) solutions are also crucial, determining and enforcing policies on devices attempting to access network resources, thereby preventing unauthorized or non-compliant devices from accessing sensitive portions of the network.
Notable NAC solutions include the following solutions.
Cisco Identity Services Engine (ISE)
Extreme Networks ExtremeControl
Additionally, Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC) are widely used models in access control solutions, enabling organizations to assign permissions to specific roles or attributes, ensuring fine-grained and dynamic access control.
Access control mechanisms often work in tandem with both prevention and detection layer security controls to provide layered security, thereby enhancing the overall security posture of an organization.
Security Controls Frameworks are vital constructs that guide organizations in establishing and maintaining a consistent and robust approach to safeguarding their assets, based on widely acknowledged methodologies and best practices.
These frameworks facilitate organizations in aligning their security strategies, policies, and operations, ensuring the effective enforcement of IT security policies, ongoing employee education, and compliance with industry standards and regulations, thereby optimizing operational efficiency and continually addressing and mitigating risks through effective security controls.
Below, you will find a detailed explanation of the NIST Cybersecurity Framework 2.0 .
The NIST Cybersecurity Framework 2.0, by the National Institute of Standards and Technology, serves as a pivotal guide for organizations aiming to enhance their cybersecurity posture. The Framework offers a comprehensive approach to managing and mitigating cybersecurity risks, presenting adaptable solutions.
Core Functions & Profiles:
The Framework encompasses five Core Functions: Identify, Protect, Detect, Respond, and Recover, each with corresponding categories and subcategories.
Figure 4. The NIST Cybersecurity Framework 2.0 Functions 
Figure 5. The NIST Cybersecurity Framework 2.0 Profiles 
It emphasizes integrating cybersecurity risk management with overall enterprise risk management, allowing organizations to balance multiple risk considerations and ensuring continuous communication of risks at all organizational levels.
The Framework Risk Tiers are integral in categorizing the maturity and reliability of an organization’s cybersecurity infrastructure, ranging from Tier 1 (Partial) to Tier 4 (Adaptive).
These Tiers guide organizations in aligning their current and target cybersecurity profiles, facilitating internal benchmarking and enhanced risk management practices. The selection of appropriate Tiers is crucial, involving considerations of existing practices, threat landscapes, legal mandates, organizational objectives, and constraints. Properly utilized, they significantly contribute to achieving balanced and well-informed cybersecurity outcomes.
Figure 6. The NIST Cybersecurity Framework 2.0 Risk Tiers 
Supply Chain Risk Management:
The NIST Cybersecurity Framework 2.0 provides structured methodologies for managing cybersecurity risks in supply chains, emphasizing active collaboration and communication amongst stakeholders. It enables organizations to identify, protect, detect, respond, and recover from vulnerabilities and adverse events associated with suppliers’ products/services.
It integrates Cybersecurity Supply Chain Risk Management (C-SCRM) practices and secure software development considerations, allowing organizations to extend cybersecurity risk management considerations to third parties.
The Framework fosters communication about cybersecurity risks within supply chains, aiding organizations in conveying and aligning expectations at all levels. Framework Profiles delineate cybersecurity standards and practices to incorporate into supplier contracts, providing a common language to communicate requirements and allowing suppliers to express their cybersecurity posture and practices, thereby supporting effective decision-making and alignment on cybersecurity outcomes across the organization.
The Framework highlights the importance of addressing privacy considerations within cybersecurity, showcasing areas where privacy and cybersecurity overlap and providing strategies for addressing privacy risks.
Figure 7. The NIST Cybersecurity Framework 2.0 Privacy Risk 
Adaptability & Continuous Improvement:
This update in the Framework provides organizations with enhanced tools, guidelines, and practices to evaluate and address their cybersecurity risks effectively, in alignment with their broader organizational and risk management strategies.
Assessing the effectiveness of security controls is critical as it provides precise insights into the actual security posture of an organization, enabling the identification and validation of existing vulnerabilities and gaps in security defenses.
Without continuous assessments, organizations may operate under a false sense of security (based on assumptions), unaware of unaddressed vulnerabilities and ineffective controls, leading to increased risk of security breaches and compromises. Therefore, continuous and automated security control assessment practices ensure that the implemented security controls of an organization are operating as intended and allow organizations to make informed decisions to allocate resources efficiently for remediation and improvement, thereby strengthening the overall security posture.
Recognizing the importance of adopting a data-driven approach for security validation and mitigations, the Picus Complete Security Validation Platform offers its customers ready-to-run attack templates. These are specifically designed to assess the effectiveness of the security controls implemented within an organization. Additionally, the platform provides vendor-based preventive mitigation signatures to enhance organizational security posture.
Here are some of the, but not all, ready-to-run attack templates that the Picus Complete Security Validation Platform provides its customers.
IPS / IDS & Firewall Testing
Web Application Firewall (WAF) Testing
Web Security Gateway Testing
Windows, Linux and macOS Endpoint Testing
Email Gateway Testing
Data Leakage Prevention (DLP) Testing
In this section, we will present a selection of ready-to-run threat templates available for conducting attack simulations, noting that this is not an exhaustive list
In Figure 8 below, you will see a dynamically updated template that provides ready-to-run attack simulations specifically designed to test
Intrusion Prevention Systems (IPS),
Intrusion Detection Systems (IDS), and
This template includes the 100 most recent network infiltration attack scenarios, each meticulously analyzed by our dedicated red team engineers to safely replicate the attack paths or kill chains employed by the corresponding threat actors.
Figure 8. IPS, IDS and Firewall Testing Attack Templates by Picus Complete Security Validation Platform
This template consists of the most recent 100 e-mail infiltration attacks, which you can simulate to test your Email Gateway.
Figure 9. Email Gateway Testing with Picus Threat Library
For instance, examining the Bifrose trojan email threat reveals that this threat involves downloading variants of the Bifrose trojan. The Bifrose attempts to list itself as an allowed program in the firewall and creates counterfeit system processes. Additionally, it employs prolonged sleep tactics to evade sandbox detection. The downloaded trojan then establishes contact with several Command and Control (C&C) servers.
How does performing an attack simulation against your email gateway solution would help organizations to improve their security posture?
Running, for instance, the Bifrose trojan in an attack simulation allows organizations to meticulously assess their email gateways by observing whether the malicious activities, typical of the trojan, are identified and blocked effectively. By simulating the tactics, techniques, and procedures (TTPs) of this threat, organizations can gain valuable insights into the robustness of their existing security controls and the potential vulnerabilities within their email security infrastructure.
This proactive approach ensures that organizations can refine and bolster their defensive measures, reinforcing the resilience of email gateways against sophisticated infiltration attempts.
This template consists of the threats of the Data Exfiltration Attacks module, which you can simulate to test your Data Loss Prevention controls.
For instance, this attack includes uploading a document that contains the following Payment Card Industry (PCI) data and Personally Identifiable Information (PII) specialized for ITALY in .ODT format. PCI data includes Full Credit Cards.
This file also contains PII, which is any data that could potentially identify a specific individual. This file includes the following information for 25 arbitrary persons:
Nome, Cognome, Indirizzo email, Codice fiscale, Nascita, Indirizzo, Numero di telefono, Carte di credito, Marchio di carte, Banca, BIN. Sample data ZAIRA, CAMPANILE, z.campanilecommercialistisalerno.it, CMPZRA67H49C361Z, 1967, NAPOLI VIA M.CATONE 2, 0818181186, 371771890526665, AMERICAN EXPRESS, AESEL - ITALY CONSUMER CHARGE, 371771
The list ranges from both preventative and detection level controls as well as DLP and WAF testing.
Understand the 4 trade-offs limiting security teams in managing their organization's threat exposure.