Considerations when Recommending Remedial Action
Excerpt from "Hunt Methodology" By Christian B.
Introduction
Hunting or conducting blue team operations is often a reactive job. You see a misconfiguration, or you see the adversary do something, and then you provide guidance on remedial actions based on what you are seeing. That said, there are several things to consider when making recommendations to the mission owner.
Training and Skillset Limitations of the Local Network Operators (LNO)
The LNOs will not always know how to implement the corrective actions you have in mind. Whenever possible, provide multiple courses of action (COA), each with a walkthrough. Consider providing a data-savvy analyst to assist and guide the LNOs so that the task is completed as intended. This is not always ideal or even possible depending on where you are located, but whatever recommendation you make, expect that you may be asked to assist to some extent.
Effect on the Mission
Sometimes a mission owner will not care about mitigating adversary actions as long as communications are not degraded. It is up to you to give the mission owner well-thought-out input on the mission effects both of remediating the finding and of leaving it in place. If the finding is not remediated, what access does the adversary retain, and what are the potential effects of that access? If it is remediated, what will the communications downtime be, and could that downtime cause loss of life, mission failure, or loss of money?
Can Your Recommendations Be Tested?
If the mission owner is hesitant to approve one of your recommended actions, you may be able to sway the decision by proving in a test environment that communications will not be degraded by the change. This can often be done by simply moving a computer into a test OU, applying the necessary GPOs or settings, and observing the workstation for a period of time to determine whether it still functions as desired. If the recommendation cannot be tested in your current environment, what experience do you have implementing it? Sometimes your confidence in the recommendation, backed by positive experience implementing it, will be enough to sway the mission owner's decision.
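The test-OU trial described above, scripted as an added example (this is editor-supplied PowerShell, not code from the "Hunt Methodology" text). It assumes the RSAT ActiveDirectory and GroupPolicy modules, rights to move computer objects and link GPOs, and that the GPO name `Hardening-Candidate`, the workstation `WS-TEST01` and the OU name `Hunt-Test` are placeholders for your own. The step practitioners most often skip is the RSoP check: without proving the candidate GPO actually applied, "the host ran fine for a week" proves nothing.

```powershell
# Added example: trial a candidate GPO on one workstation in a test OU,
# verify it applied, collect evidence during the observation window, roll back.
# Names below are assumed placeholders; RSAT AD + GroupPolicy modules required.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Start-GpoTrial {
    param(
        [Parameter(Mandatory)] [string] $TestHost,    # e.g. 'WS-TEST01'
        [Parameter(Mandatory)] [string] $GpoName,     # e.g. 'Hardening-Candidate'
        [string] $TestOuName = 'Hunt-Test'
    )
    $domainDN = (Get-ADDomain).DistinguishedName
    $testOuDN = "OU=$TestOuName,$domainDN"

    # 1. Create the test OU once; protect it so nobody deletes it mid-trial.
    if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$TestOuName'" -SearchBase $domainDN -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $TestOuName -Path $domainDN -ProtectedFromAccidentalDeletion $true
    }

    # 2. Link the candidate GPO to the test OU only. Inheritance is left on so the
    #    host keeps its normal workstation baseline; we are testing the delta.
    $links = (Get-GPInheritance -Target $testOuDN).GpoLinks
    if (-not ($links | Where-Object DisplayName -eq $GpoName)) {
        New-GPLink -Name $GpoName -Target $testOuDN -LinkEnabled Yes | Out-Null
    }

    # 3. Remember where the host lives, move it, and force a policy refresh.
    $computer   = Get-ADComputer -Identity $TestHost
    $originalOu = ($computer.DistinguishedName -split ',', 2)[1]
    $startedAt  = Get-Date
    Move-ADObject -Identity $computer.DistinguishedName -TargetPath $testOuDN
    Invoke-GPUpdate -Computer $TestHost -Force -RandomDelayInMinutes 0

    # 4. Prove the GPO is in the host's Resultant Set of Policy before observing.
    $report = Join-Path $env:TEMP "$TestHost-rsop.xml"
    Get-GPResultantSetOfPolicy -Computer $TestHost -ReportType Xml -Path $report | Out-Null
    if (-not (Select-String -Path $report -Pattern ([regex]::Escape($GpoName)) -Quiet)) {
        throw "GPO '$GpoName' not present in RSoP for $TestHost; fix linking/filtering before observing."
    }

    # Trial record: feed this to Get-GpoTrialEvidence and Stop-GpoTrial later.
    [pscustomobject]@{ TestHost = $TestHost; GpoName = $GpoName; OriginalOu = $originalOu; StartedAt = $startedAt; RsopReport = $report }
}

function Get-GpoTrialEvidence {
    # Run after the observation period: Critical/Error events on the host since the move,
    # grouped by source, so the mission owner sees evidence rather than an assertion.
    param([Parameter(Mandatory)] $Trial)
    $events = Get-WinEvent -ComputerName $Trial.TestHost -FilterHashtable @{
        LogName   = 'System', 'Application'
        Level     = 1, 2                  # 1 = Critical, 2 = Error
        StartTime = $Trial.StartedAt
    } -ErrorAction SilentlyContinue
    $events | Group-Object ProviderName | Sort-Object Count -Descending |
        Select-Object Count, @{ Name = 'Source'; Expression = { $_.Name } }
}

function Stop-GpoTrial {
    # Roll back: return the host to its original OU and refresh policy.
    param([Parameter(Mandatory)] $Trial)
    $dn = (Get-ADComputer -Identity $Trial.TestHost).DistinguishedName
    Move-ADObject -Identity $dn -TargetPath $Trial.OriginalOu
    Invoke-GPUpdate -Computer $Trial.TestHost -Force -RandomDelayInMinutes 0
}

# Usage (placeholders):
#   $trial = Start-GpoTrial -TestHost 'WS-TEST01' -GpoName 'Hardening-Candidate'
#   ... wait out the agreed observation window, let users work on the host ...
#   Get-GpoTrialEvidence -Trial $trial | Format-Table -AutoSize
#   Stop-GpoTrial -Trial $trial      # or leave it in place if the result is clean
```

Keeping the rollback in the same script matters as much as the trial itself: a test the mission owner can undo in one command is one they are far more likely to approve. Pair the event-log evidence with whatever the mission actually depends on (a mission application launching, a file share mounting), since a quiet System log alone does not prove communications were not degraded.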
How Effective Will This Recommendation Be?
Sometimes blocking a malicious domain or IP is an appropriate and sufficient response, if your primary concern is users clicking on phishing attempts. However, if an adversary has confirmed access to your network and hosts are beaconing out to a malicious domain, blocking that domain or IP at that point can mean having to find the adversary on your network all over again: once the beacon fails, the adversary will typically fall back to other infrastructure, and the indicator you were tracking goes dark. Hours and maybe entire days of hunting can be lost to a halfhearted mitigation at this stage. Ensure that the mitigation actions you implement result in the total removal of the adversary; otherwise you could waste a significant amount of time.
Prevent Knee-Jerk Reactions by the Mission Owner and Local Network Operators (LNO)
Sometimes the majority of the SOC Lead's job is to rein in the mission owner and the LNOs and prevent knee-jerk reactions. It is a careful balance: keep everyone as informed as possible while ensuring that the mission owner does not push the LNOs to implement actions prematurely, or to implement actions that could unknowingly degrade their own environment in response to non-findings or false positives. This makes it extremely important for your team to de-conflict events before passing them up as findings, and to develop and brief effective mitigation plans to the mission owner. If they know you have a plan and are proactive, they will have more confidence in you and will be more likely to let you implement your plan as intended.