Hypothetical end-to-end example#
We will consider a hypothetical example to showcase how this process could theoretically proceed.
Details of the hypothetical threat:
RCE vulnerability on Apache servers running on Windows or Linux
Some are targeting AWS servers specifically
Fairly simple with a POC to significantly reduce complexity expected to release soon
Somewhat novel, but also contains a lot of overlap with existing exploits and vulnerabilities
Starting to gain attention
Limited expertise exists on the team with some competing conflicts
Step |
Considerations |
For |
Against |
|---|---|---|---|
Coverage |
TTPs |
1 tactic, 3 techniques overlapping with ATT&CK; 1 additional matching observed technique in exploit |
1 missing technique from ATT&CK overlap; Missing coverage for 2 observed techniques in exploit |
Telemetry |
10 hits across 3 customers |
Missed 20 potential alerts on missing TTPs |
|
Event categories |
Existing detections are all process based |
Need network and file coverage |
|
Data sources |
All detections on endpoint |
Need coverage for AWS and apache server |
|
Platform/OS |
All rules for windows |
Need linux coverage |
|
Infrastructure/cloud |
Need AWS |
||
Technology |
|||
Applications |
Need apache |
||
Fields |
Mostly process based |
Opportunities: response.status, source.address |
|
Industry analysis |
2 vendors have 3 rules |
No net new coverage exists |
|
Prevalence |
Telemetry |
Potential new coverage would cover 100 new alerts across 10 systems across 2 customers |
Rule approaches limited due to legitimate activity which would be noisy FP |
Threat intel |
Several orgs reporting it |
Seems to be only specific configuration scenarios |
|
Trending with many tweets |
|||
Urgency |
Threat complexity |
Very simple to exploit; POC expected to be released |
Very specific setup required to be vulnerable |
Risk to users |
RCE |
||
Prominence |
Medium due to tweets and reports |
No major press reporting yet |
|
Capability |
Features |
Easy to triage with timelines |
|
Approaches |
Detect incoming network event followed by specific file creation |
The variability in hierarchy creates instability of approach |
|
Rule types |
search |
||
Language paradigms |
ESQL or EQL work well |
Sequencing could be expensive |
|
Influence |
Expertise |
1 expert on windows and AWS; Have peer with apache expertise |
Missing apache expertise |
Feedback |
Customers are concerned |
||
Community input |
Community is concerned |
||
Constraints |
Time restrictions |
The exploit POC is coming in 1 day |
Schema change required - ready in 2 days |
Visibility gaps |
No production apache servers on windows |
||
Dependencies |
Maintenance on research tools in 1 day |
||
Performance limits |
Expensive logic for some TTPs |
||
Bugs or blockers |
AWS expert working on another P1 issue |
As it can be observed, there are many compelling reasons to scope this work, with a fairly short window targeted for completion and a high priority. It is not absolute however, as there are some conflicts and issues. Ultimately, this would likely be scoped for a reasonable outcome, such as 2 or 3 days, where other conflicting work may lose priority slightly to account for this.
It should also be obvious that this is not a simple procedural checklist, but rather a process for consideration and comparison. Determining priority and scope can be very complex, and is always changing. All of these considerations are not necessarily static, with updates to each of them having an impact on the overall priority and urgency.
Lastly, these considerations do not happen in isolation, as the threat landscape and protected environments are always changing. This process must be practiced on individual threats in addition to taking a holistic approach, with considerations for: the collective landscape, competing priorities, and respective value of outcomes.