This page explains why a SOC should build and maintain a set of "use cases" for identifying cyber-attacks. A use case is a technical rule or condition that raises an alert when an abnormal event occurs, for example too many login attempts against one account, or malicious traffic reaching a critical server. A large set of use cases, each with its own playbook, is what makes a SOC ready to handle a real attack. The page lists sample use cases for Windows, Unix, firewalls and other network security devices, email and wireless/VPN; these can be categorised in several ways and mapped to MITRE ATT&CK tactics and techniques to guide both detection and mitigation. It stresses three things: keep a clear list of use cases, give each a priority, and record for each the log source that must be ingested into the SIEM.
Best practices
1. Always keep a clear, current list of your use cases to hand.
2. Map each use case to the MITRE ATT&CK tactic (phase) and technique it detects, so that when a rule fires you know how far the adversary has progressed toward their objective. Tagging and mapping to the ATT&CK matrix also helps detection (it tells you which logs have to be tapped) and mitigation, and it supports attribution, since ATT&CK records which techniques known APT groups have used.
3. Give each use case a clear priority based on your organisation's assets and risk.
4. Record, for each use case, the log source that must be ingested into your SIEM for the rule to fire; without that source the use case is documentation, not a detection.
Why is it important to have a large set of use cases, and playbooks for them?
1. Real cyber-attacks are complex and touch many systems. It is actually very hard for an attacker to stay invisible to a SOC that has enabled the right set of use cases across those systems.
2. Use cases are rules that trigger alerts. For each one you need a playbook, i.e. instructions on how to respond: the steps to analyse, contain and mitigate.
3. The process of writing the playbooks matters in itself: it forces you to think through how you would handle each alert before a real attack arrives.
Below is a list of sample use cases. You can categorise them in multiple ways; refer to your SIEM-specific documentation for the list of rules that come bundled with the product.
Windows
• Server Shutdown/ Reboot
• Removable media detected
• Windows abnormal shutdown
• Login attempts with the same account from different source desktops
• Detection of Server shutdown-reboot after office hours
• Administrative Group Membership Changed
• Unauthorized Default Account Logins
• Interactive use of service account
• Remote access login – success & failure
• Windows Service Stop-Restart
• ACL Set on Admin Group members
• Windows Account Enabled Disabled
• Multiple Windows Account Locked out
• Multiple Windows Logins by Same User
• Brute force attempt from same source
• Logins outside normal business hours
• Logins to multiple user accounts from the same source
• Brute force attempt from same source with successful login
• Windows Account Created Deleted
• Windows Hardware Failure
• Failed Login to Multiple Destination from Same Source
• Administrative Accounts- Multiple Login failure
• Detection of user account added/removed in admin group
• Detection of system time changes (Boot time)
• Detection of use of default product vendor accounts
• User Deleted Within 24hrs of Being Created
• Critical service stopped on Windows Servers
• Windows Security Log is full
• Multiple Password Changes in Short time
• Windows group type was changed
• Audit Policy change
• Audit Log cleared
• Detection of user account added
• Logon failure: a logon attempt was made using an expired account
• High number of users created/ removed within a short period of time
• Outbound traffic observed from servers to the Internet
• Failed Logins/Attempt with Disabled/Ex-Employee/Expired Accounts
• Windows File-Folder Delete
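Two of the Windows use cases above, "Brute force attempt from same source with successful login" and "Logins to multiple user accounts from the same source", written as SIEM-style correlation rules and run over a handful of constructed Windows Security events. This is an added example, not code from the original page; each rule carries the metadata the best-practice list asks for (a priority, an ATT&CK technique and the log source to ingest). The thresholds, time windows, priorities, the flat `timestamp,event_id,user,src_ip` event format and the sample events are all assumptions made for this example.

```python
# Added example, not code from the original page: two Windows use cases as
# correlation rules over constructed Event ID 4625/4624 records. Thresholds,
# windows, priorities and sample data are assumptions for this example.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class UseCase:
    name: str
    priority: str          # set per organisation, e.g. "P1" (highest) .. "P4"
    attack_technique: str  # MITRE ATT&CK technique id the rule detects
    log_source: str        # what must be ingested into the SIEM for it to fire

BRUTE_FORCE_SUCCESS = UseCase(
    "Brute force attempt from same source with successful login",
    "P1", "T1110", "Windows Security log (Event ID 4625 and 4624)")
MULTI_ACCOUNT_SOURCE = UseCase(
    "Logins to multiple user accounts from the same source",
    "P2", "T1078", "Windows Security log (Event ID 4624)")

@dataclass(frozen=True)
class Event:
    ts: datetime
    event_id: int   # 4625 = failed logon, 4624 = successful logon
    user: str
    src_ip: str

def parse_events(lines):
    """Parse constructed 'timestamp,event_id,user,src_ip' lines, oldest first."""
    events = []
    for line in lines:
        ts, eid, user, src = [f.strip() for f in line.split(",")]
        events.append(Event(datetime.fromisoformat(ts), int(eid), user, src))
    return sorted(events, key=lambda e: e.ts)

def brute_force_then_success(events, threshold=5, window=timedelta(minutes=10)):
    """Alert when a 4624 from a source follows >= threshold 4625s from the same
    source inside `window`. Returns (use_case, src_ip, user, ts) tuples."""
    alerts = []
    failures = defaultdict(list)  # src_ip -> timestamps of failed logons
    for ev in events:
        if ev.event_id == 4625:
            failures[ev.src_ip].append(ev.ts)
        elif ev.event_id == 4624:
            recent = [t for t in failures[ev.src_ip] if ev.ts - t <= window]
            if len(recent) >= threshold:
                alerts.append((BRUTE_FORCE_SUCCESS, ev.src_ip, ev.user, ev.ts))
                failures[ev.src_ip].clear()  # one alert per burst
    return alerts

def multiple_accounts_from_source(events, threshold=3, window=timedelta(minutes=10)):
    """Alert when one source logs on to >= threshold distinct accounts inside `window`."""
    alerts = []
    logons = defaultdict(list)  # src_ip -> [(ts, user)]
    fired = set()
    for ev in events:
        if ev.event_id != 4624:
            continue
        logons[ev.src_ip].append((ev.ts, ev.user))
        users = {u for t, u in logons[ev.src_ip] if ev.ts - t <= window}
        if len(users) >= threshold and ev.src_ip not in fired:
            alerts.append((MULTI_ACCOUNT_SOURCE, ev.src_ip, ",".join(sorted(users)), ev.ts))
            fired.add(ev.src_ip)
    return alerts

SAMPLE_EVENTS = [  # constructed for this example
    "2024-01-10T09:00:01,4625,alice,10.0.0.5",
    "2024-01-10T09:00:02,4625,alice,10.0.0.5",
    "2024-01-10T09:00:03,4625,alice,10.0.0.5",
    "2024-01-10T09:00:04,4625,alice,10.0.0.5",
    "2024-01-10T09:00:05,4625,alice,10.0.0.5",
    "2024-01-10T09:00:09,4624,alice,10.0.0.5",  # success after 5 failures: alert
    "2024-01-10T09:05:00,4624,bob,10.0.0.7",
    "2024-01-10T09:06:00,4624,carol,10.0.0.7",
    "2024-01-10T09:07:00,4624,dave,10.0.0.7",   # third distinct account: alert
    "2024-01-10T09:30:00,4625,erin,10.0.0.9",
    "2024-01-10T09:31:00,4624,erin,10.0.0.9",   # one typo then success: no alert
]

def run_rules(lines=SAMPLE_EVENTS):
    events = parse_events(lines)
    alerts = brute_force_then_success(events) + multiple_accounts_from_source(events)
    return sorted(alerts, key=lambda a: a[3])

if __name__ == "__main__":
    for uc, src, who, ts in run_rules():
        print(f"[{uc.priority}] {uc.attack_technique} {uc.name}: src={src} user={who} at {ts:%H:%M:%S}")
```

The point of the `UseCase` record is the best-practice list: the rule name, its priority, its ATT&CK technique and the log source it depends on travel with the rule, so the alert an analyst receives already says what to ingest and how urgent it is. Note that the brute-force rule only fires on the success that follows the failures; the plain "Brute force attempt from same source" use case would be the same loop without the 4624 condition.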
Unix
• Unix FTP File Import and Export Events
• Unix File system full
• Server shutdown
• Users Created /Deleted within short period
• Users Group Created /Removed within short period
• Unix-Login attempts with the same account from different source desktops
• Failed Logins
• Failed Logins with disabled accounts
• Unix FTP Login Access
• Unix multiple SFTP Connection
• Failed logins to the root account
• Unix Multiple SU login failures
• Remote Logon Attempts using Root User on Production Node
• Sudo access from Non sudo users
• Detection of use of default product vendor accounts
• Adding or Removing users to the group “root”
• Critical Service Stop
• Unix-High number of login failure for the same account within a short time
• Password Changed
• Adding, removing and modifying cron jobs
• SU login failures
• Detection of change in syslog configuration
• Detection of change in network configuration
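Two of the Unix use cases above, "Sudo access from Non sudo users" and "Adding, removing and modifying cron jobs", written as single-event pattern rules over constructed auth.log lines; unlike a threshold rule, each of these fires on one line. This is an added example, not code from the original page. It assumes a Debian-style rsyslog layout (`Mon DD HH:MM:SS host program[pid]: message`), the standard sudo "user NOT in sudoers" message and the `(actor) OP (target)` audit line that crontab(1) writes; the sample lines, priorities and ATT&CK tags are made up for this example.

```python
# Added example, not code from the original page: two Unix use cases as
# single-event rules over constructed auth.log lines. The syslog layout,
# priorities and ATT&CK tags are assumptions made for this example.
import re
from dataclasses import dataclass

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s(?P<prog>[^\[:\s]+)(?:\[\d+\])?:\s*(?P<msg>.*)$")
# sudo refusing a user who is not in sudoers
NOT_IN_SUDOERS_RE = re.compile(r"^(?P<user>\S+)\s*:\s*user NOT in sudoers\b.*COMMAND=(?P<cmd>.*)$")
# crontab(1) audit line "(<real user>) <OP> (<target user>)"; only some ops change jobs
CRONTAB_RE = re.compile(r"^\((?P<actor>[^)]+)\)\s(?P<op>[A-Z ]+?)\s\((?P<target>[^)]+)\)$")
CRON_MODIFY_OPS = {"REPLACE", "DELETE"}   # LIST and BEGIN EDIT are read-only

@dataclass(frozen=True)
class Alert:
    use_case: str
    priority: str
    attack_technique: str
    host: str
    ts: str
    detail: str

def parse_syslog(line):
    """Split one rsyslog-style line into ts/host/prog/msg, or None if it does not parse."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None

def rule_sudo_non_sudoer(rec):
    if rec["prog"] != "sudo":
        return None
    m = NOT_IN_SUDOERS_RE.match(rec["msg"])
    if not m:
        return None
    return Alert("Sudo access from Non sudo users", "P2", "T1548.003",
                 rec["host"], rec["ts"], f"{m['user']} tried: {m['cmd'].strip()}")

def rule_cron_modified(rec):
    if rec["prog"] != "crontab":
        return None
    m = CRONTAB_RE.match(rec["msg"])
    if not m or m["op"] not in CRON_MODIFY_OPS:
        return None
    return Alert("Adding, removing and modifying cron jobs", "P3", "T1053.003",
                 rec["host"], rec["ts"], f"{m['actor']} {m['op']} crontab of {m['target']}")

RULES = [rule_sudo_non_sudoer, rule_cron_modified]

def evaluate(lines):
    """Run every rule over every parseable line; return the alerts raised, in log order."""
    alerts = []
    for line in lines:
        rec = parse_syslog(line)
        if rec is None:
            continue  # a real SIEM would count unparsed lines; silent drops hide gaps
        for rule in RULES:
            alert = rule(rec)
            if alert:
                alerts.append(alert)
    return alerts

SAMPLE_AUTH_LOG = [  # constructed for this example
    "Jan 10 09:12:01 web01 sudo:     bob : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash",
    "Jan 10 09:12:30 web01 crontab[2231]: (bob) BEGIN EDIT (bob)",
    "Jan 10 09:12:45 web01 crontab[2231]: (bob) REPLACE (bob)",
    "Jan 10 09:13:00 web01 crontab[2240]: (root) DELETE (alice)",
    "Jan 10 09:15:00 web01 sudo:   alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update",
    "Jan 10 09:16:00 web01 crontab[2250]: (alice) LIST (alice)",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_AUTH_LOG):
        print(f"[{a.priority}] {a.attack_technique} {a.use_case} on {a.host} at {a.ts}: {a.detail}")
```

Two details matter when this runs against real logs: the cron rule deliberately ignores `BEGIN EDIT` and `LIST`, because an edit that is abandoned never produces a `REPLACE` and a listing changes nothing, so alerting on them would only add noise; and lines that do not parse are skipped here, whereas a production rule set should count them, since an unparsed log source is exactly the gap that hides an attacker.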
Firewall, Antivirus, IPS and VPN
• Administrator Login Failure
• Brute force with Successful Configuration Changes
• Firewall Failover event
• Successful connection from internet IP after repetitive blocks in firewall
• Access attempts on unidentified protocols & port
• Exploit Event followed by Scanning Host
• Outbound access to invalid destination IPs
• Successful logon between Non-Business Hours
• Firewalls reboot
• Detection of user account/group modifications
• User Added/Deleted to Firewall Database
• Detection of insecure traffic like FTP, telnet, on critical servers
• Detection of adding/deletion of a Firewall admin
• Login Denied (Brute Force)
• High number of Denied events
• Configuration Change detected
• The link to the peer device is down, either because of a physical cabling issue or an NSRP configuration issue
• Network and Host Port Scan Attempts
• Detection of Primary-Secondary Switch Over
• An admin has allowed/removed access to the firewall from a particular IP
• Detected P2P traffic
• Alerting high CPU utilization on firewall
• Firewall failed to allocate memory
• Detection of any kind of failure related to Standby FW
• Top dropped traffic from DMZ, FW
• Outbound Traffic observed on Important Ports
• Successful Outbound Traffic to Blacklisted Threat IP Address
• Multiple Failed Outbound Traffic to Blacklisted Threat IP Address
Security Device – Checkpoint
• Firewall critical alert observed
• VPN configuration change observed
• Administrator Login Failure detected
• Successful logon between Non- Business Hours
• Successful access from Suspicious Countries
• Checkpoint Service restarts
• Firewall Cluster/Gateway Configuration Change
• CPU Utilization High
• Checkpoint Policy Installed
• High number of denied events
• SmartDefense signature-based alert
• VPN Certificate Verification Failure
• Configuration Change detected
• Firewalls reboot
Email – Example – Exchange
• Top 10 users sending mails to external domains
• Top 10 Email Receivers/Senders
• Data Leakage Identified through
• Large files sent via mail
• Malicious/Suspicious attachments identified
• Email Usage Group IDs
• Monitoring mails going out from the company domain to other domains after Office Hours
• High Email Bandwidth utilization by individual users
• Detection of Undelivered Messages
• Mailbox Access by Another user
• User sending a Message as another user
• User Sending a Message on behalf of another user
• Detection of Users login to the Mailbox which is not their Primary Account
• Detection of Auto Redirected Mails
• Top 10 users sending mails internally
• SMTP gateway sudden spike in Incoming mails
• High number of rejected mails from single “from” address
Wireless/VPN
• Rogue Network Traffic Detected
• Top VPN Account Logged in from Multiple Remote Locations
• Top VPN Account Logged in From VPN and on Local Network
• Wireless unauthorized login attempts