True Positive? False Positive?
- In a Security Operations Center (SOC), a Security Information and Event Management (SIEM) system aggregates security events from various devices.
- Detection rules analyze these events, triggering alerts for potentially malicious activity. SOC analysts then investigate these alerts, classifying them as:
  - True Positives (actual malicious activity)
  - False Positives (triggered by an activity that is not actually malicious).
Distinguishing between True Positives (TPs) and False Positives (FPs) is critical in cybersecurity. Misclassifying a TP as an FP can result in missed attacks, while treating an FP as a TP wastes time and diverts attention from real threats. To ensure accuracy and effectiveness, follow these key guidelines.
TP vs FP
| Aspect | True Positive (TP) | False Positive (FP) |
|---|---|---|
| Definition | A security alert correctly identifies a real threat or attack. | A security alert incorrectly flags a benign event as a threat. |
| Impact | Helps in identifying and responding to actual threats. | Wastes resources and time investigating non-existent threats. |
| Consequence of Misclassification | Missed TPs can lead to undetected attacks. | Excessive FPs can cause alert fatigue and reduced efficiency. |
| Focus | Ensures the security team acts on real incidents. | May divert attention from real threats. |
| Goal in SIEM | Maximize TPs for effective threat detection. | Minimize FPs to avoid unnecessary distractions. |
SOC superpower
The SOC has a unique advantage: they can verify suspicious activities by directly confirming with users, a privilege attackers lack. SOC analysts can contact users via email or phone to confirm specific actions. In mature organizations, changes that trigger alerts often require approved Change Requests (CRs) through IT change management. The SOC team can request CR details to verify legitimate and approved activities.
While the SOC’s ability to confirm activities with users is a powerful tool, it’s not foolproof. Certain situations can undermine this advantage, including:
- Lack of a formal change request process.
- Activities performed outside the scope of an approved change request.
- Alerts triggered by actions like file transfers, uploads, or failed logins.
- Insider threats performing unauthorized activities.
- Users executing malicious actions under the influence of social engineering.
In such cases, SOC analysts must rely on their judgment, context analysis, and security expertise. Reviewing past user behavior and the prevalence of specific activities within departments can provide valuable insights. For instance, tools like Wireshark might be typical for the network team but unusual for HR or finance, warranting further investigation.
Correlation
- SOC analysts correlate multiple events to build a comprehensive timeline of activity. This involves linking various artifacts (IP addresses, usernames, file paths, etc.) to reconstruct the sequence of events.
- Hypotheses are formed and tested using this evidence. For example, a hypothesis about malware download from a spoofed site would be supported by proxy logs and suspicious file downloads.
- Further analysis, such as examining the parent process of malware execution, helps determine whether execution was intentional or due to a vulnerability (e.g., Windows Explorer suggests intentional execution, while a web browser suggests a vulnerability exploit). This process enables informed decision-making and effective threat response.
LAB
“According to the alert sent by the Mayor’s office, the activity occurred on Dec 1st, 2024, between 0900 and 0930. We can set this as our time window by clicking the timeframe settings in the upper-right corner. Note that we need to click the Absolute tab and set the exact timeframe we want to view. Lastly, click the Update button to apply the changes.”
So go to the Discover section and set the date and time to the relevant time window.
“Since we are looking for events related to PowerShell, we would like to know the following details about the logs.
- The hostname where the command was run. We can use the `host.hostname` field as a column for that.
- The user who performed the activity. We can add the `user.name` field as a column for this information.
- We will add the `event.category` field to ensure we are looking at the correct event category.
- To know the actual commands run using PowerShell, we can add the `process.command_line` field.
- Finally, to know if the activity succeeded, we will add the `event.outcome` field.
Once we have added these fields as columns, we will see the results in a format like this.”
It seems that the same encoded PowerShell command was executed across multiple machines. Notably, each execution of the PowerShell command was preceded by a successful authentication event.
Our suspicions are rising. It seems that someone tried a brute-force attack on December 1st, as shown by the same filters applied above.
“The results also showed that they succeeded with the brute-force attempt because of the successful authentication attempt and quickly ran some PowerShell commands on the affected machines. Once the PowerShell commands were run, we didn’t see any further login attempts. This looks like a TP, and there needs to be an escalation so that McSkidy can help us respond to this incident.”
Since we haven’t yet looked at the Base64-encoded string in the PowerShell command, let’s decode it now:
encoded base64: SQBuAHMAdABhAGwAbAAtAFcAaQBuAGQAbwB3AHMAVQBwAGQAYQB0AGUAIAAtAEEAYwBjAGUAcAB0AEEAbABsACAALQBBAHUAdABvAFIAZQBiAG8AbwB0AA==
Decoded : Install-WindowsUpdate -AcceptAll -AutoReboot
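The correlation described above (failed logons, a successful logon, then PowerShell on the same host) and the decoding of the `-EncodedCommand` argument, as an added Python example that is not part of the room or this write-up. The events, hosts, user names and timestamps are constructed; only the Base64 string is the one quoted on this page. The point worth remembering is that PowerShell expects Base64 of UTF-16LE text, so the payload must be decoded with that codec rather than plain ASCII/UTF-8.

```python
import base64
import re
from collections import Counter
from datetime import datetime

# Constructed sample events using the ECS fields added as columns in the lab.
# Hosts, users and timestamps are invented; the Base64 string is the one on this page.
ENCODED = ("SQBuAHMAdABhAGwAbAAtAFcAaQBuAGQAbwB3AHMAVQBwAGQAYQB0AGUAIAAtAEEAYwBjAGUAcAB0"
           "AEEAbABsACAALQBBAHUAdABvAFIAZQBiAG8AbwB0AA==")

def ev(ts, host, user, category, outcome, cmd=None):
    return {"ts": ts, "host.hostname": host, "user.name": user,
            "event.category": category, "event.outcome": outcome, "process.command_line": cmd}

EVENTS = [
    ev("2024-12-01T08:54:10Z", "SRV-01", "svc_demo", "authentication", "failure"),
    ev("2024-12-01T08:54:11Z", "SRV-01", "svc_demo", "authentication", "failure"),
    ev("2024-12-01T08:54:12Z", "SRV-01", "svc_demo", "authentication", "success"),
    ev("2024-12-01T08:54:40Z", "SRV-01", "svc_demo", "process", "success",
       f"powershell.exe -EncodedCommand {ENCODED}"),
    ev("2024-12-01T09:10:00Z", "WKS-07", "alice", "process", "success",
       "powershell.exe -NoProfile Get-Process"),  # no preceding logon: not correlated
]

# -EncodedCommand and its common abbreviations (-e, -ec, -enc), case-insensitive
ENC_FLAG = re.compile(r"-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]+)", re.I)

def decode_encoded_command(command_line):
    """Plaintext of a PowerShell -EncodedCommand argument, or None if absent.
    PowerShell expects Base64 of UTF-16LE text, hence the utf-16-le codec."""
    m = ENC_FLAG.search(command_line or "")
    return base64.b64decode(m.group(1)).decode("utf-16-le") if m else None

def failed_logons(events):
    """Failed authentication count per account: the brute-force signal in the lab."""
    return Counter(e["user.name"] for e in events
                   if e["event.category"] == "authentication" and e["event.outcome"] == "failure")

def powershell_after_logon(events, window_s=300):
    """Correlate PowerShell executions with a successful logon by the same user on the
    same host within window_s seconds. Returns (host, user, decoded-or-raw command)."""
    ts = lambda e: datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    logons = [e for e in events
              if e["event.category"] == "authentication" and e["event.outcome"] == "success"]
    hits = []
    for e in events:
        cmd = e["process.command_line"] or ""
        if "powershell" not in cmd.lower():
            continue
        if any(l["host.hostname"] == e["host.hostname"] and l["user.name"] == e["user.name"]
               and 0 <= (ts(e) - ts(l)).total_seconds() <= window_s for l in logons):
            hits.append((e["host.hostname"], e["user.name"], decode_encoded_command(cmd) or cmd))
    return hits
```

Against the constructed events the correlation yields a single hit on SRV-01 with the decoded `Install-WindowsUpdate` command, while the unrelated PowerShell run on WKS-07 is left out because no matching logon precedes it.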
For the rest, just follow the given steps for the machine.
Questions
- What is the name of the account causing all the failed login attempts? Answer: service_admin
- How many failed logon attempts were observed? Answer: 6791
- What is the IP address of Glitch? Answer: 10.0.255.1
- When did Glitch successfully logon to ADM-01? Answer: Dec 1, 2024 08:54:39.000
- What is the decoded command executed by Glitch to fix the systems of Wareville? Answer: Install-WindowsUpdate -AcceptAll -AutoReboot