Wednesday, July 8, 2020

Courses of Action Matrix


  • How to Defend With the Courses of Action Matrix and Indicator Lifecycle Management

The seven phases of the kill chain cover all of the stages of a single intrusion that — when completed successfully — lead to a compromise.
Each of these stages is also an opportunity for defenders to prevent a successful intrusion.
The weaponization phase, for example, can reveal document metadata or the characteristics of the tools used by the attackers. The delivery phase, in turn, can tell you which email infrastructure was used or which web infrastructure was set up to deliver a browser plugin exploit.

The information that results from analyzing these phases will include, among other things, IoCs. These indicators describe your adversaries by providing details about the infrastructure they use, fingerprints of their actions and the tactics, techniques and procedures (TTPs) used to attack their victims.


How to Apply the Courses of Action Matrix
The indicators extracted when you analyze the different phases of the Cyber Kill Chain should be put into action to increase your defenses. There are essentially two significant categories of action: passive and active.
This categorization of actions is described in another model from Lockheed Martin: the courses of action matrix. 

Passive actions:
Discover: These actions rely on a security information and event management (SIEM) system or stored network data. The goal is to determine whether you have seen a specific indicator in the past.
Detect: These actions are most often executed via an intrusion detection system (IDS) or a specific logging rule on your firewall or application. They can also be configured as an alert in a SIEM that fires when a specific condition is triggered.

It’s important to note that these actions are mutually exclusive, and only one can be applied at a time. 

Active actions:
Deny: Common examples include a firewall block or a proxy filter.
Disrupt: Examples include quarantining or memory protection measures.
Degrade: Degrading will not immediately fail an event, but it will slow down the further actions of the attacker. Throttling bandwidth is one way to degrade an intrusion.
Deceive: One way to do this is to put a honeypot in place and redirect the traffic, based on an indicator, towards the honeypot.
Destroy: The destroy action is rarely for “usual” defenders, as this is an offensive action against the attacker. These actions, including physical destructive actions and arresting the attackers, are usually left to law enforcement agencies.
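The two passive actions and the matrix itself are easiest to see in code. The following Python script is an added example and is not part of the original post or the Lockheed Martin paper: it takes a small set of constructed indicators (hypothetical values, not real IoCs), runs the "discover" step as a search over constructed historical log lines, runs the "detect" step as a rule evaluated against one new event, and then fills a phase-by-action matrix from an assumed mapping of indicator type to the control that would implement each active action.

```python
"""Worked example of the courses of action matrix (added illustration, constructed data)."""
import re
from typing import Dict, List

# Kill-chain phases and the seven courses of action from the matrix.
PHASES = ["reconnaissance", "weaponization", "delivery", "exploitation",
          "installation", "command_and_control", "actions_on_objectives"]
ACTIONS = ["discover", "detect", "deny", "disrupt", "degrade", "deceive", "destroy"]

# Which active courses of action an indicator type can drive, and the control
# that would implement each. Assumed mapping for illustration only.
CONTROLS = {
    "ip":     {"deny": "firewall block", "deceive": "redirect to honeypot"},
    "domain": {"deny": "proxy filter", "degrade": "throttle bandwidth"},
    "md5":    {"disrupt": "quarantine file"},
}

# Constructed indicators (hypothetical values, not real IoCs), each tagged with
# the kill-chain phase in which the analysis produced it.
INDICATORS = [
    {"value": "203.0.113.45", "type": "ip", "phase": "delivery"},
    {"value": "mail-update.example", "type": "domain", "phase": "delivery"},
    {"value": "0123456789abcdef0123456789abcdef", "type": "md5", "phase": "weaponization"},
]

# Constructed historical log lines standing in for stored SIEM / network data.
HISTORICAL_LOGS = [
    "2020-06-30T10:14:01Z proxy src=10.0.0.12 dst=mail-update.example status=200",
    "2020-07-01T08:02:44Z fw src=203.0.113.45 dst=10.0.0.12 action=allow",
    "2020-07-02T13:20:09Z proxy src=10.0.0.7 dst=cdn.example status=304",
]


def _tokens(line: str) -> List[str]:
    """Split a log line into comparable tokens so 203.0.113.4 does not match 203.0.113.45."""
    return re.split(r"[\s=,]+", line.strip())


def discover(indicators: List[dict], logs: List[str]) -> Dict[str, List[str]]:
    """Passive 'discover': search stored data to learn whether an indicator was ever seen.

    Returns indicator value -> the historical lines that contain it; indicators that
    were never seen are absent from the result.
    """
    hits: Dict[str, List[str]] = {}
    for ind in indicators:
        matches = [line for line in logs if ind["value"] in _tokens(line)]
        if matches:
            hits[ind["value"]] = matches
    return hits


def detect(indicators: List[dict], event: str) -> List[dict]:
    """Passive 'detect': evaluate one new event against the indicator set, as an IDS
    signature or SIEM alert rule would, and return one alert per matching indicator."""
    tokens = _tokens(event)
    return [
        {"indicator": ind["value"], "phase": ind["phase"], "event": event}
        for ind in indicators
        if ind["value"] in tokens
    ]


def build_matrix(indicators: List[dict]) -> Dict[str, Dict[str, List[str]]]:
    """Populate the courses of action matrix: one row per kill-chain phase, one cell per action.

    Every indicator can be discovered and detected; the active cells are filled from
    the CONTROLS mapping for the indicator's type.
    """
    matrix = {phase: {action: [] for action in ACTIONS} for phase in PHASES}
    for ind in indicators:
        row = matrix[ind["phase"]]
        row["discover"].append(f"search stored logs for {ind['value']}")
        row["detect"].append(f"alert rule on {ind['value']}")
        for action, control in CONTROLS.get(ind["type"], {}).items():
            row[action].append(f"{control} for {ind['value']}")
    return matrix


def render_matrix(matrix: Dict[str, Dict[str, List[str]]]) -> str:
    """Render the non-empty cells of the matrix as text, one block per phase."""
    lines = []
    for phase in PHASES:
        cells = [f"{a}: {'; '.join(matrix[phase][a])}" for a in ACTIONS if matrix[phase][a]]
        if cells:
            lines.append(f"{phase}\n  " + "\n  ".join(cells))
    return "\n".join(lines)


if __name__ == "__main__":
    print("discover:", discover(INDICATORS, HISTORICAL_LOGS))
    new_event = "2020-07-08T09:00:00Z fw src=203.0.113.45 dst=10.0.0.3 action=allow"
    print("detect:", detect(INDICATORS, new_event))
    print(render_matrix(build_matrix(INDICATORS)))
```

Matching is done on whole tokens rather than substrings so that a shorter IP or domain does not trigger on an indicator it merely prefixes; in a real SIEM the same distinction is what separates a tidy rule from a noisy one. The destroy column stays empty by design, reflecting the point above that this action is not one a typical defender takes.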

https://securityintelligence.com/how-to-defend-with-the-courses-of-action-matrix-and-indicator-lifecycle-management/