Enhancing Cybersecurity: How the SOC is Tackling Phishing, AiTM, and Business Email Compromise Attacks
In the ever-evolving landscape of cybersecurity, organizations face a myriad of threats, with phishing, Adversary-in-the-Middle (AiTM), and Business Email Compromise (BEC) attacks being among the most prevalent. The Security Operations Center (SOC) plays a crucial role in defending against these threats, and its Technical Advisor recently shared insights into the strategies being employed to enhance threat detection and response. This article delves into the methods the SOC is using to combat these attacks, focusing on composite scoring rules, the use of specific indicators, and the importance of client collaboration.
Composite Scoring Rule: A New Approach to Threat Prioritization
One of the most significant advancements in the SOC’s approach to threat management is the development of a composite scoring rule. This method involves creating multiple queries within an alert rule that pivot off known bad tactics, techniques, and procedures (TTPs). These TTPs are meticulously gathered from various threat intelligence sources, the Digital Forensics and Incident Response (DFIR) team, and the SOC’s own logs.
As the DFIR team encounters phishing, AiTM, and BEC cases, they provide the SOC with specific indicators of compromise (IoCs). These IoCs can include user agents, IP addresses, and other markers that signal malicious activity. By aggregating this information, the SOC can create a robust database of known bad TTPs, which serves as the foundation for their composite scoring system.
Once the SOC has a comprehensive grouping of these TTPs, the team assesses and rates the severity of alerts based on multiple indicators. This scoring system allows the SOC to prioritize events effectively. For instance, an alert scoring 20 may not warrant immediate action, while one scoring 50 could be classified as a priority 3 event, prompting analysts to address it promptly. Alerts with scores of 175 or higher are marked as priority 1, indicating an urgent need for intervention, as they likely signify a compromised account. This structured approach enables the SOC to address threats in order of importance, ensuring that clients remain protected against the most severe risks.
Identifying Attacker Activity with Axios
Another tactic employed by the SOC involves watching for Axios, an HTTP client library whose user-agent string frequently appears in AiTM campaigns. The Axios user agent can serve as a critical indicator of an ongoing attack, particularly when combined with specific behaviors exhibited by attackers. For example, the "Keep Me Signed In" (KMSI) feature is often abused by attackers to maintain persistent access to compromised accounts. When the SOC detects KMSI activity in a suspicious sign-in, it raises a red flag, indicating a potential threat.
Additionally, compromised session IDs are another valuable indicator of malicious AiTM activity. When the SOC sees KMSI set, or an existing session ID reappearing in requests carrying the Axios user agent, that observation is factored into the composite score, further refining the prioritization of threats. By leveraging these specific indicators, the SOC can hone in on attacker activity and respond more effectively.
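The following is an added illustration, not the SOC's own rule or code, of how the composite scoring described above and the Axios, KMSI and session-ID indicators from this section can be combined in one detection. The indicator weights, the known-bad IP list and the sample sign-in events are constructed for the example; only the priority bands (a score of 50 maps to priority 3, a score of 175 or higher to priority 1) come from the article, and no band for priority 2 is defined because the article does not describe one.

```python
"""Composite scoring over sign-in events: added example, not the SOC's rule.

Each event is checked against several indicators; the weights of every
distinct indicator that fires for a user are summed into one composite
score, which is then mapped to a priority band.
"""
from collections import defaultdict
from dataclasses import dataclass

# Indicator weights: assumed values for illustration, tuned per environment in practice.
WEIGHTS = {
    "known_bad_ip": 100,     # source IP supplied by DFIR or threat intel
    "axios_user_agent": 50,  # axios/* user agent, as seen in AiTM campaigns
    "kmsi": 40,              # "Keep Me Signed In" set on the sign-in
    "session_reuse": 75,     # an existing session ID reappearing from a new client
}

# Constructed list; 203.0.113.0/24 is a documentation range, not a real indicator.
KNOWN_BAD_IPS = {"203.0.113.10"}


@dataclass
class SignIn:
    user: str
    ip: str
    user_agent: str
    session_id: str
    kmsi: bool = False


def score_event(ev, first_seen):
    """Return the indicators that fire for one event.

    first_seen maps session_id -> (ip, user_agent) of the first sighting, so a
    session ID that reappears from a different client counts as reuse.
    """
    fired = []
    if ev.ip in KNOWN_BAD_IPS:
        fired.append("known_bad_ip")
    if ev.user_agent.lower().startswith("axios/"):
        fired.append("axios_user_agent")
    if ev.kmsi:
        fired.append("kmsi")
    origin = first_seen.get(ev.session_id)
    if origin is not None and origin != (ev.ip, ev.user_agent):
        fired.append("session_reuse")
    return fired


def priority(score):
    """Map a composite score to the bands named in the article (None = below threshold)."""
    if score >= 175:
        return 1
    if score >= 50:
        return 3
    return None


def score_events(events):
    """Aggregate indicators per user and return user -> (score, indicators, priority)."""
    first_seen = {}
    indicators = defaultdict(set)
    for ev in events:  # events are assumed to be in chronological order
        indicators[ev.user].update(score_event(ev, first_seen))
        first_seen.setdefault(ev.session_id, (ev.ip, ev.user_agent))
    results = {}
    for user, fired in indicators.items():
        score = sum(WEIGHTS[name] for name in fired)
        results[user] = (score, sorted(fired), priority(score))
    return results


# Constructed sample sign-ins (198.51.100.0/24 is also a documentation range).
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
SAMPLE_EVENTS = [
    SignIn("alice", "198.51.100.5", BROWSER_UA, "s-a1"),
    SignIn("bob", "198.51.100.7", BROWSER_UA, "s-b1"),
    # bob's session ID reappears from a known-bad IP, via Axios, with KMSI set
    SignIn("bob", "203.0.113.10", "axios/1.6.0", "s-b1", kmsi=True),
    SignIn("carol", "198.51.100.9", "axios/1.6.0", "s-c1"),
    SignIn("dave", "198.51.100.11", BROWSER_UA, "s-d1", kmsi=True),
]

if __name__ == "__main__":
    for user, (score, fired, prio) in score_events(SAMPLE_EVENTS).items():
        print(f"{user:6} score={score:<4} priority={prio} indicators={fired}")
```

Running the block shows bob reaching 265 (priority 1) because four indicators overlap on one account, carol landing exactly on the priority 3 threshold from the Axios user agent alone, and dave's KMSI-only sign-in staying below the actionable band; that separation is the point of summing weighted indicators rather than alerting on any single one.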
The Importance of Client Collaboration
While the SOC employs advanced techniques and tools to combat phishing, AiTM, and BEC attacks, collaboration with clients remains a cornerstone of effective cybersecurity. The SOC encourages clients to share critical information about their networks, including significant IP addresses, VIP lists, and any unique identifiers that can aid in threat detection. This collaborative approach not only enhances the SOC’s ability to protect clients but also fosters a proactive cybersecurity culture.
By understanding the unique aspects of a client’s network, the SOC can tailor its strategies to better defend against potential threats. This partnership is essential in an era where cyber threats are becoming increasingly sophisticated and targeted.
Conclusion
As cyber threats continue to evolve, the SOC’s proactive measures to address phishing, AiTM, and BEC attacks are crucial for maintaining robust cybersecurity. Through the implementation of composite scoring rules, the identification of specific indicators of compromise, and a strong emphasis on client collaboration, the SOC is well-equipped to prioritize and respond to threats effectively. By staying ahead of the curve and adapting to the changing landscape, the SOC not only protects its clients but also contributes to a safer digital environment for all.