Knowing Your Battle Space - Part 5

Part 4 - Review

In part 4 we went into leveraging MITRE ATT&CK and scoring with attacks:

  • Overlaying the Kill Chain
  • Internal Kill Chain vs External Kill Chain
  • Attack Profiling

In the final post of this series we wanted to explore two extensions in DarkFalcon that have really helped leadership with planning. Our goal is to make it easier to prioritize and fund controls given the limitations we all face. The extensions we are covering are:

  • Proof of Concept Modeling - the ability to model control changes and view change in security posture
  • Tomorrow Modeling - the ability to look for under-utilized controls and unaddressed tactics for business planning

As always, this code can be found at our GitHub: https://github.com/security-storm/DarkFalcon

Proof of Concept Modeling

DarkFalcon Proof of Concept Modeling Menu

This is pretty cool because it makes a copy of your scoring and then allows you to make changes to evaluate the potential impact on your threat posture. This came out of a need to quickly illustrate what would happen if we looked at a new vendor solution or made a change to an existing control. How does it help us, and how much?

First click the darkfalcon_poc_reset link, select Yes, then Submit. This sets up the copy of your latest tactic scoring entries, all done in the background with Splunk searches.

Now you can go to the darkfalcon_tactic_scoring_poc dashboard and change the scores to reflect what you believe would change. This is exactly the same as manually scoring tactics as we covered in Part 2. What's great is that rather than having to score all tactics, you only need to adjust the tactics you believe are impacted.

DarkFalcon POC Reset

After making the scoring changes you can go to darkfalcon_security_posture_poc and view the changes between your current state and the new model. This helps give objective feedback, either in a vendor proof of concept or in planning with leadership.

When you are done, just hit the reset link again to undo all of the changes.

DarkFalcon POC Security Posture

Tomorrow Modeling

DarkFalcon Tomorrow Model Concept

So this may be a bit out there, but it started very organically in our room. We had a few questions and wondered whether we could answer them, and whether they were interconnected:

  • Are there controls that we have that are not being used against tactics?
  • How many tactics do not have any associated controls?
  • How would tomorrow look different if we removed 2 controls and put a different one in?

As we talked we came up with a Venn Diagram to help illustrate what we are talking about and we called it the Tomorrow Model.

From this we also named some gaps that we thought we should keep an eye on. But wouldn't it be great if DarkFalcon could just list what falls in each gap? Now it can.

Just like the Proof of Concept Modeling, we go to darkfalcon_tomorrow_reset, select Yes, then click Submit. This copies the tactic-to-control links you already have to a new area.

Now you can go to darkfalcon_tactic_control_link_tomorrow and adjust the controls. This is done exactly as covered in Part 2, so it should feel familiar, and again, because it is a copy, you only have to change the specific entries, not all of them.

Once you finish making changes you can go to darkfalcon_tomorrow_model. This shows the diagram again for context, along with the count that falls in each category. The counts are clickable and take you to a detailed list of what makes up each one, so you can quickly analyze them.
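To make the copy-adjust-compare idea behind both the Proof of Concept model and the Tomorrow Model concrete, here is a small added example written for this post. It is not DarkFalcon's own code (DarkFalcon does this with Splunk searches and dashboards), and the tactic scores, control names and tactic-to-control links are constructed sample data.

```python
from copy import deepcopy

# Constructed baseline tactic scores (the kind of manual scoring from Part 2)
BASELINE_SCORES = {"Initial Access": 3, "Execution": 2, "Persistence": 1, "Exfiltration": 0}
# Constructed tactic-to-control links
BASELINE_LINKS = {
    "Initial Access": {"email-gateway", "mfa"},
    "Execution": {"edr"},
    "Persistence": set(),
    "Exfiltration": set(),
}
# Constructed control inventory; some controls are linked to no tactic
CONTROLS = {"email-gateway", "mfa", "edr", "legacy-ids", "dlp"}


def poc_posture(baseline, overrides):
    """Proof of Concept modeling: copy the baseline scores, change only the
    tactics you believe are impacted, and return (copy, per-tactic delta, total)."""
    poc = deepcopy(baseline)          # the baseline itself is left untouched
    poc.update(overrides)
    deltas = {tactic: poc[tactic] - baseline[tactic] for tactic in baseline}
    return poc, deltas, sum(deltas.values())


def tomorrow_model(controls, links):
    """Tomorrow Model gaps: controls not used against any tactic, and tactics
    with no associated control (sorted so the output is stable)."""
    used = set().union(*links.values())
    return {
        "unused_controls": sorted(controls - used),
        "uncovered_tactics": sorted(t for t, linked in links.items() if not linked),
    }


def tomorrow_change(controls, links, remove, add):
    """Model 'remove these controls, add these' on a copy of the links and
    return (today's gaps, tomorrow's gaps); add maps tactic -> new controls."""
    new_links = {t: (linked - set(remove)) | set(add.get(t, ())) for t, linked in links.items()}
    new_controls = (controls - set(remove)) | set().union(*add.values())
    return tomorrow_model(controls, links), tomorrow_model(new_controls, new_links)


if __name__ == "__main__":
    print(poc_posture(BASELINE_SCORES, {"Persistence": 3, "Exfiltration": 2}))
    print(tomorrow_change(CONTROLS, BASELINE_LINKS,
                          remove={"legacy-ids", "dlp"}, add={"Exfiltration": {"casb"}}))
```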

DarkFalcon Tomorrow Model in Splunk

Conclusion

It has been so much fun working on this effort with our team, and we hope others find it useful. It would not have been possible without the inspiration and foundational pieces from others in the community, and we are humbled to be able to give back.

Keep fighting the good fight and protecting those around you.
