ParaFlare UNSW Detection and Response 2023


OFFICIAL//COMMERCIAL IN CONFIDENCE

UNSW
CYBERSECURITY
LECTURE
DETECTION AND RESPONSE

01
WHO IS PARAFLARE?

PARAFLARE // UNSW - DETECTION AND RESPONSE LECTURE 2



A STRONG NATIONAL SECURITY BACKGROUND


THE NATIONAL SECURITY HERITAGE OF PARAFLARE AND ITS PEOPLE IS IN CYBER OPERATIONS.

PARAFLARE HAS OVER 70 STAFF ACROSS AUSTRALIA AND IS CONTINUING TO GROW.
The majority of the team have deep expertise in national security and all the Operations Team hold active security clearances.

THIS STRONG NATIONAL SECURITY CULTURE AND COMMITMENT…
…has been extended to protect Australian businesses and organisations from constantly evolving threats and contribute to our national cyber resilience.

PARAFLARE’S SECURITY OPERATIONS CENTRE HAS BEEN ACCREDITED BY THE DEPARTMENT OF DEFENCE TO A ZONE 3 STANDARD.
This allows for the handling of classified information, along with the ISO 27001 accreditation which is audited annually by BSI Group.

PARAFLARE IS AN AUSTRALIAN EYES ONLY 24/7 OPERATION, enabling operators to provide constant support to customers in the Critical Infrastructure, FSI and Government sectors.

THE TEAM, THE OPERATIONS, THE SYSTEMS, AND THE TECHNOLOGY STACK ARE SOVEREIGN TO AUSTRALIA, HOWEVER, PARAFLARE CAN SERVICE THE GLOBAL MARKET.
Client data and telemetry stays within the customer’s legislative regions, backed by globally cyber-assured Microsoft infrastructure.


DEEP EXPERIENCE IN CYBER SECURITY


TEAM / BACKGROUND / RELEVANT SKILLS / QUALIFICATIONS & EXPERTISE

Customer Experience Team
  Background: Department of Defence; Australian Federal Police; DXC, Dell, HP; Special Operations
  Relevant skills: Chief Technology Officer ParaFlare; MDR Associate Consultant; Information Warfare and Offensive Cyber Operations; 15+ years cyber experience per individual
  Qualifications & expertise: SANS 508 Windows Forensics Analyst; SANS FOR 508 Advanced Incident Response, Threat Hunting and Digital Forensics; Defence SOC Operations Specialists

Engineering Team
  Background: Department of Defence; Department of Foreign Affairs and Trade; Department of Prime Minister and Cabinet; The United Nations; Global Banking
  Relevant skills: Master of Cyber Security (UNSW); CCIE / CCNP / NSE7; Microsoft Defender ATP Experts; Microsoft Azure Sentinel Engineers; Governance, Risk and Compliance
  Qualifications & expertise: SC-200: Microsoft Security Operations Analyst; MS-500: Microsoft 365 Security Administration; AZ-500: Microsoft Azure Security Technologies; Splunk Architect; Splunk Advanced System Administrator

Operations Team
  Background: Department of Defence; Verizon; Australian Signals Directorate; Lockheed Martin
  Relevant skills: Offensive Security Certified Professional (OSCP); SANS 610 Advanced Incident Response and Threat Hunting; Microsoft Azure Sentinel Operators; Splunk Administrators
  Qualifications & expertise: MS-500: Microsoft 365 Security Administration; AZ-500: Microsoft Azure Security Technologies; SANS FOR 578 Cyber Threat Intelligence; SANS 410 Reverse Engineering Malware

Consulting Team
  Background: Mandiant Fire-eye; Dell Secure Works; ANZ Bank, NBN Co
  Relevant skills: Global Incident Response; DFIR Experts; 15+ years cyber experience per individual
  Qualifications & expertise: SANS GXPM 660 Advanced Penetration Testing; SANS FOR 610 Reverse-Engineering Malware: Malware Analysis Tools and Techniques

Solutions and Delivery Team
  Background: Federal Government; State Government; Police and Counter Terrorism; Ernst & Young; KPMG; ASX Top 200
  Relevant skills: Security Strategy and Governance; Security Project Management; Risk and Compliance; ISO, NIST, ASD8, E8, ZTA; Strategic Detection and Response; 10+ years cyber experience per individual
  Qualifications & expertise: Master of Cyber Security (UNSW); OpenFAIR; ISO27001 Lead Auditor; ICS210 for US Gov; CISM; CIH

02
WHAT DOES PARAFLARE DO?


CYBER DEFENCE

Only passive and active cyber defence together provide a complete cyber security solution for your business and your reputation.

[Diagram: Cybersecurity = Security Posture + Self Defence + Passive Defence + Active Defence]

SELF DEFENCE
The responsibility of all to protect their systems, passwords and data. It’s about an organisation's attitude, approach and culture to security.

PASSIVE DEFENCE
Includes implementation of tools and processes to harden networks, including firewalls, antivirus software etc, with limited human interaction.

ACTIVE DEFENCE
Highly specialised people, actively detecting, containing and eradicating cyber threats within your systems.


ACTIVE CYBER DEFENCE CAPABILITY

[Diagram: ParaFlare Active Defence versus a First Generation or Legacy MSSP Solution, layered on Security Posture]

Modern Cyber Operations:
• Platform Based Visibility
• Threat Centric Detection Engineering
• Proactive Threat Hunting
• Organic DFIR Teams
• Adversary Threat Modelling
• Advanced Deception Capabilities
• Native Adversary Simulation
+ Attending Bridges on Incidents

Customer and market expectations are misaligned as to what constitutes ‘true’ Active Cyber Defence. ParaFlare provides Second Generation cyber defence, with highly specialised people, actively detecting, containing and eradicating cyber threats within your systems.

We only focus on active defence to ensure our clients have the rich layers underneath the surface to hunt and detect advanced and persistent threats.


WORLD-CLASS CYBER CAPABILITIES

24 x 7 x 365 DEFENSIVE CYBER SECURITY OPERATIONS SERVICES
Client systems are monitored by industry leading software and an experienced cyber operations team. If a valid threat is detected, ParaFlare responds by immediately eliminating it.
This service covers Information Technology and Operational Technology environments using Extended Detection and Response (XDR), Endpoint Detection and Response (EDR) and Security Information Event Management (SIEM) technology.

THREAT HUNTING
This is the proactive search for cyber threats and adversaries that remain undetected in a network despite the tooling or detections in place. ParaFlare conducts frequent threat hunting exercises to challenge the assumption that the implemented detection strategies are suitable for the ever-changing cyber threat landscape.
Threat hunts are conducted according to industry standards, by humans, and are not merely automated tools.

THREAT INTELLIGENCE
ParaFlare believes that good threat intelligence is curated, targeted, actionable, and transparent to our customers. ParaFlare shifts the focus from tactical threat intelligence (which is abundant in modern and native tooling) to strategic threat intelligence based on finished reports, data from dark web forums, blogs, technical data, and vulnerabilities, into a single, finished intelligence experience that drives outcomes.
Our threat intelligence service is focused on taking curated threat intelligence from our Digital Forensics and Incident Response team, Flashpoint and our working partner – The Australian Cyber Security Centre – and applying this intelligence (threat actors, tactics, techniques and procedures and indicators of compromise) to our customers’ environment through threat hunting.

ADVANCED SIEM SERVICES
When you engage the Advanced SIEM Blade, ParaFlare goes beyond the SIEM implementation phase and applies a continuous use case development methodology to your business.
The SIEM gives full coverage of a client’s environment for log sources outside the endpoint. This creates a more tailored and relevant detection, response and containment capability which adapts to your ever-changing ICT landscape.


WORLD-CLASS CYBER CAPABILITIES

DECEPTION CAPABILITIES
The aim of the Deception capabilities is to detect, deceive, expose and understand adversary behaviour. This goes beyond traditional detection methods, providing insights into the source of threats for higher fidelity detections and focused response.

ADVERSARY SIMULATION
This simulates real world, non-timebound adversary behaviours, providing the ability to mimic likely technical, physical and social attacks, demonstrating compromise and impact, all of which is fully integrated into the ParaFlare MDR service.

DIGITAL FORENSICS INCIDENT RESPONSE (DFIR)
Professional services include Tabletop exercises, Threat Modelling workshops, Compromise assessments and Incident response capabilities. Each member of the team has over twenty years’ experience.
ParaFlare’s experts have global incident response capability, having previously worked at organisations such as Mandiant, DXC and Verizon. The rapidly growing team has consultants based in Sydney, Perth & Brisbane. Combined with Cyber Operations staff located in Sydney, Canberra, Brisbane, Perth, and the UK, ParaFlare provides world class consulting services.

CUSTOMISED SECURITY ORCHESTRATION, AUTOMATION AND RESPONSE (SOAR)
ParaFlare’s SOAR capability enables a more consistent, efficient, quality and measurable service for both operations staff and customers alike.
ParaFlare utilises a SOAR to automate actions that speed our response and lower the risk of missing or making an incorrect determination of an alert.


WORLD-CLASS CYBER CAPABILITIES

REMEDIATION SERVICES
ParaFlare’s remediation services are designed to help customers get back on their feet after experiencing a breach or major incident. As part of our full-circle suite of security services we engage our cross functional teams to assist our clients with a prioritised approach to restoration. Our services to assist customers with a return to business-as-usual include:
• Remediation activities with respect to implementing recommendations received as part of an Incident Response Report.
• System recovery, re-build, data restoration and re-architecture to assist with a prioritised return to business as usual, and
• Wider managed detection and response in place to ensure ongoing monitoring of systems and networks for a designated period of time after the restoration.

SECURITY ENGINEERING AND ARCHITECTURE
ParaFlare’s Security Engineering and Architecture team have a wealth of experience in assisting customers right of bang. With respect to Incident Response and Post Incident Response our services can assist the team with the following:
• Architecture Advisory on demand – including security architecture.
• Field engineering services to implement specific protective / detective measures, and
• Professional services with respect to our core technology stack that includes Microsoft, Wintel (Active Directory, Systems Centre etc.), VMware ESXi / vSphere, Carbon Black EDR / Cloud / Application Control, Azure, M365, Fortinet, and Cisco.

03
DEEP-DIVE
DETECTION AND RESPONSE



THE GENESIS FOR SECURITY CONTINUOUS MONITORING

CENTRALISED LOGGING

• Centralised logging is the process of collecting logs from networks, infrastructure, and applications into a single location for storage and analysis.
• Logging and monitoring has existed for a long time, initially for fault detection and troubleshooting purposes (i.e., up / down, consumption, errors).
• Central log platforms such as SolarWinds, Logstash, SumoLogic, Prometheus and Zabbix collected logs from all around the environment in a single place.
• Security threats became a focus for organisations, and security event logging soon followed.
• The alerts became more sophisticated, prompting a need to monitor and aggregate them in one place.
• A core focus of teams was to push as many logs as possible into the centralised logging platform.

[Figure: Centralised Logging with Azure Monitor]



SIEM
• Over time Security professionals realised that Collection is not Detection, and a separate place was needed to aggregate and correlate meaningful logs.
• SIEM – SECURITY INCIDENT AND EVENT MANAGEMENT – technology that collects event log data from a range of sources, identifies activity across the environment that deviates from the norm with real-time analysis, and takes appropriate action.
• A SIEM tool has three core functions:
  • Log Management: Gather vast amounts of data in one place, organize it, and then determine if it shows signs of a threat, attack, or breach.
  • Event Correlation: Data is then sorted to identify relationships and patterns to quickly detect and respond to potential threats.
  • Incident Monitoring and Response: Monitors security incidents across an organization’s network and provides alerts and audits of all activity related to an incident.

[Figure: Overview of security event logs for VPN connections in ELK]

So what does a SIEM look like?



SOC AND MDR
• IT and Security resources + Technology were traditionally managed internally.
• Security is expensive, so organisations look outside for assistance.
• Additionally, the Security skills gap and capability shortage meant organisations needed to co-source to achieve detection and response outcomes.
• Organisations turned to Managed Security Operations Centres (MSOCs) - Third party security professional teams that monitor an organisation’s environment to detect security events in real time.
• Traditional SOC focused on maximum telemetry and often provided black-box detection capabilities with little response capability.
• Managed Detection and Response extends SOC by proactively responding to adversaries in a customer’s network through rapid containment.
• The argument is that outsourced providers can provide better detection outcomes due to the 24x7x365 nature of the threat landscape, in addition to the virtue of managing many environments.

[Figure: SOC Responsibilities – RTHM Junior Security Analyst Course]



KEY TECHNOLOGIES
SIEM – Security Incident and Event Monitoring
A SIEM provides a central view of threats, real-time threat identification, advanced threat intelligence and the ability to respond to these threats.

EDR – Endpoint Detection and Response
Records and stores system-level behaviours in endpoints, uses various data analytics techniques to detect suspicious system behaviour, provides contextual information, blocks malicious activity, and provides remediation suggestions to restore affected systems.

NDR – Network Detection and Response
A SIEM provides a central view of threats, real-time threat identification, advanced threat intelligence and the ability to respond to these threats.

Operational Technology Visibility Tools
A SIEM provides a central view of threats, real-time threat identification, advanced threat intelligence and the ability to respond to these threats.

+ Alert Management and Automation / Orchestration tools….



SIEM AND E/XDR CONVERGENCE
• Technology vendors have a history of disrupting one another by improving and widening the functionality of their tooling and often growing into adjacent technology sectors.
• As fast as the SIEM grew in capability, so did the sophistication of attackers, which demanded more advanced methods of detection.
• One facet of adversary attacks that grew at an alarming pace was subversion of the humble operating system - particularly Windows and Linux.
• Extended Detection and Response (XDR) was born out of the need to provide additional visibility of these operating systems given they presented such a significant ‘attack surface’ in any environment.
• Attack surface is the area of opportunity within a technology environment in which an attacker can take advantage.
• If you consider the thousands of users operating on a personal computer with a 500GB operating system in their device, it’s not hard to calculate that there is a significant amount of code there that needs protecting.

[Figure: TechRepublic – SIEM vs XDR]



UNDERSTANDING DETECTION

WHAT DO THE FRAMEWORKS SAY? - NIST
• The NIST CSF controls on Detection can be found here.
• NIST detection outcomes include:
  • Anomalous activity is detected in a timely manner and the potential impact of events is understood.
  • The information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures.
  • Detection processes and procedures are maintained and tested to ensure awareness of anomalous events.
• Using these controls and the informative references we can understand the intent of the controls and begin to measure our organisation’s detection capability.



WHAT DO THE FRAMEWORKS SAY? – MITRE ATT&CK
• MITRE ATT&CK - knowledge base of adversary tactics and techniques based on real-world observations. These techniques are indexed and break down into detail the exact steps and methods that hackers use across the attack chain.
• MITRE D3FEND - Catalog of defensive cybersecurity techniques and their relationships to offensive/adversary techniques.
• The basic idea behind D3FEND is that the framework will provide defensive techniques that security professionals can apply to counter the practices detailed in the ATT&CK matrix.
• Ultimately, D3FEND techniques can be linked back to an organisation’s Threat and Risk landscape to determine if an organisation has detection techniques aligned to the TTPs of threat actors potentially targeting them.



WHAT DO THE FRAMEWORKS SAY? – MITRE D3FEND
• If we review the top ATT&CK techniques for healthcare from the Red Canary Threat Detection Report here we can see that credential dumping is a technique used by many adversaries.
• Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
• Using the ATT&CK Emulator here we can find corresponding D3FEND techniques to detect credential dumping.
• Through the D3FEND inferred relationships we can see that Administrative Network Activity Analysis and Credential Compromise Scope Analysis are two detection techniques we can use to detect adversaries attempting credential dumping.



WHAT DO THE FRAMEWORKS SAY? MITRE / NIST
• MITRE has worked to map D3FEND Techniques back to NIST CSF controls. These can be reviewed here.
• Using the control label for the relevant D3FEND technique we can review the related NIST controls. The D3FEND control labels will point us to further informative references such as NIST supplementary guidance. We can then review this guidance to understand what the NIST guidelines say in detail about the higher level control.
• Ultimately, this would allow security professionals to look deeper into an organisation’s detection and response capability to make an assessment of maturity based on the detection techniques present in its environment.



WHAT DO THE FRAMEWORKS SAY? – DATA SOURCES
• In the same way, in order to detect these particular techniques we need to ensure we have the data sources ingested into our tools (SIEM / EDR).
• A list of common data sources has been put together by MITRE here.
• Similar to before, when we review the MITRE ATT&CK overview for Credential Dumping we can simply scroll to the detections section and view the mapped data sources. Therefore, looking at our threat and risk environment gives us an indicator of what we should be logging and monitoring.
• As previously stated it is essential to balance log sources with detection outcomes to avoid cost and analyst noise – for this reason we need to consider log source quality, visibility coverage and detection coverage when making decisions around what goes in our SIEM.
• DeTT&CT is one version of an open-source tool security teams can use to assess their Detections Capability.



PEOPLE
Adversary Simulation
Adversary Simulation extends on purple teaming by providing a systematic and pragmatic way to emulate real adversaries targeting organisations. It is a threat intelligence informed exercise that aims to identify mitigations and detections to prevent and detect adversaries.

Purple Teaming Exercises
The Purple team is the intersection of both Blue / Red team activities. In planning for purple teaming, individuals will create attack hypotheses with respect to the environment. The red team will attempt to execute on these hypotheses while the blue team attempts to defend against them.

Blue Team
• The group responsible for defending an enterprise's use of information systems by maintaining its security posture against attackers.
• The Blue Team and its supporters must defend against real or simulated attacks.

White Team
• The group responsible for refereeing an engagement between a Red Team of mock attackers and a Blue Team of actual defenders of their enterprise’s use of information systems.
• Helps to establish the rules of engagement, the metrics for assessing results and the procedures for providing operational security for the engagement.

Red Team
• A group of people authorised and organised to emulate a potential adversary’s attack or exploitation capabilities against an enterprise’s security posture.
• The Red Team’s objective is to improve enterprise cybersecurity by demonstrating the impacts of successful attacks and by demonstrating what works for the defenders in an operational environment.



PEOPLE – BLUE TEAM DEFENDERS
• Tier 1 is the primary front line of defence and focuses on high-speed remediation over a large volume of incidents. Tier 1 analysts respond to a very specific set of alert sources and follow prescriptive instructions to investigate, remediate, and document the incidents. The rule of thumb for alerts that Tier 1 handles is that they can typically be remediated within seconds to minutes, and the response is so consistent that it can be documented step by step. The incidents will be escalated to Tier 2 if the incident isn’t covered by a documented Tier 1 procedure, or it requires involved/advanced remediation.
• Tier 2 is focused on incidents that require deeper analysis and remediation. Many Tier 2 incidents have been escalated from Tier 1 analysts, but Tier 2 also directly monitors alerts for sensitive assets and known attacker campaigns. These incidents are usually more complex and require an approach that is still structured, but much more flexible than Tier 1 procedures.
• Tier 3 is focused primarily on advanced hunting and sophisticated analysis to identify anomalies that may indicate advanced adversaries. Most incidents are remediated at Tiers 1 and 2 (96 percent) and only unprecedented findings or deviations from norms are escalated to Tier 3 teams. Tier 3 team members have a high degree of freedom to bring their different skills, backgrounds, and approaches to the goal of ferreting out red team/hidden adversaries.

[Figure: Tier 3 SOC Model]



PROCESS
An effective operating model for Managed Detection and Response includes:
• Ingestion of appropriate telemetry into security technologies to enhance the visibility into potential threats.
• Integration of capabilities including threat intelligence / hunting, Automation and Orchestration, Detections Engineering, AI/ML, and Digital Forensics / Incident Response.
• Overlaid and underpinned by specialised resources executing on repeatable processes to identify threats early and contain / eradicate threats swiftly in order to minimise disruption.

[Figure: Microsoft Security Operations Model]



WHAT DO I PUT IN MY SIEM?
• There is a delicate balance to getting the right logs into your SIEM to achieve Detection and Response outcomes – too many logs and your costs go up, but you also create a lot of noise for analysts (low fidelity alerts and high false positive rates).
• Absence of the correct logs could mean missing an anomalous event or more time spent triaging a true-positive alert.
• The rule of thumb is, if I can write a valuable detection on it, it can go in the SIEM.
• Threat and Risk Management is a good start to understand what should go in the SIEM. Review the Threat Actors in your industry, understand the tactics, techniques and procedures (TTPs) they are using. For each TTP, ensure you have coverage across your log sources to detect anomalies.

[Figure: Microsoft Guidance on SIEM]

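The TTP-coverage rule of thumb above and the earlier data-sources slide (mapped ATT&CK data sources, log source quality, visibility coverage) come down to one repeatable check: for every technique in the threat model, is each data component its detections need actually ingested, and at usable quality? The Python below is an added example of that check, not ParaFlare's tooling or DeTT&CT itself; the technique-to-data-component mapping and the ingestion inventory are constructed and simplified for illustration (the authoritative mapping is the Detection section of each technique's ATT&CK page).

```python
"""Technique-to-data-source coverage check (added example, not ParaFlare's tooling).

Takes the techniques from a threat and risk review, looks up the ATT&CK data
components their detections need, and compares that with what the SIEM/EDR
actually ingests, weighting by a crude quality score so "present but unusable"
sources are not counted as coverage.
"""
from dataclasses import dataclass, field

# Constructed, simplified subset of detection data components per technique.
# T1003 (OS Credential Dumping) and T1059 (Command and Scripting Interpreter)
# are the techniques the lecture walks through; T1021 (Remote Services) is
# added as a lateral-movement example. Component lists are illustrative only.
TECHNIQUE_DATA_SOURCES = {
    "T1003": {"name": "OS Credential Dumping",
              "sources": {"Process: OS API Execution", "Process: Process Access",
                          "Command: Command Execution", "File: File Access"}},
    "T1059": {"name": "Command and Scripting Interpreter",
              "sources": {"Process: Process Creation", "Command: Command Execution",
                          "Script: Script Execution", "Module: Module Load"}},
    "T1021": {"name": "Remote Services",
              "sources": {"Logon Session: Logon Session Creation",
                          "Network Traffic: Network Connection Creation"}},
}

# Constructed inventory of what is ingested, with a 0.0-1.0 quality rating
# (1.0 = complete, parsed, timely). Absent components are treated as 0.0.
INGESTED_SOURCES = {
    "Process: Process Creation": 1.0,   # EDR / Sysmon process telemetry
    "Command: Command Execution": 0.4,  # command lines captured but often truncated
    "Process: Process Access": 0.9,     # EDR cross-process access events
    "Script: Script Execution": 0.0,    # script block logging not enabled
    "Logon Session: Logon Session Creation": 1.0,
}

@dataclass
class CoverageResult:
    technique: str
    name: str
    required: int
    covered: list = field(default_factory=list)
    missing: list = field(default_factory=list)
    score: float = 0.0   # mean quality over required components

def assess_coverage(techniques, ingested=INGESTED_SOURCES, min_quality=0.5):
    """For each technique, split its required data components into covered
    (quality >= min_quality) and missing, and compute a mean-quality score."""
    results = []
    for tid in techniques:
        entry = TECHNIQUE_DATA_SOURCES.get(tid)
        if entry is None:
            raise KeyError(f"no data-source mapping for {tid}")
        required = sorted(entry["sources"])
        res = CoverageResult(tid, entry["name"], len(required))
        total = 0.0
        for src in required:
            quality = ingested.get(src, 0.0)
            total += quality
            (res.covered if quality >= min_quality else res.missing).append(src)
        res.score = total / len(required)
        results.append(res)
    return results

def prioritise_gaps(results):
    """Rank missing data components by how many threat-model techniques they
    would unblock, so the highest-leverage ingestion gap is fixed first."""
    counts = {}
    for res in results:
        for src in res.missing:
            counts[src] = counts.get(src, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    threat_model = ["T1003", "T1059", "T1021"]   # output of the threat and risk review
    results = assess_coverage(threat_model)
    for res in results:
        print(f"{res.technique} {res.name}: {res.score:.0%} "
              f"({len(res.covered)}/{res.required} components usable)")
        for src in res.missing:
            print(f"    missing or low quality: {src}")
    print("Fix first:", prioritise_gaps(results))
```

The ranking surfaces that one low-quality source (command-line capture) is holding back two of the three techniques, which is the kind of decision the slide asks you to make before adding more log volume.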


UNDERSTANDING RESPONSE

WHAT DO THE FRAMEWORKS SAY? - NIST
• The NIST CSF controls on Respond can be found here.
• NIST response outcomes include:
  • Response processes and procedures are executed and maintained, to ensure timely response to detected cybersecurity incidents.
  • Response activities are coordinated with internal and external stakeholders, as appropriate, to include external support from law enforcement agencies.
  • Analysis is conducted to ensure adequate response and support recovery activities.
  • Activities are performed to prevent expansion of an event, mitigate its effects, and resolve the incident.
• Using these controls and the informative references we can understand the intent of the controls and begin to measure our organisation’s response capability.
• NIST has a special publication on response activities known as the “Computer Security Incident Handling Guideline”. This is largely considered the standard in response and can be found here. The aim of the publication is to assist organisations in establishing computer security incident response capabilities and handling incidents efficiently and effectively.



WHAT DO THE FRAMEWORKS SAY?
• Similar to what we reviewed in the detection space with MITRE D3FEND, the catalog also includes techniques to contain and eradicate a threat from our environment if our prevention controls fail.
• These align typically to the ATT&CK techniques in the kill chain post initial access.
• Again, when we develop our Threat and Risk Analysis, we can effectively map likely adversaries back to response techniques. The collection of these techniques that are relevant to us helps to inform our Response capability.



WHAT DO THE FRAMEWORKS SAY?
• If we review the top ATT&CK techniques for healthcare from the Red Canary Threat Detection Report here we can see that Command and Scripting Interpreter is a technique used by many adversaries.
• Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. Adversaries may abuse these technologies in various ways as a means of executing arbitrary commands, often to achieve remote execution.
• Using the ATT&CK Emulator here we can find corresponding D3FEND techniques to respond to Command and Scripting Interpreter.
• Through the D3FEND inferred relationships we can see that Administrative Network Activity Analysis and Credential Compromise Scope Analysis are two detection techniques we can use to detect adversaries attempting credential dumping.



PEOPLE
• CSIRT - A capability set up for the purpose of assisting in responding to computer security-related incidents; also called a Computer Incident Response Team (CIRT) or a CIRC (Computer Incident Response Center, Computer Incident Response Capability).
• Responsible for providing incident response services to part or all of an organisation. The team receives information on possible incidents, investigates them, and takes action to ensure that the damage caused by the incidents is minimised.
• Consists of the people who will handle the response to an incident. It may include both internal and external teams, and may differ based on the nature of the incident.
• The core team will usually be IT or Cyber Security staff. The extended team may include other capabilities, such as PR, HR, and Legal & Compliance.

[Figure: NCSC CSIRT Structure]



PROCESS
• The NIST Computer Security Incident Handling Guideline has standardised the approach to responding to a cyber event.
• The initial phase involves establishing and training an incident response team and acquiring the necessary tools and resources.
• Detection of security breaches is thus necessary to alert the organisation whenever incidents occur.
• The organisation can mitigate the impact of the incident by containing it and ultimately recovering from it. During this phase, activity often cycles back to detection and analysis—for example, to see if additional hosts are infected by malware while eradicating a malware incident.
• After the incident is adequately handled, the organisation issues a report that details the cause and cost of the incident and the steps the organisation should take to prevent future incidents.



***5 MINS BREAK***

DETECTION AND RESPONSE CAPABILITIES

SIEM & DETECTIONS ENGINEERING

SIEM Engineering is the process of architecting and maintaining SIEM platforms and auxiliary technology. The SIEM Engineer is responsible for configuring the collection, parsing, correlation, and visualization of events for a critical operational system. SIEM Engineering includes:

• Solutions Architecture: Work with the business to develop the technical components of security logging and monitoring infrastructure that will ultimately execute on the organisation's identified detection and response outcomes.

• Data Assurance: Undertake ongoing data quality processes to put good quality logs in the hands of SOC Analysts.

• Platform Health: Routinely apply a standardized framework across the security logging and monitoring infrastructure to ensure it is up to date and working as expected.

Detections engineering is the process of identifying threats before they can do significant damage. It is a process of developing, evolving, and tuning detections to defend against current threats. It aligns content developers, threat hunters, threat intelligence, red teams, risk management, and so forth, to build a threat-informed defense system. Detections engineering includes:

• Threat Modelling: Detection engineers work with Threat Intelligence and Threat Hunters to write detections off the back of expected or past adversary activity.

• Detections Requirements (i.e. data sources): Work with the wider SOC and IR team to understand the end-to-end of how an alert should fire and what should happen when it does.

• Detection Implementation: Write and test the detections inside the available toolsets.

• Detection Tuning: Revisit and improve detections over time to increase their accuracy, validity and fidelity.
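The four detection engineering steps above can be read as a loop: a threat model names the behaviour, the requirement names the data source (here, process-creation telemetry), the implementation is the rule, and tuning is the exclusion added after reviewing false positives. The following is an added example written for this lecture summary, not ParaFlare's tooling or ruleset; the event records, user names and the base64 blob are constructed, and the ATT&CK ID is the public PowerShell sub-technique the rule would be mapped to.

```python
"""Detection-as-code example for the detection engineering loop above.

Added, constructed illustration, not ParaFlare's tooling or a real ruleset.
The ProcessEvent records are invented, shaped like Sysmon/EDR process-creation
telemetry (the data source a detection requirement would name).
"""
from dataclasses import dataclass, field
import re


@dataclass
class ProcessEvent:
    host: str
    user: str
    parent_image: str   # e.g. winword.exe
    image: str          # e.g. powershell.exe
    command_line: str
    malicious: bool     # analyst label, used only to score the rule


@dataclass
class Detection:
    """A rule plus the metadata an alert needs to be actionable."""
    name: str
    data_source: str
    attack_technique: str          # MITRE ATT&CK ID the threat model maps to
    severity: str
    # Tuning knob: exclusions added after reviewed false positives.
    excluded_users: set = field(default_factory=set)

    def logic(self, ev: ProcessEvent) -> bool:
        raise NotImplementedError

    def matches(self, ev: ProcessEvent) -> bool:
        if ev.user.lower() in self.excluded_users:
            return False
        return self.logic(ev)


class EncodedPowerShellFromOffice(Detection):
    """Office application spawning PowerShell with an encoded command."""
    OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
    # -e / -ec / -enc / -EncodedCommand followed by a base64-looking blob.
    ENCODED = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+[a-z0-9+/=]{20,}")

    def logic(self, ev: ProcessEvent) -> bool:
        is_ps = ev.image.lower().endswith(("powershell.exe", "pwsh.exe"))
        return (is_ps
                and ev.parent_image.lower() in self.OFFICE_PARENTS
                and bool(self.ENCODED.search(ev.command_line)))


def run_detection(rule: Detection, events):
    """Return one alert dict per matching event (what the SIEM would raise)."""
    return [{"rule": rule.name, "severity": rule.severity,
             "technique": rule.attack_technique, "host": ev.host, "user": ev.user}
            for ev in events if rule.matches(ev)]


def score(rule: Detection, labelled_events):
    """Precision/recall against analyst labels: the numbers tuning tries to move."""
    tp = sum(1 for ev in labelled_events if rule.matches(ev) and ev.malicious)
    fp = sum(1 for ev in labelled_events if rule.matches(ev) and not ev.malicious)
    fn = sum(1 for ev in labelled_events if not rule.matches(ev) and ev.malicious)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return {"tp": tp, "fp": fp, "fn": fn, "precision": precision, "recall": recall}


# Constructed telemetry; BLOB is a placeholder string, not a real payload.
BLOB = "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"
SAMPLE_EVENTS = [
    ProcessEvent("WS-0142", "alice", "WINWORD.EXE", "powershell.exe",
                 f"powershell.exe -nop -w hidden -enc {BLOB}", True),
    ProcessEvent("WS-0207", "bob", "excel.exe", "pwsh.exe",
                 f"pwsh.exe -EncodedCommand {BLOB}", True),
    # Known add-in deployment account: benign, but matches the raw logic.
    ProcessEvent("WS-0311", "svc_addin_deploy", "outlook.exe", "powershell.exe",
                 f"powershell.exe -enc {BLOB}", False),
    ProcessEvent("WS-0099", "carol", "explorer.exe", "powershell.exe",
                 "powershell.exe -ExecutionPolicy Bypass -File C:\\tools\\backup.ps1", False),
    ProcessEvent("WS-0099", "carol", "excel.exe", "cmd.exe", "cmd.exe /c dir", False),
]


def demo():
    """Score the rule before and after one tuning step."""
    rule = EncodedPowerShellFromOffice(
        name="Office spawned encoded PowerShell",
        data_source="process_creation",
        attack_technique="T1059.001",
        severity="high")
    before = score(rule, SAMPLE_EVENTS)
    rule.excluded_users.add("svc_addin_deploy")   # tuning after analyst triage
    after = score(rule, SAMPLE_EVENTS)
    return before, after


if __name__ == "__main__":
    print(demo())
```

The point of scoring against labelled events is that tuning is measured, not guessed: the exclusion raises precision from 2/3 to 1.0 without lowering recall, and the same `score` function is what a detection tuning review would re-run each time the rule or the environment changes.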



SECURITY AUTOMATION, ORCHESTRATION AND RESPONSE

Security Automation, Orchestration and Response (SOAR) refers to a collection of software solutions and tools that allow organizations to streamline security operations in three key areas: threat and vulnerability management, incident response, and security operations automation.

The SOAR augments the SIEM by combining comprehensive data gathering, standardization, workflow and analytics to provide organizations the ability to implement sophisticated defense-in-depth capabilities. SOAR typically helps with the following:

• Automation assistance with manual, recurring, time-intensive tasks.

• Streamlining operational tasks and customizing security workflows with your team.

• Extensibility through integrations with other software such as service management tools.

• Automating responses to threats through playbooks (e.g. isolation of endpoints).
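An endpoint-isolation playbook is the usual first automation, and the part that needs care is not the API call but the decision logic around it: which alerts qualify, which assets automation may touch on its own, and how to stop a runaway rule from isolating half the fleet. The example below is added for this summary and is not ParaFlare's or any vendor's SOAR product; the asset inventory, alert values and the in-memory EDR and ticketing connectors are constructed stand-ins for real integrations.

```python
"""SOAR-style playbook for automated endpoint isolation.

Added, constructed example, not ParaFlare's or any vendor's SOAR product. The
EDR and ticketing connectors are in-memory fakes that record the calls a real
integration would make; the playbook logic (enrichment, guardrails, approval
gating, idempotency) is what the example demonstrates.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed asset inventory; the tier decides whether automation may act alone.
ASSET_DB = {
    "WS-0142": {"tier": "workstation", "owner": "alice"},
    "WS-0207": {"tier": "workstation", "owner": "bob"},
    "SRV-DC01": {"tier": "domain_controller", "owner": "platform-team"},
    "SRV-ERP02": {"tier": "critical_server", "owner": "erp-team"},
}
AUTO_ISOLATE_TIERS = {"workstation"}   # anything else needs a human decision
MAX_AUTO_ISOLATIONS_PER_HOUR = 3       # blast-radius guardrail for runaway automation


@dataclass
class Alert:
    alert_id: str
    host: str
    severity: str        # low / medium / high
    confidence: float    # 0..1, from the detection plus TI enrichment
    received: datetime


class FakeEDR:
    """Stands in for the EDR API call that network-isolates a host."""
    def __init__(self):
        self.isolated = set()

    def isolate(self, host):
        self.isolated.add(host)


class FakeTicketing:
    """Stands in for a service management integration."""
    def __init__(self):
        self.tickets = []

    def create(self, summary, priority, needs_approval):
        ticket_id = f"INC-{len(self.tickets) + 1:04d}"
        self.tickets.append({"id": ticket_id, "summary": summary,
                             "priority": priority, "needs_approval": needs_approval})
        return ticket_id


@dataclass
class IsolationPlaybook:
    edr: FakeEDR
    ticketing: FakeTicketing
    auto_isolations: list = field(default_factory=list)   # timestamps of auto actions

    def _within_rate_limit(self, now):
        cutoff = now - timedelta(hours=1)
        self.auto_isolations = [t for t in self.auto_isolations if t > cutoff]
        return len(self.auto_isolations) < MAX_AUTO_ISOLATIONS_PER_HOUR

    def run(self, alert):
        """Return the action taken and the ticket raised for one alert."""
        asset = ASSET_DB.get(alert.host, {"tier": "unknown", "owner": None})
        summary = f"{alert.alert_id}: {alert.severity} alert on {alert.host} ({asset['tier']})"
        if alert.host in self.edr.isolated:           # idempotency: do not act twice
            return {"action": "already_isolated", "ticket": None}
        if not (alert.severity == "high" and alert.confidence >= 0.8):
            return {"action": "triage_only",
                    "ticket": self.ticketing.create(summary, "P3", False)}
        if asset["tier"] in AUTO_ISOLATE_TIERS and self._within_rate_limit(alert.received):
            self.edr.isolate(alert.host)
            self.auto_isolations.append(alert.received)
            return {"action": "isolated",
                    "ticket": self.ticketing.create(summary + " [auto-isolated]", "P1", False)}
        # Servers, unknown assets, or too many recent auto-actions: human approval.
        return {"action": "approval_required",
                "ticket": self.ticketing.create(summary + " [isolation pending approval]", "P1", True)}


def demo():
    """Run a constructed batch of alerts through the playbook."""
    book = IsolationPlaybook(FakeEDR(), FakeTicketing())
    t0 = datetime(2023, 9, 12, 9, 0, 0)
    alerts = [
        Alert("A-1", "WS-0142", "high", 0.95, t0),
        Alert("A-2", "SRV-DC01", "high", 0.99, t0 + timedelta(minutes=1)),
        Alert("A-3", "SRV-ERP02", "medium", 0.60, t0 + timedelta(minutes=2)),
        Alert("A-4", "WS-0142", "high", 0.90, t0 + timedelta(minutes=3)),
    ]
    return [book.run(a) for a in alerts], book


def rate_limit_demo():
    """Three recent auto-isolations block a fourth; stale ones age out after an hour."""
    t = datetime(2023, 9, 12, 12, 0, 0)
    book = IsolationPlaybook(FakeEDR(), FakeTicketing())
    book.auto_isolations = [t - timedelta(minutes=m) for m in (5, 10, 15)]
    blocked = book.run(Alert("R-1", "WS-0142", "high", 0.9, t))["action"]
    book.auto_isolations = [t - timedelta(hours=2)] * 3
    allowed = book.run(Alert("R-2", "WS-0207", "high", 0.9, t))["action"]
    return blocked, allowed
```

A real playbook would pull the asset tier from a CMDB and the confidence from TI enrichment rather than from hard-coded values, but the shape is the same: automation acts alone only inside a narrow, pre-agreed envelope, and everything outside it becomes a ticket for a human, which is also what keeps the "reduce manual, recurring work" benefit from turning into an outage.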



THREAT INTELLIGENCE

Threat intelligence, often synonymous with open-source intelligence (OSINT), is knowledge that allows you to prevent or mitigate cyber attacks. Rooted in data, threat intelligence provides context, such as who is attacking you, what their motivation and capabilities are, and what indicators of compromise to look for in your systems, that helps you make informed decisions about your security.

Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and action-oriented advice about an existing or emerging menace or hazard to assets. This intelligence can be used to inform decisions regarding the subject's response to that menace or hazard.

Threat intelligence improves an organisation's situational awareness and is typically underpinned by a Threat Intelligence Platform (TIP), threat feeds, and processes / procedures to contextualize the intelligence to make it meaningful for the business.



THREAT HUNTING

Threat hunting is the proactive and iterative process of detecting malicious activity within a network that has evaded detection. One method of achieving this is by sweeping the environment using indicators of compromise (IOCs). ParaFlare have developed an archive of IOCs from all previous DFIR engagements, including host-based and network-based indicators, and the tools, tactics, and techniques (TTPs) used by adversaries.

Once endpoint technology has been deployed within the client's environment, and analysis has started, ParaFlare will commence the sweeps using the endpoint agents. At the point where ParaFlare have analysed enough hosts to understand attacker TTPs, ParaFlare will add these to the sweeps to determine the scope of the breach.

The IOC sweeps and threat hunting activities will scan the environment for indicators such as:

• Filenames and SHA256/MD5 hashes of known malicious binaries
• Persistence indicators in the Windows Registry, services, and start-up programs
• IP addresses and domains of known C2 infrastructure
• Running processes and network connections
• Command line execution and arguments (PowerShell, WMI etc.).
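The sweep described above has two phases: a first pass with the archived IOCs, then a wider pass once analysis of the first hits has revealed the persistence names and TTPs the adversary actually used on this network. The example below is added for this summary, not ParaFlare's sweep tooling; the host snapshots, hashes, persistence names and the C2 domain are constructed placeholders, and the snapshot dicts stand in for what an endpoint agent query would return. It also goes slightly beyond the text by showing why the second pass matters: a recompiled binary changes its hash but not the persistence name or the remote-execution command line.

```python
"""IOC sweep across endpoint snapshots, as in the threat hunting section above.

Added, constructed example: the IOC archive, host snapshots and hashes are
invented placeholders (the C2 domain is a reserved example name), and the
snapshot dicts stand in for what an endpoint agent query would return.
"""
import re
from dataclasses import dataclass, field


@dataclass
class HostSnapshot:
    host: str
    files: dict        # path -> sha256 (hex)
    run_keys: dict     # HKCU/HKLM Run value name -> command
    services: dict     # service name -> binary path
    connections: list  # remote IPs / domains seen by the agent
    processes: list    # process command lines


@dataclass
class IOCSet:
    sha256: set = field(default_factory=set)
    filenames: set = field(default_factory=set)
    persistence: set = field(default_factory=set)     # Run value / service names
    network: set = field(default_factory=set)         # IPs and domains
    ttp_patterns: list = field(default_factory=list)  # regexes over command lines


def sweep_host(snap, iocs):
    """Return (indicator_type, evidence) tuples for one host."""
    hits = []
    for path, digest in snap.files.items():
        if digest.lower() in iocs.sha256:
            hits.append(("hash", path))
        elif path.rsplit("\\", 1)[-1].lower() in iocs.filenames:
            hits.append(("filename", path))
    for name in list(snap.run_keys) + list(snap.services):
        if name.lower() in iocs.persistence:
            hits.append(("persistence", name))
    for remote in snap.connections:
        if remote.lower() in iocs.network:
            hits.append(("network", remote))
    for cmd in snap.processes:
        if any(p.search(cmd) for p in iocs.ttp_patterns):
            hits.append(("ttp", cmd))
    return hits


def sweep(snapshots, iocs):
    return {s.host: sweep_host(s, iocs) for s in snapshots}


def in_scope(results):
    """Hosts with at least one hit: the current estimate of breach scope."""
    return sorted(h for h, hits in results.items() if hits)


# Constructed snapshots; the digests are placeholders, not real malware hashes.
KNOWN_BAD = "cafe0000" * 8
SNAPSHOTS = [
    HostSnapshot("WS-0142",
                 {r"C:\Users\alice\AppData\Local\Temp\update.exe": KNOWN_BAD},
                 {"WinSvcHelper": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
                 {}, ["c2.example.net"], ["update.exe"]),
    HostSnapshot("WS-0207",
                 {r"C:\ProgramData\svc\helper.exe": "00" * 32},   # recompiled: hash differs
                 {"WinSvcHelper": r"C:\ProgramData\svc\helper.exe"},
                 {}, ["10.20.30.40"],
                 [r'wmic /node:SRV-ERP02 process call create "C:\ProgramData\svc\helper.exe"']),
    HostSnapshot("SRV-ERP02", {}, {}, {"Spooler": r"C:\Windows\System32\spoolsv.exe"},
                 ["10.20.30.40"], ["spoolsv.exe"]),
]


def demo():
    """First sweep from the IOC archive, then widen it with what WS-0142 taught us."""
    archive = IOCSet(sha256={KNOWN_BAD}, filenames={"update.exe"}, network={"c2.example.net"})
    first = in_scope(sweep(SNAPSHOTS, archive))
    # Analysis of WS-0142 reveals the persistence name and a WMI remote-execution
    # TTP; both are added so the re-sweep catches hosts where the hash changed.
    archive.persistence.add("winsvchelper")
    archive.ttp_patterns.append(re.compile(r"(?i)\bwmic\b.*\bprocess\s+call\s+create\b"))
    second = in_scope(sweep(SNAPSHOTS, archive))
    return first, second
```

The first pass scopes the breach to one host; the second, with the persistence name and the command-line TTP added, finds the second host whose binary no longer matches the archived hash. Atomic indicators such as hashes expire quickly, which is why the text has the hunt feed TTPs back into the sweep rather than relying on the archive alone.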



DECEPTION

Deception technology is a cybersecurity defense practice that aims to deceive attackers by distributing a collection of traps and decoys across a system's infrastructure to imitate genuine assets. If an intruder triggers a decoy, then the server will log and monitor the attack vectors utilized throughout the duration of the engagement.

As attack vectors become increasingly complex, organizations need to be able to detect suspicious activity earlier in the attack chain and respond accordingly. Deception technology provides security teams with a number of tactics and resulting benefits to help:

• Decrease attacker dwell time on their network
• Expedite the average time to detect and remediate threats
• Reduce alert fatigue
• Produce metrics surrounding indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs).
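What makes decoy alerts different from the detections earlier in this deck is that no legitimate workflow should ever touch a decoy, so a single event is enough to alert on and there is nothing to tune. The monitor below is added for this summary and describes no particular deception product; the decoy inventory and the event lines are constructed. It shows the three benefits the list names in code: a high-fidelity alert per trip, the source hosts and accounts each trip yields as IOCs for the hunt, and a dwell-time figure measured from the first activity seen from the tripping host.

```python
"""Decoy tripwire monitor, illustrating the deception capability above.

Added, constructed example, not any deception product: the decoy inventory and
the event lines are invented. Any event that uses a decoy account or touches a
decoy share or host is an alert; the monitor also collects the IOCs each trip
produces and measures dwell time before the tripwire fired.
"""
from datetime import datetime

# Constructed decoys: a seeded credential, an empty share, a server with no real role.
DECOYS = {
    "auth":  {"svc_backup_legacy"},           # decoy account: subject of an auth event
    "share": {r"\\fs01\finance_archive$"},    # decoy share: target of a share event
    "net":   {"10.20.30.250"},                # decoy host: target of a net event
}

# Constructed telemetry: timestamp, event type, subject (account), source host, target.
EVENT_LOG = r"""
2023-09-12T07:50:00Z auth bob WS-0207 fs01
2023-09-12T08:01:10Z auth alice WS-0142 fs01
2023-09-12T08:03:44Z share alice WS-0142 \\fs01\finance_live$
2023-09-12T08:15:02Z auth svc_backup_legacy WS-0207 srv-dc01
2023-09-12T08:15:40Z share bob WS-0207 \\fs01\finance_archive$
2023-09-12T08:16:05Z net bob WS-0207 10.20.30.250
2023-09-12T09:00:00Z auth carol WS-0099 fs01
"""


def parse_events(text):
    """Parse the space-separated constructed log into dicts with a datetime."""
    events = []
    for line in text.strip().splitlines():
        ts, kind, subject, source, target = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "type": kind, "subject": subject, "source": source, "target": target})
    return events


def tripped(ev):
    """A decoy is tripped when the account used or the target touched is a decoy."""
    if ev["type"] == "auth":
        return ev["subject"].lower() in DECOYS["auth"]
    return ev["target"].lower() in DECOYS.get(ev["type"], set())


def monitor(events):
    """Return the alerts and the IOCs (source hosts, accounts) they produce."""
    alerts = [ev for ev in events if tripped(ev)]
    iocs = {"hosts": sorted({a["source"] for a in alerts}),
            "accounts": sorted({a["subject"] for a in alerts})}
    return alerts, iocs


def dwell_before_trip(events, alerts):
    """Seconds from the first activity seen from each tripping host to its first alert."""
    out = {}
    for host in {a["source"] for a in alerts}:
        first_seen = min(ev["ts"] for ev in events if ev["source"] == host)
        first_alert = min(a["ts"] for a in alerts if a["source"] == host)
        out[host] = int((first_alert - first_seen).total_seconds())
    return out


def demo():
    events = parse_events(EVENT_LOG)
    alerts, iocs = monitor(events)
    return len(alerts), iocs, dwell_before_trip(events, alerts)
```

In the constructed log the legitimate users never touch a decoy, so all three alerts come from one host, which then becomes a sweep IOC for the threat hunting stage; the dwell figure (activity from that host for 25 minutes before the first trip) is the kind of metric the deception list refers to.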



DIGITAL FORENSICS INCIDENT RESPONSE

Digital Forensics and Incident Response (DFIR) is an aspect of cybersecurity focused on identifying, investigating, and fixing cyberattacks. Digital forensics refers to collecting, preserving, and analyzing forensic evidence in cyber security incidents.

DFIR has two main components:

• Digital Forensics: A subset of forensic science that examines system data, user activity, and other pieces of digital evidence to determine if an attack is in progress and who may be behind the activity.

• Incident Response: The overarching process that an organization will follow in order to prepare for, detect, contain, and recover from a data breach.



ADVERSARY SIMULATION

Adversary simulation, also known as adversary emulation, is the practice of security experts impersonating the actions and behaviors of skilled cyber threat actors to attack an organization's information technology or operational technology environment.

It is a goal-based activity, where the team will work as an attacker to evade detection while pursuing the identified goal. Adversary Simulation teams use real-world attacker breach techniques and have a feedback loop from the organization's security stack that helps test and improve cyber resilience.

Adversary Simulation then in turn links back to the organisation's threat and risk management capability to inform the security strategy by answering the question "how would real attackers hack us, and what capabilities do we need in place to prevent them?".



SO YOU WANT TO WORK IN DETECTION AND RESPONSE?

• Attacker Methodologies
• Cyber Kill Chain
• MITRE ATT&CK Framework
• Windows Endpoint
• Windows Server-Side Attacks
• Windows Client-Side Attacks
• Windows Privilege Escalation
• Windows Persistence
• Linux Endpoint
• Linux Server-Side Attacks
• Linux Privilege Escalation
• Network Detections
• Antivirus Alerts and Evasion
• Network Evasion and Tunnelling
• Active Directory Enumeration
• Windows Lateral Movement
• Active Directory Persistence
• SIEM


NOTES

Today:
• RTHM – SOC LVL1
• RTHM – Cyber Defense
• SC-200

Tomorrow:
• Offensive Security – Security Operations and Defensive Analysis
• Certified Blue Team Level 1


04
ASSIGNMENT
GROUP ASSIGNMENT

Here are some helpful hints for the group assignment:

• Research: Start by undertaking a threat and risk analysis / threat modelling based on what you know of the target organisation. There is a wealth of information available on healthcare.

• Focus: Based on likely threats that would impact the business, understand the techniques, tactics and procedures used by these likely attackers.

• Link back to Detection and Response: Align these TTPs to the relevant frameworks and compare the results to the information provided in the case (use ATT&CK and D3FEND).

• Current and Future State: What is the gap? What exists and doesn't exist in the organisation's detection and response capability?

• Roadmap: What capabilities does the organization need to improve their Detection and Response capability?



QUESTIONS
