
Alert Fatigue: Let’s break down an alert from a fairly known security tool
Yet another reason why security analysts and network defenders suffer from alert fatigue.
Let’s break down an alert from a fairly known security tool (I won’t be calling out the vendor):
"<Time> <IP Address> <Malware: Async RAT> <Mitre Code: T1566.001, T1566.002, TA0011>"
First impressions:
What the f$%K am I supposed to do with this alert?
Who the f$%K wrote this alert output and who is the intended audience? This clearly wasn’t written by anyone involved in incident detection or response.
Building good detections is about establishing relationships and narratives typically using different types of data.
Can the alert stand on its own and can it tell me any part of a story? It’s actually OK for the answer to be ‘no’ but I’ll explain why in another post.
Let’s break down this alert:
Time - Good! I know when it happened.
IP Address - IOC based detection. Not a great start. The rest of this alert better be overflowing with metadata and descriptors.
Malware - Wow! This is good! The actual tool. Dealing with a Remote Access Trojan. A RAT can be a pretty dangerous tool. Priority = Critical
This is where it breaks down:
Mitre Code(s) - Not one but three T-Codes. I unfortunately have not yet memorized all 227 techniques and sub-techniques so now I have to spend 15 minutes researching what they do at attack.mitre.org/#
TA0011 - Command and Control. No sub-technique! This IP is a command and control server? for Async RAT? How does it communicate? Port? Protocol? Custom Protocol? Encoding? Encryption? Nothing.
T1566.001 - Spearphishing Attachment. At least we got the sub-technique. We already have a C2 technique; now we have a phishing-related technique against an IP address? Where does the IP come into play?
T1566.002 - Spearphishing Link. Another sub-technique. But which one is it? A link or an attachment? Does the adversary double up and give the email recipient both? So is the IP address used in a hard-coded link?
What’s the story?
Something was observed at <Time> interacting with an IP that was associated with Async RAT. It could be C2? It could've been used somewhere involving an email with spearphishing attachment or a spearphishing link?
Takeaways:
- An infinite amount of time could be spent trying to figure out what is going on with this IP Address
- I had to leave your tool to do more research on Mitre T-Codes and even with that it was incomplete. My SOAR will have to eventually pick up the slack if I ever plan on operationalizing this alert.
- Mapping IOCs, especially building relationships from IPs to Mitre T-Codes (techniques, multi-step behaviors) is near impossible to pull off without tons of context and metadata.
- As an analyst, if I see this type of alert again it’s sitting in the incident queue indefinitely.
- Officially fatigued.
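As an added example (not the vendor's tool or the author's code), here is how a SOAR enrichment step could turn the questions above into checks against that alert string. The sample alert, the small ATT&CK name/tactic lookup and the list of fields a C2 alert needs are assumptions, hard-coded in place of real ATT&CK data.

```python
import re

# Constructed sample in the same shape as the alert quoted above (192.0.2.0/24 is a documentation range, not a real IoC)
SAMPLE_ALERT = ("<2024-03-01T09:12:00Z> <192.0.2.10> <Malware: Async RAT> "
                "<Mitre Code: T1566.001, T1566.002, TA0011>")

# Assumed local lookups; a real SOAR would pull names and tactic membership from ATT&CK STIX data
ATTACK_NAMES = {"TA0011": "Command and Control", "T1566.001": "Spearphishing Attachment",
                "T1566.002": "Spearphishing Link"}
TACTIC_OF = {"T1566": "TA0001", "T1071": "TA0011"}   # Phishing sits under Initial Access, not C2
C2_CONTEXT = ("port", "protocol", "direction", "src_host")  # what an IP-based C2 alert needs to stand alone

def parse_alert(raw):
    """Split '<Time> <IP> <Key: value> ...' into a dict; 'Mitre Code' becomes a list of codes."""
    parts = [p.strip() for p in re.findall(r"<([^>]*)>", raw)]
    alert = {"time": parts[0], "ip": parts[1]}
    for p in parts[2:]:
        key, _, val = p.partition(":")
        alert[key.strip().lower()] = val.strip()
    alert["codes"] = [c.strip() for c in alert.pop("mitre code", "").split(",") if c.strip()]
    return alert

def triage(alert):
    """Return (actionable, reasons): the questions the post asks, turned into enrichment checks."""
    reasons = []
    codes = alert["codes"]
    tactics = [c for c in codes if c.startswith("TA")]
    techs = [c for c in codes if c.startswith("T1")]
    # A tactic with no technique beneath it says nothing about how the behaviour was observed
    for ta in tactics:
        if not any(TACTIC_OF.get(t.split(".")[0]) == ta for t in techs):
            reasons.append(f"{ta} ({ATTACK_NAMES.get(ta, '?')}) listed without a technique: no port/protocol/encoding story")
    # Sibling sub-techniques of one parent are alternatives; the alert should commit to one
    parents = {}
    for t in techs:
        parents.setdefault(t.split(".")[0], []).append(t)
    for parent, subs in parents.items():
        if len(subs) > 1:
            reasons.append(f"{parent} has competing sub-techniques {subs}: link or attachment?")
    # Phishing techniques describe an email, but the only observable here is an IP
    if "T1566" in parents and not any(k in alert for k in ("sender", "url", "attachment")):
        reasons.append("phishing technique(s) attached to a bare IP with no email, URL or attachment observable")
    missing = [f for f in C2_CONTEXT if f not in alert]
    if tactics and missing:
        reasons.append(f"C2 context missing: {', '.join(missing)}")
    return (not reasons), reasons

if __name__ == "__main__":
    ok, why = triage(parse_alert(SAMPLE_ALERT))
    print("actionable" if ok else "needs enrichment:", *why, sep="\n  ")
```

Every reason the script emits is a question the analyst would otherwise have to leave the tool to answer, which is the work the SOAR ends up doing.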
I write about the not-so-obvious in cybersecurity to help you pave your own way in the field.