Overview
Blumira creates meaningful, actionable alerts and models detections on known attacker tactics, techniques, and procedures (TTP). We try to limit the noise of alerts that will not uncover threats, but we do provide several detections for non-threat events. During a security testing session, you can expect to see a mix of threat and non-threat detections.
Security tests (including assessments, scans, and hacking sessions) are important discovery and measurement tools for your security posture. Most SIEM users are familiar with “penetration tests” but less familiar with other terms like "red team engagement" or "vuln scans". These are related but do not mean the same thing, and we clarify the differences below so that you know what to expect in each scenario.
| Term | Description | Goal |
| --- | --- | --- |
| Vulnerability assessment (vuln scan) | A broad-scope assessment which can be used to identify the adequacy of your security measures, identify security deficiencies, and confirm the mitigations in place. These scans can be wide-reaching but lack the context of risk to your organization. | Reduce your attack surface. |
| Penetration test (pen test, ethical hacking) | An authorized, explorational attack by a known entity against your system, network, or application that is designed to identify and measure risks associated with the exploitation of the target's attack surface. More simply, you hire a good entity to try out the bad things that attackers could do to your system and document the vulnerabilities they find during the test in the context of risk to your organization. | Reduce your attack surface. |
| Red team engagement (red teaming) | A focused process that uses TTP to emulate a real-world threat to test your organization's defensive strategy and execution. This intentional process involves the people, processes, and technology behind your security operations. | Train and measure the effectiveness of the people, processes, and technology (security operations) used to defend your environment. |
Reference: Red Team Development and Operations (Joe Vest and James Tubberville)
Alerts during a penetration test
Blumira leans most heavily towards developing detection rules that catch real-world TTP like what would be used in a red team engagement or an attack by a threat actor, such as a ransomware gang. Some of our detection rules are related to activity logged during a penetration test, but many techniques used in a standard penetration test can be mitigated with various security hygiene measures and a secure default configuration.
The series of alerts that you are likely to encounter during a penetration test include:
- Null session activity detected - This is the most common detection we see during a penetration test of a Windows environment. Many Windows domains have legacy gear or have not been brought up to the latest security best practices. Many testers favor this discovery technique because many engagements begin with the tester being given network access from a device that has none of the organization's security tools installed. This is a great way to begin enumeration without any existing access.
- Internal port scanning - Port scanning is another common enumeration technique in a network, but it is often not detected because catching it requires an intrusion detection system and network segmentation to see and alert on the scanning traffic. If your networks are not segmented, with a detection sensor between segments, it is unlikely that you will catch any of this activity.
- Password spraying detected - Once they have unprivileged network access, many penetration testers start with a password spray attack to locate a user account that uses the infamous SeasonYearSpecialChar pattern (e.g., Winter2021!). This is often the second most common alert we see during a penetration test.
- The alerts that follow vary depending on the attack path and the level of logging the organization has set up. We highly recommend deploying Sysmon for process logging and using the Logmira GPOs to enable the most effective logging options, which are not enabled by default in Windows.
- Administrator Level Account Addition - Most, if not all, penetration tests end with this alert. This is normally the end goal for most testers because access to or creation of a Domain Administrator account is often referred to as the proverbial “keys to the kingdom”.
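As an added illustration (not Blumira's own rule logic), the following toy detections cover two alerts from the list above, password spraying and administrator-level account addition, run over constructed Windows Security event records; the event IDs 4625 and 4728 are real, but every host, user and timestamp is made up, and the `FILTERED_SOURCES` list stands in for the kind of detection filter the vulnerability-scan section below recommends.

```python
# Added example (not Blumira's rule logic): toy versions of two alerts listed
# above, run over constructed Windows Security events. All values are made up.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (4625 = failed logon, 4728 = member added to a
# security-enabled global group). Field names are this example's own choice.
EVENTS = [
    {"id": 4625, "ts": "2021-12-01T09:00:00", "src": "10.0.5.20", "user": "alice"},
    {"id": 4625, "ts": "2021-12-01T09:00:05", "src": "10.0.5.20", "user": "bob"},
    {"id": 4625, "ts": "2021-12-01T09:00:09", "src": "10.0.5.20", "user": "carol"},
    {"id": 4625, "ts": "2021-12-01T09:00:14", "src": "10.0.5.20", "user": "dave"},
    {"id": 4625, "ts": "2021-12-01T09:00:20", "src": "10.0.5.20", "user": "erin"},
    {"id": 4625, "ts": "2021-12-01T09:30:00", "src": "10.0.7.4", "user": "alice"},
    {"id": 4625, "ts": "2021-12-01T09:30:30", "src": "10.0.7.4", "user": "alice"},
    {"id": 4728, "ts": "2021-12-01T11:15:00", "src": "10.0.5.20", "actor": "alice",
     "user": "svc_backup", "group": "Domain Admins"},
    {"id": 4728, "ts": "2021-12-01T11:20:00", "src": "10.0.9.9", "actor": "hrbot",
     "user": "frank", "group": "Marketing"},
]
# Hypothetical detection filter: sources whose events are suppressed, e.g. an
# authorised vulnerability scanner (see the filter advice further down the page).
FILTERED_SOURCES = {"10.0.9.9"}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

def detect_password_spray(events, window=timedelta(minutes=5), min_users=5):
    """Flag a source that fails logons for >= min_users DISTINCT accounts
    within `window`: many users from one source is the spray signature,
    while one user retrying its own password (10.0.7.4) is not."""
    per_src = defaultdict(list)
    for e in events:
        if e["id"] == 4625 and e["src"] not in FILTERED_SOURCES:
            per_src[e["src"]].append((datetime.fromisoformat(e["ts"]), e["user"]))
    hits = []
    for src, attempts in per_src.items():
        attempts.sort()
        for i, (t0, _) in enumerate(attempts):  # slide the window start
            users = {u for t, u in attempts[i:] if t - t0 <= window}
            if len(users) >= min_users:
                hits.append({"src": src, "distinct_users": len(users)})
                break
    return hits

def detect_privileged_group_add(events):
    """Flag 4728 when the target group is privileged: the 'keys to the
    kingdom' alert that ends most penetration tests."""
    return [{"actor": e["actor"], "user": e["user"], "group": e["group"]}
            for e in events if e["id"] == 4728
            and e["group"] in PRIVILEGED_GROUPS and e["src"] not in FILTERED_SOURCES]
```

Tuning `min_users` and `window` to your environment is the difference between a useful spray alert and noise from a help desk resetting passwords.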
When the test is complete, ensure that you review the results with your testers and discuss what configuration changes must be made to secure your environment.
Alerts during a vulnerability scan
At Blumira, our detection mindset is to create meaningful, actionable alerts. We have seen the security tools of the past be overly noisy and lead security teams and individuals to become overworked and strained by alert fatigue. This can lead to alerts being missed due to the volume of alerts and an inability to investigate them all.
Vulnerability scanners are a common source of this kind of non-actionable alert. When we are creating new detections, we test the new logic and attempt to remove as many signatures associated with vulnerability scanners as possible.
We recommend creating detection filters for vulnerability scanning activity to avoid alert fatigue.
Reference: Learn how to add filters to stop unwanted findings in Using detection filters in paid Blumira editions.
If you are looking to test Blumira detections, we would recommend not using a vulnerability scanner as the tool to do so. Instead, we recommend the following tools to test your security stack: