Threat detection is the number one priority for cybersecurity teams. If you don’t even see the bad guys in your network, you will not be able to respond appropriately. But with so many potential threats and adversaries, putting in place appropriate threat detection can seem a daunting task. Throw in a bunch of marketing buzzwords and cyber terms of art and it’s even harder to establish a clear strategy. Breaking down threat detection and response to the most basic elements can bring that clarity.
In this post you will learn:
- What is threat detection?
- What are attackers after?
- What are examples of threats?
- How to detect threats
- How to hunt threats
- How to respond to threats
What is threat detection?
As the term relates to computer security, a threat refers to anything that has the potential to cause harm to a computer system or network. Importantly, as Techopedia points out, threats are not the same as attacks. Threats represent the potential for attacks to occur; attacks are the act of breaking in or harming a computer or network. A more advanced form of threat, the Advanced Persistent Threat (APT), emerged several years ago. As the name suggests, the threat is sophisticated and remains in your network for a prolonged period of time, giving attackers a longer window to act.
Threat detection is the process by which you find threats on your network, your systems or your applications. The idea is to detect threats before they are exploited as attacks. Malware on an endpoint, for example, may or may not have been exploited in an attack. For that reason, security teams have been shifting their focus from so-called indicators of compromise (IoC), like a malware infection, to techniques, tactics, and procedures (TTPs). The goal is to catch the bad actor in the process of introducing a threat by watching for telltale techniques versus finding evidence that a threat was already introduced by finding an IoC.
What are attackers after?
Cybercriminals are usually after one of five things. Not surprisingly, the end goal is usually monetary.
- User credentials—cybercriminals are often not after you, but rather after your credentials. They want your username and password to get into systems that you have access to. It’s much easier to open a door with a key than to pick a lock or break a window. Some attackers will use a technique called privilege escalation to grant themselves additional privileges by exploiting the underlying operating system. They then use these escalated privileges to get to what they are really after.
- Personally identifiable information (PII)—some criminals want personal information they can use to impersonate you, such as a social security number or driver’s license number. These and other details can be used to apply for credit cards, open bank accounts in your name, and the like.
- Intellectual property or sensitive corporate information—industrial espionage is alive and well. Nation states are looking to steal trade secrets to boost their own economies. Competitors are looking to gain an advantage or fill a gap in their offerings by taking advantage of what their rivals know. Employees may steal important secrets for personal gain, or perhaps out of spite for being passed over for a promotion. Companies need to protect their product designs, customer databases, business processes, marketing plans and more.
- Ransom—criminals have been extorting companies and individuals for years online. Their two most potent weapons are ransomware, where endpoint or server files are encrypted and a ransom is demanded to unlock them, and DDoS attacks, where web servers or networks are flooded with bogus traffic until the ransom is paid.
- Revenge—some disgruntled users or so-called hacktivists look to bring down or slow down systems to protest company policy. In some cases, attackers may deface web pages to embarrass companies or government organizations.
What are examples of threats?
Here are some common examples of threats:
- Malware—malicious software that infects your computer, such as computer viruses, worms, Trojan horses, spyware, and adware.
- Phishing—fake emails disguised as legitimate communications that seek to steal sensitive information from an unwitting recipient.
- Ransomware—malware that encrypts files on an endpoint or server and then displays a message demanding ransom in exchange for decrypting files.
- Trojan horse—a computer executable, sometimes known as a back door, that can be remotely activated to perform a variety of attacks.
The cyber arm of the Canadian government has an excellent summary of basic threat types.
As I mentioned, more advanced teams are moving to the MITRE ATT&CK framework for threat detection and response. ATT&CK is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations of cyber attacks. They’re displayed in matrices that are arranged by attack stages, from initial system access to data theft or machine control. There are matrices for common desktop platforms—Linux, macOS, and Windows—as well as mobile platforms.
How to detect threats
There are many technologies to detect threats at various points on the network. Here is a basic summary.
| Technology | What it does | Strengths | Limitations |
|---|---|---|---|
| Cloud access and security brokers (CASB) | Detect unauthorized access to cloud applications. | Good view of access patterns to cloud applications. | Limited in scope to cloud applications; do not detect threats within cloud applications themselves. |
| Endpoint detection and response | Record suspicious behavior, block malicious access, and suggest responses. | Complete technology for protecting endpoint computers. | Limited in scope and do not detect network or server attacks. |
| Intrusion detection systems | An appliance or service that monitors network traffic for malicious activity. | Good for detecting threats introduced via the network itself. | Limited in scope and will not detect endpoint or cloud threats. Requires an intrusion prevention system (IPS) to block threats. |
| Network firewalls | A physical or virtual appliance that monitors traffic for malicious activity or access and takes appropriate action. | Good for detecting and blocking threats via the network itself. | Limited in scope and will not detect endpoint or cloud threats. |
| Honeypots | A network-attached system set up as a decoy to expose threats against an organization. | Advanced visibility of threats against applications or resources. | Limited in scope to the specific honeypots that are deployed. If discovered by an attacker, honeypots can be circumvented. |
| SIEMs | A security information management platform that correlates connected threats and attacks. | Good for a holistic view across the entire threat or attack chain; ties together other detection technologies. | Some SIEMs may have incomplete logs to work with, due to timing or space constraints. |
| Threat intelligence platforms | Services that publish up-to-date information about known threats. | A good repository for known threat information. | Do not take action on their own and require integration with another threat detection technology. |
| Behavior analytics | Detects threats based on behavior. | Able to detect unknown threats by using behavior and machine learning. | Advanced technology that detects unknown threats by creating a baseline that demonstrates behavior and data insights. |
Improving threat detection with behavior analytics
Criminals have become so sophisticated and computer networks so vast – often with no actual perimeter – that traditional methods of detecting individual compromises are simply inadequate. A new approach has emerged that detects threats by tracking normal and anomalous behavior.
User and entity behavior analytics (UEBA) is a new category of security solutions that uses analytics technology, including machine learning and deep learning, to discover abnormal and risky behavior by users, machines and other entities on the corporate network.
UEBA can detect security incidents that traditional tools do not see, because they do not conform to predefined correlation rules or attack patterns, or because they span multiple organizational systems and data sources.
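The baseline idea behind UEBA can be shown in a few lines. This is an added example, not Exabeam's code or algorithm: it learns which hosts each user normally logs in to and flags a burst of first-time destinations, each of which is an individually valid login that no signature rule would catch. The log format, thresholds and function names are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample auth log: ISO timestamp, user, destination host, outcome.
SAMPLE_LOG = """\
2024-03-04T09:01:10 alice hr-app01 success
2024-03-04T13:20:45 alice mail01 success
2024-03-05T09:03:02 alice hr-app01 success
2024-03-05T10:15:00 bob build01 success
2024-03-06T11:42:09 bob build01 success
2024-03-06T16:05:55 bob git01 success
2024-03-07T02:11:40 bob db-prod01 success
2024-03-07T02:13:05 bob fin-share01 success
2024-03-07T02:14:52 bob dc01 success
2024-03-07T09:02:18 alice hr-app01 success
2024-03-07T10:30:00 carol mail01 success
"""

def parse_events(text):
    """Yield (timestamp, user, host) for successful logins only."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] != "success":
            continue  # skip malformed lines and failed logins
        yield datetime.fromisoformat(parts[0]), parts[1], parts[2]

def find_anomalies(text, baseline_end, min_new_hosts=3, min_baseline_events=3):
    """Compare each user's post-cutoff logins with their own pre-cutoff baseline."""
    cutoff = datetime.fromisoformat(baseline_end)
    events = sorted(parse_events(text))
    baseline_hosts, baseline_count = defaultdict(set), defaultdict(int)
    for ts, user, host in events:
        if ts < cutoff:
            baseline_hosts[user].add(host)
            baseline_count[user] += 1
    new_hosts = defaultdict(set)
    for ts, user, host in events:
        if ts >= cutoff and host not in baseline_hosts[user]:
            new_hosts[user].add(host)
    findings = {}
    for user, hosts in new_hosts.items():
        if baseline_count[user] < min_baseline_events:
            # Too little history to judge: report separately, do not alert.
            findings[user] = ("insufficient_baseline", sorted(hosts))
        elif len(hosts) >= min_new_hosts:
            findings[user] = ("new_host_burst", sorted(hosts))
    return findings

if __name__ == "__main__":
    print(find_anomalies(SAMPLE_LOG, "2024-03-07T00:00:00"))
```

Users with too little history are reported separately instead of being alerted on, since a new account would otherwise make every destination look anomalous.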
How to hunt threats
Threat hunting is the practice of actively seeking out cyber threats in an organization or network. A threat hunt can be conducted on the heels of a security incident, but also proactively, to discover new and unknown attacks or breaches. According to a 2017 study by the SANS Institute, 45% of organizations conduct threat hunting on an ad hoc or regular basis. Threat hunting requires broad access to security data from across the organization, which a SIEM can provide.
Exabeam Threat Hunter is a product that uses a point-and-click interface to simplify the process of creating complex search queries. Below is an example.
Figure: Exabeam Threat Hunter search criteria to hunt for lateral movement tactics based on the MITRE ATT&CK framework
How to respond to threats
Ideally, security teams deal with threats before they are weaponized into attacks. Examples of response include quarantining malware, phishing awareness training, and patching known vulnerabilities with system updates.
Once a threat turns into an incident, a different type of response is required. An incident response plan helps IT staff identify, respond to and recover from cybersecurity incidents. The objective of an incident response plan is to prevent damages like service outage, data loss or theft, and illicit access to organizational systems. Some organizations have formalized a cross-functional incident response team.
Understanding threats allows your organization to respond appropriately to them. Leveraging advanced frameworks like MITRE ATT&CK improves the sophistication of security teams. With behavioral analytics and threat hunting tools, a SOC analyst can proactively apply security solutions. And when threats turn into incidents, automation and an organized incident response team can help speed recovery.