Threat Detection and Why You Should Spend More Time Thinking About It

Josh Campbell|January 26, 2021
Blog

I don’t think anyone would dispute that cyber security has a problem with buzzwords. These are words that start with a fixed definition but ultimately are diluted over time. One of these so-called buzzwords is threat detection. But I am here to tell you that this is one buzzword that we should reclaimed and that organizations should spend more time considering.

What is Threat Detection? 

Before we go digging into threat detection, let’s first define what it is. You’d be forgiven for wondering why we need to define threat detection in the first place. Especially since the term seems very straightforward. Regardless, because of the aforementioned dilution it is still important. For us, we will say that threat detection is a process that detects malicious activities by observing behaviours known to be associated with specific malware 

Threat Detection compared to Threat protection on Dave Bianco's Pyramid of Pain

Threat detection contrasts with threat protection. Threat protection is a process that detects malicious code through signatures. These signatures rely almost exclusively on digital characteristics of the malware, instead of their behaviours. These could include hash values, strings of text, IP addresses, domains or other similar things. 

Threat Detection vs Threat Protection 

Simply put, threat protection looks are what the threat is, and threat detection looks at what the threat does. Recall Dave Bianco’s infamous “Pyramid of Pain.” Threat protection aligns to the lower three levels, while threat detection corresponds to the upper three. This means that threat detection is more robust. Especially when faced with modifications like code recompilation or infrastructure changes.  

The Advantage?

Threat detection, compared to threat protection, has a lot of real-world advantages for security teams. One of the biggest advantages relates to false positives. False positives for threat protection relate to indicators and are binary in nature. An analyst spending significant time investigating an alert that is a false positive will ultimately have a reductive outcome for security teamsThis is because the investigation will likely lead to the disabling of the rule or removal of the indicator. 

Threat detection, however, looks for suspicious behaviours. This doesn’t mean you won’t see false positives. Analysts will find power users leveraging Microsoft Office or batch scripts in ways you never thought possible. Their analysis, however, will not be wasted. Instead, that behaviour can be whitelisted without losing the protection provided by the threat detection content. This means more reliable detections moving forward. This also results in security teams being able to better profile “what is normal” in their environment.

New call-to-action

Threat Detection Pre-requisites 

While some people believe that threat detection requires new and fancy tools, the opposite is actually true. Threat detection only requires the platforms and tools most teams already have. These include a SIEM or data lake platform and an endpoint agent for loggingOf course, there are other tools and technologies, such as EDR, that can make security teams’ lives easier. But these tools aren’t required to get started. 

Threat Detection Content 

With logging at the host level in place, and a platform to analyze those logs, the next important step is threat detection content. Content in this context refers to the queries deployed in a SIEM or data lake platform. This content will often be written in a platform-specific syntax. These could include

  • SPL (for Splunk),  
  • KQL (for ELK stacks),  
  • AQL (for QRadar),  
  • ArcSight Keywords (for ArcSight), or 
  • YARA (which is a cross-platform content format).  

 As we mentioned, threat detection content differs from traditional threat protection content. Instead of relying on traditional atomic indicators to detect malicious activity, it looks for specific behaviors used by malware and could include things such as:

Where Does Content Come From? 

Threat Detection content comes from some different sources. The most common sources are open-source repositories, default platform content, and in-house development. Each of these methods has their own advantages and drawbacks (which we covered here). However, at the end of the day, threat detection content originates from threat intelligence. 

Effective Threat Detection Leads to More Advanced Capabilities 

Organizations should also consider that mature threat detection capabilities have other advantages. Specifically, they enable organizations to adopt new and more advanced capabilities, like threat hunting. This is because capabilities like threat hunting rely on many of the same prerequisites that threat detection does. This means that time spent developing a solid underpinning for threat detection is not a temporal benefit. Instead, it is one that will continue to pay dividends well into the future. 

Conclusion 

While the cyber security industry is plagued with buzzwords, it doesn’t mean that those buzzwords don’t have value. Instead, it means that those words must be looked at critically to ensure we see the virtual forest for the digital trees. ‘Threat detection’ is one such concept that has tremendous value for organizations. 

Interested in finding out more about threat detection? Check out what threat hunters believe are the free tools that everyone in the infosec industry should be using. 

New call-to-action

Blog

Josh Campbell

Threat Intelligence Lead
Follow Cyborg
  • Twitter
  • linked in

DISCOVER EVEN MORE

White Paper

March 3, 2021

Threat Hunting Maturity Model: A New Approach for Structured Hunting
Read more
White Paper

February 23, 2021

XDR is the Rorschach Test of Cyber Security
Read more
White Paper

February 19, 2021

Social Engineering: It’s Not as Difficult as You Think!
Read more

SUBSCRIBE TO OUR NEWSLETTER

Continue the Hunt
No thanks, maybe later.