WHAT IS THREAT DETECTION?
Threat detection is a repeatable process, carried out in near real time or retroactively, for identifying and responding to adversary actions and toolsets, typically by way of conventional security controls. It is usually technology-driven or analyst-driven, and it combines security tools, analysis, and experience.
HOW DOES THREAT DETECTION DIFFER FROM THREAT PROTECTION?
While the two terms are sometimes used interchangeably, they are fundamentally different. Threat protection is typically signature-based and is designed to alert on indicators of compromise (IOCs) associated with malware or tools. These artefacts sit at the lower levels of Dave Bianco’s Pyramid of Pain and include IP addresses, domain names, hash values, and textual strings in a file. They can be used for alerting, but they are “fragile”: a signature built on them breaks without notice as soon as an attacker recompiles a tool or moves infrastructure, which leaves organizations with a false sense of security.
Threat detection, by contrast, aligns with the upper levels of the Pyramid: the host and network artefacts, the tools, and, at the top, the tactics, techniques and procedures (TTPs) of the adversary. This includes the specific behaviours that malware and tools exhibit on a system or network as they establish persistence, exploit particular vulnerabilities, or communicate with their command and control (C2) servers. Detections built on these elements are more reliable, because an adversary must change how they operate, not just a hash or a hostname, to evade them.
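To make the contrast concrete, here is an added example (written for this page, not code from Cyborg Security or from the original article) that runs one IOC-style rule and two behaviour-style rules over four constructed process-creation events. The first two events are the same tradecraft before and after the adversary rebuilds the loader and moves C2; the hashes, the addresses (taken from RFC 5737 documentation ranges), the paths and the rule names are all assumptions made for illustration.

```python
"""Added example: IOC matching versus behavioural matching over constructed
process-creation events. Every hash, address, path and rule name here is an
assumption made for illustration, not data or code from the page."""

from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass
class ProcessEvent:
    """A minimal process-creation record (constructed for this example)."""
    parent_image: str                # full path of the parent process
    image: str                       # full path of the new process
    cmdline: str                     # command line of the new process
    sha256: str                      # hash of the new process's file
    remote_ip: Optional[str] = None  # first outbound connection, if any


# Bottom of the Pyramid of Pain: indicators the adversary can change cheaply.
KNOWN_BAD_HASHES = {"0f1e2d3c" * 8}   # placeholder hash, constructed
KNOWN_BAD_IPS = {"203.0.113.7"}       # RFC 5737 documentation address


def ioc_match(ev: ProcessEvent) -> set[str]:
    """Signature-style check: exact match on a file hash or C2 address."""
    hits = set()
    if ev.sha256.lower() in KNOWN_BAD_HASHES:
        hits.add("known_bad_hash")
    if ev.remote_ip in KNOWN_BAD_IPS:
        hits.add("known_c2_ip")
    return hits


# Top of the Pyramid: behaviours the adversary must change tradecraft to avoid.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_user_writable(path: str) -> bool:
    """True if the path (or command line) references a user-writable directory."""
    return any(d in path.lower() for d in USER_WRITABLE)


def behaviour_match(ev: ProcessEvent) -> set[str]:
    """Behaviour checks that survive a recompiled payload or a new C2 host."""
    hits = set()
    parent, child, cmd = basename(ev.parent_image), basename(ev.image), ev.cmdline.lower()

    # Rule 1: an Office application spawning a script interpreter or a binary
    # that lives in a user-writable directory (execution from a document).
    if parent in OFFICE_APPS and (child in INTERPRETERS or in_user_writable(ev.image)):
        hits.add("office_spawns_suspicious_child")

    # Rule 2: persistence (scheduled task or Run key) registered by, or pointing
    # at, something in a user-writable directory.
    registers_persistence = (
        (child == "schtasks.exe" and "/create" in cmd)
        or (child == "reg.exe" and "currentversion\\run" in cmd)
    )
    if registers_persistence and (in_user_writable(ev.parent_image) or in_user_writable(cmd)):
        hits.add("persistence_from_user_writable_path")
    return hits


def triage(events: list[ProcessEvent]) -> list[tuple[set[str], set[str]]]:
    """Return (IOC hits, behaviour hits) for each event, in input order."""
    return [(ioc_match(ev), behaviour_match(ev)) for ev in events]


# Constructed sample telemetry: four events, none taken from a real incident.
SAMPLE_EVENTS = [
    # 1. The loader as first seen: its hash and its C2 address are on the IOC lists.
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Users\bob\AppData\Local\Temp\invoice.exe",
                 "invoice.exe", "0f1e2d3c" * 8, "203.0.113.7"),
    # 2. Same tradecraft after the adversary rebuilt the loader and moved C2: IOCs miss.
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                 r"C:\Users\bob\AppData\Local\Temp\quote.exe",
                 "quote.exe", "9a8b7c6d" * 8, "198.51.100.9"),
    # 3. Persistence: a binary in AppData schedules itself to run at every logon.
    ProcessEvent(r"C:\Users\bob\AppData\Roaming\update.exe",
                 r"C:\Windows\System32\schtasks.exe",
                 r'schtasks.exe /create /sc onlogon /tn Updater /tr "C:\Users\bob\AppData\Roaming\update.exe"',
                 "5e4d3c2b" * 8),
    # 4. Benign: Explorer launching an interactive PowerShell session.
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe", "1a2b3c4d" * 8),
]

if __name__ == "__main__":
    for ev, (ioc, beh) in zip(SAMPLE_EVENTS, triage(SAMPLE_EVENTS)):
        print(f"{basename(ev.parent_image)} -> {basename(ev.image)}: "
              f"IOC={sorted(ioc) or '-'} behaviour={sorted(beh) or '-'}")
```

Run stand-alone, the script shows the point of the Pyramid in one screen: event 1 fires both the IOC rule and the behaviour rule, event 2 (a rebuilt loader talking to a new address) fires only the behaviour rule, event 3 fires only the persistence rule because there was never an indicator to match, and the benign PowerShell launch fires nothing. The behaviour rules are deliberately coarse; in production they would be tuned against the organization's own baseline of Office and scheduled-task activity.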
CHALLENGES OF THREAT DETECTION
To be effective, threat detection should happen in real time, but to-the-second detection faces many challenges. Analysts are already overburdened by alerts from an overabundance of security tools. Collecting hundreds of log types and analyzing them, even with more sophisticated techniques such as machine learning and behavioral analysis, is unsustainable for most organizations. On top of that, raw logs lack context, making it difficult to separate true threats from noise. Once a threat is detected, however, logs help SOC teams quickly build timelines and analyze the event:
- Best endpoint log sources for threat hunting
- Best network log sources for threat hunting
KNOWN VS. UNKNOWN THREATS
To protect our environments, speed is critical. Security programs that detect threats quickly and efficiently reduce the overall risk to the organization. Ideally, a defense program stops the majority of threats because the malicious activity has already been seen in the wild, its signature data has been recorded in traditional threat protection platforms, and the organization knows how to mitigate the attack. Even so, some of these threats slip through defensive measures, which is why SOCs need analysts with hands on keyboards actively looking for them. The flip side of the coin is that the threat landscape is constantly changing, introducing new, unknown threats that have not yet been seen.
To detect both known and unknown threats, defenders should use a variety of methods, including:
- Threat Intelligence: Effective threat intelligence is actionable, and it consistently shares the traits of contextualization, evaluation, prioritization, customization and decomposition. Security programs often focus too much on the quantity of threat intelligence instead of the more important quality of the intelligence. Feeds and solutions that abide by these traits empower security analysts, streamline triage and investigation, and ultimately reduce the overall risk to organizations, their members and their customers through faster threat detection and response.
- Threat Hunting: Unlike other forms of threat detection, threat hunting is a proactive process that identifies the presence of malicious actors and their tools before an attack
DISCONNECTED SECURITY TOOLS AND THE PROBLEM WITH AFTER-THE-FACT
Threat detection and response is harder than it was years ago because analysts face a maze of disconnected point tools. Each must be deployed, configured, and operated daily, and each produces its own narrow alerting and reporting, which limits their effectiveness. Analysts are left with the near-impossible work of stitching together a complete picture of the threat across endpoint security, network security tools, cyber threat intelligence, and more. The bigger issue organizations are grappling with is a manual process that doesn’t scale. And while IT teams piece together the puzzle, malware and adversaries lurk in the network, sometimes for months at a time.
After-the-fact detection is a problem because it generally does not happen within minutes of an attack. Only 22% of organizations detect breaches in less than one day, and the longer a breach goes undetected, the greater the business impact.
THREAT DETECTION WITH CYBORG SECURITY
Cyborg Security’s approach to threat hunting and threat detection reduces the effort of collecting and correlating data. Instead of stitching together a multitude of security tools to find the bad in your environment, Cyborg Security provides operationalized threat intelligence and threat hunt and detection packages to proactively detect even the most advanced adversaries’ actions.
With Cyborg’s threat hunting and detection, analysts receive:
- Threat hunting and detection content tailored to organizations’ unique environments
- Advanced behavioral hunting and detection content that doesn’t rely on IOCs
- Detailed runbooks and remediations to guide analysts and hunters through the hunt and detection, and ensure consistent analysis
- Customized cyber threat emulation (CTE), allowing organizations to simulate advanced threat actors and malware in their own environment to validate the hunt and detection content.
Using the HUNTER Platform, organizations can reduce attacker dwell time and mean time to detect (MTTD) in their environment.
Additional Resources
Detection Content—The Trouble with Free