Threat detection is the repeatable process conducted in near real time, or retroactively, in order to detect and respond to adversary actions or toolsets, typically detected through conventional security controls. It is a process which is often technology, or analyst-driven, and which combines security tools, analysis, and experience.
While these two terms are sometimes used interchangeably, the reality is that they are fundamentally different. Threat protection is typically signature-based, and is designed to alert based on indicators of compromise (IOCs) of malware or tools. These artefacts, typically aligning to the lower levels of Dave Bianco’s Pyramid of Pain, could include things such as IP addresses, domain names, hash values, and textual strings in a file. These elements can be used for alerting, but they are “fragile” and signatures using them can break without notice if an attacker modifies their tools or changes their infrastructure, leading organizations to have a false sense of security.
Threat detection, however, aligns more to the upper levels of the Pyramid, and includes more complicated elements of malware and tools. This could include specific behaviours of malware or tools on the system or network as they attempt to establish persistence, exploit specific vulnerabilities, or communicate with their command and control (C2) servers. Detecting on these elements is more reliable, and it takes significantly more effort for adversaries to evade detection.
To be successful, threat detection should be done in real-time. However, there are many challenges that are associated with to-the-second detection. Analysts are already overburdened by alerts from an overabundance of security tools. Collecting hundreds of log types and analyzing them, even when using more sophisticated techniques including machine learning and behavioral analysis, is unsustainable for the majority of organizations. Even more so, logs lack content and context, making it difficult to parse out true threats. Though once a threat is detected, logs can help SOC teams quickly map timelines and provide analysis of the threat event:
To protect our environments, speed is critical. Security programs that detect threats quickly and efficiently are able to reduce the overall risk to the organization. Ideally, an organization’s defense program can stop the majority of threats because the malicious acts have been spotted in the wild and their signature data in traditional threat protection platforms has been recorded—and the organization has details on how to mitigate the attack. Even still, some of these threats can slip through defensive measures, which is why SOCs should have analysts with hands on keyboards looking for threats. The flip side of the coin is that the threat landscape is constantly changing and introducing new, unknown threats that have not yet been detected.
To detect both known and unknown threats, defenders should use a variety of methods, including:
Threat detection and response is more difficult than years ago because there is a maze of disconnected point tools for analysts to use. The effectiveness of these tools is limited because each must be deployed, configured, and operated daily. Plus, each provides its own myopic alerting and reporting. This leaves analysts to the impossible work of stitching together a complete image of the threat ecosystem across endpoint security, network security tools, cyber threat intelligence, and more. The bigger issue that organizations are grappling with a manual process that doesn’t scale. And while IT teams are taking their time to piece together the puzzle, malware and adversaries are lurking in the network sometimes months at a time.
The after-the-fact detection is a problem because it generally does not happen within minutes of an attack. Only 22% detect breaches in less than one day. And when there are low detection rates, there are much longer business impacts.
Cyborg Security’s new approach to threat hunting and threat detection works to reduce the effort of collecting and correlating data. Instead of bringing together a multitude of security tools to find the bad in your environment, Cyborg Security provides operationalized threat intelligence and threat hunt and detection packages to proactively detect even the most advanced adversaries’ actions.
With Cyborg’s threat hunting and detection, analysts receive:
Using the HUNTER Platform, organizations can reduce dwell time of attackers and the mean time to detect (MTTD) in your environment.