Detection Content — The Trouble with Free


Cyborg Security recently polled nearly two hundred organizations to see where they were sourcing their detection content. The results are below, and they may surprise you.


Let’s be very clear: that security researchers donate their time, cycles, and knowledge to building detection content is an example of what makes the infosec community an amazing group of people. So, when we talk about the trouble with free detection content, we are not, in any way, detracting from their work, nor doubting their abilities.


One of the major problems with free detection content is that it can quickly become out-of-date or stale. Malware authors are continuously motivated to improve their existing “products,” both to add new features and to help their creations remain undetected. This means that malware is likely to change, and to change frequently. However, a lot of freely available detection content is maintained on a “best effort” basis, if at all. The result is that out-of-date content may detect older versions of a malware family but leave organizations exposed to newer variants, giving them a false sense of security.


Another, similar problem faced by organizations that rely heavily on free content is the assumption that thorough testing and validation was done to ensure the detection content performs — and detects — as one would expect. For example, a researcher looking to detect a particular strain of malware may write detection content for it while being unaware that other versions of it even exist. This again can lead organizations to adopt a false sense of security that their content detects everything they think it does.


Perhaps the most common problem with free content is simply re-engineering. Even if the content was engineered for an environment nearly identical to another organization’s, there are likely to be subtle yet impactful differences in the data. This means that organizations must spend considerable time and resources — if those resources even exist — to re-engineer the content and tailor and optimize it to their environment. This can mean delays of days, weeks, or even longer depending upon priorities, exposing organizations to additional risk.
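The two preceding paragraphs describe a validation gap (content written for one variant is assumed to cover all of them) and a re-engineering gap (field names and data shape differ between environments). The following is an added example, not code from Cyborg Security or from any detection-content project, of a minimal harness that makes both gaps visible before a rule goes into production: each rule is run over labelled sample events and must produce no missed detections and no false alarms. The malware family name "exfam", the `--sync-key` artifact, the `vendor_x` schema and all events are constructed for the example; the Sysmon field names `Image` and `CommandLine` are real.

```python
"""Validation harness for detection content (added example; not Cyborg Security's code)."""
import re
from dataclasses import dataclass

# Telemetry schemas differ per environment.  A rule written against one set of
# field names silently matches nothing on another, so normalize first.  The
# "vendor_x" mapping is a hypothetical vendor schema used only for this example.
FIELD_MAPS = {
    "sysmon": {"process": "Image", "cmdline": "CommandLine"},
    "vendor_x": {"process": "process_path", "cmdline": "process_cmdline"},
}


def normalize(event: dict, source: str) -> dict:
    """Map a raw event onto the field names the rules are written against."""
    fmap = FIELD_MAPS[source]
    return {key: str(event.get(raw, "")) for key, raw in fmap.items()}


@dataclass(frozen=True)
class Rule:
    name: str
    cmdline_pattern: str  # regex applied to the normalized command line

    def matches(self, ev: dict) -> bool:
        return re.search(self.cmdline_pattern, ev["cmdline"], re.IGNORECASE) is not None


@dataclass(frozen=True)
class Case:
    label: str        # what the sample represents
    expect_hit: bool  # ground truth: should the rule fire?
    source: str       # which telemetry schema the event uses
    event: dict       # raw event as the sensor would emit it


# Constructed sample telemetry for a made-up malware family ("exfam").  The
# family renamed its plugin DLL between v1 and v2 but kept the --sync-key flag.
CASES = [
    Case("exfam v1 loader", True, "sysmon",
         {"Image": r"C:\ProgramData\svc_helper.exe",
          "CommandLine": "svc_helper.exe --plugin exfam_v1.dll "
                         "--sync-key=0f1e2d3c4b5a69788796a5b4c3d2e1f0"}),
    Case("exfam v2 loader (renamed plugin)", True, "sysmon",
         {"Image": r"C:\ProgramData\svc_helper.exe",
          "CommandLine": "svc_helper.exe --plugin updater.dll "
                         "--sync-key=ffeeddccbbaa99887766554433221100"}),
    Case("benign helper run", False, "sysmon",
         {"Image": r"C:\Program Files\Helper\svc_helper.exe",
          "CommandLine": "svc_helper.exe --plugin updater.dll --check"}),
    Case("exfam v2 loader seen through vendor_x schema", True, "vendor_x",
         {"process_path": r"C:\ProgramData\svc_helper.exe",
          "process_cmdline": "svc_helper.exe --plugin updater.dll "
                             "--sync-key=00112233445566778899aabbccddeeff"}),
]

# A rule keyed on the v1 file name is exactly the stale content the article describes.
RULE_V1 = Rule("exfam loader (file name)", r"exfam_v1\.dll")
# A rule keyed on the artifact shared by both variants survives the rename.
RULE_V2 = Rule("exfam loader (sync-key flag)", r"--sync-key=[0-9a-f]{32}\b")


def validate(rule: Rule, cases: list) -> dict:
    """Run a rule over every labelled case and tally outcomes against ground truth."""
    report = {"tp": 0, "fn": 0, "fp": 0, "tn": 0, "missed": [], "false_alarms": []}
    for case in cases:
        hit = rule.matches(normalize(case.event, case.source))
        if hit and case.expect_hit:
            report["tp"] += 1
        elif hit:
            report["fp"] += 1
            report["false_alarms"].append(case.label)
        elif case.expect_hit:
            report["fn"] += 1
            report["missed"].append(case.label)
        else:
            report["tn"] += 1
    return report


def passes(report: dict) -> bool:
    """Content is only accepted when it misses nothing and raises no false alarms."""
    return report["fn"] == 0 and report["fp"] == 0


if __name__ == "__main__":
    for rule in (RULE_V1, RULE_V2):
        result = validate(rule, CASES)
        print(f"{rule.name}: {'PASS' if passes(result) else 'FAIL'} {result}")
```

Running the block shows `RULE_V1` failing with two missed cases (the renamed v2 plugin, and the same v2 event arriving through the other schema), while `RULE_V2` passes all four. The point of keeping the case list next to the rule is that when a new variant appears, adding one labelled event is enough to show whether the existing content is now stale, and when content is imported into a new environment, adding a case in that environment's schema is enough to show whether re-engineering is required.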


Lastly, another extremely common problem with relying exclusively on free content is that it was often written with a particular analyst skillset in mind, namely the author’s, and with little accompanying documentation. However, the reality is that analysts’ abilities and competencies differ, which means that analysts may have to “fill in the blanks,” and different analysts may fill in the same blank differently. This can result in a lot of extra work, as more skilled analysts have to create procedural documentation for this free content if they want their triage and analysis to be rigorous and repeatable.


Again, it is important to note how fortunate the infosec community is to have such talented minds as those that contribute to the security of the whole. However, it is concerning that so many organizations still rely so heavily on free detection content, especially when those same organizations would be leery of relying on open source projects in other production environments.



Cyborg Security

Cyborg Security is a pioneer in cybernetic threat hunting, delivering an advanced, actionable threat hunting platform.