I don’t think anyone would dispute that cyber security has a problem with buzzwords. These are words that start with a fixed definition but are ultimately diluted over time. One of these so-called buzzwords is ‘threat detection.’ But I am here to tell you that this is one buzzword that we should reclaim and that organizations should spend more time considering.
WHAT IS THREAT DETECTION?
Before we go digging into threat detection, let’s first define what it is. You’d be forgiven for wondering why we need to define threat detection in the first place, especially since the term seems very straightforward. Because of the aforementioned dilution, though, a definition is still important. For our purposes, threat detection is a process that detects malicious activities by observing behaviours known to be associated with specific malware.
Threat detection contrasts with threat protection. Threat protection is a process that detects malicious code through signatures. These signatures rely almost exclusively on digital characteristics of the malware, instead of their behaviours. These could include hash values, strings of text, IP addresses, domains or other similar things.
THREAT DETECTION VS THREAT PROTECTION
Simply put, threat protection looks at what the threat is, and threat detection looks at what the threat does. Recall Dave Bianco’s infamous “Pyramid of Pain.” Threat protection aligns to the lower three levels, while threat detection corresponds to the upper three. This means that threat detection is more robust, especially when faced with modifications like code recompilation or infrastructure changes.
Threat detection, compared to threat protection, has a lot of real-world advantages for security teams. One of the biggest advantages relates to false positives. False positives for threat protection relate to indicators and are binary in nature. An analyst who spends significant time investigating an alert that turns out to be a false positive ultimately produces a reductive outcome for the security team, because the investigation will likely lead to the disabling of the rule or removal of the indicator.
Threat detection, however, looks for suspicious behaviours. This doesn’t mean you won’t see false positives. Analysts will find power users leveraging Microsoft Office or batch scripts in ways you never thought possible. Their analysis, however, will not be wasted. Instead, that behaviour can be whitelisted without losing the protection provided by the threat detection content. This means more reliable detections moving forward. This also results in security teams being able to better profile “what is normal” in their environment.
THREAT DETECTION PRE-REQUISITES
While some people believe that threat detection requires new and fancy tools, the opposite is actually true. Threat detection only requires the platforms and tools most teams already have. These include a SIEM or data lake platform and an endpoint agent for logging. Of course, there are other tools and technologies, such as EDR, that can make security teams’ lives easier. But these tools aren’t required to get started.
THREAT DETECTION CONTENT
With logging at the host level in place, and a platform to analyze those logs, the next important step is threat detection content. Content in this context refers to the queries deployed in a SIEM or data lake platform. This content will often be written in a platform-specific syntax. These could include:
- SPL (for Splunk),
- KQL (for ELK stacks),
- AQL (for QRadar),
- ArcSight Keywords (for ArcSight), or
- YARA (which is a cross-platform content format).
As we mentioned, threat detection content differs from traditional threat protection content. Instead of relying on traditional atomic indicators to detect malicious activity, it looks for specific behaviors used by malware and could include things such as:
- Suspicious parent-child process relationships,
- Creation or modification of specific files in specific locations,
- External network connections using odd protocols,
- Modifications or additions to specific registry hives,
- Access to specific Windows APIs, or
- Specific commands and switches.
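The difference between matching what a file is and what a process does, and the narrow whitelisting of a behaviour an analyst has confirmed as benign, can be shown in a short Python sketch. This is an added example, not content from any of the platforms listed above; the event fields, host names, hash placeholders and the allowlist entry are all constructed for illustration.

```python
import ntpath
from collections import namedtuple

# Constructed process-creation events (not real telemetry). Field names are
# assumptions modelled loosely on endpoint process logs.
Ev = namedtuple("Ev", "host user parent image cmdline sha256")

BAD_HASHES = {"HASH-BUILD-1"}   # placeholder indicator, not a real hash
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\")
# Narrow exceptions recorded after analyst review: (user, parent, child, cmdline token)
ALLOWLIST = {("finance-svc", "excel.exe", "cmd.exe", "refresh_report.bat")}

def name(path):
    return ntpath.basename(path).lower()

def indicator_match(ev):
    """Threat protection: what the file is (exact hash)."""
    return ev.sha256 in BAD_HASHES

def allowlisted(ev):
    return any(ev.user == u and name(ev.parent) == p and name(ev.image) == c
               and tok in ev.cmdline for u, p, c, tok in ALLOWLIST)

def behaviour_match(ev):
    """Threat detection: what the process does (Office spawning an
    interpreter or a binary from a user-writable directory)."""
    child = ev.image.lower()
    odd_child = name(child) in INTERPRETERS or any(d in child for d in USER_WRITABLE)
    return name(ev.parent) in OFFICE and odd_child and not allowlisted(ev)

TMP = r"C:\Users\u\AppData\Local\Temp\update.exe"
WORD = r"C:\Program Files\Office\WINWORD.EXE"
EXCEL = r"C:\Program Files\Office\EXCEL.EXE"
CMD = r"C:\Windows\System32\cmd.exe"
EVENTS = [
    Ev("ws-01", "alice", WORD, TMP, "update.exe", "HASH-BUILD-1"),
    Ev("ws-02", "bob", WORD, TMP, "update.exe", "HASH-BUILD-2"),  # recompiled
    Ev("ws-03", "finance-svc", EXCEL, CMD, "cmd.exe /c refresh_report.bat", "HASH-CMD"),
    Ev("ws-04", "carol", EXCEL, CMD, "cmd.exe /c other_task.bat", "HASH-CMD"),
    Ev("ws-05", "dave", r"C:\Windows\explorer.exe", WORD, "WINWORD.EXE", "HASH-WORD"),
]

def triage(events):
    """Return {host: (indicator_hit, behaviour_hit)} for each event."""
    return {e.host: (indicator_match(e), behaviour_match(e)) for e in events}

if __name__ == "__main__":
    for host, hits in triage(EVENTS).items():
        print(host, hits)
```

The recompiled build on ws-02 slips past the hash but not the behaviour, and the allowlist entry silences only the reviewed finance job on ws-03 while the same parent-child pair on ws-04 still alerts.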
WHERE DOES CONTENT COME FROM?
Threat detection content comes from several different sources. The most common sources are open-source repositories, default platform content, and in-house development. Each of these sources has its own advantages and drawbacks (which we covered here). However, at the end of the day, threat detection content originates from threat intelligence.
EFFECTIVE THREAT DETECTION LEADS TO MORE ADVANCED CAPABILITIES
Organizations should also consider that mature threat detection capabilities have other advantages. Specifically, they enable organizations to adopt new and more advanced capabilities, like threat hunting. This is because capabilities like threat hunting rely on many of the same prerequisites that threat detection does. This means that time spent developing a solid underpinning for threat detection is not a temporary benefit. Instead, it is one that will continue to pay dividends well into the future.
While the cyber security industry is plagued with buzzwords, it doesn’t mean that those buzzwords don’t have value. Instead, it means that those words must be looked at critically to ensure we see the virtual forest for the digital trees. ‘Threat detection’ is one such concept that has tremendous value for organizations.