When it comes to protecting your organisation from cyber-attacks, threat detection can play a critical role in your overall defence strategy. Primarily this is because the earlier you can detect a threat, the earlier you can mitigate it and stop it turning into an attack. A well-executed threat detection capability can also pre-empt attacks before they occur based on a single network log.
However, in the rough and tumble of the day job, where IT security teams are lean and there is a lot of ‘noise’ from potential threats and adversaries, it can be tricky to tell an actual threat that could lead to a cyber-attack from unusual but still legitimate activity by the employee base. As a starting point to simplify this, breaking down threat detection into its fundamental elements can bring clarity, and I would recommend setting up any Threat Detection capability in the order listed:
Threat intelligence is evidence-based knowledge sharing about adversaries, usually obtained by analysing previously detected attacks. Most criminal gangs and nation states do things in the same or very similar ways each time. Therefore, being able to detect an action and link it to known information about previous attacks offers a very quick and reliable way to detect a threat.
Typically, threat intelligence is obtained from many sources around the world such as Government agencies, antivirus vendors, leading technology companies, and other international organisations. By itself this is the biggest single aid to threat detection. Consider a typical scenario of a known internet location being used to launch attacks against businesses. If this location is included in your threat intelligence database, then as soon as just one connection is made from this location, your monitoring capabilities can alert you to the connection and you can look to block it from your network before an attack occurs. Just the fact it is a known malicious host is enough to prompt a response action.
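The known-malicious-location scenario above, as an added example that is not part of the original article: connection logs are checked against a threat intelligence feed holding both single hosts and address ranges. The feed entries, log format and field names are constructed for illustration, and all addresses come from the reserved documentation ranges.

```python
import ipaddress

# Constructed threat-intelligence feed: single hosts and whole ranges.
INTEL_FEED = [
    {"indicator": "203.0.113.45", "source": "community-feed", "note": "known attack host"},
    {"indicator": "198.51.100.0/28", "source": "sector-sharing", "note": "scanning range"},
]

# Constructed firewall log lines: timestamp, action, then key=value fields.
FIREWALL_LOG = """\
2024-03-04T09:12:01Z ALLOW src=192.0.2.10 dst=10.0.0.5 dport=443
2024-03-04T09:12:07Z ALLOW src=203.0.113.45 dst=10.0.0.5 dport=443
2024-03-04T09:13:30Z DENY src=198.51.100.9 dst=10.0.0.8 dport=22
2024-03-04T09:14:02Z ALLOW src=198.51.100.77 dst=10.0.0.5 dport=443
not a log line
"""

def load_intel(feed):
    """Parse indicators into networks; a single host becomes a /32."""
    return [(ipaddress.ip_network(e["indicator"], strict=False), e) for e in feed]

def parse_line(line):
    """Return (timestamp, action, fields), or None for unparseable lines."""
    parts = line.split()
    if len(parts) < 3:
        return None
    fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
    return (parts[0], parts[1], fields) if "src" in fields else None

def match_connections(log_text, intel):
    """Alert on every connection whose source matches a known indicator."""
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, action, fields = parsed
        try:
            src = ipaddress.ip_address(fields["src"])
        except ValueError:
            continue  # malformed address: skip rather than crash the pipeline
        for net, entry in intel:
            if src in net:
                alerts.append({"time": ts, "src": str(src), "action": action,
                               "source": entry["source"], "note": entry["note"]})
                break  # one alert per connection is enough
    return alerts

ALERTS = match_connections(FIREWALL_LOG, load_intel(INTEL_FEED))
```

A single matching connection is enough to raise an alert, including one the firewall already allowed, which is the case that most needs a response.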
The cybersecurity industry is slowly but surely moving towards increased threat sharing capabilities, and some free community-driven databases, such as the Open Threat Exchange (OTX), are being utilised by more vendors. Large industry sectors, such as education, are also setting up their own threat intelligence capabilities to share their knowledge.
All these changes are very positive and mean that an intelligence capability, which used to be reserved for those with deep pockets, is now within reach of organisations of many sizes, helping them make more informed decisions. It also allows more Managed Security Service Providers (MSSPs) to offer Threat Intelligence as part of their suite of managed services, where the cost can be split across many customers to make it much more affordable.
User and Entity Behaviour Analytics (UEBA) focuses on user and device activity, such as when a user typically logs on and logs off, where they connect from, what applications they use, how much data they download, and more. The “entity” part refers to similar analysis targeted at devices, endpoints, servers, etc. Over time, usually after three months, it baselines normal behaviour and then triggers an alert if anomalous behaviour is detected. An example might be a log-in from a different country, or a user suddenly downloading gigabytes of files. When behaviour that is out of the norm occurs, it can be flagged for inspection by your security team to identify if there is a threat.
Threat actors can go undetected for long periods of time as they gain access to the network and then lie dormant until they are ready to attack, but behaviour analytics can help spot otherwise insignificant anomalies and detect a compromise quicker. Take an example of a Domain Administrator connecting to a server at 2 p.m. on a Sunday afternoon. Even if the credentials used are valid (so may not be flagged as an alert), just the fact that the account has never been used on a Sunday before is enough to trigger an alert for investigation, which can be the difference between thwarting a well-planned attack and attackers going unnoticed until they are ready.
Without a UEBA function it becomes much harder to detect anomalies in what is otherwise legitimate looking network traffic and actions.
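The Sunday log-on scenario above, as an added example that is not part of the original article: a per-account baseline is built from roughly three months of authentication history, and a new event is scored against it even though the credentials are valid. The account names, event format and `min_events` threshold are assumptions, and the history is constructed.

```python
from datetime import datetime, timedelta

DAYS = ["Monday", "Tuesday", "Wednesday", "Thursday",
        "Friday", "Saturday", "Sunday"]

def constructed_history(account="da-admin", start="2024-01-01", days=90):
    """Constructed sample data: weekday log-ons at 09:00 and 14:00 from GB."""
    first = datetime.fromisoformat(start)
    events = []
    for offset in range(days):
        day = first + timedelta(days=offset)
        if day.weekday() < 5:  # Monday to Friday only
            for hour in (9, 14):
                events.append((account, day.replace(hour=hour).isoformat(), "GB"))
    return events

def build_baseline(events):
    """Record which weekdays, hours and countries each account normally uses."""
    baseline = {}
    for account, ts, country in events:
        when = datetime.fromisoformat(ts)
        b = baseline.setdefault(account, {"weekdays": set(), "hours": set(),
                                          "countries": set(), "count": 0})
        b["weekdays"].add(when.weekday())
        b["hours"].add(when.hour)
        b["countries"].add(country)
        b["count"] += 1
    return baseline

def score_event(baseline, event, min_events=30):
    """Return the reasons an otherwise valid log-on deviates from its baseline."""
    account, ts, country = event
    b = baseline.get(account)
    if b is None or b["count"] < min_events:
        return ["insufficient-baseline"]  # too little history to judge
    when = datetime.fromisoformat(ts)
    reasons = []
    if when.weekday() not in b["weekdays"]:
        reasons.append("new-weekday:" + DAYS[when.weekday()])
    if when.hour not in b["hours"]:
        reasons.append("new-hour:%02d" % when.hour)
    if country not in b["countries"]:
        reasons.append("new-country:" + country)
    return reasons

BASELINE = build_baseline(constructed_history())
```

A log-on at 14:00 on a weekday returns no reasons, while the same hour on a Sunday returns `new-weekday:Sunday`, so the alert is driven by the day alone.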
Threat hunting is a proactive approach to searching your network and everything on it for security threats. The objective is to seek evidence of threats across your entire network that may otherwise evade security solutions or only be detected once an attack is launched. Skilled threat hunters can add a powerful new dimension to any security programme, helping to pick up many of the threats that manage to slip through. An example may be looking for the presence of certain malicious files, configurations or versions of software known to be vulnerable. It can be proactive as well as reactive. When a vulnerability is disclosed for a certain version of software, a threat hunting scan can tell you everywhere this exact software is installed, allowing you to quickly plan patching. Or, if you find a suspicious change to the configuration of a host, you can run a scan to see whether the same change has been made anywhere else, which may indicate the planning of an attack. The permutations of this are endless. I think of this as a service organisations often think they do not need, but once they have it, they wonder how they ever got by without it.
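The two hunts described above, as an added example that is not part of the original article: one sweep finds every host running a software version inside an affected range, the other finds hosts sharing a configuration change first spotted on a single machine. The inventory, the package name `examplehttpd` and the `remote_admin` setting are hypothetical and constructed for illustration.

```python
import re

def parse_version(text):
    """'2.4.10' -> (2, 4, 10, 0); None when the string is not dotted-numeric."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    nums = [int(p) for p in text.split(".")]
    return tuple(nums + [0] * (4 - len(nums)))  # pad so 2.5 equals 2.5.0

# Constructed inventory, as an endpoint agent or asset database might report it.
INVENTORY = [
    {"host": "web01", "software": {"examplehttpd": "2.4.9"}, "config": {"remote_admin": "off"}},
    {"host": "web02", "software": {"examplehttpd": "2.4.10"}, "config": {"remote_admin": "on"}},
    {"host": "db01", "software": {"exampledb": "11.2"}, "config": {"remote_admin": "on"}},
    {"host": "app01", "software": {"examplehttpd": "2.5.0"}, "config": {"remote_admin": "off"}},
    {"host": "app02", "software": {"examplehttpd": "2.4.10-custom"}, "config": {"remote_admin": "off"}},
]

def hunt_version(inventory, package, affected_from, fixed_in):
    """Return (affected hosts, hosts whose version needs manual review)."""
    low, high = parse_version(affected_from), parse_version(fixed_in)
    affected, review = [], []
    for record in inventory:
        raw = record["software"].get(package)
        if raw is None:
            continue  # package not installed on this host
        version = parse_version(raw)
        if version is None:
            review.append(record["host"])  # never silently skip odd builds
        elif low <= version < high:
            affected.append(record["host"])
    return affected, review

def hunt_config(inventory, key, value, seen_on):
    """Other hosts carrying the same setting first spotted on `seen_on`."""
    return [r["host"] for r in inventory
            if r["host"] != seen_on and r["config"].get(key) == value]

PATCH_LIST, REVIEW_LIST = hunt_version(INVENTORY, "examplehttpd", "2.4.9", "2.5.0")
SAME_CHANGE = hunt_config(INVENTORY, "remote_admin", "on", seen_on="web02")
```

Versions are compared numerically because a plain string comparison would rank 2.4.10 below 2.4.9 and drop an affected host from the patch list.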
According to the SANS 2020 Threat Hunting Survey, the number of organisations using threat hunting as a form of compliance has continued to increase and 52% of organisations surveyed claimed to find value in looking for unknown threats.
It can be a daunting thing to implement a Threat Detection capability, but as the technology has become more common, it has become more affordable, with more suppliers offering some or all of its components. Having any one of the above three areas will put you in a better place to proactively prevent an attack, and really that is the best outcome we can achieve: stop the attacks before they can be executed or before they do too much damage.