Threat Detection and Why You Should Spend More Time Thinking About It
Cyborg Security, Now Part of Intel 471
I don’t think anyone would dispute that cyber security has a problem with buzzwords. These are words that start with a fixed definition but are ultimately diluted over time. One of these so-called buzzwords is ‘threat detection.’ But I am here to tell you that this is one buzzword that we should reclaim, and that organizations should spend more time considering.
What is Threat Detection?
Before we go digging into threat detection, let’s first define what it is. You'd be forgiven for wondering why we need to define threat detection in the first place, especially since the term seems very straightforward. Regardless, because of the aforementioned dilution it is still important. For our purposes, we will say that threat detection is a process that detects malicious activity by observing behaviours known to be associated with malware and the adversaries who operate it.
Threat detection contrasts with threat protection. Threat protection is a process that detects malicious code through signatures. These signatures rely almost exclusively on static characteristics of the malware rather than its behaviour: hash values, strings of text, IP addresses, domains, and other similar atomic indicators.
Threat Detection vs Threat Protection
Simply put, threat protection looks at what the threat is, and threat detection looks at what the threat does. Recall Dave Bianco’s well-known “Pyramid of Pain.” Threat protection aligns to the lower three levels (hash values, IP addresses, domain names), while threat detection corresponds to the upper three (network and host artifacts, tools, and TTPs). This makes threat detection more robust, especially when an adversary makes cheap changes such as recompiling code or rotating infrastructure, which invalidate hashes and addresses but leave the behaviour intact.
The Advantage
Threat detection, compared to threat protection, has a lot of real-world advantages for security teams. One of the biggest relates to false positives. A false positive in threat protection is tied to a single indicator and is binary in nature: the indicator either matched or it did not. An analyst who spends significant time investigating such an alert gets little lasting value from the effort, because the investigation will most likely end with the rule being disabled or the indicator removed.
Threat detection, however, looks for suspicious behaviours. This doesn't mean you won't see false positives. Analysts will find power users leveraging Microsoft Office or batch scripts in ways you never thought possible. Their analysis, however, will not be wasted. Instead, that specific behaviour can be whitelisted, scoped to the user, host, or command line involved, without losing the protection provided by the threat detection content for everyone else. This means more reliable detections moving forward. It also lets security teams build a better profile of “what is normal” in their environment.
Threat Detection Prerequisites
While some people believe that threat detection requires new and fancy tools, the opposite is actually true. Threat detection only requires the platforms and tools most teams already have: a SIEM or data lake platform and an endpoint agent that logs host activity (process creation, command lines, network connections, and similar events). Of course, other tools and technologies, such as EDR, can make security teams’ lives easier. But these tools aren’t required to get started.
Threat Detection Content
With logging at the host level in place, and a platform to analyze those logs, the next important step is threat detection content. Content in this context refers to the queries deployed in a SIEM or data lake platform. This content will often be written in a platform-specific syntax. These could include
As we mentioned, threat detection content differs from traditional threat protection content. Instead of relying on atomic indicators to detect malicious activity, it looks for specific behaviours used by malware, which could include things such as:
Where Does Content Come From?
Threat detection content comes from a few different sources. The most common are open-source repositories, default platform content, and in-house development. Each of these has its own advantages and drawbacks (which we covered here). However, at the end of the day, threat detection content originates from threat intelligence.
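To make the contrast between indicator-based content and behaviour-based content concrete, and to show the scoped whitelisting described under “The Advantage,” here is an added example (not Cyborg Security’s code or any product’s query syntax). It runs two rules over a handful of constructed process-creation events of the kind an endpoint agent records: an indicator rule that matches the child binary’s hash against a made-up blocklist, and a behaviour rule that fires when an Office application spawns a script interpreter or a binary from a user-writable path. The hosts, users, hashes and the finance macro exception are all invented for the demo.

```python
"""Indicator matching vs behaviour matching over constructed process-creation events.

Added example, not the page author's code. Hosts, users, hashes and the
allowlist entry are made up; the field names mirror what an endpoint agent
(Sysmon Event ID 1, EDR process telemetry) records for a process start.
"""
import ntpath
from dataclasses import dataclass

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    parent_image: str
    image: str
    command_line: str
    sha256: str  # hash of the child image on disk


@dataclass(frozen=True)
class AllowlistEntry:
    """A scoped exception: user, parent and command line must all match to suppress an alert."""
    user: str
    parent_name: str
    command_line_contains: str


def indicator_match(event: ProcessEvent, bad_hashes: set[str]) -> bool:
    """Threat-protection style: fires only if the child binary's hash is on the blocklist."""
    return event.sha256.lower() in bad_hashes


def office_spawns_suspicious_child(event: ProcessEvent) -> bool:
    """Threat-detection style: an Office app starts an interpreter or a binary from a user-writable path."""
    parent = ntpath.basename(event.parent_image).lower()
    child = ntpath.basename(event.image).lower()
    if parent not in OFFICE_APPS:
        return False
    user_writable = "\\users\\" in event.image.lower()  # anything under C:\Users\...
    return child in INTERPRETERS or user_writable


def is_allowlisted(event: ProcessEvent, allowlist: list[AllowlistEntry]) -> bool:
    """True only when every field of some exception matches; the rule itself stays enabled."""
    parent = ntpath.basename(event.parent_image).lower()
    return any(
        e.user.lower() == event.user.lower()
        and e.parent_name.lower() == parent
        and e.command_line_contains.lower() in event.command_line.lower()
        for e in allowlist
    )


def run_detections(events: list[ProcessEvent], bad_hashes: set[str],
                   allowlist: list[AllowlistEntry]) -> list[dict]:
    """Evaluate both rules per event; an alert is a behaviour hit that no exception covers."""
    results = []
    for ev in events:
        behaviour = office_spawns_suspicious_child(ev)
        allowed = behaviour and is_allowlisted(ev, allowlist)
        results.append({
            "host": ev.host,
            "indicator": indicator_match(ev, bad_hashes),
            "behaviour": behaviour,
            "allowlisted": allowed,
            "alert": behaviour and not allowed,
        })
    return results


OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

BAD_HASHES = {"a" * 64}  # constructed: one loader hash taken from a threat-intel feed

# Constructed sample telemetry (not real events).
EVENTS = [
    # 1. Phishing document drops and runs a loader whose hash is on the feed.
    ProcessEvent("HR-WS-04", "jdoe", OFFICE + r"\WINWORD.EXE",
                 r"C:\Users\jdoe\AppData\Local\Temp\invoice_update.exe", "invoice_update.exe", "a" * 64),
    # 2. Same campaign, loader recompiled and renamed: new hash, identical behaviour.
    ProcessEvent("HR-WS-07", "asmith", OFFICE + r"\WINWORD.EXE",
                 r"C:\Users\asmith\AppData\Local\Temp\wupdate.exe", "wupdate.exe", "b" * 64),
    # 3. Finance power user whose approved macro refreshes a report through PowerShell.
    ProcessEvent("FIN-WS-12", "finance_svc", OFFICE + r"\EXCEL.EXE", PS,
                 r"powershell.exe -File \\fileshare\finance\refresh_report.ps1", "c" * 64),
    # 4. Routine: Word hands a print job to the 64-bit spooler helper.
    ProcessEvent("HR-WS-04", "jdoe", OFFICE + r"\WINWORD.EXE",
                 r"C:\Windows\splwow64.exe", "splwow64.exe 12288", "d" * 64),
    # 5. Routine: an admin opens PowerShell from the Start menu.
    ProcessEvent("IT-WS-01", "admin", r"C:\Windows\explorer.exe", PS, "powershell.exe", "c" * 64),
]

# The exception from the false-positive investigation: scoped, not a disabled rule.
ALLOWLIST = [AllowlistEntry("finance_svc", "excel.exe", r"\\fileshare\finance\refresh_report.ps1")]

if __name__ == "__main__":
    for r in run_detections(EVENTS, BAD_HASHES, ALLOWLIST):
        print(r)
```

Event 2 is the point of the exercise: the recompiled loader slips past the hash blocklist but still trips the behaviour rule, and event 3 shows the finance macro being suppressed by a three-field exception while the same rule keeps firing for every other user. Events 4 and 5 are there to confirm the rule stays quiet on ordinary Office and shell activity.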
Effective Threat Detection Leads to More Advanced Capabilities
Organizations should also consider that mature threat detection capabilities have other advantages. Specifically, they enable organizations to adopt new and more advanced capabilities, like threat hunting. This is because capabilities like threat hunting rely on many of the same prerequisites as threat detection: the same host-level logging, the same analysis platform, and the same understanding of what is normal in the environment. This means that time spent developing a solid underpinning for threat detection is not a short-lived benefit. Instead, it is one that will continue to pay dividends well into the future.
Conclusion
While the cyber security industry is plagued with buzzwords, it doesn’t mean that those buzzwords don’t have value. Instead, it means that those words must be looked at critically to ensure we see the virtual forest for the digital trees. ‘Threat detection’ is one such concept that has tremendous value for organizations.
Interested in finding out more about threat detection? Check out what threat hunters believe are the free tools that everyone in the infosec industry should be using.
Cybersecurity Analyst | Network Security Specialist | Penetration Testing Focus | CompTIA CySA+, Security+, FortiNet NSE 4 | Unifi Network Specialist | Ubiquiti Enterprise Wireless Admin (UEWA) | CEHv12 In Progress
2 years ago: Great read and perspectives! Sharing this with my fellow students!