Threat Detection

Threat detection involves analyzing a security ecosystem to identify malicious activity that could compromise a network. If detected, mitigation efforts must be enacted to neutralize threats before vulnerabilities can be exploited. Tactics, techniques, and procedures (TTPs) analysis helps understand how threat actors operate: tactics are types of attack activities, techniques are general methods used to achieve goals, and procedures are specific series of steps used to carry out attacks. Effective threat detection requires both human analysis and technical tools to identify known and unknown threats across an organization's network, endpoints, and security technologies.

Uploaded by shanthi rajesh

What is threat detection?

Threat detection is the practice of analyzing the entirety of a security ecosystem
to identify any malicious activity that could compromise the network. If a threat
is detected, then mitigation efforts must be enacted to properly neutralize the
threat before it can exploit any present vulnerabilities.

What are tactics, techniques, and procedures (TTPs)?

TTP analysis can help security teams detect and mitigate attacks by
understanding the way threat actors operate. Below we define the three
elements of TTPs: tactics, techniques, and procedures.

Tactics

In general, tactics are types of activity that cyber criminals use to carry out
an attack. For example, gaining unauthorized access to sensitive data,
performing lateral movement within a network, or compromising a website.

Techniques

Techniques are general methods that attackers use to achieve their goals. For
example, if the goal is to compromise a website, the technique might be
SQL injection. Each tactic can comprise several techniques.

Procedures

A procedure is a specific series of steps that cyber criminals can use to carry
out an attack. To take the example of SQL injection, the procedure might
involve scanning the target website for vulnerabilities, writing a SQL query
that includes malicious code, and submitting it to an unsecured form on the
website to gain control of the server.

Getting breached is a nightmare scenario, and most organizations that prioritize
their information will put smart people and technologies to work as a defensive
barrier against anyone who might try to cause trouble. But security is an
ongoing process—not a guarantee.

Within the context of an organization's security program, the concept of "threat
detection" is multifaceted. Even the best security programs must plan for worst-
case scenarios, when someone or something has slipped past their defensive
and preventative technologies and becomes a threat.

When it comes to detecting and mitigating threats, speed is crucial. Security
programs must be able to detect threats quickly and efficiently so attackers don’t
have enough time to root around in sensitive data. A business’s defensive
programs can ideally stop a majority of threats, because often they've been seen
before—meaning they should know how to fight them. These threats are
considered "known" threats. However, there are additional “unknown” threats that
an organization aims to detect. This means the organization hasn't encountered
them before, perhaps because the attacker is using brand-new methods or
technologies.

Known threats can sometimes slip past even the best defensive measures, which
is why most security organizations actively look for both known and unknown
threats in their environment. So how can an organization try to detect both
known and unknown threats?

There are several methods available in the defender's arsenal that can help:

Leveraging threat intelligence

Threat intelligence is a way of looking at signature data from previously seen
attacks and comparing it to enterprise data to identify threats. This makes it
particularly effective at detecting known threats, but not unknown. Threat
intelligence is frequently used to great effect in Security Information and Event
Management (SIEM), antivirus, Intrusion Detection System (IDS), and web proxy
technologies.
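The comparison described above, as an added example that is not part of the original article: a small indicator matcher that pulls IPs, domains and SHA-256 hashes out of log lines and checks them against an indicator set. The indicator values, the key=value log format and the sample lines are all constructed for the example (documentation address ranges and the empty-file hash stand in for real indicators); the last function shows the limitation the article names, since lines that carry no known indicator are simply not flagged.

```python
import re
from dataclasses import dataclass

# Constructed indicator set standing in for a threat-intelligence feed.
# Values are placeholders (documentation/TEST-NET ranges, the SHA-256 of an
# empty file), not real indicators of compromise.
INDICATORS = {
    "ip": {"203.0.113.45"},
    "domain": {"update-check.example.net"},
    "sha256": {"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
}

# Observable extractors: crude, but sufficient for key=value style log lines.
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")


@dataclass(frozen=True)
class Match:
    line_no: int
    kind: str
    value: str


def extract_observables(line):
    """Pull candidate IPs, domains and SHA-256 hashes out of one log line."""
    return {
        "ip": set(IP_RE.findall(line)),
        "domain": {d.lower() for d in DOMAIN_RE.findall(line)},
        "sha256": {h.lower() for h in SHA256_RE.findall(line)},
    }


def match_indicators(lines, indicators=INDICATORS):
    """Compare each line's observables with the indicator set; return every hit."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        observables = extract_observables(line)
        for kind, values in observables.items():
            for value in sorted(values & indicators.get(kind, set())):
                hits.append(Match(line_no, kind, value))
    return hits


def lines_without_hits(lines, indicators=INDICATORS):
    """Line numbers the feed says nothing about: this is where unknown threats hide."""
    hit_lines = {m.line_no for m in match_indicators(lines, indicators)}
    return [n for n in range(1, len(lines) + 1) if n not in hit_lines]


# Constructed log lines (proxy, EDR and firewall style); addresses use private
# and documentation ranges only. Line 5 is suspicious but unknown to the feed.
SAMPLE_LOGS = [
    "2024-05-01T02:14:07Z proxy allow src=10.0.0.12 dst=update-check.example.net path=/u.bin",
    "2024-05-01T02:14:09Z edr file-create host=WS042 "
    "sha256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
    "2024-05-01T02:15:30Z fw deny src=10.0.0.12 dst=203.0.113.45 dport=4444",
    "2024-05-01T09:02:11Z proxy allow src=10.0.0.20 dst=files.example.org path=/report.pdf",
    "2024-05-01T09:03:00Z fw deny src=10.0.0.31 dst=198.51.100.9 dport=8443",
]

if __name__ == "__main__":
    for m in match_indicators(SAMPLE_LOGS):
        print(f"line {m.line_no}: {m.kind} indicator {m.value}")
    print("no indicator matched on lines:", lines_without_hits(SAMPLE_LOGS))
```

Hash and domain matching is case-insensitive because feeds and log sources do not agree on case; the extractor deliberately over-collects (it will treat `u.bin` as a domain candidate), which is harmless because only values present in the indicator set are ever reported.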

Analyzing user and attacker behavior analytics

With user behavior analytics, an organization is able to gain a baseline
understanding of what normal behavior for an employee would be: what kind of
data they access, what times they log on, and where they are physically located,
for example. That way, a sudden outlier in behavior—such as a 2 a.m. logon in
Shanghai from someone who usually works from 9 to 5 in New York and doesn’t
travel for business—stands out as unusual behavior and something a security
analyst may need to investigate.

With attacker behavior analytics, there's no "baseline" of activity to compare
information to; instead, small, seemingly unrelated activities detected on the
network over time may in fact be breadcrumbs of activity that an attacker leaves
behind. It takes both technology and the human mind to put these pieces
together, but they can help form a picture of what an attacker may be up to
within an organization's network.
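Both analytics styles just described, as one added example that is not from the original article: the first part builds a per-user baseline of logon hours and locations from constructed history and scores a new logon against it (the 2 a.m. Shanghai case from the text), the second part needs no baseline at all and instead alerts when several different weak signals accumulate on one host inside a time window. User names, host names, signal kinds and all timestamps are constructed for the example; the slack of one hour and the threshold of three distinct signal kinds are assumptions a team would tune.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Logon:
    user: str
    time: datetime
    location: str


@dataclass(frozen=True)
class Signal:
    host: str
    time: datetime
    kind: str  # constructed categories: "failed_logon", "new_service", "rare_outbound"


def build_baseline(history):
    """Per-user profile of logon hours and locations, built from past logons."""
    baseline = defaultdict(lambda: {"hours": Counter(), "locations": Counter()})
    for ev in history:
        baseline[ev.user]["hours"][ev.time.hour] += 1
        baseline[ev.user]["locations"][ev.location] += 1
    return dict(baseline)


def hour_is_unusual(hour, seen_hours, slack=1):
    """True when no past logon fell within +/- slack hours of this hour."""
    return not any(seen_hours[(hour + d) % 24] for d in range(-slack, slack + 1))


def score_logon(ev, baseline):
    """Return the reasons a logon deviates from the user's baseline ([] = normal)."""
    profile = baseline.get(ev.user)
    if profile is None:
        return ["no baseline for user"]
    reasons = []
    if hour_is_unusual(ev.time.hour, profile["hours"]):
        reasons.append(f"hour {ev.time.hour:02d} outside usual logon hours")
    if profile["locations"][ev.location] == 0:
        reasons.append(f"location {ev.location!r} never seen for user")
    return reasons


def correlate_breadcrumbs(signals, window=timedelta(hours=24), min_distinct=3):
    """Attacker-behaviour view: no baseline, just weak signals accumulating per host.
    Alert on a host when >= min_distinct different signal kinds occur inside the window."""
    by_host = defaultdict(list)
    for s in sorted(signals, key=lambda s: s.time):
        by_host[s.host].append(s)
    alerts = {}
    for host, evs in by_host.items():
        for i, start in enumerate(evs):
            kinds = {e.kind for e in evs[i:] if e.time - start.time <= window}
            if len(kinds) >= min_distinct:
                alerts[host] = sorted(kinds)
                break
    return alerts


# Constructed history: a New York worker with ordinary business-hours logons.
HISTORY = [
    Logon("jdoe", datetime(2024, 4, d, h, 0), "New York")
    for d in (22, 23, 24, 25, 26)
    for h in (9, 12, 17)
]
ANOMALOUS_LOGON = Logon("jdoe", datetime(2024, 4, 29, 2, 0), "Shanghai")
NORMAL_LOGON = Logon("jdoe", datetime(2024, 4, 29, 8, 30), "New York")
UNKNOWN_USER_LOGON = Logon("ghost", datetime(2024, 4, 29, 10, 0), "New York")

# Constructed weak signals: WS042 shows three different kinds within a day;
# WS077 repeats one kind; WS088 spreads two kinds over several days.
SIGNALS = [
    Signal("WS042", datetime(2024, 4, 29, 10, 0), "failed_logon"),
    Signal("WS042", datetime(2024, 4, 29, 14, 0), "new_service"),
    Signal("WS042", datetime(2024, 4, 29, 22, 0), "rare_outbound"),
    Signal("WS077", datetime(2024, 4, 29, 10, 0), "failed_logon"),
    Signal("WS077", datetime(2024, 4, 29, 11, 0), "failed_logon"),
    Signal("WS088", datetime(2024, 4, 27, 9, 0), "new_service"),
    Signal("WS088", datetime(2024, 4, 30, 9, 0), "rare_outbound"),
]

if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    print("anomalous:", score_logon(ANOMALOUS_LOGON, baseline))
    print("normal:", score_logon(NORMAL_LOGON, baseline))
    print("breadcrumb alerts:", correlate_breadcrumbs(SIGNALS))
```

Note that a user with no history gets a reason of its own rather than a silent pass: a brand-new account logging on is exactly the case a baseline cannot vouch for, and the analyst should see it. The breadcrumb correlation counts distinct kinds rather than raw event volume, so a noisy but one-dimensional host (repeated failed logons only) does not trip the same alert as a host showing a chain of different activities.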

Setting intruder traps

Some targets are just too tempting for an attacker to pass up. Security teams
know this, so they set traps in hopes that an attacker will take the bait. Within the
context of an organization's network, an intruder trap could include a honeypot
target that may seem to house network services—especially appealing to an
attacker, or “honey credentials” that appear to have user privileges an attacker
would need in order to gain access to sensitive systems or data. When an
attacker goes after this bait, it triggers an alert so the security team knows there
is suspicious activity in the network that should be investigated. Learn more
about the different types of deception technology.
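The alerting side of an intruder trap, as an added example that is not part of the original article: decoys have no legitimate use, so any authentication attempt with a honey credential (failed or not) and any connection to a honeypot host becomes an alert, with one practical caveat built in, an allowlist for the deception platform's own health checks so the trap does not alert on itself. The decoy account name, decoy address, allowlisted source and the key=value log lines are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed decoys: a "honey credential" account that no real process uses,
# and a honeypot host that advertises a file service nobody should need.
HONEY_ACCOUNTS = {"svc_backup_admin"}   # placeholder decoy account name
HONEYPOT_HOSTS = {"10.0.9.250"}         # placeholder decoy host address
# Sources permitted to touch decoys, e.g. the deception platform's own health
# checks (constructed); without this, the trap alerts on itself.
ALLOWLIST_SOURCES = {"10.0.9.1"}

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class TrapAlert:
    line_no: int
    trap: str
    source: str
    detail: str


def parse_kv(line):
    """Turn 'key=value key2=value2 ...' into a dict (constructed log format)."""
    return dict(KV_RE.findall(line))


def detect_trap_touches(lines):
    """Any interaction with a decoy is an alert: decoys have no legitimate use,
    so a failed attempt counts just as much as a successful one."""
    alerts = []
    for line_no, line in enumerate(lines, 1):
        fields = parse_kv(line)
        src = fields.get("src", "unknown")
        if src in ALLOWLIST_SOURCES:
            continue
        if fields.get("user") in HONEY_ACCOUNTS:
            alerts.append(TrapAlert(
                line_no, "honey_credential", src,
                f"user={fields['user']} result={fields.get('result', '?')}"))
        if fields.get("dst") in HONEYPOT_HOSTS:
            alerts.append(TrapAlert(
                line_no, "honeypot_host", src,
                f"dst={fields['dst']} dport={fields.get('dport', '?')}"))
    return alerts


def sources_to_investigate(alerts):
    """Distinct sources that touched any trap: the analyst's first pivot."""
    return sorted({a.source for a in alerts})


# Constructed log lines (authentication and firewall style). Line 3 is the
# allowlisted health check; line 4 is ordinary activity.
SAMPLE_LOGS = [
    "2024-05-01T03:10:02Z auth src=10.0.0.12 user=svc_backup_admin result=fail",
    "2024-05-01T03:11:40Z fw allow src=10.0.0.12 dst=10.0.9.250 dport=445",
    "2024-05-01T03:12:00Z fw allow src=10.0.9.1 dst=10.0.9.250 dport=445",
    "2024-05-01T09:00:13Z auth src=10.0.0.20 user=jdoe result=ok",
]

if __name__ == "__main__":
    found = detect_trap_touches(SAMPLE_LOGS)
    for a in found:
        print(f"line {a.line_no}: {a.trap} from {a.source} ({a.detail})")
    print("investigate:", sources_to_investigate(found))
```

Because the decoy is never referenced by any legitimate job, the alert needs no baseline and no tuning beyond the allowlist, which is what makes traps effective against unknown as well as known threats.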

Conducting threat hunts

Instead of waiting for a threat to appear in the organization's network, a threat
hunt enables security analysts to actively go out into their own network,
endpoints, and security technology to look for threats or attackers that may be
lurking as-yet undetected. This is an advanced technique generally performed by
veteran security and threat analysts.

Ideally, a well-developed security threat detection program should include all of
the above tactics, amongst others, to monitor the security of the organization's
employees, data, and critical assets.

Threat detection requires a two-pronged approach

Threat detection requires both a human element, as well as a technical element.
The human element includes security analysts who analyze trends, patterns in
data, behaviors, and reports, as well as those who can determine if anomalous
data indicates a potential threat or a false alarm.

But threat detection technology also plays a key part in the detection process.
There's no magic bullet in threat detection—no single tool that will do the job.
Instead, a combination of tools acts as a net across the entirety of an
organization's network, from end to end, to try and capture threats before they
become a serious problem.

A robust threat detection program should employ:

- Security event threat detection technology to aggregate data from events across the
network, including authentication, network access, and logs from critical systems.
- Network threat detection technology to understand traffic patterns on the network
and monitor traffic within and between trusted networks, as well as to the internet.
- Endpoint threat detection technology to provide detailed information about possibly
malicious events on user machines, as well as any behavioral or forensic information
to aid in investigating threats.

By employing a combination of these defensive methods,
you’ll be increasing your chances of detecting and mitigating
a threat quickly and efficiently. Security is a continuous
process, and nothing is guaranteed. It will be up to you and
the resources and processes you put in place to keep your
business as secure as possible.

6 Essential Elements of Your Managed Detection and Response Lifecycle – Part 1

Sara Matzek

We’ve seen a sharp increase in the number of organizations growing their
remote workforces over the last decade. In fact, at the start of 2020, the
number of remote workers in the U.S. stood at 4.7 million, which represents
3.4% of the population.

The advent of cloud, multi-cloud, and hybrid cloud architectures has made
it possible for businesses to rapidly adapt to changing workforces and
working styles. However, these changes have also introduced new
challenges in managing security operations.

The key reasons for this include:

- Workers are accessing organizations’ servers and applications
remotely, which opens up new entry points for cyber attacks
- Employees are relying increasingly on cloud-hosted services to
work and collaborate
- Remote workers are being targeted by more and more
malware sites
- Employees fail to consistently practice good cyber hygiene

As the remote workforce grows and cyber threats stack up, it's important
organizations have the capability to manage risks and uncertainty to keep
critical assets secure. Where risks are known, actions are clear. But with
unknown risks, there needs to be a focus on disciplined research and
investigation. This helps generate intelligence to develop detailed use
cases, providing Security Operations (SecOps) teams with a guide to
respond to threats.

By defining known and unknown risk scenarios in your security operations
lifecycle, you can meet the demands of remote workers using cloud and
network services, while ensuring you remain protected.

Let’s explore how to establish a six-phase threat detection and response
methodology that addresses uncertainty.

Managing uncertainty with disciplined security operations

Identify

Establishing a clear methodology for security operations teams to follow is
a critical element of effective and efficient threat detection and response.

This methodology starts with identifying use cases. Use cases are the
definition and analysis of an attack method. In addition to the type of
attack, use cases include step-by-step detail on how an attack unfolds, e.g.
exfiltration of data from an organization or compromised privileged login, as
well as possible control points for use in mitigation. Establishing a
methodology that SecOps then leverages to identify and create new use
cases is crucial to ensuring the organization maintains a strong security
posture.

Building a disciplined approach to use case identification and analysis is
the foundation of your detection and response process, providing insights
on use case relevancy and organizational asset protection effectiveness.

Without these insights you will lack the visibility needed to truly maximize
the value of follow-on process steps such as developing, evaluating, and
enhancing.

Organizations that follow a defined methodology to discover, collect, refine,
validate, and apply changes to use cases address a critical weakness in
“set it and forget it” programs. These programs assume the security
policies and use cases developed at the time of implementing advanced
operations tools remain static – an assumption that can create broad gaps
in your threat visibility.

Prioritize

Prioritizing use case development is very important given it directly impacts
how fast your organization is ready to respond to specific threats. It is often
debated which use cases to do first, which are most important, and how to
assess the lifecycle for additional use cases. While prioritization could be
based on importance, you’re likely to be more effective balancing
importance with feasibility (e.g. how complex and risky is the use case to
implement) and the speed at which a particular business operates.

Establishing a model to prioritize use cases will help you manage this
balance. One approach is to create relative categories. For example:

- ‘Control’ based use cases relate to a regulatory objective, such
as Payment Card Industry Data Security Standard (PCI DSS)
- ‘Threat’ based use cases leverage threat intelligence related to
Tactics, Techniques, and Procedures (TTPs)
- ‘Data or Asset’ based use cases relate to specific datasets or
assets that represent additional risk to the business

Reviewing new use cases in each of these categories with a balance
between importance and feasibility provides a great strategy for new use
case prioritization.

Develop

As we discovered previously, establishing and documenting a procedure
for identifying and prioritizing threat scenarios allows you to maintain rigor
and discipline throughout the security operations lifecycle.

Here’s an example of steps SecOps teams could follow when developing a
use case:

- Step 1: Review and refine the description of the threat and the
requirements for addressing it
- Step 2: Ensure monitoring tool deployment and configuration
- Step 3: Validate data sources
- Step 4: Validate context sources
- Step 5: Perform a gap analysis against security operations
procedures

Evaluate

Once a use case is developed, you’ll need to determine what will trigger a
review or reevaluation of its function. This will help avoid the “set it and
forget it” approach that often leads to security operations teams losing sight
of the need for this critical part of the lifecycle.

The better approach is to define clear notification criteria, so SecOps teams
can ensure each use case stays relevant. This way, when thresholds are
met – or when there is a change or update to the available context data –
use cases can be reevaluated.

For example, age/duration, changes in compliance, threats, and data
security can require a reevaluation of threat definitions, monitoring tools,
contexts, validation metrics, and performance – or they could make a use
case redundant entirely. Having a clear set of metrics that trigger reviews
ensures necessary evaluations are not overlooked.

Deploy

The deployment phase involves the following practical tasks:

- Training security operations teams to respond to new alerts
with clear actions
- Updating and publishing runbooks, ops guides, and process
documents
- Promoting code through testing, staging, and production
environments
- Reporting threat validation metrics

Once deployed, use cases must be continuously incorporated into the
evaluation and enhancement workflows.

Enhance

Unlike the evaluation phase, fine-tuning a use case is not driven by network
or business changes. Rather, it is driven by the evolution of threat tactics,
techniques, and procedures, as well as changes in data and context. The
purpose of this phase is to provide clear actions and remove any
uncertainty.

Like other phases in this lifecycle, a defined process will allow teams to
successfully address the rapidly expanding threat landscape.

Elements that could justify a reevaluation include:

- Event generation settings, thresholds and metrics
- Outputs, such as impact and urgency
- Environments leveraging automation
- Additional response options

Similar to the previous phase, you need to address operational processes,
update runbooks, and provide training to Security Operations Center
analysts.

Overlooking these activities or handing them over to operations analysts is
a recipe for losing ground in the fast-paced threat landscape. It can lead to
analysts being unable to effectively manage the overwhelming number of
alerts, and increase the risk of human error, which in turn prolongs
investigations and increases workloads.

Taking a disciplined approach to structuring responsibilities and
expectations for your teams will ensure continuity, while supporting the
continued growth and maturity of your security operations program.

Learn from the experts

If you don’t have the resources to keep pace with the evolving threat
landscape and manage security operations comprehensively, consider a
solution like Cisco’s Managed Detection and Response (MDR). Our team
of security investigators and responders utilize the unmatched threat
research of Talos, and proven playbooks to guard your organization’s IT
around the clock.

Learn how Cisco MDR can enhance your security operations and give you
the freedom to focus on what matters most. Get in touch today.
