Threat detection is the top element on the priority list for cybersecurity cell. Detection is essential because to eliminate threats, you need to see it first. But with so many adversaries that your dedicated server is likely to have, putting the correct threat detection program and policy at place can be a daunting task.
Given the plethora of marketing buzzword, combined with technicality, detecting threats and identifying the correct tool is no more a child’s play.
This article with tech you –
What is meant by threat detection?
Why it is important
What intents are behind the attacks?
How to respond and hunt these threats
Since the term relates to cyber security, a threat is anything with the potential to cause harm to your network or computer. By harm, we mean cyber harm. A threat has nothing to do with physically harming your computer, though that is also achievable.
World’s first computer virus
Threats represent how likely the attack is to occur. Higher threat means, it is plausible that an attack would take place on your computer. But, one must note than threats and attacks are not the same. Though natives of the same village, threats are, by and large, a different ball game to handle.
A threat that is not inhibited culminated to an attack. The idea is as simple as that.
Threats represent the potential or the loopholes vulnerable enough to be exploited. Attacks are when your network (or computer) is breached, and the data taken.
Yes and no. while some threats can be eliminated by simply changing permissions on your computer, some need serious software upgrades for extrication (elimination).
How sophisticated the threats are depend on where they overlay. A sophisticated threat can remain on your network substantially longer and thus has a longer attack window.
Theoretically, the longer the threats continue to exist, the dangerous it becomes.
You should be able to detect threats as early as you can in the product cycle. Threats aren’t sitting idle in your memory. Some threats are advanced enough to replicate themselves and as they propagate, more and more vulnerabilities will come to light.
Even if the vulnerabilities have persisted on the computer, they aren’t deadly until attacked.
This is also the case with malware. Malware, for example, perhaps may not have been exploited. Its job ends up with exposing system vulnerabilities. The coder who programmed the malware may not have attacked your system. But you cannot certainly say that your network will not be attacked ever.
Microsoft security essentials detection alert screen
Our goal is to catch who the bad actor is. That is to say, catch who introduced the threat in the first place and in what way did he achieve it.
What intents are behind the attacks?
Cybercriminals are not looking for anything specifically. They intend to get hands-on anything that they could use for their advantage. However, saying so would not be completely true. In my opinion, you can categorize hackers under two categories –
|Above is an emblem from Anonymous’ Website. Anonymous is the most feared, and hence popular, hack group that has exposed scams and government conspiracies. The group has its own YouTube channel and are seen wearing Masquerades.
Cybercriminals, in a nutshell, are usually after one (or more) of the six things listed below. In more than half the cases, they yearn monetary benefits.
1) User Credentials – oftentimes, cybercriminals are after your credentials and not you. They want to illicitly gain access to your account and are mostly after your username and password. The malware present on your system can covertly send your saved passwords, which the attackers will then use to monitor your activities without you having a hint of it.
2) PII (personally identifiable information) – identity theft is burgeoning at a rapid pace. Some attackers realized they need not steal directly from you. A more comprehensive and elusive approach would be to steal your identity and then use it to apply for loans and credit card. Not only would it unlock them escalated privilege, it’d also be indescribably subtle.
3) Intellectual property – espionage is not dead yet. A majority of attackers you have so rightly deemed as cybercriminals are but cyber spies. Nation-state want to steal secrets from their rivals to boost their economy. Competitors want to have an insight into what the other is after. Employees can have their passwords stolen and misused out of spite. You never know what your neighbor is plotting against you.
4) Money – the biggest percentage of cyber attackers aim for monetary gains. The two biggest weapons that attackers demanding ransom deploy are ransomware and DDoS. Ransomware encrypts the entire server endpoints and files for which the attackers demand ransom to unlock. DDoS is another sophisticated attack method. The attackers flood your network or website with counterfeit traffic until your server denies service to genuine visitors. A ransom is then demanded against bringing back the server to its normal.
5) Retaliation or revenge – some users are so disgruntled for some reason they sort to attack the victim, thereby breaching user privacy laws. As intriguing as the idea might sound, it is still illicit. You cannot illegitimately vandalize webpages just for the sake for embarrassing the person at the other end.
6) Fun – there is no scale to measure the limit bored technicians would go to have fun. Some cases have been brought to light in the past. The attacker in these cases did not steal credentials not files, but instead left spooky notes some of which said –
We were here
We saw what you did
Great click, Mark
The users were left dumbstruck and, for a moment, could not believe how a note could have been slipped into their computer.
Various threat types
Depending upon how the threats invade and breach your computer privacy, we can summarize them as –
The more advanced security teams are migrating to a robust framework called MITRE ATT&CK for detection and planning response against the threat.
ATT&CK is a globalized, accessible knowledge base of tactics that can be implemented to observe and plan against attacks in the global front. The framework is displayed in a matrix so arranged that the attack stages are encapsulated. Thus, the first element in the matrix should be the initial stage, which then spans out to the middle and final attack stage.
We cannot emphasize enough on being vigilant. You cannot detect a vulnerability unless you know what a vulnerability is in the first place. You must always have antivirus protection active on your computer. Antivirus that is installed and inactive is owning a gun but no bullets to shoot. There are, however, applications that you can make use of, to prevent unnecessary programs from invading your computer.
|CASB – Cloud access and security brokers
|Unauthorized apps access in cloud.
|Comprehensive access pattern view of all cloud applications.
|Limited to cloud apps. Cannot detect threats inside the apps.
|EDR -Endpoint detection and response
|Suspicious behavior. Will block malicious access, thereby suggesting responses.
|Entire technology for protecting endpoint computers at one place.
|Limited scope. Cannot detect attack on network or server.
|(IDS)Intrusion detection systems
|Great for detecting network-introduced threats.
|The scope is limited. Cannot detect endpoint threats in the cloud. An external IPS (intrusion prevention system) is required to block threats.
|Malicious activity or access. Undertakes actions appropriately.
|Great for threat blocking and detection via the network.
|Limited scope and will not detect endpoint or cloud threats.
|A network-attached system set up as a decoy to expose threats against an organization.
|Advanced visibility of threats against applications or resources.
|Limited in scope the specific honeypots that are deployed. If discovered by an attacker, honeypots can be circumvented.
|A security information management platform that correlates connected threats and attacks.
|Good for a holistic view across the entire threat or attack chain; tie together other detection technologies.
|Some SIEMs may have incomplete logs to work with, due to timing or space constraints.
|Threat intelligence platforms
|Services that publish up-to-date information about known threats.
|A good repository for known threat information.
|Do not take action on their own and require integration with another threat detection technology.
|Detects threats based on behavior.
|Able to detect unknown threats by using behavior and machine learning.
|Advanced technology that detects unknown threats by creating a baseline that demonstrates behavior and data insights.
Source – Exabeam
You can bring down the possibility of an attack just by being vigilante. If you closely follow your system’s behavioral pattern, you would instantly discern when programs are not performing the way they should be.
Cybercriminals have become increasingly more aware and proficient and there is no perimeter these attackers cannot cross. The traditional methods are now highly inaccurate and risky, no matter how effective these techniques were once.
It is for this reason that behavioral analysis is being watched upon as the torchbearer of computer security.
UEBA – User and Entity Behavioral Analytics – is a new way of implementing security solution that makes use of analytics, ML and deep learning. It then discovers anomaly and abnormality in the system.
System deviating from its normal way of functioning is what triggers UEBA into action. Users can then choose from a list of things they deem fit for the scenario.
UEBA can detect vulnerabilities that even traditional tools fail to see. The algorithms of UEBA do not conform to the correlation rules or attack patterns. This is because these tools are robust enough to span several data sources at once. This helps detect cases that are unidentifiable even with an austere antivirus at place. The system can be considered to act like a well-taught human with the capability to detect malware when it sees one.
Threat hunting is the practice involving seeking out threats in an organization or network. Threat hunt can be conducted right after a breach or done routinely to discover novel, anonymous threats that may have entered the system.
Around almost half of the organizations hunt on a regular basis, while the remaining conduct impromptu threat hunts.
It is advisable to routinely conduct a hunt. This not only helps eliminate problems but it eliminates them at an early stage. Prevention is better than cure, after all.
Typically, the network security teams get done away with threats before they become lethal. Response to the threats ranges from patching loopholes, tracking down vulnerabilities, deleting files to moving items to the chest.
Response varies depending upon the level to which the vulnerability has caused damage. Once a threat is weaponized and an attack is planted, a different response is planned. Ideally, the response is to mitigate the damages like outage, data loss, and/or illicit access to the network (if any). Organizations that store user sensitive data have also erected separate incident response pillars.
Yes, absolutely. Understanding threats can help your organization to appropriately plan a response without missing out on essential steps. You can leverage highly advanced frameworks such as MITRE ATT&CK to enhance the way your security teams respond to threats.
Behavioral analysis can further up your defence against vulnerabilities by making your security teams more sophisticated and advanced.
The bottom line is, you should learn about threats because you will be fighting against them someday.