Most organizations try to stay ahead of threats and enhance their security posture with limited resources. This includes implementing a threat detection program into the company’s security strategy—and, if this hasn’t been done yet I strongly suggest looking into developing this capability.
Threat detection has become a powerful tool for organizations to stay ahead of emerging threats, and a well-developed threat detection program will help enterprises identify and ultimately disrupt malicious attackers. However, many threat detection programs are missing important components, hindering their ability to experience all potential benefits. Let’s dive into the four steps companies should take to have the right components on-hand for developing a successful threat detection program:
- Invest in behavioral detections.
Historically, indicators of compromise (IOC) have been the mainstay of threat intelligence and detection strategies. They let companies become fast followers in blocking low-hanging widespread attacks by using basic fingerprints like IP addresses, domain/URLs, and file hashes. Unfortunately, IOCs are trivial for hackers to evade and are only effective at blocking well-known threats, and that’s why they live at the very bottom of the “Pyramid of Pain” detection maturity graph developed by David Bianco .
The industry has shifted towards adopting more robust behavioral detections of threats. Behavioral detections target bottlenecks in attacker tactics, techniques and procedures (TTPs), allowing just one well-crafted and tuned analytic to defend against the equivalent of thousands of IOCs and help defend against unobserved or future variations of the attack. This is a critical step in maturing a threat detection team from a reactive to proactive state.
- Facilitate collaboration among threat intel, red, and blue teams.
Too many organizations silo the threat intelligence, red (offensive) and blue (defensive) teams. While no company ever sets out to intentionally construct teams that aren’t collaborating, this has become a natural result and tendency because most of these teams are incentivized in ways that reward the independent missions. As a result, it’s often the default behavior until proper culture and shared technology are put in place.
In the Art of War, the side that best understands their enemy, wins. This becomes especially true in cybersecurity and the best way to know the enemy is through continuous collaboration among your red, blue and threat intelligence teams. The best threat hunters are the ones who understand the real threat. So, as an enterprise, it's important to build a culture of prioritization, regular collaboration, and idea/feedback sharing sessions as well as empirical automated and manual testing of the organization's security controls.
When constructing this cross-team, shared purpose mindset, teams often relegate red/blue collaboration to only a single formal exercise per quarter. Teams that have more regular informal interactions tend to immediately see the value of their shared goals and responsibilities, namely to increase the efficiency and effectiveness of their overall detection program.
Encouraging red and blue teams (known collectively as purple teaming) to work collaboratively on the properly prioritized threats will optimize the company’s threat detection program. Purple teaming can help the organization increase the efficiency of cyber defenses, and validate true-positive attack behavior faster, leading to increased productivity among the security team.
- Share knowledge.
We’ve likely all heard something akin to the phrase “power of community” at some point in our lives. And, it's true, having a robust group of connections can have numerous benefits and positive impacts, especially with threat intelligence. Leveraging the diversity of a community can help the organization create and share powerful behavioral analytics. In instances where there are highly publicized, widespread threats, such as SolarWinds and Log4j, security teams are pressed for time and there’s no need to reinvent the wheel by thousands of companies. In these scenarios, sharing immediately actionable threat intelligence can help other organizations bolster their defenses and thwart potential incidents. There isn’t a company out there that hasn’t benefited from a useful threat intelligence blog post or shared community analytic in the past year of constant cyber threats.
While we acknowledge companies face many hurdles to sharing, companies that do share stand out in the crowd as great places to work. The free company advertising and display of company culture can become an advantage in the cyber war for talent. Secondly, as anyone who has subscribed to sharing can attest, they receive 10 times in return for their efforts. Companies that share can build and tap into trusted networks where sharing is currency to an open threat sharing community.
- Verify and validate detections.
Simply put, when companies measure processes they improve. To truly reduce risk and threat actors across the cyber kill chain, the security team needs to track detection coverage, identify gaps, and manage detection backlog. We need to go beyond analytic creation, to actually making sure that the analytics in place are detecting and providing the right coverage. Without this confidence, the threat detection program remains incomplete and may not truly provide ongoing protection against future attacks.
By running simulated attacks on the network, the team can validate detections and the security controls the team has in place. Both interactive red teaming as well as automated security controls testing are valuable here, but each has its own strength. Security controls testing platforms let the company test numerous detections weekly whereas red teaming allows the company to simulate more realistic threat profiles as well as multi-stage attacks that are often tough to script. The team will emulate the attacker’s movements and TTPs confidently determine if the security controls and analytics pass the test. There are breach and attack simulation (BAS) vendors that can assist with this, as well as community resources such as Atomic Red. Just remember to track and measure progress over time. Every team player loves seeing a simple to read score and knowing if they are improving over time.
With these four components, the organization will create a robust threat detection program. Security postures are ever-evolving, meaning that the team may be fairly secure one moment and the next face a critical vulnerability. These changes can take place over the course of a few months, days or even minutes. That’s why it’s important to build out a comprehensive threat detection program. All of these components are critical aspects as they can help ensure that the company has the necessary detection capabilities to thwart attacks now, and in the future.
Fred Frey, chief technology officer, SnapAttack