Forge Threat Detection Success at the Pyramid Apex

Discussion Topics

Sequenced behavioral-based detections

Singular atomic-based detections have been the foundation for threat detection in security operation centers (SOCs); however, atomic-based detections alone are not enough, and the concept has proven unreliable, yielding noisy detections with short operational lifespans. The pyramid of pain categorizes the various detection levels, with threat actor tactics, techniques, and procedures (TTPs) being the goal of detection. The apex is where threat detection should move, since understanding threat adversary objectives helps to eliminate the focus on chasing dynamic and easily changeable indicators. Reliance on a single identifier is no longer enough; instead, the atomic components should be structured in sequences to enable behavioral-based detection. Anvilogic is putting our detections deep in the fire to forge a strong security framework. The framework is built on sequenced, behavioral-based detections that help to home in on the attacker's core objectives, providing a threat detection model designed to hold its long-term strategic value. This makes it largely future-proof, with the flexibility to modify as new TTPs are identified, while also giving security teams the ability to expand and easily detect any unknowns.

INTRODUCTION

A practical threat detection framework has been lacking in an industry that has been struggling to keep pace with threat adversaries outmaneuvering frazzled security practitioners. Organizations that adopted signature- and heuristics-based defense strategies have proven to have limitations, inadequately stopping threat adversaries and malware from penetrating organizations. This happens because detection capabilities that focus on the lowest levels of the pyramid of pain, with identifiers accurately categorized as "Trivial," "Easy," and "Simple," quickly lose value.
Because threat actors can so easily change the associated indicator, the result is a security posture that is constantly degrading and will only hold short-term strategic value, causing security defenders to chase a constantly moving target. In addition to having a SOC that is a mad hatter tea party of chaotic disarray, these detections are often noisy and unreliable, contributing to security analysts' burnout and diluting confidence when trying to discern malicious activity in a sea of alerts. It's an unintentional cycle of operational chaos that is ineffective when a detection strategy is based on low-level atomic indicators. Since the threat landscape continually evolves at a pace antivirus systems can't match, the focus on delineating malicious and/or benign threats through code hasn't proven to be the answer for the security industry. Organizations must change their reliance on antiquated methods many still think work, or as an industry, we'll continue to go in circles talking about skills shortages, how to keep up with alert fatigue, and all the rest of the things that hold us back.

The Anvilogic Threat Detection and Incident Response (TDIR) Platform approach to better threat detection embraces using research focused on threat actor tactics, techniques, and procedures (TTPs) to create detections based on patterns of attack behaviors. Leveraging this threat detection approach can help teams establish a security framework that makes the attacker's main objectives the core focus of alerting. The Anvilogic TDIR Platform aims to create a behavioral-based framework that can help teams stabilize and modernize their security operations by breaking away from the more traditional chaotic operational cycle. With reliance no longer placed on a single identifier as alerts, teams can shift to sequence-based threat behaviors composed of multiple threat identifiers. A detection crafted from the apex of the pyramid, classified as "Tough," enables detections to operate at a level that isn't malleable, with applicability to various threat activities, eliminating the need to focus or spend time on one-off events.
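The contrast between single atomic identifiers and sequenced behavior, as an added illustration that is not Anvilogic's code: three cheap atomic checks (Office spawning a shell, that shell talking to the network, that shell creating a scheduled task) fire individually on noisy admin activity, while the sequence rule only alerts when all three occur in order on one host inside a time window. The telemetry and field names are constructed for the example.

```python
"""Sequenced behavioral detection vs. single atomic indicators (added example)."""
from datetime import datetime, timedelta

# Constructed sample telemetry; field names are assumptions, not a real schema.
EVENTS = [
    {"ts": "2024-03-01T09:00:01", "host": "ws01", "kind": "process",
     "parent": "winword.exe", "image": "powershell.exe"},
    {"ts": "2024-03-01T09:00:04", "host": "ws01", "kind": "network",
     "image": "powershell.exe", "dst_port": 443},
    {"ts": "2024-03-01T09:00:09", "host": "ws01", "kind": "process",
     "parent": "powershell.exe", "image": "schtasks.exe"},
    # Routine admin use on another host: PowerShell with network is noisy, not malicious.
    {"ts": "2024-03-01T11:30:00", "host": "ws02", "kind": "process",
     "parent": "explorer.exe", "image": "powershell.exe"},
    {"ts": "2024-03-01T11:30:02", "host": "ws02", "kind": "network",
     "image": "powershell.exe", "dst_port": 443},
]

# Atomic identifiers: each is cheap, but noisy or trivially changed on its own.
ATOMICS = {
    "office_spawns_shell": lambda e: e["kind"] == "process"
        and e["parent"] in {"winword.exe", "excel.exe"} and e["image"] == "powershell.exe",
    "shell_network": lambda e: e["kind"] == "network" and e["image"] == "powershell.exe",
    "shell_persistence": lambda e: e["kind"] == "process"
        and e["parent"] == "powershell.exe" and e["image"] == "schtasks.exe",
}

# The behavior: execution -> outbound connection -> persistence, in order, same host.
SEQUENCE = ["office_spawns_shell", "shell_network", "shell_persistence"]
WINDOW = timedelta(minutes=10)

def atomic_hits(events):
    """(atomic_name, host) pairs: what a single-indicator strategy would alert on."""
    return [(n, e["host"]) for e in events for n, p in ATOMICS.items() if p(e)]

def sequence_hits(events, sequence=SEQUENCE, window=WINDOW):
    """(host, first_ts, last_ts) for hosts where every step fired in order within window."""
    progress = {}  # host -> (index of next expected step, time of first step)
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        idx, start = progress.get(e["host"], (0, None))
        if start is not None and ts - start > window:
            idx, start = 0, None  # partial chain expired, start over
        if ATOMICS[sequence[idx]](e):
            idx, start = idx + 1, start or ts
            if idx == len(sequence):
                alerts.append((e["host"], start, ts))
                idx, start = 0, None
        progress[e["host"]] = (idx, start)
    return alerts
```

On the constructed events, the atomic rules produce four alerts across both hosts, while the sequence rule produces one alert, for ws01 only.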