By Ivan Vinogradov, Solution Architect, LogPoint
Threat detection is typically described as an activity relating to the identification of threats within an organization. Often this task is at least partially automated and involves big data processing – especially in larger environments. In fact, in most modern organizations, automation is becoming a necessity for advanced threat detection.
When looking for threats, it helps to know and keep in mind which resources are the most valuable to you and which are most vulnerable to attack. Often one does not have the luxury of having sufficient intelligence to recognize threats from the top, so one has to search from the “bottom-up”.
Attackers tend to be opportunistic and often look for outdated devices as an entry point. Usually, this will occur after major updates that reveal these vulnerabilities to the public. The other primary vector remains human – clicking on malicious links is a reliable way to compromise one’s network as ever. Once on the network, the attacker activity can vary – from harvesting data and credentials – to the basic yet effective ransomware. This is especially the case with non-targeted, highly opportunistic attacks. Not surprisingly, a staggering 86% of breaches are financially motivated (Verizon, 2020 Data Breach Investigations Report).
Often, the motivation of cybercriminals are one of four things:
- Financial: While rather self-explanatory, this is the most common motivation. Organized criminals target companies and individuals for their financial gain. Often by using ransomware to encrypt files, or flooding networks with DDoS attacks until the ransom is paid
- Personal Identifiable Information (PII): When criminals are looking for personal information it is often to use it for impersonation. Valuable PII includes social security numbers, which can be used to open bank accounts, create credit cards and other critical assets.
- Intellectual Property: Organized criminals can also be nation states or even competitors looking to gain an advantage in the market. Valuable intellectual property includes customer databases, product roadmaps, trade secrets and other information only known to the company itself.
- Revenge and amusement: Criminals can be disgruntled ex-employees seeking revenge, or political opponents seeking to deface their opponents for their own gain. And sometimes the motivation is not rooted in anything particular, other than for the amusement of adversaries.
Of course, it does not stop there. There are currently groups that stand out due to their large reserves of resources. These which tend to come from a government, enabling them to perform highly sophisticated, targeted, and strategically advanced attacks. For these cases, automated detection is insufficient. One can only recommend establishing a Threat Hunting program and keeping up with intelligence. This especially concerns organizations in highly targeted industries.
Common examples of cyber threats include:
- Malware: Malware breaches the network through vulnerabilities, and includes spyware, ransomware, viruses, and worms.
- Privilege misuse: Utilize the privileges associated with a particular account to do harm in the company network.
- Social Engineering: Attackers deceive users into divulging confidential information that can be used for fraudulent purposes.
- Denial of service (DoS): DoS floods systems, servers or networks with traffic to exhaust resources and bandwidth, making systems unavailable to legitimate requests.
- Human error: Unintentional actions – or lack of action – by users that cause or allow a breach to occur, usually misconfigurations, misdeliveries or publishing errors.
- Advanced persistent threats: An adversary gets access to the network and remains there undetected for an extended period of time – giving them time to plant their attack.
- Ransomware: Encrypts the victim’s files, and demands a ransom to restore access to the data.
Read more about each threat, and how advanced threat detection can help to identify these threats.
Successful threat detection is highly reliant on the maturity of the local cybersecurity capabilities. It’s relatively simple to know the landscape, keep up with intelligence and sector-related resources, and have an internal program for identifying vulnerabilities. However, the larger an environment grows – the higher the demand for solutions that can assist in advanced threat detection, at least in part automatically, becomes necessary. Furthermore, sophisticated actors that are targeting your organization might not be so easy to identify. For example, you can never be entirely sure if a state actor has taken an interest in your research. Which has been a cause of many high-profile breaches.
Threat response before an actual incident always involves preparation. Preparation is useful for almost any discipline in cybersecurity. However, organizations have limited resources. Therefore, one should identify their critical assets, budget for security controls, and place them appropriately to mitigate the threats’ risk. There is no one-fits-all solution. However, a good start would be educating the workforce on their immediate work’s security issues and implementing at least the most basic patching program.
Ideally, security teams and security operations centers (SOC’s) can detect and respond to cyber threats before they get active and impact the organization. However, once an incident occurs, it is crucial to have an incident response plan for your team to identify, respond, and recover from cybersecurity incidents. To orchestrate an appropriate and timely response, SOC staff must understand the specific cyber threat. Leveraging frameworks like MITRE ATT&CK can help the security team understand the adversary and how they operate – making threat detection and response even faster.
Lastly, SOC analysts can benefit significantly from having sophisticated tools such as behavioral analytics (UEBA) and threat hunting capabilities available to aid in advanced threat detection.