Detection in Cyber Security (sector 2).pdf

Full Transcript

Detection in Cyber Security
When it comes to cyber security, detection definition is stated as a process and action
of identifying concealed threats inside a network or system and responding to them.
Cyber-attacks are becoming more complex day by day. Organizations can no longer
rely on reactive security measures because the reactive approach is costly. There is no
need to wait for an attack to happen. To prevent data loss and intrusion, you'll have to
rely on tools that help in threat detection.
so this cybersecurity operation sector depends on monitoring stage.

Cybercriminals are employing different tactics to enter your business system and harm
it in one way or another. Since attacks are becoming quite sophisticated, there is a need
to use advanced threat detection tools. Let's dive in to understand detection's meaning
in the cyber security world.

The Role of Detection in Cyber Security
When it comes to creating an excellent defense mechanism, detection plays a vital role.
You can only defend your enterprise fully against a cyber-threat by initiating a process
of detection. Detection comprises some advanced threat detection and system screening
tools. The purpose of these tools is to identify potential threats beforehand.
In simple words, effective detection tools empower organizations to know about and
prevent a potential attack. Once an organization knows about its threats, it becomes
easy for them to respond to threat effectively. Besides, it lets them limit their exposure
time, avoid breach costs and prevent data loss.

As example “On average, the cost of a Ransomware Breach is 4.5 million”
Without powerful detection tools, your organization is vulnerable to threats. And if a
ransomware attack happens, it puts your organization's resources at risk. Thereby, you'll
have to pay the high cost of the breach. Depending on your organization's scale and
size, breach costs vary. You can avoid this cost by relying on advanced threat detection
tools.

Types of Detection in Cyber Security
Regardless of what cyber security tool you use to detect a threat; they will rely on the
following two types of detection.
 1- Anomaly-Based Detection
It is a process where behavioral analytics is combined with machine learning algorithms
to identify abnormal behavior or suspicious activity inside a system or network to
indicate a potential threat.

2- Signature-Based Detection
It is another type of detection in which a tool uses signatures and patterns associated
with malware, virus’s and other malicious activities. Malware is detected based on its
specific signature.
Threat detection tools rely on one or both types of detection to ensure network and
system security. When getting protection against malicious actors, organizations need
to rely on advanced threat detection tools.

What is Threat Detection?
It analyzes a system or network to identify suspicious activities that may comprise a
system or network. When it comes to creating a powerful cyber security strategy, your
organization needs to invest money in tools that help not only in threat detection but
also in threat prevention. Fortunately, multiple threat detection and prevention tools are
available to create an excellent line of defense against threat actors.

Threat Detection Tools
Every organization has a security team that analyzes the system manually for threats.
Since threats are becoming complex, security analysts use detection tools to automate
the threat detection and response process.
In the past, the organization used security information and event management (SIEM)
and network traffic analysis (NTA) for threat detection. Since these traditional
techniques had some shortcomings. Today, businesses invest more in Endpoint
detection and response (EDR) and Extended Detection and Response (XDR) Solutions.

SIEM
This security solution collects security data across enterprises to detect system
vulnerabilities and potential threats before they disrupt business operations. This
solution is still used among organizations for cyber security, but since it doesn't perform
an in-depth analysis of security events. And also never provide a meaningful attack
story; organizations need more powerful solutions. Enterprises with traditional SIEM
don't have any threat response tool.
NTA
It is a process of monitoring network availability and activity to detect anomalies related
to operation and security. Organizations need NTA for getting history and real-time
analysis of network data. NTA also detects malware and viruses in the network. NTA
effectively detects threats only in a specific silo like a network. It won't be able to detect
threats that move between silos.

EDR
Endpoint detection and response is an advanced threat detection and prevention tool.
EDR helps an organization to do real-time monitoring of all endpoints connected to an
organization.
It lets security analysts keep an eye on the endpoints, and if there is any suspicious
activity, EDR starts a response mechanism. It automatically contains threat and prevent
an attack from happening on one side. On another side, it also alerts security
professionals to look into a potential threat on an endpoint and respond to it.

XDR
It stands for Extended Detection and Response is a new cyber security tool that
combines features of all traditional security solutions such as NTA and SIEM. It collects
data from the network, cloud, system, endpoints, network, email, and other resources.
XDR employs and used artificial intelligence and threat intelligence to detect threats
and highlight the full attack story.

Threat Detection and Response
Threat detection and response is the practice of identifying any malicious activity that could
compromise the network and then composing a proper response to mitigate or neutralize the
threat before it can exploit any present vulnerabilities.

Within the context of an organization's security program, the concept of "threat detection" is
multifaceted. Even the best security programs must plan for worst-case scenarios: when
someone or something has slipped past their defensive and preventative technologies and
becomes a threat.

Detection and response is where people join forces with technology to address a breach. A
strong threat detection and response program combines people, processes, and technology to
recognize signs of a breach as early as possible, and take appropriate actions.
Detecting Threats

When it comes to detecting and mitigating threats, speed is crucial. Security programs must
be able to detect threats quickly and efficiently so attackers don’t have enough time to root
around in sensitive data. A business’s defensive programs can ideally stop a majority of
previously seen threats, meaning they should know how to fight them.

These threats are considered "known" threats. However, there are additional “unknown”
threats that an organization aims to detect. This means the organization hasn't encountered
them before, perhaps because the attacker is using new methods or technologies.

Known threats can sometimes slip past even the best defensive measures, which is why most
security organizations actively look for both known and unknown threats in their
environment. So how can an organization try to detect both known and unknown threats?

Leveraging Threat Intelligence
Threat intelligence is a way of looking at signature data from previously seen attacks and
comparing it to enterprise data to identify threats. This makes it particularly effective at
detecting known threats, but not unknown, threats. Known threats are those that are
recognizable because the malware or attacker infrastructure has been identified as associated
with malicious activity.

Unknown threats are those that haven't been identified in the wild (or are ever-changing), but
threat intelligence suggests that threat actors are targeting a swath of vulnerable assets, weak
credentials, or a specific industry vertical. User behavior analytics (UBA) are invaluable in
helping to quickly identify anomalous behavior - possibly indicating an unknown threat -
across your network. UBA tools establish a baseline for what is "normal" in a given
environment, then leverage analytics (or in some cases, machine learning) to determine and
alert when behavior is straying from that baseline.

Attacker behavior analytics (ABA) can expose the various tactics, techniques, and procedures
(TTPs) by which attackers can gain access to your corporate network. TTPs include things
like malware, crypto jacking (using your assets to mine cryptocurrency), and confidential data
exfiltration.

During a breach, every moment an attacker is undetected is time for them to tunnel further
into your environment. A combination of UBAs and ABAs offer a great starting point to
ensure your security operations center (SOC) is alerted to potential threats as early as possible
in the attack chain.

Responding to Security Incidents
One of the most critical aspects to implementing a proper incident response framework is
stakeholder buy-in and alignment, prior to launching the framework. No one likes surprises
or questions-after-the-fact when important work is waiting to be done. Fundamental incident
response questions include:

 Do teams know who is responsible at each phase of incident response?
 Is the proper chain of communications well understood?
 Do team members know when and how to escalate issues as needed?

A great incident response plan and playbook minimizes the impact of a breach and ensures
things run smoothly, even in a stressful breach scenario. If you're just getting started, some
important considerations include:

 Defining roles and duties for handling incidents: These responsibilities, including contact
information and backups, should be documented in a readily accessible channel.
 Considering who to loop in: Think beyond IT and security teams to document which cross-
functional or third-party stakeholders – such as legal, PR, your board, or customers – should be
looped in and when. Knowing who owns these various communications and how they should be
executed will help ensure responses run smoothly and expectations are met along the way.

What Should a Robust Threat Detection Program Employ?
 Security event threat detection technology to aggregate data from events across the network,
including authentication, network access, and logs from critical systems.
 Network threat detection technology to understand traffic patterns on the network and monitor
network traffic, as well as to the internet.
 Endpoint threat detection technology to provide detailed information about possibly malicious
events on user machines, as well as any behavioral or forensic information to aid in investigating
threats.
 Penetration tests, in addition to other preventative controls, to understand detection telemetry and
coordinate a response.

A Proactive Threat Detection Program
To add a bit more to the element of telemetry and being proactive in threat response, it’s
important to understand there is no single solution. Instead, a combination of tools acts as a
net across the entirety of an organization's attack surface, from end to end, to try and capture
threats before they become serious problems.

Setting Attacker Traps with Honeypots

Some targets are just too tempting for an attacker to pass up. Security teams know this, so
they set traps in hopes that an attacker will take the bait. Within the context of an
organization's network, an intruder trap could include a honeypot target that may seem to
house network services that are especially appealing to an attacker. These “honey credentials”
appear to have user privileges an attacker would need in order to gain access to sensitive
systems or data.

When an attacker goes after this bait, it triggers an alert so the security team knows there is
suspicious activity in the network they should investigate.

Threat Hunting

Instead of waiting for a threat to appear in the organization's network, a threat hunt enables
security analysts to actively go out into their own network, endpoints, and security technology
to look for threats or attackers that may be lurking as-yet undetected. This is an advanced
technique generally performed by veteran security and threat analysts.

By employing a combination of these proactively defensive methods, a security team can
monitor the security of the organization's employees, data, and critical assets. They’ll also
increase their chances of quickly detecting and mitigating a threat.