- Threat Detection: Detecting a Webserver Attack
- Threat Intelligence for SOC
- Detection Engineering vs Threat Hunting
- Yara 101
- Threat Intelligence Tools – Abuse.ch
- Threat Intelligence Tools – URLScan.io
- Custom detection rule with the MITRE ATT&CK framework in Splunk
- Investigate SQLi attacks using Splunk
- Splunk: Search Processing Language (SPL) Basics
- Practical Threat Hunting using Elastic SIEM: Hunting for Stuxbot
- MITRE Framework
- SOC Tools and Useful Links
- ELASTIC SIEM: Kibana Query Language (KQL)
- SOC Home LAB: Elastic SIEM Installation
- MISP (Malware Information Sharing Platform)
Views: 22
DETECTION ENGINEERING: REINFORCING THE KNOWN
Threat detection is the process of identifying threats in an organization that is actively trying to attack the endpoints, networks, devices and systems.
Unlike threat hunting, a threat detection is a reactive approach: threat mitigation mechanisms activate only when the organization’s security system receives alerts on potential security breaches. It uses automated network and system monitoring tools which can detect malicious activity and behavioral patterns related to malware.
Detection Engineering is the practice of augmenting existing threat detection mechanisms, such as Endpoint Detection and Response (EDR), Network Detection and Response (NDR), and Security Information and Event Management (SIEM). The primary purpose here is to combat known threats, which are thoroughly understood through analysis, sandboxing, and reverse engineering.
THREAT HUNTING: SEEKING THE UNKNOWN
One form of cyber counterintelligence (CII), threat hunting refers to finding threats before they attack your networks, systems and devices. Some advanced threats, like file-less malware, can successfully penetrate security layers undetected.
Threat hunting is a proactive approach to threat prevention where threat hunters look for anomalies that can potentially be cyber threats lurking undetected in your systems. Combined with threat intelligence, hunting enables organizations to:
- Better understand the attack surface.
- Expose cyber criminals as early as possible — before they compromise the systems.
Threat hunting content is inherently different from threat detection, employing existing security infrastructure, including SIEM, EDR, NDR, and Extended Detection and Response (XDR) toolsets. The key distinction here lies in the utilization of these toolsets; threat hunters use them to conduct time-bound hunts for unknown threats that have evaded detection.
| Detection Engineering | Threat Hunting |
|---|---|
| Focuses on known threats | Targets unknown threats |
| Centers on detecting specific artifacts or meta-characteristics | Focuses on suspicious behaviors |
| Detection content is designed for automation | Threat Hunting content requires careful interpretation by skilled threat hunters |
| It’s more reactive, as you’ve likely already been alerted to anomalies | It is a proactive approach to preventing threats |
Threat Hunter Responsibilities
- Proactively search for advanced threats that evade traditional security solutions
- Use a variety of techniques, including behavioral analysis, Machine Learning, and data analysis, to identify patterns and anomalies that may indicate a potential threat
- Collaborate with other cybersecurity professionals to investigate and respond to potential threats
- Develop and maintain threat hunting playbooks and procedures
- Stay up-to-date with the latest Threat intelligence and cybersecurity trends
Threat Hunter Skills
- Strong analytical and problem-solving skills
- Knowledge of cybersecurity threats, techniques, and tools
- Experience with threat hunting techniques and tools
- Ability to work independently and in a team environment
- Strong communication and collaboration skills
- Experience with data analysis and visualization tools
- Knowledge of programming languages such as Python and R
Threat Hunter Tools and Software
- Endpoint detection and response (EDR) tools such as Carbon Black and CrowdStrike
- Network traffic analysis tools such as Wireshark and Zeek
- Security information and event management (SIEM) tools such as Splunk, QRadar and ELK Stack
- Threat intelligence platforms such as ThreatConnect and Anomali
- Data analysis and visualization tools such as Tableau and Kibana
Detection Engineer Responsibilities
- Design, implement, and maintain detection systems that can identify and alert security teams to potential threats
- Work closely with Threat Hunters to ensure that the detection systems are effective in identifying and stopping threats
- Use a variety of tools and techniques, including Log analysis, network traffic analysis, and behavioral analysis, to create rules and alerts that can detect potential threats
- Test and refine detection systems to improve their accuracy and effectiveness
- Stay up-to-date with the latest Threat intelligence and cybersecurity trends
Detection Engineer Skills
- Strong analytical and problem-solving skills
- Knowledge of cybersecurity threats, techniques, and tools
- Experience with detection systems and tools
- Ability to work independently and in a team environment
- Strong communication and collaboration skills
- Experience with log analysis, network traffic analysis, and behavioral analysis tools
- Knowledge of programming languages such as Python and SQL
Detection Engineer Tools and Software
- Log analysis tools such as LogRhythm and Graylog
- Network traffic analysis tools such as Bro and Suricata
- Behavioral analysis tools such as Darktrace and Vectra AI
- SIEM tools such as Splunk, ELK Stack and QRadar
- Threat intelligence platforms such as ThreatConnect and Recorded Future
Methods
Both approaches contain a variety of techniques which can be employed to isolate and neutralise threats. For threat hunting, this includes:
- Situation-based – threats are most likely to target high-value areas.
- Hypothesis-based – strategy based on recent tactics and techniques used by attackers.
- In consideration of IoCs and IoAs – indicators of attacks and indicators of compromise are used to gain an understanding of attackers’ actions.
- Data processing-based – large data sets are examined to reveal suspicious patterns.
Threat detectors typically use the following three methods to detect threats:
- Threat intelligence – approach informed by knowledge gained from previous cyber attacks.
- Behaviour analysis – systems analyse current user behaviour looking for irregularities.
- Machine learning-based – systems detect known attack patterns in real time and to a high level of accuracy.
Final Thoughts
Despite their differences, Detection Engineering and Threat Hunting aren’t isolated practices. In fact, they intersect in several areas. For instance, the output from threat hunting activities often informs the development of detection mechanisms. The insights gained from hunting unknown threats can guide detection engineers in refining their detection mechanisms against evolving threats.
In conclusion, while both Detection Engineering and Threat Hunting use similar security infrastructures and tools, they differ significantly in their approaches, focus, and application. Their interplay, however, is undeniable and crucial to a comprehensive cybersecurity strategy. Understanding and leveraging these practices in their distinct capacities can substantially fortify your defense against the ever-evolving landscape of cybersecurity threats.