NCSAM: Acknowledging October as National Cybersecurity Awareness Month (NCSAM), let’s highlight the three-part series on incident response, insider threat and threat detection with a top 10 of threat detection geekspeak for the security practitioner.
This post collects the top 10 terms as a refresher for enterprise security staff who deal with them on a daily basis. Each term is linked to previous articles or posts and to educational resources that provide greater detail on the topic.
This post is also a good resource to share with CISOs and security leaders who, before finalizing the annual IT budget, might need more information about cybersecurity with respect to their organization’s needs.
The Bits And Bobs Of Threat Detection In The Event Of National Cybersecurity Awareness Month (NCSAM)
- Anomaly – Unusual behavior by a person or device. Not all anomalies are malicious, but all malicious activity is anomalous. Automated threat detection becomes more thorough when it adds context (what normal behavior looks like for each person and device) and risk (how dangerous an anomalous behavior might be). That combination lets analysts understand the impact of an incident very quickly.
- Data Loss Prevention (DLP) – A strategy or technology used to prevent the leakage or theft of sensitive information by malicious insiders or external attackers. DLP products scan emails, files, and other assets as they move through the network to determine whether a given asset contains confidential information and, if so, block it. DLP tools on their own can be quite “noisy.” Profiling behavior around DLP alerts helps determine whether an alert is normal noise (i.e., a false positive) or a serious matter that requires an analyst’s attention.
- Indicators Of Compromise (IOCs) – An indicator that provides high confidence of malicious activity. The challenge is that IOCs are static. For example, advanced persistent threat (APT) groups use specific malware; once it’s discovered, they modify the malware so as to remain undetected. IOC examples include file hashes, IP addresses, domains, URLs, email addresses, and other artifacts.
- Incident Response (IR) – An organized approach to receiving, reviewing, and responding to a cybersecurity breach or attack. Leveraging incident workflows and playbooks, SOAR (security orchestration, automation, and response) combines operations, analytics, and reporting technologies to automate an organization’s incident response procedure.
- UEBA (User and Entity Behavior Analytics) – A data-driven approach to security based on analyzing the behavior of users and entities. UEBA is a more recent extension of the earlier UBA term, adding entities to users. It acknowledges that servers (i.e., entities) often hold embedded account credentials and, when compromised, can access sensitive databases and other resources. For example, a threat actor can use an endpoint to infiltrate and compromise an entity, then use its credentials to access and steal information.
- Insider Threat – A.K.A. malicious insider. A person who uses their access permissions to steal confidential information. Such behavior is often difficult to detect until it’s too late. But UEBA profiles each person’s and device’s normal behavior to create baselines, and this information is used to flag users who are anomalously accessing sensitive data.
- Tactics, Techniques, and Procedures (TTPs) – A threat actor’s behavior. A tactic is the high-level description, while techniques provide a more detailed, contextual description of the behavior. A procedure is a lower-level, highly detailed methodology in the context of a given technique. The threat detection content referenced here maps to 51 techniques identified by the MITRE ATT&CK framework.
- Threat Hunter – A cybersecurity professional who understands the enterprise well enough to identify anomalous network behavior. For example, a threat hunter might notice a large amount of traffic to AWS while knowing that the organization has no authorized presence with that cloud provider. Threat hunters leverage MITRE ATT&CK in their hunt for TTPs.
- Threat Intelligence – Information relevant to protecting an organization from internal and external cyber threats, together with the processes, policies, and technology used to gather and analyze that information. Threat intelligence also focuses on sharing IOCs and contextual information about adversaries with partner organizations.
- SIEM (Security Information and Event Management) – A technology that enables incident response (IR), analytics, and threat detection through the collection and correlation of security events from a number of data sources. SIEMs correlate log sources to identify potentially malicious activity and generate alerts for security analysts to investigate.
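The contrast the glossary draws between static IOCs and behavioral anomaly detection with context and risk (the Anomaly, IOC, UEBA and Insider Threat entries above) can be shown in a few lines of code. The following is an added example written for this post; it is not code from the original article or from any product it describes. All data is constructed: the IOC values are placeholders (a TEST-NET-3 address and a dummy hash), the host sensitivity table stands in for an assumed asset inventory, and the per-user byte counts are invented history.

```python
"""Toy triage: static IOC matching next to behavioral anomaly scoring.

All data below is constructed for illustration; nothing here is real threat intelligence.
"""
from statistics import mean, pstdev

# Constructed IOC list (placeholders, not real indicators).
IOCS = {
    "ip": {"203.0.113.45"},   # TEST-NET-3 address used as a placeholder
    "sha256": {"aa" * 32},    # placeholder hash
}

# Context: assumed asset inventory giving host sensitivity (1 = low, 5 = critical).
HOST_SENSITIVITY = {"fileserver-01": 5, "laptop-alice": 1, "laptop-bob": 1}

# Constructed historical activity: bytes sent per session, per user.
HISTORY = {
    "alice": [1_000, 1_200, 900, 1_100, 1_000, 1_300, 950, 1_050],
    "bob": [50_000, 48_000, 52_000, 51_000, 49_000, 50_500, 49_500, 50_000],
}

# Constructed events to triage.
EVENTS = [
    {"id": 1, "user": "alice", "host": "laptop-alice", "dest_ip": "198.51.100.7",
     "bytes_out": 1_100, "file_sha256": None},
    {"id": 2, "user": "alice", "host": "fileserver-01", "dest_ip": "198.51.100.9",
     "bytes_out": 48_000, "file_sha256": None},
    {"id": 3, "user": "bob", "host": "laptop-bob", "dest_ip": "203.0.113.45",
     "bytes_out": 50_000, "file_sha256": None},
    {"id": 4, "user": "bob", "host": "laptop-bob", "dest_ip": "198.51.100.9",
     "bytes_out": 49_000, "file_sha256": "aa" * 32},
]


def match_iocs(event, iocs=IOCS):
    """Static match: return the IOC types the event hits (high confidence, no context)."""
    hits = []
    if event.get("dest_ip") in iocs["ip"]:
        hits.append("ip")
    if event.get("file_sha256") in iocs["sha256"]:
        hits.append("sha256")
    return hits


def build_baselines(history):
    """Per-user 'normal': mean and population std-dev of bytes_out."""
    return {user: (mean(vals), pstdev(vals)) for user, vals in history.items()}


def anomaly_score(event, baselines):
    """How many std-devs above the user's own baseline this event sits (0 if not above)."""
    mu, sigma = baselines.get(event["user"], (0.0, 0.0))
    if sigma == 0:
        # No variance in history: anything above the mean is maximally unusual.
        return 0.0 if event["bytes_out"] <= mu else float("inf")
    return max(0.0, (event["bytes_out"] - mu) / sigma)


def risk_score(event, baselines, sensitivity=HOST_SENSITIVITY):
    """Anomaly x context: the same deviation on a critical host outranks one on a laptop."""
    return anomaly_score(event, baselines) * sensitivity.get(event["host"], 1)


def triage(events, history=HISTORY, iocs=IOCS):
    """Order events for an analyst: IOC hits first, then by contextual risk.

    Returns a list of (event id, ioc hits, risk) tuples, highest priority first.
    """
    baselines = build_baselines(history)
    ranked = []
    for e in events:
        hits = match_iocs(e, iocs)
        risk = risk_score(e, baselines)
        ranked.append(((1 if hits else 0, risk), e["id"], hits, round(risk, 1)))
    ranked.sort(reverse=True)  # ids are unique, so the sort never compares the hit lists
    return [(eid, hits, risk) for _, eid, hits, risk in ranked]


if __name__ == "__main__":
    for eid, hits, risk in triage(EVENTS):
        print(f"event {eid}: ioc_hits={hits or '-'} risk={risk}")
```

Events 3 and 4 surface purely through static matching: bob’s byte counts are entirely normal, so only the IOC list catches them, and a changed IP or rebuilt binary would slip past. Event 2 is the opposite case: no IOC fires, but alice moving roughly 40 times her usual volume from the most sensitive host produces a large risk score, which is the insider-style access that baselining exists to flag. Event 1 stays at the bottom because it is within her normal range on a low-value laptop.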
Threat detection and remediation have become increasingly complex in the face of ever more sophisticated threat actors. Relying only on a signature-based approach leaves gaps in your security, and continuing to rely on yesterday’s time-consuming, manual methods is a hit-or-miss proposition, mostly miss.
For National Cybersecurity Awareness Month (NCSAM), pledging to apply modern threat detection technologies with a multi-dimensional approach is the most efficient way to effectively reduce business risk, remain in full regulatory compliance, and ease the burden on over-taxed security analysts.