Learn the fundamentals of detecting and responding to cybersecurity threats as well as implementing a threat detection program.
InsightIDR ProductThreat detection and response is the practice of identifying any malicious activity that could compromise the network and then composing a proper response to mitigate or neutralize the threat before it can exploit any present vulnerabilities.
Within the context of an organization's security program, the concept of "threat detection" is multifaceted. Even the best security programs must plan for worst-case scenarios: when someone or something has slipped past their defensive and preventative technologies and becomes a threat.
Detection and response is where people join forces with technology to address a breach. A strong threat detection and response program combines people, processes, and technology to recognize signs of a breach as early as possible, and take appropriate actions.
When it comes to detecting and mitigating threats, speed is crucial. Security programs must be able to detect threats quickly and efficiently so attackers don’t have enough time to root around in sensitive data. A business’s defensive programs can ideally stop a majority of previously seen threats, meaning they should know how to fight them.
These threats are considered "known" threats. However, there are additional “unknown” threats that an organization aims to detect. This means the organization hasn't encountered them before, perhaps because the attacker is using new methods or technologies.
Known threats can sometimes slip past even the best defensive measures, which is why most security organizations actively look for both known and unknown threats in their environment. So how can an organization try to detect both known and unknown threats?
Threat intelligence is a way of looking at signature data from previously seen attacks and comparing it to enterprise data to identify threats. This makes it particularly effective at detecting known threats, but not unknown, threats. Known threats are those that are recognizable because the malware or attacker infrastructure has been identified as associated with malicious activity.
Unknown threats are those that haven't been identified in the wild (or are ever-changing), but threat intelligence suggests that threat actors are targeting a swath of vulnerable assets, weak credentials, or a specific industry vertical. User behavior analytics (UBA) are invaluable in helping to quickly identify anomalous behavior - possibly indicating an unknown threat - across your network. UBA tools establish a baseline for what is "normal" in a given environment, then leverage analytics (or in some cases, machine learning) to determine and alert when behavior is straying from that baseline.
Attacker behavior analytics (ABA) can expose the various tactics, techniques, and procedures (TTPs) by which attackers can gain access to your corporate network. TTPs include things like malware, cryptojacking (using your assets to mine cryptocurrency), and confidential data exfiltration.
During a breach, every moment an attacker is undetected is time for them to tunnel further into your environment. A combination of UBAs and ABAs offer a great starting point to ensure your security operations center (SOC) is alerted to potential threats as early as possible in the attack chain.
One of the most critical aspects to implementing a proper incident response framework is stakeholder buy-in and alignment, prior to launching the framework. No one likes surprises or questions-after-the-fact when important work is waiting to be done. Fundamental incident response questions include:
A great incident response plan and playbook minimizes the impact of a breach and ensures things run smoothly, even in a stressful breach scenario. If you're just getting started, some important considerations include:
To add a bit more to the element of telemetry and being proactive in threat response, it’s important to understand there is no single solution. Instead, a combination of tools acts as a net across the entirety of an organization's attack surface, from end to end, to try and capture threats before they become serious problems.
Some targets are just too tempting for an attacker to pass up. Security teams know this, so they set traps in hopes that an attacker will take the bait. Within the context of an organization's network, an intruder trap could include a honeypot target that may seem to house network services that are especially appealing to an attacker. These “honey credentials” appear to have user privileges an attacker would need in order to gain access to sensitive systems or data.
When an attacker goes after this bait, it triggers an alert so the security team knows there is suspicious activity in the network they should investigate. Learn more about the different types of deception technology.
Instead of waiting for a threat to appear in the organization's network, a threat hunt enables security analysts to actively go out into their own network, endpoints, and security technology to look for threats or attackers that may be lurking as-yet undetected. This is an advanced technique generally performed by veteran security and threat analysts.
By employing a combination of these proactively defensive methods, a security team can monitor the security of the organization's employees, data, and critical assets. They’ll also increase their chances of quickly detecting and mitigating a threat.
Learn About Rapid7's Managed Threat Detection & Response