What is a Threat Detection Framework?

By Tom Kern, Senior Cyber Security Analyst and Researcher at NIL (part of Conscia Group)

In today’s world of increasing complexity and a lucrative cybercrime industry, you can be certain of only one thing: you will be hacked, and your exposure is growing. Read on to discover the framework and approaches that protect your business against cyber threats, even in today’s world.

Signature-based prevention is of limited value

Organizations with maturing security programs quickly realize that prevention alone is not enough to address information security risks. Many classic preventive controls, such as Intrusion Prevention Systems (IPS) and anti-malware, work by blacklisting: they match traffic and files against signatures of known malicious content. The fundamental weakness of this approach is that a signature must match a specific threat exactly. An adversary only needs to slightly change the behavior of their toolset to go unnoticed, and producing such variations can be automated.

Heuristic prevention analysis can be tricked

Modern endpoint protection vendors have moved to heuristic analysis, which is advertised as preventing even yet-unknown threats. Unfortunately, adversaries have adapted and now rely on misusing legitimate tools that are built into the modern operating system. This makes it hard to differentiate between legitimate system behavior and an adversary looking for valuable data, so reliably detecting adversarial activity becomes nearly impossible, at least without a large number of false positives.

So, how can you protect your business against cyber threats?

So, should you get rid of your anti-malware solution? Absolutely not. Will it eventually fail to detect malware that results in a major data breach? It’s just a matter of time.

To detect the threats that bypass prevention, the organization should work towards collecting the relevant data and establishing a robust threat detection and response program.

Establishing resilient IT-security: SIEM

With increasing resources spent on various security solutions, the amount of data that needs to be stored and analyzed is growing dramatically. The generated data is usually sent to a dedicated central logging system, such as a Security Information and Event Management (SIEM) system or another log management solution, for long-term storage.

While SIEM solutions are widely used by organizations, there is often little effort put into their maintenance, and they contribute little to a better overall security posture. At Conscia, we often see SIEM projects stop after a few log sources have been integrated, effectively turning expensive SIEMs into pricey log management tools.

The IT-security questions you need to ask

While throwing data into the SIEM is fairly easy, leveraging the collected data to detect possible threats in your environment can be a real challenge. Unfortunately, there is no universal recipe for tuning a SIEM; it all comes down to corporate risks, industry, technology, business processes, and other specifics. When establishing a threat detection program, two questions should be asked:

  • Which threats do I want to detect?
  • What kind of data do I need to detect them?

Understanding your enemy: the MITRE ATT&CK framework

To answer the first question, we first need to understand how an adversary operates: how they gain a foothold on one of the organization’s systems, and what they do after gaining initial access.

Lately, the MITRE ATT&CK framework has been getting a lot of attention from cybersecurity professionals, as it combines the knowledge of all known tactics, techniques and procedures (TTPs) observed in thousands of security breaches. Furthermore, for every observed technique, ATT&CK describes how it has been (ab)used and even how to detect it in your own environment. Awesome, right? Well, it (obviously) isn’t that easy…

266 ways to attack you – in general

At the time of writing, there are 266 different general attack techniques in the ATT&CK framework. On top of that, some of them are really broad and require dozens of SIEM or similar detection rules to cover all the variations adversaries use. Furthermore, the ATT&CK framework does not provide the actual detection logic, only a very general guideline.

Multiple IT-security experts needed

To come up with a practical detection rule, several teams of experts with specific knowledge are needed:

  • First, a penetration testing team develops a test that abuses the technique.
  • After that, the appropriate data needs to be gathered from our event sources and analyzed.
  • Next, digital forensics specialists research the gathered data and define detection logic that generates a minimal number of false positives while still being reliable enough to detect the adversarial activity.
  • The results are then passed to a SIEM engineer, who adapts and implements the detection logic in the SIEM system.

Should you start researching and implementing all 266 techniques, which will likely result in 500+ detection rules? Of course not. Some of the techniques are not relevant to your environment, some are rarely used, some you already mitigate, and some are nearly impossible to detect reliably. For those reasons, prioritization of techniques is the key to success.

Enter the Conscia Security Operations Center – SOC

In the Conscia Security Operations Center (SOC), a dedicated team of IT-security experts researches techniques from the ATT&CK framework. The result of their research is our custom set of detection rules, which goes well beyond the detection rules currently available in the community and provides significantly expanded detection capability compared to what most organizations can develop in-house.

The Conscia Threat Detection Framework – TDF

Our detection rules are carefully developed to detect even the most advanced attacks and are curated in a central repository called the Conscia Threat Detection Framework (TDF). The TDF serves as a unified knowledge base containing detection logic, required data sources, and red-teaming tests, so that detection capabilities are implemented as well as possible. The TDF also serves as a visual aid for our SOC customers to keep track of their current coverage of techniques, based on the sensors available in their environment.

At Conscia, we also use the Threat Detection Framework in the SOC customer assessment process to determine the security visibility a prospective customer currently has in their environment. By objectively evaluating a customer’s detection maturity, we can propose improvements that suitably enhance their detection capabilities, while allowing us to provide the Conscia SOC service at the highest level.
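As an added example (not Conscia’s TDF code), here is a minimal Python model of such a knowledge base: each rule records the ATT&CK technique it detects, the data sources its detection logic needs, and the prioritization criteria from the section above (relevance, prevalence, existing mitigation, detectability). From the sensors a customer actually has, it computes technique coverage in priority order and the single data source whose onboarding would add the most. The technique ids are real ATT&CK ids; the rules, data-source names and scores are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    technique: str       # ATT&CK technique id the rule detects
    name: str
    requires: frozenset  # data sources the detection logic needs (question 2)
    relevance: int       # 0-3: relevant to this environment?
    prevalence: int      # 0-3: how often adversaries use it
    detectability: int   # 0-3: how reliably it can be detected (low = noisy)
    mitigated: bool      # already blocked by a preventive control?

# Constructed sample knowledge base; data sources and scores are illustrative only.
RULES = [
    Rule("T1566", "Phishing attachment opened", frozenset({"email_gateway", "sysmon"}), 3, 3, 2, False),
    Rule("T1059", "Scripting interpreter abuse", frozenset({"sysmon"}), 3, 3, 2, False),
    Rule("T1003", "Credential dumping", frozenset({"sysmon", "edr"}), 3, 2, 2, False),
    Rule("T1053", "Scheduled task persistence", frozenset({"windows_security"}), 2, 2, 3, False),
    Rule("T1021", "Remote services lateral movement", frozenset({"windows_security", "netflow"}), 2, 2, 2, True),
]

def priority(rule):
    """Prioritization criteria from the article: mitigated techniques score 0,
    the rest rank by relevance x prevalence x detectability."""
    return 0 if rule.mitigated else rule.relevance * rule.prevalence * rule.detectability

def implementable(rule, sensors):
    """Do the available sensors supply every data source the rule needs?"""
    return rule.requires <= sensors

def coverage(rules, sensors):
    """Techniques with at least one implementable rule, highest priority first,
    plus the set of all techniques in the knowledge base."""
    todo = sorted((r for r in rules if implementable(r, sensors)), key=priority, reverse=True)
    return [r.technique for r in todo], {r.technique for r in rules}

def best_next_sensor(rules, sensors):
    """Single missing data source that would unlock the most detection priority."""
    gain = {}
    for r in rules:
        missing = r.requires - sensors
        if len(missing) == 1:            # one more sensor makes this rule implementable
            (src,) = missing
            gain[src] = gain.get(src, 0) + priority(r)
    return max(gain, key=gain.get) if gain else None

if __name__ == "__main__":
    have = {"sysmon", "windows_security"}
    covered, total = coverage(RULES, have)
    print(f"covered {len(covered)}/{len(total)}: {covered}; onboard next: {best_next_sensor(RULES, have)}")
```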

Today, cybersecurity is an elite sport – one in which there’s no prize for second best. Like all elite sports, it is not an endeavor you should undertake without considerable help. Try ours.

Contact us and our cybersecurity experts will be glad to help.