The importance of threat detection cannot be overstated. A recent Verizon study revealed that the top discovery method (more than 50%) for breaches is in fact disclosure by the threat actor themselves after a successful compromise. As attacks continue to evolve in methods and sophistication, security teams need to prioritize threat detection so they can identify suspicious activity before a breach can occur.
To detect threats today it is not just about which methods to use, but also which data. Endpoint server and workstation logs are a start. But major blind spots exist unless threat detection visibility extends to the network and cloud as well. Teams need to look at what data to use, how the data can indicate suspicious activity, and what to expect. This article will look at three major detection methods – signature, behavioral, and machine learning – and why all are critical for enterprise cybersecurity.
Signature-based threat detection
Signature-based detection methods consist of looking for indicators – hashes, names of files, registry of key names, or strings that show up in a file – of malicious activity. For example: a known file name associated with a dropper malware like c:\windows\system32\bigdrop.exe, or a file with a hash that matches known malware. But there are more generalized signatures, too, such as new values showing up in registry keys frequently used by attackers for gaining persistence, looking for PowerShell scripts with base64 encoding or Microsoft Word kicking off a PowerShell script.
Signature-based methods have been around for a long time and can be used for both endpoint and network based detections. For instance, Snort, an open-source intrusion prevention system (IPS) that uses rules to detect malicious network activity and generates alerts for the analyst to review, is an excellent system of record where detections for attacks dating back 20 years can be found. The vast libraries within signature-based detection systems allow threat hunters to cross-reference indicators of malware.
Signature-based detection methods are great for identifying known attacks, but they cannot help you if your attacker is using new techniques or slight modifications to old ones. Without an element of automation, plus additional context, this method of threat detection can be overwhelming to manage.
Behavior-based threat detection
Behavior-based detection methods are an excellent way to identify abnormal behavior that could indicate malicious attacks on endpoints, devices, etc. The security analyst uses a variety of techniques to establish baselines for users and compare those normal patterns against any nonstandard actions. For example, you might build a baseline of an individual user’s application usage and compare them against themselves, to flag things like the use of an application they have never used before or perhaps logging in from a location they have never visited before.
These detection methods require regular baseline updates with current information to remain relevant. Many of these methods are created from a baseline that is only created once, but user behavior is always changing, so the baseline needs to be updated regularly to account for new, different, non-suspicious behavior. Some tools can automatically build baselines of behavior, whilst others require manual intervention.
ML-based threat detection
Machine learning is one of those industry buzzwords that can mean different things based on which vendor or industry vertical you interact with. But for the purposes of threat detection, machine learning provides a new way to increase cybersecurity efficiency by leveraging more and better structured data through telemetry on network, endpoint and network, as well as from things such as identity services and cloud services.
These large datasets can use supervised or unsupervised learning approaches to surface subtle changes that might be an indicator of malicious activity. This recent development has given us new insight into a host and other entity behaviors by enabling the analysis of massive datasets.
Typically, machine learning alone may not be able to directly surface threats but can be used together with more deterministic detection methodologies to improve fidelity and add important color to alerts. For example, a user who has a high-risk score but is also generating unusual network traffic: either of those things on their own may not be interesting but taken together begin to build up a picture.
Quality and cleanliness of the data being analyzed are critical with this method. It is also important how the results are enriched in communicating them to the analyst since a mathematical output from an algorithm needs to be translated into something consumable by a human analyst.
With the ongoing, persistent rise in cyber threats, it is more important than ever for organizations to have a security monitoring solution that will allow them full visibility into their entire environment – whether on premise, in the cloud, or a combination of both. Cybersecurity platforms that offer automated response capabilities can help thwart these threats by allowing for detection and response capabilities that keep valuable data safe while ensuring that customers and companies alike remain protected.