How to detect a cyber threats

Source

How to detect a cyber attack or a threat

  1. Threat Detection Concept
  2. How We Can Detect Threats

1. Threat Detection Team

Source

2. How We Can Detect Threats

+ Human Element

+ Technology used

The tools that we will list below need to be integrated to detect threats before it becomes a serious problem:

  • Security event threat detection technology — is developed to provide full statistics of the network state, collect logs on the network, aggregate data from events across the network, including authentication events, network access, and others. We can integrate this technology by using SIEM (to have more idea about SIEM check this article by Hamza M’hirsi‍ Siem Technology).
  • Network Threat Detection Technology — This technology helps to understand traffic patterns, where we can control the traffic and study the difference between benign and malicious traffic.
  • Endpoint Threat Detection Technology — This is a host-level technology, where it provides information about possible malicious behavior, an unusual event like privilege escalation, malicious code run with root privilege, and many others that may help in threat investigation. This technology is integrated by using Endpoint Detection and Response devices EDR.
  • Network Traffic Analysis NTA — This technology helps to look into anomalous, suspicious, and malicious activity within the network. NTA has a history of security analytics and investigations.
  • Malware Sandboxes — This technology helps to study file behavior in an isolated environment, in case the file is infected the malware can not spread.
  • Cyber Threat Intelligence CTI — This technology provide IoC (Indicator of Compromise), those indicators help to recognize the occurred attacks. Intelligence, as defined by Edward Waltz, is “the information and knowledge about an adversary obtained through observation, investigation, analysis, or understanding, is the product that provides battle-space awareness”.
  • Central Analytics and Management — If we have different detectors on different points on our network, it will be really hard to manage them, especially when the network is under attack, we will get the same alert from the different detectors in a way we can not manage all of them together. The central analytics and management collect all those alerts, where threat detection events can be correlated across endpoints, networks, files, etc. to achieve more accurate and efficient levels of fidelity.

This technology needs to be implemented in a SOC (Security Operation Center), where we can find all the teams needed for detection, response, mitigation, and forensics. if you want to understand SOC check this article by Hamza M’hirsi SOC Tech.

Summary

I hope that you enjoyed my article, if you have something to add or to correct please don’t hesitate to write a comment, see you soon ^ ^

Cyber Security Architect