How to detect a cyber attack or a threat
Hi Medium! Here we are again with a new article, today we will talk about advanced threat detection and the several methods used in defense as follows:
- Threat Detection Concept
- How We Can Detect Threats
1. Threat Detection Team
Facing different attacks is not an easy job, the threat detection team need to act in a fast and efficient way when a hacker slipped past their defenses. Threat detection is where the security guys that work within an organization identify “known” and “unknown” attacks (sophisticated ones). Professionals said that threat detection becomes harder and harder looking at the new technology and tools used by attackers.
2. How We Can Detect Threats
Threat detection needs both human element and good technology, where we define:
+ Human Element
The presence of a human is so important where their presence is crucial, beginning with the configuration of the technical tools used until the analysis of threat behavior. A security analyst analyzes threats, detect patterns, study the malware behavior, and indicate if abnormal data are a threat or a false positive.
+ Technology used
The technology used for detection facilitates the control of data going within the network and gives us the ability to block or allow ingoing/outgoing packets. Managing millions of packets entering the network is not a human job.
The tools that we will list below need to be integrated to detect threats before it becomes a serious problem:
- Security event threat detection technology — is developed to provide full statistics of the network state, collect logs on the network, aggregate data from events across the network, including authentication events, network access, and others. We can integrate this technology by using SIEM (to have more idea about SIEM check this article by Hamza M’hirsi Siem Technology).
- Network Threat Detection Technology — This technology helps to understand traffic patterns, where we can control the traffic and study the difference between benign and malicious traffic.
- Endpoint Threat Detection Technology — This is a host-level technology, where it provides information about possible malicious behavior, an unusual event like privilege escalation, malicious code run with root privilege, and many others that may help in threat investigation. This technology is integrated by using Endpoint Detection and Response devices EDR.
- Network Traffic Analysis NTA — This technology helps to look into anomalous, suspicious, and malicious activity within the network. NTA has a history of security analytics and investigations.
- Malware Sandboxes — This technology helps to study file behavior in an isolated environment, in case the file is infected the malware can not spread.
- Cyber Threat Intelligence CTI — This technology provide IoC (Indicator of Compromise), those indicators help to recognize the occurred attacks. Intelligence, as defined by Edward Waltz, is “the information and knowledge about an adversary obtained through observation, investigation, analysis, or understanding, is the product that provides battle-space awareness”.
- Central Analytics and Management — If we have different detectors on different points on our network, it will be really hard to manage them, especially when the network is under attack, we will get the same alert from the different detectors in a way we can not manage all of them together. The central analytics and management collect all those alerts, where threat detection events can be correlated across endpoints, networks, files, etc. to achieve more accurate and efficient levels of fidelity.
This technology needs to be implemented in a SOC (Security Operation Center), where we can find all the teams needed for detection, response, mitigation, and forensics. if you want to understand SOC check this article by Hamza M’hirsi SOC Tech.
In this article, we discovered threat detection as a concept and what we really need to implement this technique in an environment.
I hope that you enjoyed my article, if you have something to add or to correct please don’t hesitate to write a comment, see you soon ^ ^