
Detection Analysis Hurdles and Trends in Cybersecurity

Vestige Digital Investigations, Cybersecurity Analyst
BA, C|EH, GCTI

Introduction

It is important for organizations to understand the significance of detection analysis and the methods that may be used to enhance the cybersecurity processes that support detection activities. Organizations are bound to encounter difficulties when performing detection analysis, so it is necessary to address some of the core issues that arise and the approaches to consider when detection analysis tactics are lacking. The role that evaluated solutions, such as MDR, XDR, and EDR appliances managed by an MSSP, may play in conversations about effective detection and threat management is an area that merits further review and is also incorporated into the topic of detection analysis.

Expanding the Associations and Value Attached to Detection

Detection analysis is one component that unites several cybersecurity functions. An organization may be asked numerous questions to gauge its detection measures and the maturity of its resources, such as: “Who are your detection engineers? How has a playbook been established to address your detection and response and threat intelligence protocols? When was the last time you produced a report charting a successful or failed attack against your infrastructure?” If the organization’s response to any of the questions above is silence or an answer like ‘an IT associate handles that’, then it is time for them to examine their cybersecurity posture and take the action needed to improve it.

Cybersecurity operations which fall under ‘detection and response’ are intricate and can feel limitless; however, they are manageable if a guided and measured approach is taken. When the phrase detection analysis comes up in a conversation amongst business executives, some of the first resources itemized in a discussion of their capabilities are an anti-virus solution and an intrusion detection system. It is rare that two or even three tools can adequately cover the scope and breadth of data needed to fulfill detection/attack discovery objectives and trigger the type of alerts that are appropriate to initiate investigative analysis. Installing a Security Information and Event Management (SIEM) tool and an anti-virus solution or managed detection and response (MDR) product is not sufficient for an organization to be cyber ready. A multitude of monitoring and analysis tools should be in use, tested, and continuously enhanced to address not only data collection and the isolation of at-risk devices, but also data enrichment, threat intelligence correlation, and the synthesis of indicators of compromise (IOCs).

Mapping an Attack, Preparing for the Worst, and Recognizing Analysis Methods 

Aside from ensuring that a multitude of sources can be referenced when analyzing events that impact devices, the network, configurations, and other systems, there is another fundamental strategy an organization may adopt to better its cybersecurity protocols: select an attack model or mapping and incorporate it into the incident response and threat mitigation workflow. Implementing an attack model can make the data received and analyzed more serviceable to both the organization and any stakeholders who support risk management processes. Attack models are beneficial and differ from the elements found in conventional incident response tickets in that they chart out the stage of an attack, the measures that may be taken by the victim, and the end results, e.g. data deletion, denial or disruption of operations, or data exfiltration. Lockheed Martin’s Cyber Kill Chain and the MITRE ATT&CK Framework are two examples that may be utilized for mapping attack patterns and detection and preventive efforts.
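As an added example (not Vestige's code or any product's), the following Python sketch shows the kind of enrichment and attack-model mapping the two sections above describe: constructed log events are correlated against a constructed threat-intel list, and each detection is tagged with the Kill Chain phase and ATT&CK tactic from a constructed playbook table so that the alerts chart the stage of the attack per host. All indicators, hostnames, rule names and stage mappings are assumptions made for the example.

```python
# Constructed threat-intel feed: indicator -> description (not real IOCs).
THREAT_INTEL = {
    "203.0.113.45": "known C2 address (constructed)",
    "updates-cdn.example": "malware delivery host (constructed)",
}

# Constructed playbook table: rule -> attack-model stages (a real one comes from the org's own mapping).
ATTACK_MODEL = {
    "proxy_ioc_domain": {"kill_chain": "Delivery", "attck_tactic": "Initial Access"},
    "fw_ioc_outbound": {"kill_chain": "Command and Control", "attck_tactic": "Command and Control"},
    "auth_bruteforce": {"kill_chain": "Exploitation", "attck_tactic": "Credential Access"},
}

def _alert(rule, host, indicator, context, model):
    """Build an enriched alert record carrying the attack-model stages for the rule."""
    return {"rule": rule, "host": host, "indicator": indicator, **model[rule], "context": context}

def detect(events, intel=THREAT_INTEL, model=ATTACK_MODEL, auth_threshold=5):
    """Correlate events with IOCs and count auth failures; return enriched alerts."""
    alerts, failures = [], {}
    for ev in events:
        if ev["src"] == "proxy" and ev.get("dst_host") in intel:
            ioc = ev["dst_host"]
            alerts.append(_alert("proxy_ioc_domain", ev["host"], ioc, {"intel": intel[ioc]}, model))
        elif ev["src"] == "firewall" and ev.get("dir") == "out" and ev.get("dst_ip") in intel:
            ioc = ev["dst_ip"]
            alerts.append(_alert("fw_ioc_outbound", ev["host"], ioc, {"intel": intel[ioc]}, model))
        elif ev["src"] == "auth" and ev.get("result") == "fail":
            key = (ev["host"], ev["user"])
            failures[key] = failures.get(key, 0) + 1
            if failures[key] == auth_threshold:  # alert once, when the threshold is crossed
                alerts.append(_alert("auth_bruteforce", ev["host"], None,
                                     {"user": ev["user"], "failures": failures[key]}, model))
    return alerts

def attack_timeline(alerts):
    """Group alerts by host into the ordered Kill Chain stages observed, for the IR ticket."""
    timeline = {}
    for a in alerts:
        timeline.setdefault(a["host"], []).append(a["kill_chain"])
    return timeline

# Constructed sample events: an IOC domain hit, an IOC outbound connection,
# a benign outbound connection, and six failed logins for one account.
SAMPLE_EVENTS = [
    {"src": "proxy", "host": "ws-17", "dst_host": "updates-cdn.example"},
    {"src": "firewall", "host": "ws-17", "dst_ip": "203.0.113.45", "dir": "out"},
    {"src": "firewall", "host": "ws-02", "dst_ip": "198.51.100.9", "dir": "out"},
] + [{"src": "auth", "host": "dc-01", "user": "jdoe", "result": "fail"} for _ in range(6)]
```

Running `attack_timeline(detect(SAMPLE_EVENTS))` yields the per-host stage sequence an incident handler would paste into the ticket.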

It is worth noting that maintaining a strong security posture requires a shift not only in the technologies utilized but also in the operational mindset. Some organizations may subscribe to a limiting or misinformed belief such as the following: “Our organization does not produce or share any information that’d be worthwhile for an attacker. And, it’d be hard for them to break our defenses.” Forget about any news stories that have aired about government operations and military tech being stolen for a moment. Consider the everyday information that businesses use to complete financial transactions, store personally identifiable information, and generate customer lists (widening the number of opportunities an attacker may consider). When that information is stolen, it paints a bad picture for the victim. Add system resources, patents, and trade secrets to the list of stolen items, and the picture is bleaker.

Intent combined with motivation can make up just one vector of a threat matrix. All organizations must consider themselves targets; if an opportunity exists, it will be taken regardless of an attacker’s ultimate aim or success rate. In the long run, it is best that an organization does not make assumptions about a threat actor’s competency. That is a mistake that can come at great cost, both economically and socially, if the organization’s reputation is tarnished by a major cyberattack.

Some organizations fall into the trap of assuming that if a file originates from a real, known site like Box or Google Drive, then it must be trusted. However, this belief positions the organization to accept and download files that are malicious, potentially infecting its environment. Why trust what you can verify? Incorporating file analysis into business processes, rather than just eyeballing sender names and host sites or relying on user reports, is important. Any HTTP traffic associated with a file transfer that is captured and decoded should remain available for an analyst to extract the file and review it for malicious markers.
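As an added example (not Vestige's code), this Python sketch contrasts the origin-based trust the paragraph above warns about with a verification step run on the extracted file content: a leading-byte check against the declared type, a crude marker for macro-bearing Office packages, and a SHA-256 comparison against a threat-intel list. The trusted-host list, sample bytes and indicator hashes are constructed for the example and are not real malware or real indicators.

```python
import hashlib

# Weak policy the article warns about: trust decided by the host the file came from.
TRUSTED_HOSTS = {"drive.google.com", "app.box.com"}  # constructed allowlist

# Leading bytes ("magic") a declared extension should start with; zip-based formats share one.
MAGIC = {"pdf": b"%PDF-", "exe": b"MZ", "zip": b"PK\x03\x04", "docm": b"PK\x03\x04", "png": b"\x89PNG"}

def trust_by_origin(host, data):
    """Origin-only trust: accepts any content, malicious or not, from a known host."""
    return host in TRUSTED_HOSTS

def detect_type(data):
    """Name the content type from its leading bytes rather than from the declared extension."""
    for ext, magic in MAGIC.items():
        if data.startswith(magic):
            return ext  # first match wins, so every zip-based package reports as "zip"
    return "unknown"

def analyze_file(declared_ext, data, malicious_hashes):
    """Verify the content itself; return (accept, findings, sha256) for the analyst."""
    findings = []
    expected = MAGIC.get(declared_ext)
    actual = detect_type(data)
    if expected is not None and not data.startswith(expected):
        findings.append(f"type mismatch: declared .{declared_ext}, content looks like {actual}")
    if actual == "exe":
        findings.append("executable content")
    # Crude marker for a macro-enabled Office file: the package (a zip) names vbaProject.bin.
    if actual == "zip" and b"vbaProject.bin" in data:
        findings.append("Office package contains a VBA project")
    digest = hashlib.sha256(data).hexdigest()
    if digest in malicious_hashes:
        findings.append("sha256 matches a threat-intel indicator")
    return (not findings, findings, digest)

# Constructed samples: an "invoice.pdf" that is really a PE image, a genuine PDF,
# and a zip-based document that carries a macro project. None of this is real malware.
FAKE_PDF = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 64
REAL_PDF = b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"
MACRO_DOC = b"PK\x03\x04" + b"\x00" * 26 + b"word/vbaProject.bin" + b"\x00" * 32
# Constructed indicator list: pretend threat intel already knows the fake PDF's hash.
MALICIOUS_HASHES = {hashlib.sha256(FAKE_PDF).hexdigest()}
```

The same fake PDF passes `trust_by_origin` when served from a listed host but fails `analyze_file` on three independent findings, which is the gap the paragraph describes.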

An overreliance on traditional anti-virus services is a widespread issue that organizations encounter. Anti-virus tools that perform a comparative analysis to search for n-days (known and reported malware attacks) are bound to miss classes of new and updated malware. Threat actors adapt as their tactics, techniques, and procedures (TTPs) are published, and malware variants are developed to evade immediate detection. While the variants may exist within like families, their signatures are typically altered. Obfuscation of malicious code, another challenge in analysis, may prevent an organization from identifying malware or performing adequate countermeasures.

Evaluation of Detection Resources

In the past few months, the evaluation of detection analysis has become a topic of contention. An organization seeking the latest technology may purchase a product that has undergone an evaluation, receiving high marks in detecting threats, e.g. intrusions and service-based attacks. MDR, EDR, and XDR (Managed, Endpoint, and Extended Threat Detection & Response) juggernauts in the industry, including SentinelOne, Rapid7, and CrowdStrike, have undergone evaluations through MITRE. This leaves some asking: “What role should an evaluation such as MITRE’s Engenuity ATT&CK Evaluation play in my organization building a mature monitoring, detection and response system?” They may be surprised to learn the answer.

The MITRE Engenuity ATT&CK Evaluation was developed to emulate an adversary’s capabilities (which are not disclosed to the vendor participating in the evaluation) and test the functionality and processes that an MSP or third-party support team may execute in the detection/attack discovery phase. This type of evaluation was launched in an effort to gather data about the technologies used to identify attacks and generate threat intelligence, and to use that information to strengthen the use of these technologies in industry and government-affiliated organizations. Variables that are evaluated include detection quality and visibility, analytic coverage, and detection validation. Preventive configurations are left inactive during the evaluation exercise. This leaves the vendors and third parties managing the detection product with fewer options available to automatically offset the types of purple team and attack behaviors being performed. With this issue identified, it is necessary to acknowledge that MITRE’s Engenuity ATT&CK Evaluation prioritizes detection and detection errors over the assessment of both detection and response actions.

False positives are also a significant challenge to address. It is an issue that is not considered in MITRE’s Engenuity ATT&CK Evaluation. When attack-detection evaluations are not yet designed to distinguish between anomalous behavior and true cyberattacks, it weakens the perceived effectiveness of the evaluation. It is vital for organizations to understand that MITRE’s Engenuity ATT&CK Evaluation is not the only factor that should be considered when searching for a threat detection solution. Evaluation results vary based on the attack techniques utilized and the feature-specific tools that are tested for each solution.

Closing

Organizations must bear in mind that detection analysis is a central part of operational cybersecurity. An organization tasked with fulfilling detection analysis and management objectives must develop a detection plan, demonstrating a thorough knowledge of the interconnected systems that generate data on system, network, and user activities and the means available to extract different datasets from them. In addition, maintaining guidelines to chart potential attacks and/or crises by type is essential. Taking steps to maintain these guidelines and maps aids Incident Handling and Threat Intelligence teams in characterizing attacks and establishing workflows to investigate and resolve them; these can later be used to work through future incidents of a similar type should they occur.

Organizational biases about malware and how it can operate should be reduced to minimize any miscalculations or judgments that may result in worsening an infection or system compromise. While the evaluation of detection resources by third parties like MITRE is a subject that has evolved in 2023, using such evaluations and endorsements as the primary basis for acquiring a threat detection and management technology is not a calculated, balanced stance. Other factors such as the types of attacks that are tested within an evaluation, the presence of false positives, and the capabilities of the detection/response solution must be accounted for when determining its strengths and suitability for an organization.

CONTACT VESTIGE to help your organization efficiently sift through your cybersecurity resource options, set up a comprehensive Detection Analysis / DBIR, custom Cybersecurity Risk Mapping and more.