Detection
This is the third article in a series starting with the critical capabilities of a modern SOC. In the last article, I covered the “data collection and correlation” capability, and in this article, I cover the second capability discussed, namely, “detection.”
The fast detection of a security incident enables the business to quickly respond to contain potential harm to the business and take action to prevent a similar occurrence in the future. It is crucial that SOC analysts are alerted as quickly as possible to security alerts that may represent or otherwise lead to a security incident.
The threats to the organisation that require monitoring by the SOC should be identified and regularly reviewed to keep pace with the organisation’s changing threat profile. Threat modeling (e.g., attack path mapping) can help to understand scenarios of concern.
Use cases describe the threat scenarios that the SOC should look for. A use case should specify the baseline behaviour of relevant systems, the conditions under which certain events may signal abnormal activity, and details for the technical implementation of the use case (e.g., data sources and correlation logic).
There are several detection methods. For instance, anomaly detection techniques—supported by machine learning—may be used to identify rare or unusual activity. At a minimum, organisations should aim to achieve real-time monitoring, whereby data is continuously monitored and analysed to provide up-to-date, actionable alerts.
An alert is triggered when the conditions specified within a use case are met, suggesting that something anomalous may have occurred. This creates a ticket that will be added to the alert queue and reviewed by an analyst to determine whether further steps need to be taken.
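The following is an added example, not code from the original article or from LMNTRIX: one detection use case written out with the three parts described above (baseline, triggering condition, technical implementation). The use case itself is hypothetical ("password spraying followed by a successful login"), the two log formats and all log lines are constructed, and the ticket id scheme and thresholds are assumptions.

```python
"""
Added example: a SOC detection use case as code.
  baseline       - one source IP normally produces few failed logins in a
                   10-minute window
  condition      - >= 5 failures from one source IP against >= 3 distinct
                   accounts, then a successful login from that IP inside the
                   window
  implementation - two data sources (VPN JSON lines and directory key=value
                   lines, both constructed) are normalised to one event type
                   and correlated on source IP; a match raises an alert and
                   creates a ticket for the analyst queue.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta
import json
import re

# ---- Constructed sample logs (not real product output) -------------------
VPN_JSON_LINES = [
    '{"ts":"2024-03-01T08:30:00Z","user":"alice","src":"10.0.0.5","result":"FAIL"}',
    '{"ts":"2024-03-01T08:31:00Z","user":"alice","src":"10.0.0.5","result":"OK"}',
    '{"ts":"2024-03-01T09:00:05Z","user":"alice","src":"198.51.100.23","result":"FAIL"}',
    '{"ts":"2024-03-01T09:00:40Z","user":"bob","src":"198.51.100.23","result":"FAIL"}',
    '{"ts":"2024-03-01T09:01:10Z","user":"carol","src":"198.51.100.23","result":"FAIL"}',
    '{"ts":"2024-03-01T09:05:00Z","user":"carol","src":"198.51.100.23","result":"OK"}',
]
DIRECTORY_KV_LINES = [
    "time=2024-03-01T09:01:55Z event=logon user=dave ip=198.51.100.23 status=failure",
    "time=2024-03-01T09:02:30Z event=logon user=erin ip=198.51.100.23 status=failure",
    "time=2024-03-01T09:03:05Z event=logon user=frank ip=198.51.100.23 status=failure",
]


@dataclass(frozen=True)
class AuthEvent:
    """Normalised authentication event shared by all sources."""
    ts: datetime
    source: str
    user: str
    src_ip: str
    success: bool


def _parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse_vpn(line: str) -> AuthEvent:
    rec = json.loads(line)
    return AuthEvent(_parse_ts(rec["ts"]), "vpn", rec["user"], rec["src"], rec["result"] == "OK")


_KV = re.compile(r"(\w+)=(\S+)")


def parse_directory(line: str) -> AuthEvent:
    kv = dict(_KV.findall(line))
    return AuthEvent(_parse_ts(kv["time"]), "directory", kv["user"], kv["ip"], kv["status"] == "success")


@dataclass(frozen=True)
class UseCase:
    name: str
    window: timedelta
    min_failures: int
    min_distinct_users: int


@dataclass
class Ticket:
    ticket_id: str
    use_case: str
    severity: str
    entity: str            # the source IP the evidence was correlated on
    affected_user: str     # account whose successful login completed the pattern
    detected_at: datetime
    evidence: list[AuthEvent]


# Thresholds are assumed tuning values for the hypothetical use case.
SPRAY_THEN_SUCCESS = UseCase("password spray followed by successful login",
                             timedelta(minutes=10), min_failures=5, min_distinct_users=3)


def evaluate(events: list[AuthEvent], use_case: UseCase) -> list[Ticket]:
    """Apply the use case to a batch of normalised events; return tickets for the queue."""
    events = sorted(events, key=lambda e: e.ts)
    tickets: list[Ticket] = []
    for i, ev in enumerate(events):
        if not ev.success:
            continue
        # Correlation step: failures from the same source IP inside the look-back window.
        earliest = ev.ts - use_case.window
        fails = [f for f in events[:i]
                 if not f.success and f.src_ip == ev.src_ip and f.ts >= earliest]
        distinct_users = {f.user for f in fails}
        if len(fails) >= use_case.min_failures and len(distinct_users) >= use_case.min_distinct_users:
            tickets.append(Ticket(
                ticket_id=f"INC-{len(tickets) + 1:04d}",   # constructed id scheme
                use_case=use_case.name,
                severity="high",
                entity=ev.src_ip,
                affected_user=ev.user,
                detected_at=ev.ts,
                evidence=fails + [ev],
            ))
    return tickets


def run_use_case() -> list[Ticket]:
    """Ingest both constructed sources and evaluate the use case over them."""
    events = [parse_vpn(line) for line in VPN_JSON_LINES]
    events += [parse_directory(line) for line in DIRECTORY_KV_LINES]
    return evaluate(events, SPRAY_THEN_SUCCESS)


if __name__ == "__main__":
    for t in run_use_case():
        print(t.ticket_id, t.severity, t.entity, t.affected_user, len(t.evidence), "events")
```

Run as a script it prints one ticket for 198.51.100.23; the alice login from 10.0.0.5 with a single prior failure never meets the condition. The correlation across sources is the point: the VPN logs alone hold only three failures, below the threshold, so the same rule over the VPN feed on its own raises nothing.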
In addition to system-generated alerts, incidents may be detected via other means. SOC analysts performing more advanced capabilities, such as threat hunting or trend analysis, may notice a pattern or occurrence indicating a potential incident that is flagged for further investigation. Equally, a user within the organisation (e.g., employee, contractor) or an external source (e.g., supplier, business partner, law enforcement agency) may report a suspicious or unusual event to a service desk, a dedicated call-centre or HR.
Advanced detection capabilities
Advanced detection capabilities typically adopted by more mature organisations include the following:
(A) Threat hunting: a method to proactively search the network for evidence of malicious behaviour that evades discovery through other tools. Whereas a SIEM looks for known knowns, the purpose of threat hunting is to find unknown unknowns.
(B) Trend analysis: a technique to ascertain what may be happening over time or on a regular basis by analysing historical data from a variety of sources (including threat intelligence reports) for evidence of patterns and trends. At LMNTRIX, this is delivered by our NDR and network forensic sensors, namely the LMNTRIX Detect and LMNTRIX Hunt services.
This can reveal anomalous activity or provide insight into the tactics, techniques, and procedures (TTPs) of an adversary to help anticipate future threats.
Additionally, the LMNTRIX reference model relies on the following advanced capabilities related to detection, which you can also consider for your organisation:
- Deception technology: a decoy system (such as a honeypot), combined with breadcrumbs, files and personas, that simulates a production environment by presenting fake applications and information in order to observe malicious attackers and collect forensic information about their activity.
- Endpoint detection and response (EDR): a tool that collects data from endpoints to detect abnormal behaviour and perform investigations. EDR uses analytics techniques to search for indicators of compromise or deviations from baseline behaviour.
- User and entity behavioural analytics (UEBA): a tool that uses a combination of statistical analysis, machine learning, user profiling and risk scoring to detect anomalous activity that may indicate an insider threat, compromised account or infected system.
- Machine intelligence: also referred to as technical threat intelligence, this is a platform and set of threat feeds that provide detailed information on known attack vectors, based on the indicators of compromise for each reported security incident. Attack-specific information such as command and control IP addresses, compromised internet addresses, malware signatures, or phishing message content can be used to search for reuse in other, previously unrecognised attacks. Machine intelligence is dynamic in nature because attack vectors evolve to avoid detection, so such information has a relatively short period of usefulness before it becomes outdated. Examples of technical threat intelligence include specific IP addresses and URLs associated with attacks.
- Underground intelligence: a threat feed focused on the dark web that offers organisations a valuable source of threat intelligence to supplement other data feeds. Monitoring the activities and conversations of attackers, and the nature of the exfiltrated data they publish, can provide informative insight into attack techniques, current targets, and upcoming plans.
- Purple teaming: red and blue teams collaborate to test whether the alerts generated match the use cases. Threat scenarios are simulated to determine whether alert criteria or logging levels should be modified or if additional alerts need to be created.
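The following is an added example, not code from the article or from any LMNTRIX product: a small UEBA-style behavioural baseline of the kind that both trend analysis over historical data and user and entity behavioural analytics rely on. Each user's recent daily outbound volume and set of destinations is the baseline; today's observation gets a z-score against that baseline and a risk score that combines the statistical deviation with a "first-seen destination" indicator. The history, the spread floor and the scoring bands are constructed assumptions for illustration, not tuned values.

```python
"""
Added example: per-user behavioural baseline with statistical anomaly scoring.
Baseline  = mean and spread of each user's recent daily outbound volume (MB)
            plus the set of destinations they have talked to before.
Scoring   = z-score of today's volume against the baseline, mapped to a risk
            band, plus a fixed increment if today's destination was never seen.
"""
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    user: str
    bytes_out_mb: float
    destination: str


# Constructed baseline: recent daily volumes and destinations per user.
HISTORY = {
    "alice": {"mb": [100, 110, 90, 105, 95], "dests": {"files.example.net", "mail.example.net"}},
    "bob":   {"mb": [200, 210, 190, 205, 195], "dests": {"files.example.net"}},
    "carol": {"mb": [50, 50, 50, 50, 50],      "dests": {"files.example.net"}},
}

# Constructed observations for the day being scored.
TODAY = [
    Observation("alice", 400, "203.0.113.9"),        # volume spike to a never-seen host
    Observation("bob", 205, "files.example.net"),    # within the user's normal range
    Observation("carol", 52, "203.0.113.9"),         # normal volume, new destination
]


def baseline(values):
    """Mean and floored spread of a user's history."""
    mean = statistics.fmean(values)
    spread = statistics.pstdev(values)
    # Edge case: a perfectly flat history (carol) has zero spread, which would
    # turn any change at all into a huge z-score. Floor the spread at 5% of
    # the mean or 1 MB, whichever is larger (assumed tuning values).
    return mean, max(spread, 0.05 * mean, 1.0)


def z_score(value, mean, spread):
    """Signed number of spreads the value lies from the mean."""
    return (value - mean) / spread


def risk_score(z, new_destination):
    """Map a positive deviation to a 0-100 band; add 10 for a first-seen destination."""
    if z >= 5:
        score = 90
    elif z >= 3:
        score = 70
    elif z >= 2:
        score = 40
    else:
        score = 0
    if new_destination:
        score += 10
    return min(score, 100)


def score_observation(obs, history):
    """Score one day's observation for one user against that user's baseline."""
    profile = history.get(obs.user)
    if profile is None:
        # No baseline yet: cannot compute a deviation, so flag for analyst review.
        return {"user": obs.user, "z": None, "risk": 30, "reasons": ["no baseline for entity"]}
    mean, spread = baseline(profile["mb"])
    z = z_score(obs.bytes_out_mb, mean, spread)
    new_dest = obs.destination not in profile["dests"]
    reasons = []
    if z >= 2:
        reasons.append(f"outbound volume {z:.1f} spreads above baseline")
    if new_dest:
        reasons.append("first-seen destination")
    return {"user": obs.user, "z": round(z, 2), "risk": risk_score(z, new_dest), "reasons": reasons}


def score_all(today=TODAY, history=HISTORY):
    """Score every observation; result keyed by user for the analyst queue."""
    return {r["user"]: r for r in (score_observation(o, history) for o in today)}


if __name__ == "__main__":
    for user, result in score_all().items():
        print(user, result["risk"], result["z"], "; ".join(result["reasons"]))
```

Only positive deviations raise the risk here, since the indicator of interest is excess outbound volume; a drop in volume produces a negative z-score and a risk of zero. Carol's case shows why the spread floor matters: her history is perfectly flat, and without the floor a 2 MB increase would score as an extreme anomaly instead of only picking up the new-destination increment.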