Threat Detection and Response

Learn the fundamentals of detecting and responding to cybersecurity threats as well as implementing a threat detection program.


What is Threat Detection and Response?

Threat detection and response is the practice of identifying malicious activity that could compromise the network, then mounting a response that contains or neutralizes the threat before the attacker reaches their objective. It assumes that prevention will sometimes fail and that an attacker may already be inside.

Within the context of an organization's security program, the concept of "threat detection" is multifaceted. Even the best security programs must plan for worst-case scenarios: when someone or something has slipped past their defensive and preventative technologies and becomes a threat.

Detection and response is where people join forces with technology to address a breach. A strong threat detection and response program combines people, processes, and technology to recognize signs of a breach as early as possible, and take appropriate actions. 

Detecting Threats

When it comes to detecting and mitigating threats, speed is crucial: the longer an attacker goes unnoticed, the more time they have to find and steal sensitive data. Preventive controls should stop the majority of threats that have been seen before, because their signatures and behaviors are already understood.

These are "known" threats. An organization also needs to detect "unknown" threats: ones it has not encountered before, perhaps because the attacker is using new tooling, infrastructure, or techniques.

Even known threats sometimes slip past the best defensive measures, which is why most security teams actively look for both known and unknown threats in their environment. So how can an organization detect both?

Leveraging Threat Intelligence

Threat intelligence compares indicators from previously observed attacks (file hashes, IP addresses, domains, and similar signature data) against an organization's own telemetry to identify threats. This makes it effective at detecting known threats, but not unknown ones. Known threats are recognizable because the malware or attacker infrastructure has already been identified as malicious.

Unknown threats are those that have not yet been identified in the wild (or change too quickly to fingerprint), even where threat intelligence indicates that threat actors are targeting a class of vulnerable assets, weak credentials, or a specific industry vertical. User behavior analytics (UBA) are invaluable for quickly surfacing anomalous behavior across the network that may indicate an unknown threat. UBA tools establish a baseline of what is "normal" for each user and asset in a given environment, then use analytics (or in some cases machine learning) to alert when behavior strays from that baseline. The caveat is that a baseline is only as good as the history behind it: too little normal data, or an environment that was already compromised when the baseline was built, produces either noise or silence.

Attacker behavior analytics (ABA) take the complementary approach: they match telemetry against the tactics, techniques, and procedures (TTPs) attackers use to gain and extend access to a corporate network, regardless of which specific malware or infrastructure is involved. Examples include malware execution, cryptojacking (using your assets to mine cryptocurrency), credential abuse, and confidential data exfiltration.

During a breach, every moment an attacker goes undetected is time for them to tunnel further into your environment. UBA and ABA together are a strong starting point for ensuring the security operations center (SOC) is alerted to potential threats as early in the attack chain as possible.
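The three detection styles described above, worked as an added example that is not code from the original page or from any Rapid7 product: threat-intelligence indicator matching for known threats, a per-user UBA baseline for unknown threats, and an ABA rule for one TTP (a password spray). The logon events, the indicator list, and the usernames and addresses are all constructed for illustration; real UBA tooling builds its baseline from weeks of history and scores deviations statistically, whereas this keeps the baseline as plain sets so the mechanics stay visible.

```python
"""Added example: three detection styles over constructed logon events.
- ioc_alerts:   threat-intelligence matching (known threats)
- uba_alerts:   per-user baseline of usual hours/hosts/sources (unknown threats)
- spray_alerts: an attacker-behavior rule for the password-spray TTP
All data below is constructed for illustration."""
from collections import defaultdict
from datetime import datetime

# Constructed logon events (simplified from what a SIEM would collect).
# status: "ok" = successful logon, "fail" = wrong password.
TRAINING = [  # the "normal" history the UBA baseline is built from
    {"ts": "2024-05-06T09:02:00", "user": "alice", "src": "10.0.1.20", "host": "WS-ALICE", "status": "ok"},
    {"ts": "2024-05-06T10:15:00", "user": "alice", "src": "10.0.1.20", "host": "WS-ALICE", "status": "ok"},
    {"ts": "2024-05-07T08:55:00", "user": "alice", "src": "10.0.1.20", "host": "WS-ALICE", "status": "ok"},
    {"ts": "2024-05-06T09:40:00", "user": "bob",   "src": "10.0.1.31", "host": "WS-BOB",   "status": "ok"},
    {"ts": "2024-05-07T09:30:00", "user": "bob",   "src": "10.0.1.31", "host": "WS-BOB",   "status": "ok"},
]
TODAY = [  # the events being evaluated
    {"ts": "2024-05-08T03:12:00", "user": "alice", "src": "10.0.1.20",    "host": "WS-ALICE", "status": "ok"},   # 3 a.m. logon
    {"ts": "2024-05-08T09:05:00", "user": "alice", "src": "10.0.1.20",    "host": "FS-01",    "status": "ok"},   # never used this host
    {"ts": "2024-05-08T09:06:00", "user": "bob",   "src": "203.0.113.7",  "host": "WS-BOB",   "status": "ok"},   # src is on a TI feed
    {"ts": "2024-05-08T09:10:00", "user": "alice", "src": "198.51.100.9", "host": "VPN-GW",   "status": "fail"},
    {"ts": "2024-05-08T09:11:00", "user": "bob",   "src": "198.51.100.9", "host": "VPN-GW",   "status": "fail"},
    {"ts": "2024-05-08T09:12:00", "user": "carol", "src": "198.51.100.9", "host": "VPN-GW",   "status": "fail"},
    {"ts": "2024-05-08T09:13:00", "user": "dave",  "src": "198.51.100.9", "host": "VPN-GW",   "status": "fail"},
    {"ts": "2024-05-08T09:14:00", "user": "dave",  "src": "198.51.100.9", "host": "VPN-GW",   "status": "ok"},   # spray succeeded
]
BAD_IPS = {"203.0.113.7"}  # constructed "known bad" indicator, as a threat-intel feed would supply


def _hour(event):
    return datetime.fromisoformat(event["ts"]).hour


def ioc_alerts(events, bad_ips):
    """Known threats: any event whose source address is on the indicator list."""
    return [("ioc_match", e["user"], e["src"]) for e in events if e["src"] in bad_ips]


def build_baseline(history):
    """Per-user sets of the logon hours, hosts and source IPs seen in normal history."""
    base = defaultdict(lambda: {"hours": set(), "hosts": set(), "srcs": set()})
    for e in history:
        if e["status"] == "ok":
            base[e["user"]]["hours"].add(_hour(e))
            base[e["user"]]["hosts"].add(e["host"])
            base[e["user"]]["srcs"].add(e["src"])
    return base


def uba_alerts(baseline, events, hour_tolerance=2):
    """Unknown threats: successful logons that deviate from the user's own baseline."""
    out = []
    for e in events:
        if e["status"] != "ok":
            continue
        b = baseline.get(e["user"])
        if b is None:
            out.append(("uba_new_user", e["user"], e["host"]))
            continue
        h = _hour(e)
        # circular distance so 23:00 and 01:00 count as two hours apart, not 22
        if all(min(abs(h - x), 24 - abs(h - x)) > hour_tolerance for x in b["hours"]):
            out.append(("uba_unusual_hour", e["user"], f"{h:02d}:00"))
        if e["host"] not in b["hosts"]:
            out.append(("uba_new_host", e["user"], e["host"]))
        if e["src"] not in b["srcs"]:
            out.append(("uba_new_src", e["user"], e["src"]))
    return out


def spray_alerts(events, min_users=3):
    """ABA rule: one source failing against many accounts, plus any account it then got into."""
    failed = defaultdict(set)
    for e in events:
        if e["status"] == "fail":
            failed[e["src"]].add(e["user"])
    out = []
    for src, users in failed.items():
        if len(users) >= min_users:
            got_in = sorted({e["user"] for e in events if e["src"] == src and e["status"] == "ok"})
            out.append(("aba_password_spray", src, len(users), got_in))
    return out


def detect(history, events, bad_ips):
    """Run all three detectors and return the combined alert list."""
    return ioc_alerts(events, bad_ips) + uba_alerts(build_baseline(history), events) + spray_alerts(events)


if __name__ == "__main__":
    for alert in detect(TRAINING, TODAY, BAD_IPS):
        print(alert)
```

Note how the three detectors overlap on purpose: bob's logon from 203.0.113.7 is caught by the indicator list because the address is already known bad, but the UBA rule would have flagged it as a never-before-seen source even with no intelligence at all, and the spray rule fires on the attacker's behavior without needing either a baseline or an indicator.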

Responding to Security Incidents

One of the most critical aspects of implementing an incident response framework is securing stakeholder buy-in and alignment before the framework is ever needed. Nobody wants surprises or after-the-fact questions while urgent work is waiting to be done. Fundamental incident response questions include:

  • Do teams know who is responsible at each phase of incident response? 
  • Is the proper chain of communications well understood? 
  • Do team members know when and how to escalate issues as needed? 

A great incident response plan and playbook minimizes the impact of a breach and ensures things run smoothly, even in a stressful breach scenario. If you're just getting started, some important considerations include: 

  • Defining roles and duties for handling incidents: These responsibilities, including contact information and backups, should be documented in a readily accessible channel. 
  • Considering who to loop in: Think beyond IT and security teams to document which cross-functional or third-party stakeholders – such as legal, PR, your board, or customers – should be looped in and when. Knowing who owns these various communications and how they should be executed will help ensure responses run smoothly and expectations are met along the way.

What Should a Robust Threat Detection Program Employ?

  • Security event detection technology (typically a SIEM) to aggregate and correlate events from across the network, including authentication, network access, and logs from critical systems.
  • Network detection technology to understand traffic patterns and monitor traffic within the network as well as to and from the internet.
  • Endpoint detection technology (EDR) to provide detailed information about possibly malicious events on user machines, along with the behavioral and forensic data needed to investigate them.
  • Penetration tests and similar exercises, alongside the preventive controls, to validate that the detection telemetry actually fires on real attacker techniques and that the response process works as documented.

A Proactive Threat Detection Program

No single tool makes a program proactive. Instead, a combination of tools, each contributing its own telemetry, acts as a net across the entirety of an organization's attack surface, from end to end, to catch threats before they become serious problems.

Setting Attacker Traps with Honeypots

Some targets are just too tempting for an attacker to pass up. Security teams know this, so they set traps and hope the attacker takes the bait. On an organization's network, an intruder trap might be a honeypot: a decoy host or service that appears to offer something an attacker wants, such as a file share or an administrative interface, but that no legitimate user has any reason to touch. A related trap is "honey credentials": fake accounts or passwords, placed where an attacker would look for them, that appear to carry the privileges needed to reach sensitive systems or data.

When an attacker goes after the bait, it triggers an alert, so the security team knows there is suspicious activity on the network that warrants investigation. Because legitimate activity never touches the decoy, these alerts carry very little noise compared with most detection sources.
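A minimal honeypot of the kind described above, as an added example that is not code from the original page or from any deception product: a decoy TCP listener that advertises a fake FTP banner, records whoever connects and whatever they send first, and treats every connection as an alert because nothing legitimate should ever reach it. The banner text, the loopback address, and the `probe` helper that plays the attacker are all assumptions made for the demonstration.

```python
"""Added example: a minimal TCP honeypot. Every connection is an alert,
because no legitimate client has any reason to talk to the decoy."""
import socket
import threading
import time

# Constructed decoy banner; it only needs to look like a service worth poking.
DECOY_BANNER = b"220 ftp.corp.local FTP server ready\r\n"


class Honeypot:
    def __init__(self, host="127.0.0.1", port=0, banner=DECOY_BANNER):
        self.host, self.port, self.banner = host, port, banner
        self.alerts = []                 # one record per connection attempt
        self._stop = threading.Event()
        self._sock = None
        self._thread = None

    def start(self):
        """Bind the decoy (port 0 = let the OS pick) and serve in the background."""
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((self.host, self.port))
        self.port = self._sock.getsockname()[1]
        self._sock.listen(5)
        self._sock.settimeout(0.2)       # lets the accept loop notice stop()
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()
        return self.port

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, peer = self._sock.accept()
            except socket.timeout:
                continue
            except OSError:              # listening socket closed by stop()
                break
            with conn:
                conn.settimeout(1.0)
                try:
                    conn.sendall(self.banner)
                    data = conn.recv(1024)   # capture what the intruder sends first
                except (socket.timeout, OSError):
                    data = b""
            # Anything at all is an alert: the decoy has no real users.
            self.alerts.append({"ts": time.time(), "src_ip": peer[0],
                                "src_port": peer[1], "first_bytes": data})

    def wait_for_alerts(self, n, timeout=5.0):
        """Block until n alerts exist or the timeout passes; True if reached."""
        deadline = time.time() + timeout
        while len(self.alerts) < n and time.time() < deadline:
            time.sleep(0.05)
        return len(self.alerts) >= n

    def stop(self):
        self._stop.set()
        if self._sock:
            self._sock.close()
        if self._thread:
            self._thread.join(timeout=2)


def probe(port, payload=b"USER anonymous\r\n"):
    """Simulated attacker touching the decoy (constructed for the demo). Returns the banner."""
    with socket.create_connection(("127.0.0.1", port), timeout=2) as s:
        banner = s.recv(1024)
        s.sendall(payload)
    return banner


if __name__ == "__main__":
    hp = Honeypot()
    port = hp.start()
    print("decoy listening on", port, "banner:", probe(port))
    hp.wait_for_alerts(1)
    hp.stop()
    for a in hp.alerts:
        print("ALERT", a["src_ip"], a["src_port"], a["first_bytes"])
```

In production the alert would be shipped to the SIEM rather than kept in a list, and the decoy would be placed on an address that appears in the places attackers enumerate (DNS, share listings, old documentation) but that no monitoring, backup, or scanning job is configured to visit, since any such job would fire the trap itself.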

Threat Hunting

Instead of waiting for an alert to fire, a threat hunt sends analysts out into their own network, endpoints, and security tooling to look for attackers that may be lurking as-yet undetected, usually starting from a hypothesis about how an attacker would behave and what traces that behavior would leave. This is an advanced technique generally performed by experienced security and threat analysts.
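One common hunting technique, as an added example that is not code from the original page or from any Rapid7 product: "stacking" process-creation telemetry to find parent/child process pairs that occur on only a handful of hosts, and a second, hypothesis-driven query for an Office application launching a shell or scripting host. The process records, host names, and the Office and shell image lists are constructed for illustration.

```python
"""Added example: hunting by 'stacking' process-creation telemetry.
Count how many hosts show each parent->child process pair; the pairs that
appear on only one or two hosts are where a hunter starts digging."""
from collections import defaultdict

# Constructed EDR-style process-creation records: (host, parent image, child image)
PROC_EVENTS = [
    ("WS-01", "explorer.exe", "chrome.exe"),
    ("WS-02", "explorer.exe", "chrome.exe"),
    ("WS-03", "explorer.exe", "chrome.exe"),
    ("WS-07", "explorer.exe", "chrome.exe"),
    ("WS-01", "services.exe", "svchost.exe"),
    ("WS-02", "services.exe", "svchost.exe"),
    ("WS-03", "services.exe", "svchost.exe"),
    ("WS-07", "services.exe", "svchost.exe"),
    ("WS-02", "explorer.exe", "outlook.exe"),
    ("WS-03", "explorer.exe", "outlook.exe"),
    ("WS-07", "WINWORD.EXE", "powershell.exe"),     # Office spawning a shell: classic macro-delivery sign
    ("WS-07", "powershell.exe", "powershell.exe"),
]

# Constructed image-name lists for the hypothesis query.
OFFICE = frozenset({"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"})
SHELLS = frozenset({"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"})


def stack_by_host(events):
    """Map each (parent, child) pair to the set of hosts it was seen on."""
    hosts = defaultdict(set)
    for host, parent, child in events:
        # case-fold: Windows image names are logged in inconsistent case
        hosts[(parent.lower(), child.lower())].add(host)
    return hosts


def rare_pairs(events, max_hosts=1):
    """The hunter's first view: pairs present on at most max_hosts hosts, rarest first."""
    stacked = stack_by_host(events)
    rare = [(parent, child, sorted(h)) for (parent, child), h in stacked.items() if len(h) <= max_hosts]
    return sorted(rare, key=lambda r: (len(r[2]), r[0], r[1]))


def office_spawning_shell(events):
    """A hypothesis-driven hunt: an Office application that launched a shell or scripting host."""
    return [(h, p, c) for h, p, c in events if p.lower() in OFFICE and c.lower() in SHELLS]


if __name__ == "__main__":
    print("rare parent->child pairs:", rare_pairs(PROC_EVENTS))
    print("Office spawning a shell:", office_spawning_shell(PROC_EVENTS))
```

Stacking works because attacker tooling is rare by definition: a process pair seen on one host out of thousands is either a one-off administrative action or an intrusion, and either way it is worth a look. The hypothesis query shows the other direction, where the hunter starts from a known attacker behavior and asks whether the telemetry contains it.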

By employing a combination of these proactively defensive methods, a security team can monitor the security of the organization's employees, data, and critical assets. They’ll also increase their chances of quickly detecting and mitigating a threat.
