erickatwork/threat-detection-engineering-reference
Threat Detection Engineering Reference

Frameworks, tools, and resources I find useful as a Threat Detection / Incident Response professional. Feel free to contribute.

Table of Contents

Frameworks

Incident Response Lifecycle

sans-incident-response-plan.jpg

SANS outlines 6 incident phases: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned.

nist-incident-response-lifecycle.jpg

NIST (SP 800-61) outlines 4 phases: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-Incident Activity.

Cyber Kill Chain

killchain.png

Lockheed Martin breaks an intrusion down into 7 well-defined phases (Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, Actions on Objectives), and the model can help identify patterns that link individual intrusions into broader campaigns. The 7 phases cover all of the stages of a single intrusion that, when completed successfully, lead to a compromise.

  • Clearly defined linear sequence of phases (as opposed to ATT&CK, whose tactics are not strictly ordered).
  • Reconnaissance and Weaponization are often ignored but can be valuable: breaking the chain early is cheaper than cleaning up after Actions on Objectives.

Courses of Action Matrix

Lockheed Martin

Part of the Cyber Kill Chain paper: each phase is mapped against the courses of action Detect, Deny, Disrupt, Degrade, Deceive, and Destroy, giving a grid of which capabilities cover which phase. Defenders can measure the performance as well as the effectiveness of these actions, and plan investment roadmaps to rectify any capability gaps.

  • Valuable tool in evaluating capabilities and gaps.

Pyramid of Pain

Pyramid-of-Pain-v2.png

David J. Bianco's Pyramid of Pain shows the relationship between the types of indicators you might use to detect an adversary's activities (hash values at the bottom, TTPs at the top) and how much pain it causes the adversary when you are able to deny those indicators to them.

  • Pain runs both ways, for the adversary and for the analyst: hash detections (atomic, bottom of the pyramid) are trivial to write, while TTP detections (behavioral) are tough to write.
  • Atomic detections may offer higher confidence than behavioral ones, but behavioral detections offer more longevity, because the adversary cannot trivially change them.
  • Useful to keep in mind when prioritizing detection rules.

1-10-60 Rule

When CrowdStrike investigated, the average "breakout time" in 2017 was one hour and 58 minutes. Breakout time is how long it takes an intruder to move from the initial system they compromised (the "beachhead") laterally to other machines within the network.

  • 1 minute to detect, 10 minutes to investigate and 60 minutes to remediate.
  • Useful to keep in mind when discussing ingest lag, working hours, and on-call.

Cybersecurity Defense Maturity Scorecard

defense-maturity-scorecard.jpg

defense-maturity-scorecard-score.png

Not-Sure-Who-Invented-This defines cybersecurity maturity across key domains.

  • Decent tool for board maturity assessment

Detection Engineering Maturity Matrix

detection-maturity-matrix.png

ATT&CK

MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. Enough has been written on this.

DeTT&CT

Rabobank CDC DeTT&CT aims to assist blue teams in using ATT&CK to score and compare data log source quality, visibility coverage, detection coverage, and threat actor behaviors.

Detections-as-Code (DaC)

The principle of infrastructure-as-code, applied to detections: rules live in version control and go through the same CI/CD pipeline (peer review, automated tests against known-good and known-bad events, automated deployment) as your infrastructure code. A rule that ships with its own test cases cannot silently break when a log schema or a regex changes.

  • Carta released their own tool called Krang
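The kind of CI check that makes detections-as-code worthwhile, as an added example. This is not code from the repository or from Carta's Krang; the rule format (a Sigma-like selection block plus embedded test cases), the field names and the helper names are assumptions made for this illustration, and the sample events are constructed.

```python
"""Detections-as-code: rules carry their own test cases and are checked in CI."""
import re

# A detection rule as it would live in version control. The `tests` key is what
# makes CI meaningful: every rule ships with events it must fire on and events it
# must stay quiet on. (Constructed sample rule and events, not real telemetry.)
RULES = [
    {
        "id": "proc-001",
        "title": "Encoded PowerShell command line",
        "selection": {
            "process_name": "powershell.exe",
            "command_line|re": r"(?i)\s-(e|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}",
        },
        "tests": {
            "true_positives": [
                {"process_name": "powershell.exe",
                 "command_line": "powershell.exe -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
            ],
            "true_negatives": [
                {"process_name": "powershell.exe",
                 "command_line": "powershell.exe -File C:\\scripts\\backup.ps1"},
                {"process_name": "cmd.exe", "command_line": "cmd.exe /c dir"},
            ],
        },
    },
]


def field_matches(event, key, expected):
    """Match one selection entry: `field|re` applies a regex, anything else is an
    exact, case-insensitive comparison."""
    if key.endswith("|re"):
        return re.search(expected, str(event.get(key[:-3], ""))) is not None
    return str(event.get(key, "")).lower() == str(expected).lower()


def match_rule(rule, event):
    """All selection entries must match (AND semantics, as in a Sigma selection)."""
    return all(field_matches(event, k, v) for k, v in rule["selection"].items())


def run_rule_tests(rule):
    """Return (ok, failures) for one rule; each failure names the offending sample."""
    failures = []
    for i, ev in enumerate(rule["tests"].get("true_positives", [])):
        if not match_rule(rule, ev):
            failures.append(f"{rule['id']}: true_positive[{i}] did not fire")
    for i, ev in enumerate(rule["tests"].get("true_negatives", [])):
        if match_rule(rule, ev):
            failures.append(f"{rule['id']}: true_negative[{i}] fired (false positive)")
    return (not failures, failures)


def run_all(rules=RULES):
    """CI entry point: a non-empty failure list means the pipeline should fail."""
    all_failures = []
    for rule in rules:
        _ok, failures = run_rule_tests(rule)
        all_failures.extend(failures)
    return all_failures


if __name__ == "__main__":
    problems = run_all()
    for p in problems:
        print("FAIL", p)
    raise SystemExit(1 if problems else 0)
```

Wire `run_all()` into the pull-request pipeline so a rule change that stops firing on its true positives, or starts firing on its true negatives, blocks the merge; the same harness doubles as regression protection when the matcher or the log schema changes.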

Distributed Alerting (DA)

Popularized by Slack in this blog post. The concept is to shift the burden of alert triage from the analyst to the relevant team or user: the person who performed the action is asked directly (e.g. over chat) whether it was them, and only unconfirmed or denied actions reach the SOC. Additional verification of the response can be accomplished with 2FA.

  • Great for misconfiguration-type alerts e.g. internet exposed server, compliance requirements, RBAC.

Risk-Based Alerting (RBA)

risk-based-alerting.png

Risk-based alerting (RBA) gives a SOC the opportunity to pivot resources from reactive triage toward proactive work. Each detection is tagged with observations and metadata that produce a risk score instead of firing an alert on its own. The observations are then correlated by some grouping (e.g. user, IP, source), and an alert is raised only when the entity's accumulated score over a time window exceeds a threshold.
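The scoring and correlation step described above, as an added example that is not from the repository or from any RBA product. The risk values, the 24-hour window, the threshold and the observations themselves are constructed assumptions for this illustration; the rule-dedupe behaviour is one common design choice, not the only one.

```python
"""Risk-based alerting: score observations, aggregate per entity, alert on a threshold."""
from collections import defaultdict
from datetime import datetime, timedelta

RISK_THRESHOLD = 100           # alert once an entity's accumulated risk reaches this (assumed)
WINDOW = timedelta(hours=24)   # only observations inside this window count (assumed)

# Constructed risk observations: the output of individual detections that would
# each be too noisy to page on. Fields: timestamp, entity, rule id, risk, note.
OBSERVATIONS = [
    ("2024-03-01T08:02:00", "user:alice", "new_country_login", 30, "VPN from new country"),
    ("2024-03-01T08:10:00", "user:alice", "mfa_fatigue", 40, "6 push prompts in 2 min"),
    ("2024-03-01T08:15:00", "user:alice", "mailbox_rule_created", 40, "forward-to-external rule"),
    ("2024-03-01T09:00:00", "user:bob", "new_country_login", 30, "travel"),
    ("2024-02-20T09:00:00", "user:bob", "mailbox_rule_created", 40, "old, outside window"),
    ("2024-03-01T10:00:00", "host:web-01", "port_scan_outbound", 20, "repeated"),
    ("2024-03-01T10:01:00", "host:web-01", "port_scan_outbound", 20, "repeated"),
    ("2024-03-01T10:02:00", "host:web-01", "port_scan_outbound", 20, "repeated"),
    ("2024-03-01T10:03:00", "host:web-01", "port_scan_outbound", 20, "repeated"),
    ("2024-03-01T10:04:00", "host:web-01", "port_scan_outbound", 20, "repeated"),
    ("2024-03-01T10:05:00", "host:web-01", "port_scan_outbound", 20, "repeated"),
]


def parse(ts):
    return datetime.fromisoformat(ts)


def risk_scores(observations, now, window=WINDOW, dedupe_rules=True):
    """Aggregate risk per entity over [now - window, now].

    With dedupe_rules=True the same rule counts once per entity (its highest
    score), so one chatty detection cannot push an entity over the threshold by
    itself; the number of distinct rules is what drives the score.
    """
    per_entity = defaultdict(dict)  # entity -> key -> risk
    for ts, entity, rule, risk, _note in observations:
        when = parse(ts)
        if when < now - window or when > now:
            continue
        key = rule if dedupe_rules else (rule, ts)
        per_entity[entity][key] = max(per_entity[entity].get(key, 0), risk)
    return {entity: sum(risks.values()) for entity, risks in per_entity.items()}


def risk_alerts(observations, now, threshold=RISK_THRESHOLD, **kw):
    """Entities at or above the threshold, highest risk first."""
    scores = risk_scores(observations, now, **kw)
    hits = [(entity, score) for entity, score in scores.items() if score >= threshold]
    return sorted(hits, key=lambda pair: -pair[1])


if __name__ == "__main__":
    now = parse("2024-03-01T12:00:00")
    for entity, score in risk_alerts(OBSERVATIONS, now):
        print(f"ALERT {entity} risk={score}")
    # Same data without rule dedupe: web-01's single noisy detection alone crosses.
    print("without dedupe:", risk_alerts(OBSERVATIONS, now, dedupe_rules=False))
```

With dedupe on, only alice alerts (three different low-scoring signals add up to 110); bob stays below the line because his older observation falls outside the window, and web-01's repeated port-scan hits count once. Turning dedupe off shows the failure mode: one noisy rule alone takes web-01 to 120.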

Purple Teaming

Purple teaming (running adversary techniques with red and blue working together) to create, inspire, and validate detections.

Data Science

  • Conference talk by Strip

Threat Modeling

Threat modeling works to identify, communicate, and understand threats and mitigations within the context of protecting something of value.

Threat Intelligence

Threat intelligence is data that is collected, processed, and analyzed to understand a threat actor's motives, targets, and attack behaviors. Threat intelligence enables us to make faster, more informed, data-backed security decisions and to change our posture from reactive to proactive in the fight against threat actors.

Detection Rules / Signatures

Resources

Notes

  • Indicator types (from the Cyber Kill Chain paper)
    • Atomic - Atomic indicators are those which cannot be broken down into smaller parts and retain their meaning in the context of an intrusion. Typical examples here are IP addresses, email addresses, and vulnerability identifiers.
    • Computed - Computed indicators are those which are derived from data involved in an incident. Common computed indicators include hash values and regular expressions.
    • Behavioral - Behavioral indicators are collections of computed and atomic indicators, often subject to qualification by quantity and possibly combinatorial logic. An example would be a statement such as "the intruder would initially use a backdoor which generated network traffic matching [regular expression] at the rate of [some frequency] to [some IP address], and then replace it with one matching the MD5 hash [value] once access was established."
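The behavioral indicator quoted above, turned into detection logic as an added example (not code from the repository or from the paper). The regex, the C2 address (a TEST-NET-3 address), the beacon rate, the MD5 (the hash of an empty file, used as a placeholder) and the proxy and process log formats are all constructed for this illustration.

```python
"""Behavioral indicator: a regex (computed) at a rate to an IP (atomic), followed
by execution of a binary with a given MD5 (computed), combined with AND logic."""
import re
from datetime import datetime, timedelta

# The behavioral indicator expressed as data rather than as prose (values constructed).
INDICATOR = {
    "c2_ip": "203.0.113.7",
    "uri_re": re.compile(r"^/[a-z]{6}\.php\?id=[0-9a-f]{16}$"),
    "min_hits": 4,                      # at least this many matching requests ...
    "period": timedelta(minutes=20),    # ... inside this much time = a beacon
    "stage2_md5": "d41d8cd98f00b204e9800998ecf8427e",   # placeholder, MD5 of ""
}

# Constructed proxy log: "<ts> <src> <dst> <method> <uri>"
PROXY_LOG = [
    "2024-03-01T09:00:05 10.0.0.5 203.0.113.7 GET /gbqwep.php?id=3fa9c1d2e4b56a70",
    "2024-03-01T09:05:04 10.0.0.5 203.0.113.7 GET /gbqwep.php?id=3fa9c1d2e4b56a70",
    "2024-03-01T09:10:06 10.0.0.5 203.0.113.7 GET /gbqwep.php?id=3fa9c1d2e4b56a70",
    "2024-03-01T09:15:05 10.0.0.5 203.0.113.7 GET /gbqwep.php?id=3fa9c1d2e4b56a70",
    "2024-03-01T09:12:00 10.0.0.9 203.0.113.7 GET /index.html",      # same IP, URI does not match
    "2024-03-01T09:30:00 10.0.0.5 198.51.100.2 GET /api/v1/status",  # unrelated traffic
]
# Constructed process-execution log: "<ts> <host> <image path> <md5>"
PROCESS_LOG = [
    "2024-03-01T09:20:30 10.0.0.5 C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe d41d8cd98f00b204e9800998ecf8427e",
    "2024-03-01T08:00:00 10.0.0.9 C:\\Windows\\System32\\svchost.exe 0123456789abcdef0123456789abcdef",
]


def parse_proxy(line):
    ts, src, dst, _method, uri = line.split()
    return datetime.fromisoformat(ts), src, dst, uri


def parse_process(line):
    ts, host, path, md5 = line.split()
    return datetime.fromisoformat(ts), host, path, md5.lower()


def beaconing_hosts(proxy_lines, ind=INDICATOR):
    """{src_host: first_beacon_time} for hosts whose matching requests to c2_ip
    occur min_hits times within `period`. The rate test is what separates a
    beacon from a single stray hit to the same address."""
    hits = {}
    for line in proxy_lines:
        ts, src, dst, uri = parse_proxy(line)
        if dst == ind["c2_ip"] and ind["uri_re"].match(uri):
            hits.setdefault(src, []).append(ts)
    found = {}
    n = ind["min_hits"]
    for src, times in hits.items():
        times.sort()
        for i in range(len(times) - n + 1):      # sliding window of n hits
            if times[i + n - 1] - times[i] <= ind["period"]:
                found[src] = times[i]
                break
    return found


def stage2_executions(process_lines, ind=INDICATOR):
    """{host: execution_time} for processes whose MD5 matches the stage-2 hash."""
    return {host: ts for ts, host, _path, md5 in map(parse_process, process_lines)
            if md5 == ind["stage2_md5"]}


def detect(proxy_lines, process_lines, ind=INDICATOR):
    """Hosts where the beacon was observed and the stage-2 binary ran after it started."""
    beacons = beaconing_hosts(proxy_lines, ind)
    stage2 = stage2_executions(process_lines, ind)
    return sorted(h for h, first in beacons.items() if h in stage2 and stage2[h] > first)


if __name__ == "__main__":
    print("beaconing:", beaconing_hosts(PROXY_LOG))
    print("behavioral match:", detect(PROXY_LOG, PROCESS_LOG))
```

Note what each layer buys you: the IP alone would also flag 10.0.0.9, the regex alone would flag any single request, and the hash alone would miss a recompiled stage-2 binary; requiring the sequence is what makes the indicator behavioral and harder for the adversary to evade by changing one atomic value.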