What Is a Threat Detection Framework?

In today’s world of growing complexity and a lucrative cybercrime industry, you can be certain of only one thing: you will be hacked, and your exposure is growing. Read on to discover a framework and the approaches that protect your business against cyber threats, even in today’s world.

Preventing known threats is only a small part of the solution

As their security programs mature, organizations quickly realize that threat prevention alone is not enough to manage information-security risk. Many classic preventive measures, such as Intrusion Prevention Systems (IPS) and antivirus software, work by matching signatures of known malware and malicious network traffic. Such approaches are limited because the signature has to match the specific threat: to remain unnoticed, the attacker only has to change the behavior of their tools slightly.

Prevention based on heuristic analysis can also be tricked

Providers of modern endpoint protection solutions now rely on heuristic analysis and often claim that it prevents unknown threats. Unfortunately, attackers have adapted and increasingly abuse legitimate tools that are built into the modern operating system. This makes it difficult to distinguish the expected behavior of the system from an attacker searching for valuable data. Reliable detection of such activity becomes nearly impossible without a large number of false-positive detections, and acting on those can itself cause service outages.

So, how can you protect your company from cyber threats?

Should you get rid of your antivirus solution? Absolutely not. Will your antivirus solution eventually fail and let through malware that could cause severe data loss? It is just a matter of time.

To detect threats that bypass the antivirus, the organization should start collecting the appropriate events and set up a detection and response program.

Setting up IT security: SIEM

As more funds are allocated to different security solutions, the amount of data that needs to be stored and analyzed grows rapidly. This data is usually sent to a dedicated central logging system, such as a SIEM, or to another long-term log management solution.

While many organizations run a SIEM, little effort is put into the solution after deployment, so it does not contribute to the organization’s security. In NIL’s experience, SIEM projects often stop once the data sources have been connected, which turns the SIEM into an expensive syslog server.

Questions you need to raise

While feeding data into a SIEM is quite simple, the real challenge lies in using the collected data to discover potential threats in the environment. Unfortunately, there is no universal how-to for tuning a SIEM. Everything depends on business risks, the industry, the technology, the business processes, and other particularities. Two questions need to be answered when setting up a threat detection program:

  • Which threats do I want to detect?
  • Which data do I need to detect threats?

Understanding the attacker: MITRE ATT&CK knowledge base

To answer the first question, you need to understand the adversary: how they get into one of the organization’s systems, and what they do after the initial entry into the IT environment.

Lately, MITRE ATT&CK has been getting a lot of attention from cybersecurity specialists, as it combines knowledge of the tactics, techniques, and procedures (TTPs) that attackers have used in thousands of security breaches. Moreover, ATT&CK describes how each observed technique has been used and how it can be detected in your own environment. Great, right? Unfortunately, it is not that simple.

266 ways to attack you – in general

Currently, there are 266 different general attack techniques in the ATT&CK knowledge base. Some of them are very broad and require tens of SIEM or similar rules to effectively detect all the variants of the technique an attacker might use. ATT&CK also does not provide the detection logic itself, only general guidance on detection.

More IT specialists are needed

Developing a practical detection rule requires several specialists with specific knowledge:

  • First, a team of ethical hackers develops a test that exercises the technique.
  • All events generated during the test are collected and analyzed.
  • Then, a digital forensics specialist reads through the collected data and works out the detection logic, which must produce a minimal number of false positives while still reliably detecting the malicious activity.
  • The result is handed to a security engineer, who implements the detection logic in the SIEM system.

Should all 266 techniques be researched and implemented, which would result in over 500 detection rules? Of course not. Some techniques may not be relevant to your environment, some are rarely used, some you are already preventing, and some are almost impossible to detect. Prioritizing the techniques is therefore the key to success.
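As an added illustration of this prioritization (example code written for this article, not NIL’s TDF), the script below scores a small, constructed slice of techniques by relevance and detectability, drops those that are already prevented or practically undetectable, checks which ones the data sources already connected to the SIEM can cover, and reports which missing data sources would unblock the most rules. The technique IDs are real ATT&CK identifiers; the data-source requirements, scores and prevention flags are assumptions.

```python
"""Rank ATT&CK techniques for detection-rule work and show data-source gaps.
Added example, not NIL's TDF. Technique IDs are real ATT&CK IDs; the data-source
requirements, scores and prevention flags are constructed for illustration."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Technique:
    tid: str
    name: str
    sources: frozenset       # log sources a detection rule for it would need
    relevance: int           # 0-3: how likely the technique is in *this* environment
    detectability: int = 2   # 0 (practically undetectable) .. 3 (easy to detect)
    prevented: bool = False  # already blocked by an existing control


# Constructed catalogue: a small slice standing in for the full knowledge base.
CATALOGUE = [
    Technique("T1566", "Phishing", frozenset({"email_gateway", "proxy"}), 3),
    Technique("T1059", "Command and Scripting Interpreter",
              frozenset({"process_creation", "script_block"}), 3),
    Technique("T1003", "OS Credential Dumping",
              frozenset({"process_creation", "process_access"}), 3),
    Technique("T1053", "Scheduled Task/Job",
              frozenset({"process_creation", "windows_security"}), 2, prevented=True),
    Technique("T1021", "Remote Services", frozenset({"windows_security", "netflow"}), 2),
    Technique("T1542", "Pre-OS Boot", frozenset({"firmware"}), 1, detectability=0),
]


def covered(catalogue, available):
    """Technique IDs whose required data sources are all already in the SIEM."""
    return {t.tid for t in catalogue if t.sources <= available}


def prioritise(catalogue, available):
    """(tid, score, missing sources) for techniques worth a rule, highest priority first.
    Already-prevented and practically undetectable techniques are dropped."""
    ranked = []
    for t in catalogue:
        if t.prevented or t.detectability == 0:
            continue
        missing = tuple(sorted(t.sources - available))
        ranked.append((t.tid, t.relevance * t.detectability, missing))
    # Highest score first; among equals, prefer techniques needing fewer new sources.
    return sorted(ranked, key=lambda r: (-r[1], len(r[2]), r[0]))


def source_gaps(catalogue, available):
    """How many prioritised techniques each missing data source would unblock."""
    return Counter(s for _, _, miss in prioritise(catalogue, available) for s in miss)
```

Call `prioritise(CATALOGUE, available)` with the set of data sources already connected to your SIEM; `source_gaps` then tells you which source to onboard next to answer the second question above.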

NIL Security Operations Center – SOC

In the NIL Security Operations Center (SOC), a dedicated group of security experts researches the techniques in the ATT&CK knowledge base. The result of their research is a set of threat detection rules that provides substantially greater capabilities than most companies can develop internally.

The NIL Threat Detection Framework – TDF

Our detection rules are carefully developed to detect even the most advanced attacks. They are collected in a central repository called the NIL Threat Detection Framework (TDF). TDF serves as a unified knowledge base that includes the detection logic, the required data sources, and the attacker emulation tests. TDF is also used as a visual aid for SOC clients to track their current technique coverage based on the data sources available to them.

NIL also uses TDF when onboarding an organization into the SOC, to assess the detection capability of the potential client’s environment. By evaluating detection maturity objectively, NIL can more easily suggest improvements towards a higher level of detection, and the NIL SOC service can be delivered at the highest level.