How threat detection and response approaches work

Detection involves real-time monitoring of the enterprise’s digital systems for any evidence of malicious activity. This may include (and is not limited to): anomalous user behavior, unauthorized attempts to access secured accounts or files, unusual network traffic or system log activity, file modifications, suspicious DNS requests, unauthorized VPNs and remote access software, and unknown applications in use.

Once detected, evidence of a threat will generate an alert or, if it is the product of analyst threat hunting, may warrant additional analysis of the findings. The process may entail analysis of several indicators of compromise (IOC), TTPs or alerts generated by different tools in the threat detection and response systems.

Response actions may include immediate defensive actions, such as host isolation, network segmentation, blocking domains or access to compromised files, forced re-authentication or other actions that can limit the blast radius of the suspected or actual threat.

However, threat response can also include forensic and remedial actions such as patching vulnerabilities, restoring systems, and updating security settings and protocols to prevent additional adversary actions.

What threats can a threat detection and response approach address

In theory, any IOC or TTP related to any type of cyber attack could fall under the purview of a threat detection and response system, including ransomware, phishing attacks, and malware downloads.

However, TDR typically focus on uncovering malicious network traffic that does not match known signatures, threats that evade EDR detections, and activity that evades perimeter defenses. They also can search for evidence of advanced persistent threats (APTs), in which adversaries move slowly and deliberately through an enterprise’s system after establishing initial access.

It can also be useful to think of threat detection and response in terms of its potential to disrupt adversaries. Sophisticated tools and methods have the potential to detect IOC and TTP that are more valuable in terms of the adversary’s effort, such as software tools or activity in the network. From this perspective, hunting and response is more successful the more it wastes an adversary’s time and resources. (For a detailed description of this concept, view David Blanco’s “Pyramid of Pain” approach).

What tools and techniques are common to threat detection and response

Several categories of cybersecurity systems can create the technical foundation for enterprise-level threat detection and response, including intrusion detection systems, NDR, EDR, XDR, and MDR. Some or all of these platforms will operate in concert with SIEM, security orchestration, automation, and response (SOAR), data lakes, and other solutions that collect and integrate data and alerts within the security stack.

However, security teams that rely solely on technology may be confined to a reactive posture that does not anticipate how adversaries may change their tools and behaviors and does not help to prioritize alerts or contextualize IOCs and TTPs.

Automation through machine learning tools is a necessary component of detection and response. However, security teams, and solution vendors, are far from automating the process; it is therefore critical to put sufficient weight on the human element of the equation. Without the necessary skills, experience, and access to quality threat intelligence, much of the value in ML and automation will be unrealized.

Effective threat detection and response, therefore, also depends on other factors, including:

• Threat intelligence. Threat intelligence refers to any information that helps security teams understand the nature of the cyber threats they face and pivot to a more proactive, data-driven approach to detection and response. It can include IOCs collected from existing security tools and platforms, threat intel feeds with updated information about new vulnerabilities and exploits as well as feeds from open-source traffic analysis platforms, such as Zeek and Suricata, and knowledge bases such as MITRE ATT&CK Some vendors generate threat intelligence from partnerships with select customers (such as Corelight’s Polaris Program).
• Threat modeling. This is a process that helps an organization assess the complexities and potential vulnerabilities of its systems. While threat modeling has applications beyond detection and response, it can be helpful for analysts who must assess the potential risk of compromise within their systems, and help them prioritize alerts. Threat modeling can also support pen testing and other methods of gauging the strength of system elements.
• Threat hunting. Threat hunting is a proactive, human-led process in which security teams use automated, ML-based, and manual tools to uncover evidence of stealthy adversary activity. It assumes adversaries can and will evade intrusion prevention defenses, and that they will continue to develop evasive techniques.

Threat hunting does not focus on known threats. As new evidence of adversary activity is discovered, threat hunters can formulate a hypothesis about the presence of threat and find the compromise by doing the hunt to validate the hypothesis. Threat hunts usually result in creation of rules that automate threat indicator matching. It is an iterative process that depends on automated tools to handle detection of known threats, while strategically using analysts’ creativity, knowledge, and limited time to mount informed hunts for new evidence of threats and adversary activity.

Threat hunting can work off a variety of frameworks and models, and hypotheses. Here again, the needs of the business, the tools and expertise native to security teams, and the specific system requirements can all factor into the right approach in any given circumstance. The PEAK Threat Hunting Framework created by the SURGe Security Research Team at Splunk is a notable example of an adaptable approach that can follow hypothesis-driven, baseline, and model-assisted hunting techniques.

(Find out how network evidence generated by the Corelight Open NDR platform helps analysts elevate and refine their threat-hunting approach.)

How threat detection and response can create challenges for security teams

By any metric, no security framework or combination of tools is 100% effective. Threat detection and response platforms are no exception. However, through a mismatch between tools and SOC capabilities, or insufficient oversight, a number of challenges can create problems beyond ineffective or inefficient threat management:

• Lack of integration. As noted, a threat detection and response platform will often include several different platforms. If new platforms and tools are bolted on and not sufficiently understood, SOCs can suffer from excessive “chair swivel” as they try to make sense of a fragmented and/or incomplete view of the enterprise’s systems. This can also lead to overly complex workflows and overall inefficiency in the face of escalating threats.
• Alert fatigue. Threat detection and response systems that lack a unifying architecture can also generate higher alert volume than security teams can process. The result can be an increase in time-consuming investigation of false positives while valuable IOCs and TTP alerts are undetected or insufficiently explored.
• Expertise gaps. Even a well-architectured threat detection and response platform will underperform when managed by under-experienced security teams or teams that fail to use its capabilities of the solutions to hone their efficiency and skills.
• A lack of high-quality evidence and context. Effective threat detection and response depends on alignment with the enterprise’s processes, threat landscape and risk management approach. Without this, it is challenging for SOCs to prioritize and respond to emerging threats. Platforms that lack evidence-gathering capability make it difficult for analysts to improve their threat hunting skills and build informed hypotheses about adversary activity.

How network detection and response can improve threat detection and response

While there are many technologies on the market that can provide a foundation or support for threat detection and response, network detection and response (NDR) has become and integral part of the solution. Many organizations have found that NDR’s variety of use cases and high-fidelity evidence make the platform suitable as a first line of defense in their TDR approach. It has demonstrated value augmenting and extending EDR solutions, as well as driving more value out of AI-powered security tools.

NDR’s value to threat detection and response includes:

• Real-time monitoring capabilities. NDR’s view into network traffic can provide analysts deeper insight into logs, session information, and individual data packets. This can provide analysts with rich context for assessing user behavior, traffic patterns, and detecting lateral movement, C2 traffic data exfiltration, and a variety of other evidence of malicious activity.
• Enriched investigation, analysis. NDR can fuel deeper investigations into a variety of attack patterns. Its logging capabilities allow analysts to follow network connections across ports and protocols often exploited in attacks such as ransomware, data extraction, and malware downloads.
• Advanced threat hunting. The combination of rich metadata, automation, log generation, and threat intelligence can help analysts undertake threat hunts with greater efficiency, better models and more robust hypotheses.
• Incident containment verification and forensics. By using traffic analyzers such as Zeek, which also transforms network PCAP traffic into high-fidelity logs or metadata logs, NDR can help security teams take a step beyond incident remediation and verify containment has persisted and there has been no recurrence of adversary activity. These capabilities also help with ongoing forensic investigations of complex attacks, as well as reporting for the purposes of disclosure and compliance.
• Improved coverage of OT, ICS, and IIoT devices and systems. EDR solutions, whether on-premises, in-cloud or both, do not cover all endpoints. Many devices performing critical services in operational technology (OT) and industrial control systems (ICS) do not have the capacity for on-device security. The existence of this growing universe of endpoints (which increasingly are targets for malicious actors) makes NDR a crucial source of data for security teams, since it can monitor traffic from and between these devices and generate evidence that may indicate adversary activity.

How Corelight’s Open NDR platform supports robust, evolving threat detection and response

The open architecture of Corelight’s NDR combines powerful engineering for on-premises, cloud, and hybrid environments with the richest, cutting-edge intelligence from open-source communities. Designed to integrate with EDR, XDR, SIEM, and SaaS-based solutions, Corelight’s Open NDR helps SOCs to avoid tool integration challenges and build a robust, intuitive threat detection and response platform. Its signature-based Suricata alerting meshes with Zeek network evidence to streamline and expedite all stages of security response.

Corelight’s platform is dynamic; our researchers leverage opportunities to use our product for threat hunts in the field and threat intelligence from select, participating customers and the open source community to expand our entity collection. We also employ AI tools and LLMs to expedite alerting and response, and help analysts become more nimble and targeted in their incident response and threat hunting.

We encourage you to explore a wide range of use cases that demonstrate how Corelight’s Open NDR can take your threat detection and response capabilities to a higher level, integrate with and expand your security toolset, and manage your cybersecurity risk.

Are you ready to learn more about Corelight’s products and solutions? Contact us.