In today's rapidly evolving threat landscape, cybersecurity is more crucial than ever. Advanced persistent threats (APTs) and sophisticated attacker tactics are now part of the norm. Modern attackers are faster and more creative, taking mere hours to move from initial compromise to reaching their objectives.
Yet, detecting an attacker often takes days—sometimes even months. This speed disparity highlights the urgent need for a more robust and intelligent approach to cyber defense.
Engineering Manager of the Adversary Research Team at AttackIQ.
The Rise of Exploit-Based Attacks
One of the biggest challenges facing security teams is the shift towards exploit-based attacks. These attacks leverage vulnerabilities in software and systems, often taking advantage of zero-day exploits or previously unknown weaknesses. Unlike traditional malware attacks, exploit-based attacks are much harder to identify.
Recent studies highlight that vulnerabilities, not just phishing, have become a primary attack vector. Mandiant reports that exploit-based attacks have overtaken email-based methods, and CrowdStrike notes that 75% of threats now leverage “living off the land” (LotL) tools rather than traditional malware. These methods exploit vulnerabilities in existing systems and applications, often taking advantage of overlooked entry points. The growing prevalence of zero-days and AI-powered exploit discovery further complicates the challenge for defenders.
The Critical Role of Detection
To address these challenges, organizations need to adopt a new approach to security. Effective detection is essential, especially with the increasing number of malware-less attacks. According to Accenture, less than 1% of an organization’s detection rules are fully effective. Many detection rules remain outdated, resulting in a flood of false positives and missed detection opportunities.
Detection must focus on adversary behaviors, not static indicators like malware hashes. The shelf life for these ephemeral indicators is short. Behavior-based detection tied to adversary tactics, techniques, and procedures (TTPs) gives organizations a chance to detect and mitigate threats in real time, meeting compliance requirements from regulations like GDPR, PCI, HIPAA, and FISMA.
Why Improving Detection is Challenging
Detection engineering is the discipline of transforming adversary knowledge into actionable detection rules. This is a continuous cycle: researching relevant threats, building specific detection logic, and validating those detections to ensure effectiveness. But many organizations struggle here. Writing, testing, and maintaining hundreds of detection rules can overwhelm even the most mature security teams. Tests can be written poorly, and when they aren’t validated accurately, they lead to gaps in coverage or false positives that bury real alerts.
Effective detection is not just about having the right rules in place. It's also about having the right processes and technologies to support those rules. This includes:
- Visibility: Organizations need complete visibility into their IT environment, including all devices, applications, and user activity. This visibility is essential for identifying suspicious activity and understanding the scope of an attack.
- Automation: Security teams are often overwhelmed by the sheer volume of alerts they receive. Automation can help to filter out false positives and prioritize the most critical alerts, freeing up analysts to focus on investigating and responding to real threats.
- Threat intelligence: Up-to-date threat intelligence is crucial for understanding the latest attacker TTPs and developing effective detection rules. Threat intelligence can also help to identify potential threats before they materialize.
Four Questions to Streamline Detection Efforts
Organizations looking to enhance their detection capabilities should consider these four questions:
- Is your detection pipeline effective? Ensure your security controls communicate effectively with your SIEM to gain visibility into your detection alert pipeline.
- Can your controls catch threats beyond prevention? Prevention alone is not enough. Detection acts as a safety net to identify threats that bypass preventative measures.
- How quickly can you gain insights? In time-sensitive situations like incident response, immediate visibility into your detection capabilities is crucial.
- How can you address detected gaps? Once gaps are identified, develop and implement rules to close them.
Looking Ahead
By implementing these measures, organizations can significantly improve their ability to detect and respond to cyberattacks. However, it's important to remember that security is an ongoing process, not a one-time event. Attackers are constantly evolving their methods, so security teams must continuously adapt their defenses to stay ahead of the curve.
In addition to the technical measures outlined above, organizations also need to focus on building a strong security culture. This means educating employees about cybersecurity risks and best practices, and empowering them to report suspicious activity. A strong security culture can help to prevent attacks in the first place, and it can also help to ensure that incidents are identified and responded to quickly.
We've made a list of the best network monitoring tools.
This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
You must confirm your public display name before commenting
Please logout and then login again, you will then be prompted to enter your display name.
