Breadth vs Depth: Attacker behaviour detection

Any piece of cloud service, software or hardware could represent a way into the system if a new vulnerability is discovered by hackers. Cyber criminals are continually looking for new exploits, producing new strains of malware or tinkering with existing strains just enough to alter their threat profile and evade signature-based detection solutions. Tactics have also evolved at a rapid pace, from the use of social engineering techniques in the initial attack to methods for evading detection once a network is compromised.

With such a huge scope of attacks to contend with, security strategies often tend to prioritise the breadth of threat detection coverage with the idea that the more attacker Tactics, Techniques and Procedures (TTPs) that are accounted for, the better the chances of keeping the organisation secure. However, while more breadth of coverage is important, organisations must also be able to back this up with deep, contextual insights and an ability to effectively respond with agility.

Covering all the bases

With threats coming from every direction, it can be hard to know where to start with a security strategy. MITRE’s ATT&CK framework is one of the most useful tools in this regard, offering multiple matrices that cover a wide variety of enterprise and cloud attack surfaces and the known TTPs that threat actors have used against them. Security decision makers can look at threat actor techniques across the entire attack kill chain from initial access and persistent establishment to reconnaissance, lateral movement, exfiltration and impact, complete with a selection of recommended counters for each.

As well as examining attack lifecycles as a whole, IT security decision makers can focus on specific areas of concern. For example, a CISO might identify a particular risk around credential access and use MITRE ATT&CK to learn more about common techniques such as brute forcing and web portal capturing, find specific real-world examples of groups using each TTP, and finally look to define the technical controls to mitigate them.

Frameworks like this provide a valuable source of empirical evidence, allowing CISOs and other security leaders to more easily review their own capabilities, and which tools, controls and processes they should consider implementing.

We also find that these matrices are often used as a sort of checklist and being able to detect as many of the listed TTPs as possible will indeed contribute to keeping the organisation secure. However, establishing reliable security requires a more intensive line of questioning beyond asking “can I use this solution to detect that TTP?”. Establishing breadth of detection is only the beginning of the battle.

Alert overload

Acquiring the broadest range of detection capabilities possible seems like a rational goal. However, this breadth of detection is only useful if the security team is able to effectively deal with and appropriately action those incoming threat alerts.

Security operations centre (SOC) analysts often spend a large part of any day being bombarded with a huge volume of security alerts competing for their attention. Each of these alerts represents a potential threat to the organisation, and while many will be benign or false positives, each one needs to be properly investigated and triaged.

As attack volumes continue to rise, many teams simply do not have the resources needed to investigate every alert, and it’s easy for high risk threats to get lost in the constant noise. Alert fatigue also means that practitioners are likely to be slower to respond to genuine threats, wasting precious minutes that can see an initial attack escalate into a major breach.

Broadening the detection range further without addressing this problem first will only increase the pressure on security analysts and add another cluster of security alerts for which they may lack the resources to properly examine. To be effective, detection must not only have breadth, but depth.

Going deeper

Speed is of the essence when it comes to cyber security incident response. Every minute that ticks by after an initial compromise brings the company closer to a serious security incident such as major data exfiltration or a ransomware attack. Security teams must be able to act quickly and decisively as soon as a threat is detected in order to shut it down before the true damage can be done.

This is where the depth of threat detection comes in. Providing teams with deep, prioritised contextual insights will help them to triage the most significant threat alerts and quickly decide the right course of action with confidence. AI-powered analytics have a powerful role to play here, examining the vast amount of threat data being produced by security solutions and automatically scoring threats based on the risk they represent.

AI does all the heavy lifting by parsing the data and reducing false positives, and enriching detections with powerful contextual insights, leaving the human personnel with the resources and energy needed to investigate and mitigate the real threats to the organisation. AI can work far faster than any human to analyse data from across the network, taking into account multiple TTPs and correlating them into a single chain of incidents.

The MITRE ATT&CK framework remains a valuable knowledge base for security leaders seeking to assess their current security capabilities and the most prevalent TTPs they should prioritise. CISOs have to continue to prioritise their investments in detecting and mitigating known and anticipated threats to their organisations. However, alongside striving to check as many items off the list as possible, they must combine this breadth of detection with the deep, contextual data that will empower their teams to be agile, decisive and effective in shutting down attacks and preventing breaches.