Demystifying detection engineering and why every organization needs it
Let's dive into Detection Engineering (DE), a crucial practice in cybersecurity that can help organizations protect their computer systems from adversarial or otherwise unwanted behaviors. But before we get started, let's have some fun and imagine that we're detectives trying to catch cybercriminals.
Detection Engineering: The Practice of Catching Cybercriminals
As detectives, we have a job to do: protect our organization's computer systems from cybercriminals. And just like detectives in the real world, we need a set of tools and techniques to help us do our job effectively. That's where Detection Engineering (DE) comes in.
DE is the practice of researching, building, testing, deploying, validating, and maintaining rules, searches, and methods of detecting unwanted behaviors on computer systems. It's like having a magnifying glass that helps us spot suspicious activity on our systems. But don't be fooled — DE is not an easy task. If it were, we wouldn't have ransomware attacks or high-profile hacks in the news.
So, how do we catch these cybercriminals? Let's start by breaking down the definition of DE into smaller parts.
Research and Understanding
As detectives, we need to know what we're looking for. What exactly are we trying to detect, and why? This is where research and understanding come in. We need to gather intelligence on the latest cyber threats, analyze past incidents, and create hypotheses based on our findings. Both empirical and theoretical approaches can be valid, but we need to be selective in our approach as we can't do everything.
Building, Testing, and Deploying Rules
Now that we know what we're looking for, we need to build rules to help us detect unwanted behaviors on our systems. But it's not just about building rules; we need to test them to make sure they work correctly and don't generate false positives. This is usually tool-dependent, but we can use tools like the Sigma project to help us create detections for common use cases.
However, we can't just rely on standalone rules. We need a way to correlate our detections and combine them to get a bigger picture of what's happening on our systems. This is where the "methods" part of DE comes in.
Two-Tiered Framework
As mentioned earlier, effective DE is more than just building and deploying rules. It's about having a two-tiered framework that helps us correlate and combine our detections to get a more comprehensive view of what's happening on our systems.
The first tier of detections runs against raw data and finds individual behaviors of interest, such as encoded PowerShell commands or Windows macro executions. These detections assign a risk score, normalize entities, enrich results with other metadata like MITRE ATT&CK tactics and techniques, and then store them in a mid-tier table or index. The second tier of detections operates against this mid-tier table or index and looks for specific entities that match a threat scenario or exceed risk thresholds within allotted time periods.
One of the benefits of this approach is that the analyst doesn't have to respond to or look at the mid-tier index until an entity matches a scenario or exceeds a threshold. This approach also helps analysts view all offending behaviors at once instead of in isolation.
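The two tiers described above, as an added example that is not part of the original post: two hypothetical tier-one rules turn constructed raw process events into normalized, ATT&CK-tagged risk rows, and a tier-two pass alerts only when an entity's risk inside a time window crosses a threshold or matches a scenario. Rule names, scores, the 80-point threshold and the sample events are all assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Tier 1: hypothetical rules over raw events. Each returns a risk observation or None.
def encoded_powershell(ev):
    cmd = ev.get("command_line", "").lower()
    if ev.get("process") == "powershell.exe" and " -enc" in cmd:
        return {"score": 40, "technique": "T1059.001"}  # assumed score and technique

def office_macro_child(ev):
    if ev.get("parent_process") in {"winword.exe", "excel.exe"} and ev.get("process") == "powershell.exe":
        return {"score": 50, "technique": "T1204.002"}  # assumed score and technique

TIER1_RULES = [encoded_powershell, office_macro_child]

def tier1(events):
    """Run every rule over raw events; emit normalized, enriched rows for the mid-tier index."""
    mid_tier = []
    for ev in events:
        for rule in TIER1_RULES:
            hit = rule(ev)
            if hit:
                # normalize the entity (lowercase host) and carry the enrichment along
                mid_tier.append({"ts": ev["ts"], "entity": ev["host"].lower(), "rule": rule.__name__, **hit})
    return mid_tier

def tier2(mid_tier, threshold=80, window=timedelta(hours=24), scenario=None):
    """Alert per entity when risk inside the window reaches threshold or the technique set covers a scenario."""
    by_entity = defaultdict(list)
    for row in sorted(mid_tier, key=lambda r: r["ts"]):
        by_entity[row["entity"]].append(row)
    alerts = []
    for entity, rows in by_entity.items():
        for i, latest in enumerate(rows):
            in_window = [r for r in rows[:i + 1] if latest["ts"] - r["ts"] <= window]
            total = sum(r["score"] for r in in_window)
            techs = {r["technique"] for r in in_window}
            if total >= threshold or (scenario and scenario <= techs):
                # one alert per entity, listing every contributing behavior at once
                alerts.append({"entity": entity, "risk": total, "techniques": sorted(techs)})
                break
    return alerts

# Constructed sample telemetry (not real data): two hosts, three process-creation events.
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE_EVENTS = [
    {"ts": T0, "host": "WS01", "process": "powershell.exe", "parent_process": "explorer.exe", "command_line": "powershell -enc QUJD"},
    {"ts": T0 + timedelta(minutes=5), "host": "WS01", "process": "powershell.exe", "parent_process": "winword.exe", "command_line": "powershell -nop -w hidden"},
    {"ts": T0 + timedelta(hours=1), "host": "ws02", "process": "powershell.exe", "parent_process": "explorer.exe", "command_line": "powershell -enc QUJD"},
]

if __name__ == "__main__":
    print(tier2(tier1(SAMPLE_EVENTS)))  # only WS01 (40 + 50 = 90) crosses the threshold; ws02 stays in the mid-tier index
```

The analyst never sees ws02's single 40-point row; it waits in the mid-tier index until further behavior pushes that host over the threshold or completes a scenario.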
Why Every Organization Needs DE
Now, let's talk about why every organization needs DE. Cybersecurity negligence can lead to outcomes that really affect your business or even end your business. Ransomware, data breaches, and other cyber attacks can severely impact your organization's reputation and finances.
DE is a critical component of a comprehensive cybersecurity strategy that helps organizations protect their systems from cybercriminals. Without DE, you're essentially shooting at a target with a blindfold on or trying to solve a puzzle without all the pieces. Without DE, you can’t assure your business that you’re capable of detecting the threats that could cause significant impacts.
Check out my video on the above topic for more information and further explanation!
Until next time, may your detections be swift and your results few!