Whitepaper: Forge Threat Detection Success at the Pyramid Apex
An effective threat detection strategy requires having the right detections
Sequenced behavioral-based detections
Singular atomic-based detections have been the foundation of threat detection in security operations centers (SOCs); however, atomic-based detections alone are not enough – the concept has proven unreliable, yielding noisy detections with short operational lifespans. The pyramid of pain categorizes the various detection levels, with threat actor tactics, techniques, and procedures (TTPs) as the goal of detection. The apex is where threat detection should move, since understanding adversary objectives helps eliminate the focus on chasing dynamic and easily changeable indicators.
Reliance on a single identifier is no longer enough; instead, the atomic components should be structured in sequences to enable behavior-based detection. Anvilogic is putting our detections deep in the fire to forge a strong security framework. The framework is built on sequenced, behavior-based detections that home in on the attacker’s core objectives, providing a threat detection model designed to hold its long-term strategic value: largely future-proof, flexible enough to be modified as new TTPs are identified, and giving security teams the ability to expand it and detect unknowns more easily.
A practical threat detection framework has been lacking in an industry that has struggled to keep pace with adversaries outmaneuvering frazzled security practitioners. Organizations that adopted signature- and heuristics-based defense strategies have found them inadequate at stopping adversaries and malware from penetrating their networks. This happens because detection capabilities that focus on the lowest levels of the pyramid of pain, with identifiers accurately categorized as “Trivial,” “Easy,” and “Simple,” quickly lose value. Because threat actors can change the associated indicator so easily, the result is a security posture that is constantly degrading and holds only short-term strategic value, leaving defenders chasing a constantly moving target.
In addition to making the SOC a mad hatter’s tea party of chaotic disarray, these detections are often noisy and unreliable, contributing to analyst burnout and diluting confidence when trying to discern malicious activity in a sea of alerts. It is an unintentional cycle of operational chaos – and a detection strategy based on low-level atomic indicators is ineffective. The threat landscape continually evolves at a pace antivirus systems cannot match, and delineating malicious from benign activity through code has not proven to be the answer for the security industry. Organizations must move away from antiquated methods many still believe work, or as an industry we will continue to go in circles talking about skills shortages, how to keep up with alert fatigue, and everything else that holds us back. The Anvilogic Threat Detection and Incident Response (TDIR) Platform approach to better threat detection uses research focused on threat actor tactics, techniques, and procedures (TTPs) to create detections based on patterns of attack behavior. This approach can help teams establish a security framework that makes the attacker’s main objectives the core focus of alerting.
The Anvilogic TDIR Platform aims to create a behavior-based framework that helps teams stabilize and modernize their security operations by breaking away from the traditional chaotic operational cycle. With alerts no longer relying on a single identifier, teams can shift to sequence-based threat behaviors composed of multiple threat identifiers. A detection crafted at the apex of the pyramid, classified as “Tough,” operates at a level that isn’t malleable and applies to a range of threat activities, eliminating the need to focus or spend time on one-off events.
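To make the sequencing idea concrete, here is an added illustration (not Anvilogic's code, and not how the TDIR Platform is implemented) of a minimal sequence correlator: several low-level atomic detections only become one behavioral alert when they fire on the same host, in a defined order, inside a time window. The alert names, hosts and timestamps are constructed sample data, and the three-step pattern is a hypothetical one chosen for the example.

```python
from datetime import datetime, timedelta

# Constructed sample of atomic detections as a SIEM might emit them.
# Each record is one low-level indicator firing on a host; on its own,
# none of them is enough to page an analyst.
ATOMIC_ALERTS = [
    {"ts": "2024-03-01T10:00:05", "host": "ws-17", "atomic": "office_spawns_shell"},
    {"ts": "2024-03-01T10:00:40", "host": "ws-17", "atomic": "encoded_powershell"},
    {"ts": "2024-03-01T10:02:10", "host": "ws-17", "atomic": "lsass_handle_opened"},
    {"ts": "2024-03-01T11:30:00", "host": "ws-22", "atomic": "encoded_powershell"},  # lone event
    {"ts": "2024-03-01T12:00:00", "host": "ws-09", "atomic": "office_spawns_shell"},
    {"ts": "2024-03-01T15:00:00", "host": "ws-09", "atomic": "lsass_handle_opened"},  # outside window
]

# Hypothetical sequenced pattern expressing an adversary objective
# (execution leading to credential access) rather than any single tool or hash.
PATTERN = ["office_spawns_shell", "encoded_powershell", "lsass_handle_opened"]


def correlate_sequence(alerts, pattern, window_minutes=30):
    """Return one behavioral alert per host where every step of `pattern`
    fired in order, all within `window_minutes` of the first step."""
    window = timedelta(minutes=window_minutes)
    by_host = {}
    for a in sorted(alerts, key=lambda a: a["ts"]):  # ISO-8601 strings sort chronologically
        by_host.setdefault(a["host"], []).append(a)

    matches = []
    for host, events in by_host.items():
        chain = []  # partial sequence observed so far on this host
        for ev in events:
            t = datetime.fromisoformat(ev["ts"])
            if chain and t - datetime.fromisoformat(chain[0]["ts"]) > window:
                chain = []  # stale partial chain: discard silently, never alert on it
            if ev["atomic"] == pattern[len(chain)]:
                chain.append(ev)
                if len(chain) == len(pattern):
                    matches.append({
                        "host": host,
                        "start": chain[0]["ts"],
                        "end": chain[-1]["ts"],
                        "steps": [c["atomic"] for c in chain],
                    })
                    chain = []
    return matches


if __name__ == "__main__":
    for m in correlate_sequence(ATOMIC_ALERTS, PATTERN):
        print(f"behavioral alert on {m['host']}: {' -> '.join(m['steps'])}")
```

Only ws-17 produces an alert; the lone encoded PowerShell on ws-22 and the two widely separated events on ws-09 never reach the analyst, which is the noise reduction the sequenced approach is after.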