
Threat Detection and Why You Should Spend More Time Thinking About It

Jan 26, 2021

I don’t think anyone would dispute that cyber security has a problem with buzzwords. These are words that start with a fixed definition but ultimately are diluted over time. One of these so-called buzzwords is threat detection.

But I am here to tell you that this is one buzzword that we should reclaim and that organizations should spend more time considering.

What is Threat Detection?

Before we go digging into threat detection, let’s first define what it is. You'd be forgiven for wondering why we need to define threat detection in the first place, especially since the term seems very straightforward. Regardless, because of the aforementioned dilution it is still important. For our purposes, threat detection is a process that detects malicious activities by observing behaviours known to be associated with specific malware.

Threat detection contrasts with threat protection. Threat protection is a process that detects malicious code through signatures. These signatures rely almost exclusively on digital characteristics of the malware, instead of its behaviours. These could include hash values, strings of text, IP addresses, domains or other similar things.

Threat Detection vs Threat Protection

Simply put, threat protection looks at what the threat is, and threat detection looks at what the threat does. Recall Dave Bianco’s well-known “Pyramid of Pain.” Threat protection aligns to the lower three levels, while threat detection corresponds to the upper three. This means that threat detection is more robust, especially when faced with modifications like code recompilation or infrastructure changes.

The Advantage?

Threat detection, compared to threat protection, has a lot of real-world advantages for security teams. One of the biggest relates to false positives. False positives for threat protection relate to indicators and are binary in nature. An analyst spending significant time investigating an alert that turns out to be a false positive will ultimately produce a counterproductive outcome for the security team, because the investigation will likely lead to the rule being disabled or the indicator being removed.

Threat detection, however, looks for suspicious behaviours. This doesn't mean you won't see false positives: analysts will find power users leveraging Microsoft Office or batch scripts in ways you never thought possible. Their analysis, however, will not be wasted. Instead, that specific behaviour can be whitelisted without losing the protection provided by the threat detection content. This means more reliable detections moving forward, and it also results in security teams being able to better profile “what is normal” in their environment.
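The two rule styles and the false-positive point above, as an added example that is not from the original post or from Intel 471: an indicator rule and a behaviour rule run over constructed endpoint process-creation events, showing that a recompiled sample (new hash, same behaviour) escapes only the indicator rule, and that one power user's false positive can be allowlisted without disabling the behaviour rule. Event fields, user names, hashes and the parent/child pattern are all constructed for illustration.

```python
# Added example, not Intel 471 code: an indicator rule beside a behaviour rule,
# run over constructed endpoint process-creation events.
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    parent: str   # image name of the parent process
    image: str    # image name of the new process
    sha256: str   # hash of the new process image (constructed values below)

# Threat protection: an atomic indicator, the bottom of the Pyramid of Pain.
KNOWN_BAD_HASHES = {"11" * 32}  # constructed placeholder, not a real hash

# Threat detection: a behaviour, an Office application spawning a script host.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# Tuning after a false-positive investigation: the analyst allowlists one power
# user's exact parent/child pair instead of disabling the whole rule.
ALLOWLIST = {("CORP\\jdoe", "excel.exe", "cmd.exe")}

def indicator_rule(ev: ProcessEvent) -> bool:
    """Fires only on an exact hash match, so recompiling the sample evades it."""
    return ev.sha256 in KNOWN_BAD_HASHES

def behaviour_rule(ev: ProcessEvent) -> bool:
    """Fires on the parent/child behaviour unless that exact pattern is allowlisted."""
    if ev.parent not in OFFICE_APPS or ev.image not in SCRIPT_HOSTS:
        return False
    return (ev.user, ev.parent, ev.image) not in ALLOWLIST

RULES = {"indicator": indicator_rule, "behaviour": behaviour_rule}
def run_detections(events):
    """Return (host, rule name) for each rule that fires on each event."""
    return [(ev.host, name) for ev in events
            for name, rule in RULES.items() if rule(ev)]

# Constructed events: the known sample, a recompiled copy of it (new hash, same
# behaviour), and a power user's legitimate macro shelling out to cmd.exe.
SAMPLE_EVENTS = [
    ProcessEvent("ws01", "CORP\\asmith", "winword.exe", "powershell.exe", "11" * 32),
    ProcessEvent("ws02", "CORP\\bjones", "winword.exe", "powershell.exe", "22" * 32),
    ProcessEvent("ws03", "CORP\\jdoe", "excel.exe", "cmd.exe", "33" * 32),
]

if __name__ == "__main__":
    for hit in run_detections(SAMPLE_EVENTS):
        print(hit)  # ws01 fires both rules; ws02 only behaviour; ws03 nothing
```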


Threat Detection Pre-requisites

While some people believe that threat detection requires new and fancy tools, the opposite is actually true. Threat detection only requires the platforms and tools most teams already have. These include a SIEM or data lake platform and an endpoint agent for logging.

Of course, there are other tools and technologies, such as EDR, that can make security teams’ lives easier. But these tools aren’t required to get started.

Threat Detection Content

With logging at the host level in place, and a platform to analyze those logs, the next important step is threat detection content. Content in this context refers to the queries deployed in a SIEM or data lake platform. This content will often be written in a platform-specific syntax. These could include

  • SPL (for Splunk),
  • KQL (for ELK stacks),
  • AQL (for QRadar),
  • ArcSight Keywords (for ArcSight), or
  • YARA (which is a cross-platform content format).

As we mentioned, threat detection content differs from traditional threat protection content. Instead of relying on traditional atomic indicators to detect malicious activity, it looks for specific behaviors used by malware and could include things such as:

Where Does Content Come From?

Threat detection content comes from several different sources. The most common are open-source repositories, default platform content, and in-house development. Each of these methods has its own advantages and drawbacks (which we covered here).

However, at the end of the day, threat detection content originates from threat intelligence.

Effective Threat Detection Leads to More Advanced Capabilities

Organizations should also consider that mature threat detection capabilities have other advantages. Specifically, they enable organizations to adopt new and more advanced capabilities, like threat hunting. This is because capabilities like threat hunting rely on many of the same prerequisites that threat detection does. This means that time spent developing a solid underpinning for threat detection is not a short-lived benefit. Instead, it is one that will continue to pay dividends well into the future.

Conclusion

While the cyber security industry is plagued with buzzwords, it doesn’t mean that those buzzwords don’t have value. Instead, it means that those words must be looked at critically to ensure we see the virtual forest for the digital trees. ‘Threat detection’ is one such concept that has tremendous value for organizations.

Interested in finding out more about threat detection? Check out what threat hunters believe are the free tools that everyone in the infosec industry should be using.
