Overview of Cybersecurity Threat Detection

Feb 6, 2025

Cybersecurity Threat Research and Detection

Introduction to Threat Research

  • Focuses on understanding cybersecurity threats to organizations
  • Requires two main components:
    • Detection Mechanisms: Identifying threats
    • Common Language for Findings: Sharing information and learning from each other

Detection of Threats

  • Historically relied on signatures to identify malware
    • Based on known byte patterns or strings
    • Found in files, processes, or network packets
  • Challenges with Encrypted Traffic
    • Encrypted payloads cannot be matched against byte or string signatures
    • Detection instead relies on observable metadata such as packet size, frequency, and protocol anomalies

Attacker Strategies

  • Creating Malware without Signatures
    • New malware not yet in databases
    • Advanced malware mimics legitimate apps, operates stealthily

Cybersecurity Analyst Perspective

  • Detecting malware not caught by signatures
  • Indicators of Compromise (IOCs)
    • Artifacts indicating past breaches
    • Examples: Unusual URLs, unexpected files or processes, new registry entries, unexpected resource usage

Automated Detection Tools

  • Host-Based Intrusion Detection/Prevention
    • Tools to automatically detect anomalies
  • Security Information and Event Management (SIEM)
    • Correlates multiple IOCs to identify patterns

Triage and Event Analysis

  • Reputational Method
    • Associating IOCs with known malicious activities
    • Utilizes databases and feeds
  • Behavioral Method
    • Correlates IOCs with attack patterns
    • Establishes baseline for normal activity

Tactics, Techniques, and Procedures (TTPs)

  • Define TTPs for known attacks
  • Examples:
    • DDoS: High traffic, random global connections
    • Malware: High CPU/memory usage, abnormal connections
    • APT Attacks: Remote control traffic, port hopping, fast flux DNS

Threat Modeling and Sharing

  • Structured Threat Information Expression (STIX)
    • Standardized language for describing threats
    • Uses JSON format (formerly XML)
  • TAXII Protocol
    • REST API for sharing threat information
    • Implements collection and channel models
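As an added example (not from the lecture), the following Python builds a minimal STIX 2.1 indicator bundle using only the standard library and then runs the reputational triage step from the earlier section against constructed host observations. The make_indicator, matches and triage helpers, the single-comparison pattern matcher, and every sample hash and domain are assumptions for illustration, not real indicators.

```python
import re
import uuid
from datetime import datetime, timezone

def stix_id(obj_type):
    return f"{obj_type}--{uuid.uuid4()}"  # STIX ids are '<type>--<UUID>'

def now_ts():
    # STIX timestamps are UTC RFC 3339 with a trailing 'Z'
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")

def make_indicator(name, pattern):
    # Required STIX 2.1 Indicator properties; 'pattern' is a STIX patterning expression
    ts = now_ts()
    return {"type": "indicator", "spec_version": "2.1", "id": stix_id("indicator"),
            "created": ts, "modified": ts, "name": name,
            "pattern": pattern, "pattern_type": "stix", "valid_from": ts}

def make_bundle(objects):
    return {"type": "bundle", "id": stix_id("bundle"), "objects": objects}

# Handles only the single-comparison shape [object_path = 'value'];
# the full STIX pattern grammar (AND/OR, FOLLOWEDBY, ...) is out of scope here.
_SIMPLE = re.compile(r"^\[([\w:.'-]+)\s*=\s*'([^']*)'\]$")

def matches(indicator, observation):
    # Reputational check: does the observed object carry the indicator's value?
    m = _SIMPLE.match(indicator["pattern"])
    if m is None:
        raise ValueError(f"unsupported pattern: {indicator['pattern']}")
    path, value = m.groups()
    return observation.get(path) == value

def triage(bundle, observations):
    # (indicator name, observation index) for every feed hit
    return [(obj["name"], i)
            for obj in bundle["objects"] if obj["type"] == "indicator"
            for i, obs in enumerate(observations) if matches(obj, obs)]

# Constructed sample feed and host observations (not real IOCs)
FAKE_SHA256 = "deadbeef" * 8
FEED = make_bundle([
    make_indicator("Dropper sample", f"[file:hashes.'SHA-256' = '{FAKE_SHA256}']"),
    make_indicator("C2 domain", "[domain-name:value = 'c2.example.invalid']"),
])
OBSERVATIONS = [
    {"file:hashes.'SHA-256'": FAKE_SHA256},       # hits "Dropper sample"
    {"domain-name:value": "update.example.com"},  # benign
    {"domain-name:value": "c2.example.invalid"},  # hits "C2 domain"
]
```

Observations are keyed by STIX object path so the same value can be compared against any feed entry; a real pipeline would map EDR or SIEM events onto these paths before matching.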

Practical Applications

  • OpenIOC: Open project for freely available IOC definitions
  • Tools:
    • FireEye IOC Editor: Visualizes and edits IOCs
    • MISP: Malware Information Sharing Project
    • IBM X-Force Exchange: Works with TAXII for threat intelligence

Key Concepts for Exam

  • Understanding IOCs and detection methods
  • Explanation of STIX language and TAXII protocol

This summary provides an overview of key topics in threat research and detection discussed in the lecture. Understanding these concepts is crucial for cybersecurity analysis and defense strategies.