Identifying cyberthreats has grown more difficult as organizations have expanded their cloud footprint, connected more devices to the internet, and transitioned to a hybrid workplace. Bad actors take advantage of this expanded attack surface and the fragmentation of security tooling with tactics such as the following:
- Phishing campaigns. One of the most common ways that bad actors infiltrate a company is by sending emails that trick employees into downloading malicious code or providing their credentials.
- Malware. Many cyberattackers deploy software that is designed to damage computers and systems or collect sensitive information.
- Ransomware. A type of malware, ransomware encrypts or locks critical systems and data and demands payment to restore them; many groups also exfiltrate data first and threaten to publish it if the ransom is not paid. Recently, human-operated ransomware, in which a group of cyberattackers gains access to an organization’s entire network before deploying the payload, has become a growing issue for security teams.
- Distributed denial-of-service (DDoS) attacks. Using a series of bots, bad actors disrupt a website or service by flooding it with traffic.
- Insider threat. Not all cyberthreats come from outside an organization. There’s also a risk that trusted people with access to sensitive data may inadvertently or maliciously harm the organization.
- Identity-based attacks. Many breaches involve compromised identities: cyberattackers steal or guess user credentials and use them to gain access to an organization’s systems and data without exploiting any software flaw.
- Internet of Things (IoT) attacks. IoT devices are also vulnerable to cyberattack, especially legacy devices that don’t have the built-in security controls that modern devices do.
- Supply chain attacks. Sometimes a bad actor targets an organization by tampering with software or hardware that is supplied by a third-party vendor.
- Code injection. By exploiting vulnerabilities in how an application handles untrusted input, cybercriminals inject code or commands (SQL injection is one common form) that the application then executes.
Detecting threats
To get ahead of rising cybersecurity attacks, organizations use threat modeling to define security requirements, identify vulnerabilities and risks, and prioritize remediation. Using hypothetical scenarios, the SOC tries to get inside the mind of cybercriminals so it can improve the organization’s ability to prevent or mitigate security incidents. The MITRE ATT&CK® framework, a catalog of adversary tactics and techniques observed in real intrusions, is a useful reference for this work.
A multilayer defense requires tools that provide continuous real-time monitoring of the environment and surface potential security issues. Solutions also must overlap, so that if one detection method is evaded or fails, a second one will detect the issue and notify the security team. Cyberthreat detection solutions use a variety of methods to identify threats, including:
- Signature-based detection. Many security solutions scan files and traffic for known patterns, such as file hashes or byte sequences, that are associated with a specific malware family. This is precise and cheap, but it cannot recognize malware that has not been catalogued before.
- Behavior-based detection. To help catch new and emerging cyberthreats, security solutions also look for actions that are common in cyberattacks, such as an office application launching a script interpreter with a hidden command line, regardless of which file is involved.
- Anomaly-based detection. AI and analytics help teams understand the typical behaviors of users, devices, and software so that they can identify something unusual that may indicate a cyberthreat.
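The three methods in the list above, run over a handful of constructed events, as an added example that is not part of the original page. The process events, the logon counts, the known-bad hash, and the field names (`host`, `parent`, `image`, `cmdline`, `sha256`) are all assumptions made for illustration; nothing here is real telemetry or a real signature.

```python
import hashlib
import statistics

# --- Constructed sample telemetry (illustrative only; not real hosts, users or hashes) ---
# A hash of a constructed byte string stands in for a known-malware hash.
BAD_HASH = hashlib.sha256(b"constructed-dropper-sample").hexdigest()
SIGNATURES = {BAD_HASH: "Constructed.Dropper.A"}

# Process-creation events in the shape an EDR or SIEM might export (field names assumed).
PROCESS_EVENTS = [
    {"host": "ws-17", "user": "alice", "parent": "outlook.exe", "image": "winword.exe",
     "cmdline": "winword.exe /n invoice.docx", "sha256": "1" * 64},
    {"host": "ws-17", "user": "alice", "parent": "winword.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -EncodedCommand SQBFAFgA", "sha256": "2" * 64},
    {"host": "ws-17", "user": "alice", "parent": "powershell.exe", "image": "update.exe",
     "cmdline": "update.exe", "sha256": BAD_HASH},
    {"host": "srv-03", "user": "svc-backup", "parent": "services.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\backup\\nightly.ps1", "sha256": "3" * 64},
]

# Successful logons per user for the previous seven days (baseline) and for today.
LOGON_HISTORY = {"alice": [4, 5, 4, 6, 5, 4, 5], "bob": [2, 3, 2, 2, 3, 2, 2]}
LOGONS_TODAY = {"alice": 5, "bob": 41}

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
SUSPICIOUS_FLAGS = ("-encodedcommand", "-enc ", "-w hidden", "-windowstyle hidden")


def signature_detect(events):
    """Signature-based: flag any executable whose hash is on the known-bad list.
    Exact and cheap, but blind to a sample that has never been catalogued."""
    return [(e["host"], e["image"], SIGNATURES[e["sha256"]])
            for e in events if e["sha256"] in SIGNATURES]


def behavior_detect(events):
    """Behavior-based: an Office application spawning a script host with a hidden
    or encoded command line is a common initial-access pattern. The rule keys on
    the parent/child relationship and the command line, not on any file hash."""
    alerts = []
    for e in events:
        cmd = e["cmdline"].lower()
        if (e["parent"] in OFFICE_APPS and e["image"] in SCRIPT_HOSTS
                and any(flag in cmd for flag in SUSPICIOUS_FLAGS)):
            alerts.append((e["host"], f"{e['parent']} -> {e['image']}",
                           "office-app-spawns-encoded-script-host"))
    return alerts


def anomaly_detect(history, today, threshold=3.0):
    """Anomaly-based: flag a user whose logon count today sits more than
    `threshold` standard deviations above that user's own baseline.
    The standard deviation is floored at 1 so a flat baseline does not
    turn a difference of one logon into a huge z-score."""
    alerts = []
    for user, counts in history.items():
        mean = statistics.mean(counts)
        stdev = max(statistics.pstdev(counts), 1.0)
        z = (today.get(user, 0) - mean) / stdev
        if z > threshold:
            alerts.append((user, round(z, 1), "logon-count-anomaly"))
    return alerts


def run_detections():
    """Run all three layers and return their alerts keyed by method."""
    return {
        "signature": signature_detect(PROCESS_EVENTS),
        "behavior": behavior_detect(PROCESS_EVENTS),
        "anomaly": anomaly_detect(LOGON_HISTORY, LOGONS_TODAY),
    }


if __name__ == "__main__":
    for method, alerts in run_detections().items():
        print(method, alerts)
```

The point of running the layers side by side is the overlap: the encoded PowerShell in the second event has a hash the signature list does not know, so only the behavior rule sees it, while the dropper it launches is caught by the hash lookup. The logon spike for `bob` is invisible to both of those and is only surfaced by comparing him against his own baseline. The same predicates, run over historical events rather than the live stream, are what an analyst uses when hunting.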
Although software is critical, people play an equally important role in cyberthreat detection. In addition to triaging and investigating system-generated alerts, analysts use cyberthreat hunting techniques to proactively search for indicators of compromise (IOCs), or they look for tactics, techniques, and procedures (TTPs) that suggest a potential threat the automated rules have not flagged. These approaches help the SOC quickly uncover and stop sophisticated, hard-to-detect attacks.