To detect security threats effectively you can utilize five different threat detection methods. By organizing your threat detection by different techniques you will improve your chances of finding security threats. The different threat detection methods complement each other and are good at different angles – combining them will help you the most.
Threat detection approaches
Threat detection methods are all about finding potential threats to your environment. In this case we are looking for threats related to computer and network security.
The goal is in the end to find bad stuff on computers, security threats. To accomplish this we can use a number of tactics.
How you find threats is not as relevant as the fact that you actually are finding them. But in order to detect threats and search for threats in a more structured manner it helps to know the different detection methods. If you know that there exists five methods to find security threats you can choose a specific method and dive down deeper into that method to learn it thoroughly.
You can implement different detection systems based on the different detection methods to improve your odds of finding that one critical intrusion.
Signature detection
The signature based approach is targeted at finding already known threats. Signature based detection can be implemented in a few different ways. Signatures can be detected at the computer or network level. Examples of signatures that can be used for detection:
- Your antivirus software checks the file hash of the files on your computer against known malicious file hashes.
- Your firewall checks for strings your network packets that previously have been identified with network vulnerability exploits.
Trend detection
Trend based detection is not the most granular detection method. This method will tell you that something is not as usual. Something has deviated from the trend.
One example is a monitoring of bandwidth consumption for your web server. Your bandwidth monitoring tool displays a nice graph of the amount of data transferred per hour. From observing this graph you detect that your web server’s outgoing traffic has been increasing for the past few hours while the incoming data has not increased at all.
The trend was clear before this. Outgoing and incoming data was correlated. Now there is a lot more data going out than coming in. Identifying the trend shift and investigating why it is occurring might be a good idea.
Anomaly detection
This technique is similar to trend based detection. With anomaly based detection you want to begin monitoring an assumed clean environment – an environment without security threats. By monitoring the assumed clean environment you get an idea for what is normal in that environment. This is your baseline – you assume that everything that has been monitored up until now is how the environment is expected to behave.
From this point forward you want your anomaly detection to alert on anything that occurs that is not included in the baseline. For practical examples you can read and follow along the these labs:
- Windows processes anomaly detection
- Windows DLL anomaly detection script
- Windows services anomaly detection script
Heuristic detection
Detecting a threat via heuristics is performed by observing and comparing identified behaviors with known suspicious or malicious behaviors.
For example: a typical suspicious behavior is to query the computer about what type of antivirus software it is running. Why would a normal program ask the computer about what antivirus is installed? A heuristic detection here would be to alert on every software that asks this question because it is a known suspicious action.
Manual detection
Manual detection of security threats relies on the intuition of the person performing the investigation. This approach is more useful than the others if the threat that you want to detect is something that would not easily be detected automatically with any of the other methods.
Another scenario when manual detection is useful is when looking into something that would generate a lot of false positive alerts if implemented as an automatic detection with any of the other methods. A lot of false positives is like ‘calling wolf’ over and over again – the person doing the investigating will get tired of this alert. Either a lot of time and energy needs to be spent on tuning this automatic alert to get it to an acceptable false positive level. But.
The better solution is to have a person manually perform an investigation. While eyeballing the results a person should quickly and relatively easily be able to get an idea of what might be an issue.
Read this post on Windows manual anomaly detection to get ideas on tools to use.
