Threat Detection and Response

Learn the fundamentals of detecting and responding to cybersecurity threats as well as implementing a threat detection program.


What is threat detection and response?

Threat detection and response is the practice of identifying any malicious activity that could compromise the network and then composing a proper response to mitigate or neutralize the threat before it can exploit any present vulnerabilities.

In the context of an organization's security program, the concept of "threat detection" is multifaceted. Even the best security programs must plan for worst-case scenarios: when someone or something has slipped past their defensive and preventative technologies and becomes a threat.

Detection and response is where people join forces with technology to address a breach. A strong threat detection and response program combines people, processes, and technology to recognize signs of a breach as early as possible and take the appropriate action.

Detecting threats

When it comes to detecting and mitigating threats, speed is crucial. Security programs must be able to detect threats quickly and efficiently so attackers don't have enough time to root around in sensitive data. A business's defensive programs can ideally stop a majority of previously seen threats, meaning they should already know how to deal with them.

These threats are considered "known" threats. However, there are additional "unknown" threats that an organization aims to detect. This means the organization has not encountered them before, perhaps because the attacker is using a new method or technique.

Known threats can sometimes slip past even the best defensive measures, which is why most security organizations actively look for both known and unknown threats in their environment. So how can an organization try to detect both known and unknown threats?

Leveraging threat intelligence

Threat intelligence is a way of looking at signature data from previously seen attacks and comparing it to enterprise data to identify threats. This makes it particularly effective at detecting known, but not unknown, threats. Known threats are those that are recognizable because the malware or attacker infrastructure has already been identified as associated with malicious activity.

Unknown threats are those that haven't been identified in the wild (or are ever-changing), but threat intelligence suggests that threat actors are targeting a swath of vulnerable assets, weak credentials, or a specific industry vertical. User behavior analytics (UBA) are invaluable in helping to quickly identify anomalous behavior, possibly indicating an unknown threat, across your network. UBA tools establish a baseline for what is "normal" in a given environment, then use analytics (or, in some cases, machine learning) to determine when behavior is straying from that baseline and alert on it.
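The two detection styles described above, as an added example that is not Rapid7's or InsightIDR's code: a threat-intelligence feed catches a "known" source IP by signature match, while a UBA-style per-user baseline flags "unknown" deviations (a new source at an unusual hour, a burst of failed logins, a user with no history). All events, IPs and thresholds are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample events (user, source_ip, hour_of_day, outcome); BASELINE_EVENTS is the learning window.
BASELINE_EVENTS = [
    ("alice", "10.0.0.5", 9, "success"), ("alice", "10.0.0.5", 10, "success"),
    ("alice", "10.0.0.5", 17, "success"), ("bob", "10.0.0.9", 8, "success"),
    ("bob", "10.0.0.9", 13, "success"), ("bob", "10.0.0.9", 16, "success"),
]
NEW_EVENTS = [
    ("alice", "10.0.0.5", 11, "success"),      # within baseline: no alert
    ("alice", "203.0.113.7", 3, "success"),    # new source at an unusual hour
    ("bob", "198.51.100.77", 14, "success"),   # source listed in the intel feed
    *[("bob", "10.0.0.9", 15, "failure")] * 3, # three failed logins in the window
    ("carol", "10.0.0.20", 12, "success"),     # user with no baseline at all
]
# Constructed threat-intelligence feed: IPs previously seen as attacker infrastructure.
THREAT_INTEL_IPS = {"198.51.100.77"}


def build_baseline(events):
    """Per-user profile of usual source IPs and login hours: UBA's notion of 'normal'."""
    profile = defaultdict(lambda: {"ips": set(), "hours": set()})
    for user, ip, hour, outcome in events:
        if outcome == "success":
            profile[user]["ips"].add(ip)
            profile[user]["hours"].add(hour)
    return dict(profile)


def detect(events, baseline, intel_ips, hour_slack=1, fail_threshold=3):
    """Known threats via signature matching; unknown ones via deviation from baseline."""
    alerts, failures = [], defaultdict(int)
    for user, ip, hour, outcome in events:
        if ip in intel_ips:                      # known: matches threat intel
            alerts.append((user, ip, "known: source IP matches threat intel"))
            continue
        if outcome == "failure":                 # unknown: burst of failed logins
            failures[user] += 1
            if failures[user] == fail_threshold:
                alerts.append((user, ip, "unknown: failed-login burst"))
            continue
        profile = baseline.get(user)
        if profile is None:                      # unknown: nothing to compare against
            alerts.append((user, ip, "unknown: first-seen user"))
            continue
        new_ip = ip not in profile["ips"]
        off_hours = all(abs(hour - h) > hour_slack for h in profile["hours"])
        if new_ip and off_hours:                 # requiring two deviations cuts noise
            alerts.append((user, ip, "unknown: new source at unusual hour"))
    return alerts
```

Running `detect(NEW_EVENTS, build_baseline(BASELINE_EVENTS), THREAT_INTEL_IPS)` yields one "known" alert and three "unknown" ones; alice's normal-hours login from her usual host produces none.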

Attacker behavior analytics (ABA) can expose the various tactics, techniques, and procedures (TTPs) by which attackers gain access to your corporate network. These include things like malware, cryptojacking (using your assets to mine cryptocurrency), and exfiltration of confidential data.

During a breach, every moment an attacker is undetected is time for them to tunnel further into your environment. A combination of UBA and ABA offers a great starting point to ensure your security operations center (SOC) can spot potential threats early in the attack chain.

Responding to security incidents

One of the most critical aspects of implementing a proper incident response framework is stakeholder buy-in and alignment before the framework is launched. No one likes surprises or questions after the fact when important work is waiting to be done. Basic incident response questions include:

  • Does the team know who is responsible at each stage of incident response?
  • Is the proper chain of communication well understood?
  • Do team members know when and how to escalate issues as needed?

A great incident response plan and playbook minimizes the impact of a breach and ensures things run smoothly, even in a stressful breach situation. If you are just getting started, some important considerations include:

  • Define roles and responsibilities for handling incidents: these responsibilities, including contact information and backups, should be documented in an easily accessible place.
  • Consider who to contact: think beyond IT and security teams to document which cross-functional or third-party stakeholders, such as legal, PR, your board, or customers, should be notified and when. Knowing who owns these various communications and how they should be executed will help ensure responses run smoothly and expectations are met along the way.

What should a strong threat detection program employ?

  • Security event threat detection technology to aggregate data from events across the network, including authentication, network access, and logs from critical systems.
  • Network threat detection technology to understand traffic patterns on the network and monitor traffic within the network as well as to and from the internet.
  • Endpoint threat detection technology to provide detailed information about possibly malicious events on user machines, as well as any behavioral or forensic information to aid in investigating threats.
  • Penetration testing, in addition to other preventative controls, to validate detection telemetry and coordinate response.

Proactive threat detection programs

To add a bit more to the element of telemetry and being proactive in threat response, it is important to understand that there is no single solution. Instead, a combination of tools acts as a net across the entirety of an organization's attack surface, end to end, trying to catch threats before they become serious problems.

Setting attacker traps with honeypots

Some targets are simply too tempting for an attacker to pass up. Security teams know this, so they set traps in hopes that an attacker will take the bait. Within the context of an organization's network, an intruder trap could include a honeypot target that may seem to house network services that are especially appealing to an attacker, or "honey credentials" that appear to have the user privileges an attacker would need in order to gain access to sensitive systems or data.

When an attacker goes after this bait, it triggers an alert so the security team knows there is suspicious activity in the network that they should investigate. Learn more about the different types of deception technology.

Threat hunting

Rather than waiting for a threat to appear in the organization's network, a threat hunt enables security analysts to actively go into their own network, endpoints, and security technology to look for threats or attackers that may be lurking as yet undetected. This is an advanced technique generally performed by veteran security and threat analysts.

By employing a combination of these proactive defense methods, a security team can monitor the security of the organization's employees, data, and critical assets. They will also increase their chances of quickly detecting and mitigating a threat.
