Threat Detection Engineering: The Series

VanVleet
2 min readJan 23, 2024


This series is an attempt to step back from the day-to-day efforts and think about the core concepts and principles of Threat Detection and Hunting, then identify a winning strategy for keeping attackers out of our networks. I’ll then offer some practical applications to help refine how we do those day-to-day Detection Engineering efforts.

The series will present threat detection as a game of probability and create a visual model for thinking about how we can maximize the chances of reliably winning that game. It will offer a loose mathematical approach to evaluating the value of a given detection and discuss incremental detection costs to help you determine whether a detection (or a collection of them) is helping you win the game. It will look at the relative strengths of threat detection and threat hunting (and how they differ from one another). It will provide an analytic tool to help you identify attack techniques as accurately as possible with your available telemetry.

Hopefully it will be useful in helping you define, refine, or clarify your own thoughts! If you have questions or topics you’d like me to address in future posts, let me know in the comments!

This post will serve as the index to tie together the rest of the articles in the series. I’ll categorize the articles as primarily Strategy or Application, though I’ll include a bit of both in each article. The application articles will draw heavily on the concepts and terminology established in the strategy ones, so I’d recommend reading those first. Here we go!

Strategy

  1. Plotting a Winning Threat Detection Strategy: A Visual Model
  2. Identifying and Classifying Attack Techniques
  3. The Relative Strengths of Threat (Detection|Hunting)

Application

  1. Threat Detection Cost vs. Coverage
  2. Improving Threat Identification with Detection Data Models
  3. DDM Use Case: What ATT&CK Gets Wrong about Process Injection
  4. Mistaken Identification: When an Attack Technique isn’t a Technique


VanVleet

A Cyber Security professional with just shy of 20 years' experience in the public and private sectors. I have a particular passion for Threat Detection and Hunt.