Introduction: Detect Cyber Attacks

“The world is full of obvious things which nobody by any chance ever observes.” – Sherlock Holmes

Advanced persistent threat (APT)

One of the greatest fears of any security professional is undetected malicious activity on the network. Stealth is one of the attacker's primary tools, and most malware is built to avoid notice. An advanced persistent threat (APT) is an adversary, together with the malware and tooling it deploys, that maintains a foothold on a network for an extended period, observing and reporting back without being noticed.

Note: An interesting definition of APT comes from the security vendor, Damballa: “Advanced persistent threats (APTs) are a cybercrime category directed at business and political targets. APTs require a high degree of ‘stealthiness’ over a prolonged duration of operation to be successful. Therefore, the attack objectives typically extend beyond immediate financial gain, and compromised systems continue to be of service even after key systems have been breached and initial goals reached.”

Attributes of the response to a detection

This section discusses the detective form of security, where sensors generate alerts for security personnel to respond to. The response to each alert should have the following attributes:

  • Predefined

  • Documented

  • Rehearsed

  • Communicated to the team

  • Periodically reviewed

  • Updated

Security alerts that have no defined response are of debatable value: they produce noise and distracting busywork rather than action.

This section focuses on tactics, techniques, and procedures (TTP) that can be used to help detect security events. Defensive tactics can include implementing individual controls or a more comprehensive security solution that provides various sensors.

Importance of security sensors

If we rely on security controls for constant real-time monitoring, we need assurance that their sensors are actually running. In other words, the monitors need monitors. The absence of an alert does not mean that no security event occurred; it may mean that the sensor which would have raised it is down.

For example, an uptime monitor, such as a heartbeat, is an important part of implementing any security control. The heartbeat confirms the health and continuous operation of a sensor. A dashboard can display the status of every heartbeat, giving an overview of the health of all sensors deployed across the network and endpoints. The check has to distinguish a sensor that has gone quiet from one that never checked in at all, and it should treat a heartbeat that is ahead of the monitor's own clock as suspect rather than as proof of life.
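The following is an added example, not code from the original page: a minimal "monitor for the monitors" that reads a constructed heartbeat feed, keeps the newest heartbeat per sensor, and classifies every sensor in an expected inventory as healthy, degraded, stale, silent (never reported) or clock-skew (heartbeat from the future). The feed format (`<ISO-8601 timestamp> <sensor_id> <status>`), the sensor names, the 60-second interval and the two-missed-beats threshold are all assumptions for illustration.

```python
"""Sensor heartbeat monitor: the 'monitor for the monitors'.

Added example, not from the original page. Assumes a constructed heartbeat
feed in which each sensor emits one line per interval of the form
    <ISO-8601 timestamp> <sensor_id> <status>
"""
from datetime import datetime, timedelta, timezone

# Constructed sample feed (hypothetical sensor names). ids-core-1 and
# dns-log-fwd keep reporting, edr-ws-17 stopped after its first beat,
# and ids-dmz-1 never appears at all.
SAMPLE_HEARTBEATS = """\
2024-05-01T12:00:05Z ids-core-1 ok
2024-05-01T12:00:07Z edr-ws-17 ok
2024-05-01T12:00:09Z dns-log-fwd ok
2024-05-01T12:01:05Z ids-core-1 ok
2024-05-01T12:01:09Z dns-log-fwd ok
2024-05-01T12:02:05Z ids-core-1 ok
2024-05-01T12:02:09Z dns-log-fwd degraded
"""

# Inventory of sensors that are expected to report (constructed). A sensor
# that is deployed but never checks in is found only by comparing against
# an inventory, never by looking at the feed alone.
EXPECTED_SENSORS = ("ids-core-1", "ids-dmz-1", "edr-ws-17", "dns-log-fwd")

# Assumed tuning: a sensor that has missed two consecutive beats is down.
HEARTBEAT_INTERVAL = timedelta(seconds=60)
MISSED_BEATS_ALLOWED = 2
STALE_AFTER = HEARTBEAT_INTERVAL * MISSED_BEATS_ALLOWED  # 120 seconds

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_ts(ts):
    """Parse a UTC 'Z' timestamp into an aware datetime."""
    return datetime.strptime(ts, TS_FORMAT).replace(tzinfo=timezone.utc)


def parse_heartbeats(text):
    """Return {sensor_id: (last_seen, last_status)}, keeping the newest line per sensor."""
    last = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sensor, status = line.split()
        seen = parse_ts(ts)
        if sensor not in last or seen > last[sensor][0]:
            last[sensor] = (seen, status)
    return last


def sensor_health(heartbeats, expected, now, stale_after=STALE_AFTER):
    """Classify every expected sensor as healthy, degraded, stale, silent or clock-skew."""
    report = {}
    for sensor in expected:
        if sensor not in heartbeats:
            # Never checked in: failed deployment or a broken feed, not 'all clear'.
            report[sensor] = "silent"
            continue
        seen, status = heartbeats[sensor]
        age = now - seen
        if age < timedelta(0):
            # A beat from the future is not proof of life; the clock or the feed is wrong.
            report[sensor] = "clock-skew"
        elif age > stale_after:
            report[sensor] = "stale"
        elif status != "ok":
            report[sensor] = "degraded"
        else:
            report[sensor] = "healthy"
    return report


def alerts(report):
    """Sensors whose state needs a response: the dashboard's red cells."""
    return sorted(s for s, state in report.items() if state != "healthy")


def demo_report(now_iso="2024-05-01T12:02:30Z"):
    """Run the monitor over the constructed feed as of a given 'now'."""
    return sensor_health(parse_heartbeats(SAMPLE_HEARTBEATS), EXPECTED_SENSORS, parse_ts(now_iso))


if __name__ == "__main__":
    report = demo_report()
    for sensor, state in report.items():
        print(f"{sensor:12s} {state}")
    print("needs response:", alerts(report))
```

At the sample "now" of 12:02:30 the monitor reports ids-core-1 healthy, dns-log-fwd degraded (it reported, but with a non-ok status), edr-ws-17 stale (last beat 143 seconds ago, beyond the 120-second threshold) and ids-dmz-1 silent. The two conditions that are easiest to get wrong in a real dashboard are the last two: a sensor missing from the feed entirely only shows up because the code walks the inventory rather than the feed, and a negative age is reported as its own state instead of being silently treated as fresh.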

Maturity levels applied

As in chapter one, each of the following security controls carries a security maturity level indicator, based on the complexity and cost of implementing and maintaining the item and on how essential it is to the foundation of a typical organization's information security program.
