Threat Detection and Response

Learn the basics of detecting and responding to cybersecurity threats, and of implementing a threat detection program.


What is Threat Detection and Response?

Threat detection and response is the practice of identifying any malicious activity that could compromise the network, then composing a proper response to mitigate or neutralize the threat before it can exploit any vulnerabilities that are present.

Within the context of an organization's security program, the concept of "threat detection" is multifaceted. Even the best security programs must plan for worst-case scenarios: when someone or something has slipped past their defensive and preventative technologies and becomes a threat.

Detection and response is where people join forces with technology to address a breach. A strong threat detection and response program combines people, processes, and technology to recognize signs of a breach as early as possible, and take appropriate actions.

Detecting Threats

When it comes to detecting and mitigating threats, speed is crucial. Security programs must be able to detect threats quickly and efficiently so attackers don't have enough time to root around in sensitive data. Ideally, a business's defensive programs can stop the majority of threats it has seen before, meaning they should already know how to fight them.

These threats are considered "known" threats. However, organizations also need to detect additional "unknown" threats. This means the organization hasn't encountered them before, perhaps because the attacker is using new methods or technologies.

Known threats can sometimes slip past even the best defensive measures, which is why most security organizations actively look for both known and unknown threats in their environment. So how can an organization detect both known and unknown threats?

Leveraging Threat Intelligence

Threat intelligence is a way of looking at signature data from previous attacks and comparing it to enterprise data to identify threats. This makes it particularly effective at detecting known threats, but not unknown ones. Known threats are those that are recognizable because the malware or attacker infrastructure has already been identified as associated with malicious activity.

Unknown threats are those that have not yet been identified in the wild (or that are constantly changing), but where threat intelligence shows that threat actors are targeting a range of vulnerable assets, weak credentials, or a specific industry vertical. User behavior analytics (UBA) is invaluable in helping to quickly identify anomalous behavior in the network that could indicate an unknown threat. UBA tools establish a baseline for what is "normal" in a given environment, then leverage analytics (or in some cases, machine learning) to determine and alert when behavior deviates from that baseline.

Attacker behavior analytics (ABA) can expose the various tactics, techniques, and procedures (TTPs) attackers use to gain access to your corporate network. TTPs include things like malware, cryptojacking (using your assets to mine cryptocurrency), and confidential data exfiltration.

During a breach, every moment an attacker goes undetected is time for them to burrow deeper into your environment. The combination of UBA and ABA provides a great starting point for ensuring your security operations center (SOC) is alerted to potential threats as early as possible in the attack chain.
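The two detection styles described above, as an added example that is not Rapid7's code or part of the original page: threat-intelligence matching flags events whose source address is on an indicator list (known threats), and a UBA-style detector learns each user's normal login hours and hosts from a baseline window, then flags deviations (unknown threats). All log lines, addresses, hostnames, users and the indicator list are constructed sample values.

```python
"""
Added example (not Rapid7's code): two complementary detectors run over a
constructed set of authentication log lines.

  1. detect_known_threats   - threat-intelligence style matching: flag any
     event whose source IP appears on a (constructed) indicator list.
  2. detect_unknown_threats - UBA style baselining: learn each user's normal
     login hours and source hosts from a training window, then flag
     deviations in the window under review.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample auth events: "<timestamp> <user> <src_ip> <host> <result>"
BASELINE_LOG = """\
2024-03-04T09:02:11 alice 10.0.1.15 ws-alice success
2024-03-04T17:30:05 alice 10.0.1.15 ws-alice success
2024-03-05T08:55:40 alice 10.0.1.15 ws-alice success
2024-03-05T18:01:22 alice 10.0.1.15 ws-alice success
2024-03-04T09:10:00 bob 10.0.1.22 ws-bob success
2024-03-05T09:05:13 bob 10.0.1.22 ws-bob success
"""

REVIEW_LOG = """\
2024-03-06T09:00:03 alice 10.0.1.15 ws-alice success
2024-03-06T03:12:48 alice 10.0.1.99 fileserver-01 success
2024-03-06T09:07:30 bob 10.0.1.22 ws-bob success
2024-03-06T11:41:09 bob 203.0.113.7 vpn-gw success
"""

# Constructed threat-intelligence indicators (RFC 5737 documentation addresses).
MALICIOUS_IPS = {"203.0.113.7", "198.51.100.44"}


def parse_log(text):
    """Parse the space-separated sample format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src_ip, host, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "src_ip": src_ip, "host": host, "result": result})
    return events


def detect_known_threats(events, indicators):
    """Known-threat detection: an event matches if its source IP is a listed IoC."""
    return [e for e in events if e["src_ip"] in indicators]


def build_baseline(events):
    """Per-user profile of the login hours and source hosts seen in the baseline window."""
    profile = defaultdict(lambda: {"hours": set(), "hosts": set()})
    for e in events:
        profile[e["user"]]["hours"].add(e["ts"].hour)
        profile[e["user"]]["hosts"].add(e["host"])
    return profile


def detect_unknown_threats(events, baseline, hour_slack=1):
    """UBA-style detection: flag logins outside the learned hours (with
    +/- hour_slack tolerance) or from a host never seen for that user."""
    findings = []
    for e in events:
        prof = baseline.get(e["user"])
        if prof is None:
            findings.append((e, "user has no baseline"))
            continue
        reasons = []
        if not any(abs(e["ts"].hour - h) <= hour_slack for h in prof["hours"]):
            reasons.append("login hour outside baseline")
        if e["host"] not in prof["hosts"]:
            reasons.append("host never seen for user")
        if reasons:
            findings.append((e, "; ".join(reasons)))
    return findings


def run():
    """Build the baseline, then run both detectors over the review window."""
    baseline = build_baseline(parse_log(BASELINE_LOG))
    review = parse_log(REVIEW_LOG)
    return detect_known_threats(review, MALICIOUS_IPS), detect_unknown_threats(review, baseline)


if __name__ == "__main__":
    known, unknown = run()
    for e in known:
        print(f"[IoC match]   {e['user']} from {e['src_ip']} on {e['host']}")
    for e, why in unknown:
        print(f"[UBA anomaly] {e['user']} at {e['ts']:%H:%M} on {e['host']}: {why}")
```

Note how the two detectors overlap only partially: bob's VPN login is caught by both (listed address, unusual hour and host), while alice's 03:12 login to the file server is invisible to the indicator match and surfaces only because it deviates from her baseline. A real UBA deployment would use far longer baselines and richer features, but the structure is the same.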

Responding to Security Incidents

One of the most critical aspects of implementing a proper incident response framework is stakeholder involvement and coordination prior to launching the framework. Nobody likes surprises or having to ask questions after the fact when there's important work to do. Basic incident response questions include:

  • Do teams know who is responsible at each phase of incident response?
  • Is the proper chain of communications well understood?
  • Do team members know when and how to escalate issues as needed?

A good incident response plan and playbook can minimize the impact of a data breach and ensure things run smoothly, even in a stressful breach scenario. If you're just getting started, some important considerations include:

  • Defining roles and duties for handling incidents: These responsibilities, including contact information and backups, should be documented in a readily accessible channel.
  • Considering who to loop in: Beyond the IT and security teams, document which cross-functional or third-party stakeholders – such as legal, PR, your board of directors, or customers – should be looped in and when. Knowing who owns these different communications and how they are carried out will help ensure the response runs smoothly and expectations are met throughout the process.

What Should a Robust Threat Detection Program Employ?

  • Security event threat detection technology to aggregate data from events across the network, including authentication, network access, and logs from critical systems.
  • Network threat detection technology to understand traffic patterns on the network and to monitor network traffic, both between systems and to the internet.
  • Endpoint threat detection technology to provide detailed information about possibly malicious events on user machines, as well as any behavioral or forensic information that aids in investigating threats.
  • Penetration testing, in addition to other preventative controls, to understand detection telemetry and coordinate a response.

A Proactive Threat Detection Program

To add an element of telemetry and be proactive in threat response, it's important to understand that there is no single solution. Instead, a combination of tools acts as a net across the entirety of an organization's attack surface, from end to end, to try to capture threats before they become serious problems.

Setting Attacker Traps with Honeypots

Some targets are just too tempting for an attacker to pass up. Security teams know this, so they set traps in the hope that an attacker will take the bait. Within an organization's network, an intruder trap could include a honeypot target that appears to host network services especially appealing to an attacker, or "honey credentials" that appear to carry the user privileges an attacker would need to reach sensitive systems or data.

When an attacker goes after this bait, it triggers an alert so the security team knows there is suspicious activity in the network that should be investigated.
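The honey-credential trap above, as an added example that is not Rapid7's code or part of the original page: a minimal authentication gateway carries a decoy account that no legitimate workflow ever uses, so any attempt against it, with the right password or not, is a high-confidence alert, and the decoy never actually grants access. The account names, passwords, salt and source addresses are constructed sample values, and the gateway itself is a stand-in for whatever directory or service the real credentials would be planted in.

```python
"""
Added example (not Rapid7's code): an authentication front end that carries a
decoy ("honey") account. Real staff never use it, so any login attempt against
it is a high-confidence signal that someone is using credentials they should
not have. Names, passwords and addresses are constructed sample values.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Fixed salt so the example is deterministic; a real store uses a random salt per user.
_SALT = b"constructed-fixed-salt"


def _digest(password):
    """Salted PBKDF2-SHA256 password digest (iteration count kept low for the demo)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 20_000)


# Constructed user store: one real account and one decoy. The decoy is kept in the
# directory so it is discoverable like any other account, but it is never usable.
USERS = {
    "alice": _digest("correct horse battery staple"),
    "svc_backup_admin": _digest("Summer2024!"),   # decoy, looks like a privileged service account
}
HONEY_ACCOUNTS = {"svc_backup_admin"}


@dataclass
class Alert:
    severity: str
    user: str
    src_ip: str
    detail: str


class AuthGateway:
    """Verifies credentials and records alerts whenever a honey account is touched."""

    def __init__(self):
        self.alerts = []

    def login(self, user, password, src_ip):
        """Return True only for a valid login to a real account.

        A honey account raises an alert regardless of the password outcome and
        never grants access; the alert carries the source address so the SOC
        can pivot to the host that presented the decoy credential.
        """
        if user in HONEY_ACCOUNTS:
            self.alerts.append(Alert("high", user, src_ip,
                                     "honey credential presented; investigate source host"))
            return False
        stored = USERS.get(user)
        if stored is None:
            return False
        # Constant-time comparison so the check itself leaks nothing about the digest.
        return hmac.compare_digest(stored, _digest(password))


if __name__ == "__main__":
    gw = AuthGateway()
    print("alice ok:", gw.login("alice", "correct horse battery staple", "10.0.1.15"))
    print("decoy ok:", gw.login("svc_backup_admin", "Summer2024!", "10.0.1.99"))
    for a in gw.alerts:
        print(f"[{a.severity}] {a.user} from {a.src_ip}: {a.detail}")
```

The important design points are that the alert fires on the attempt, not on success, and that the decoy can never authenticate, so the trap adds detection value without adding a real privileged account to the environment.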

Threat Hunting

Rather than waiting for threats to appear in an organization's network, threat hunting enables security analysts to actively go out into their own network, endpoints, and security technology to look for threats or attackers that may be lurking as yet undetected. This is an advanced technique typically performed by veteran security and threat analysts.

By employing a combination of these proactive defensive methods, a security team can monitor the security of the organization's employees, data, and critical assets. It also increases its chances of quickly detecting and mitigating threats.
