Tips for success when building a detection capability

The necessary move to detection and response

As cyber incidents continue, security focus has shifted from prevention toward resilience and a broader set of capabilities, including timely detection and the ability to respond to live incidents. With budgets increasing, CISOs need to establish a capability that detects modern attacks while demonstrating a return on investment. Furthermore, as attacker tactics, techniques and procedures (TTPs) evolve, an adaptive detection capability that can continuously improve is required. Technology alone is not the solution. As Gartner (2017) contends, “the shift to detection and response approaches spans people, process and technology elements.” Implementing, and then continually improving, the overall capability is therefore challenging, particularly in the context of the global skills shortage.

In our previous article, the necessary combination of trained human insight with technology was highlighted. Perhaps as a result of the global cyber skills shortage, organizations commonly place too much reliance on the many “blinky boxes” swamping the market. Shrewd marketing makes it easy to believe that, once implemented, a given technology will detect the right attacks 100% of the time. This is most often not the case. Reliable detection is more of an engineering problem: it requires careful deployment and tuning, and it benefits from environmental context and an understanding of the latest attack methods.


The benefits of an effective detection capability

In light of these challenges, this article provides useful advice on how to ensure your security monitoring function provides an effective detection capability that is practically aligned to the following, interrelated factors:

-     An understanding of your organization’s environment

-     The tactics, techniques and procedures of your most likely adversaries

-     Continuous incremental improvement

Too often we see security monitoring teams failing to develop a meaningful detection capability, perhaps due to an overreliance on signature-based detection, or on alerts and playbooks that bear no relation to modern attack techniques. An effective security monitoring team analyzes the right data sources and detects the attack techniques it needs to, resulting in reduced risk to the business. Building a reliable detection capability rests on several factors, each of which relates to what MWR’s consultants see on a regular basis when working with security teams.


Understanding your environment

Security monitoring teams need to know what it is they should be protecting. At the highest level, this may take the form of a threat assessment or business risk assessment, in which the business identifies its critical assets and ranks the relative priority of foreseeable events. And yet this process is so often poorly implemented, or bypassed completely, due to factors such as a lack of collaboration or a lack of understanding of what could go wrong. Neglecting this step causes inaccuracies when designing, implementing and managing security monitoring, because the risks it aims to mitigate may be incorrectly prioritized. While it is best to undertake the assessment as early as possible, a monitoring team can also take this step at any point to check whether it is protecting the right assets from the priority threats.

A security monitoring team should also spend time considering and understanding the intricacies of its environment: the battlefield on which a cyber-attack will play out. Although a daunting challenge, knowing the layout, design, strengths and weaknesses of an organization’s IT infrastructure places the defender in the unique position of being able to predict an attacker’s most likely path or paths of entry. This allows preventive measures and monitoring to be placed in strategic locations.


Anticipating Attacker Actions

Furthermore, the defense team can use an understanding of the attacker’s mind-set to its advantage. If defenders can anticipate attacker actions within their environment, they can increase the chances of detection by pushing the enemy, unknowingly, along a specific but trip-wired path that leads to a prepared ambush. Exploiting such opportunities requires a combination of technology and procedures commonly referred to as Use Cases.


Use Cases   

Use Cases constitute a set of rules that, when matched, alert the detection team to a possible security incident. They are used to monitor various log sources and range in complexity, from simple signature-based alerts relating to known-bad actions or malware, to the collation and analysis of multiple logs to identify a user performing anomalous activities. Too often security teams rely on the out-of-the-box Use Cases provided with monitoring technologies, and increasingly on alerts driven by statistically anomalous behavior. Well-designed, tailored Use Cases can not only reliably detect attacker actions with a high signal-to-noise ratio (few false positives per true positive), but also drive investigation and containment.

To ensure the implementation of effective Use Cases (those that alert the security team to incidents that require further investigation or immediate intervention), an understanding of the particular threats facing an organization is essential. Identifying the most likely adversaries in terms of their motivations and tactics, techniques and procedures (TTPs) will inform the Use Case design and documentation, providing analysts with valuable insights to drive further investigation and effective containment. For example, a good Use Case will situate the alert in the lifecycle of an attack, helping an analyst anticipate what might happen next, and how to uncover prior actions which may present further avenues of investigation.

Applying context to Use Cases also assists in determining the severity of an alert. For example, if an alert triggers on an attempt to disable anti-virus, the meaning of that same alert will differ vastly depending on the host it pertains to: if it came from a domain controller it is likely to be far more serious than if it came from a developer’s workstation that is regularly tinkered with. This kind of enrichment depends on a maintained asset inventory; a host that fires an alert but does not appear in the inventory should itself be treated as a finding rather than silently given a default severity.

When it comes to deciding which of the many detection technologies to deploy, the “where” is as important as the “what.” For example, if controls are placed only at the perimeter of your estate, the extent of an attack may not be realized as a sophisticated attacker could quite easily bypass the perimeter without triggering an alert. This will make detecting and ultimately containing an attack difficult for the analysts and defenders. Ensuring a complementary deployment of detective and preventive controls throughout the estate better reflects the lifecycle of a modern attack. Lockheed Martin’s cyber kill chain acts as an effective guide when mapping controls to an attacker’s methodology, a point to be discussed in a future article. What is clear, given modern attack techniques, is that most organizations will require a combination of endpoint detection (usually a software agent), network level monitoring and logging from a range of preventive controls.            

Ultimately, regardless of the decision made, a technology’s effectiveness will depend greatly on the human insight and experience employed to triage and investigate the alerts and information it generates.


Measurement and Continuous Improvement

Lastly, regular testing that simulates modern attack techniques will help keep an organization’s defensive measures aligned with the changing threat landscape. Outcome-based testing that emulates the attacks you want to detect is most conducive to the development of an effective detection capability, while also demonstrating a return on investment. Once Use Cases have been proven to alert on the actions you realistically expect an attacker to perform, testing can be automated and repeated regularly to ensure a consistent level of detection over time; such replays confirm that the rules and the telemetry pipeline behind them still work, but they only cover actions you have already tested for. This frees up time for analysts, engineers and testers to develop new Use Cases that detect attacker actions beyond the existing automated alerts.
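The two mechanisms described above, a tailored Use Case whose severity changes with host context (from the Use Cases section) and an automated regression replay of the attacker actions it is meant to catch (this section), as one added Python example. This is illustrative code written for this article, not MWR's tooling or any product's rule language. The hostnames, users, asset inventory and event records are constructed; the severity adjustment per host criticality and the mapping of each Use Case to a kill chain stage are assumptions made for the example; the Windows Defender event 5001 and Sysmon event 10 IDs are the documented ones, but the event field names are simplified.

```python
# Added example: a small Use Case engine with asset context plus a repeatable
# regression check. Illustrative code for this article, not MWR tooling.
# Hosts, users and events are constructed; severity shifts and kill chain
# stages are assumptions; event IDs 5001 (Defender) and 10 (Sysmon) are the
# documented ones, field names are simplified.
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed asset inventory (hypothetical hosts). In practice this comes from
# a CMDB or the directory; it is what lets one rule mean different things on
# different hosts.
ASSETS: Dict[str, Dict[str, str]] = {
    "DC01":  {"role": "domain_controller",     "criticality": "critical"},
    "FS01":  {"role": "file_server",           "criticality": "high"},
    "DEV07": {"role": "developer_workstation", "criticality": "low"},
}

LEVELS = ["low", "medium", "high", "critical"]
# Assumed policy: host criticality moves a Use Case's base severity one step.
ADJUST = {"critical": +1, "high": 0, "medium": 0, "low": -1}


@dataclass
class UseCase:
    name: str
    base_severity: str
    kill_chain_stage: str          # where in the attack lifecycle it sits
    match: Callable[[dict], bool]  # predicate over one normalised event
    next_steps: str                # what the analyst should look at next


@dataclass
class Alert:
    use_case: str
    host: str
    user: str
    severity: str
    kill_chain_stage: str
    next_steps: str


def av_realtime_disabled(ev: dict) -> bool:
    # Defender/Operational event 5001: real-time protection disabled.
    return ev.get("source") == "Microsoft-Windows-Windows Defender" and ev.get("event_id") == 5001


def lsass_memory_read(ev: dict) -> bool:
    # Sysmon event 10 (ProcessAccess) on lsass.exe with PROCESS_VM_READ (0x10)
    # in the granted access mask: the footprint credential dumpers leave.
    if ev.get("source") != "Sysmon" or ev.get("event_id") != 10:
        return False
    if not ev.get("target_image", "").lower().endswith("\\lsass.exe"):
        return False
    return int(ev.get("granted_access", "0x0"), 16) & 0x10 != 0


USE_CASES: List[UseCase] = [
    UseCase("AV real-time protection disabled", "medium", "Installation",
            av_realtime_disabled, "Check who disabled it and what ran on the host afterwards."),
    UseCase("LSASS memory access", "high", "Actions on Objectives",
            lsass_memory_read, "Assume credentials are compromised; hunt for lateral movement."),
]


def adjusted_severity(base: str, criticality: str) -> str:
    i = LEVELS.index(base) + ADJUST.get(criticality, 0)
    return LEVELS[max(0, min(i, len(LEVELS) - 1))]


def evaluate(events: List[dict], use_cases=USE_CASES, assets=ASSETS) -> List[Alert]:
    """Run every Use Case over every event, enriching hits with host context."""
    alerts = []
    for ev in events:
        host = ev.get("host", "")
        ctx = assets.get(host)
        for uc in use_cases:
            if not uc.match(ev):
                continue
            sev = adjusted_severity(uc.base_severity, ctx["criticality"] if ctx else "")
            steps = uc.next_steps
            if ctx is None:  # an unknown host is itself a finding: inventory gap
                steps = "Host not in asset inventory; confirm ownership first. " + steps
            alerts.append(Alert(uc.name, host, ev.get("user", ""), sev, uc.kill_chain_stage, steps))
    return alerts


def regression_check(scenarios, use_cases=USE_CASES, assets=ASSETS) -> Dict[str, bool]:
    """Replay emulated attacker actions and benign noise. False marks a gap
    (expected alert missing) or a regression (benign event now alerting)."""
    results = {}
    for desc, ev, expected in scenarios:
        fired = {a.use_case for a in evaluate([ev], use_cases, assets)}
        results[desc] = (expected in fired) if expected else not fired
    return results


# Constructed sample telemetry, normalised to plain dicts.
SAMPLE_EVENTS = [
    {"host": "DEV07", "user": "alice", "source": "Microsoft-Windows-Windows Defender", "event_id": 5001},
    {"host": "DC01", "user": "svc_backup", "source": "Microsoft-Windows-Windows Defender", "event_id": 5001},
    {"host": "FS01", "user": "bob", "source": "Sysmon", "event_id": 10,
     "source_image": "C:\\Users\\bob\\AppData\\Local\\Temp\\pd.exe",
     "target_image": "C:\\Windows\\System32\\lsass.exe", "granted_access": "0x1010"},
    {"host": "FS01", "user": "bob", "source": "Sysmon", "event_id": 1, "image": "C:\\Windows\\System32\\notepad.exe"},
]

# (description, event, expected Use Case name or None when nothing should fire)
REGRESSION_SCENARIOS = [
    ("dc_av_off", SAMPLE_EVENTS[1], "AV real-time protection disabled"),
    ("lsass_dump", SAMPLE_EVENTS[2], "LSASS memory access"),
    ("benign_process", SAMPLE_EVENTS[3], None),
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(f"[{a.severity:>6}] {a.use_case} on {a.host} ({a.kill_chain_stage}): {a.next_steps}")
    print(regression_check(REGRESSION_SCENARIOS))
```

Run as a script, the same Defender event is reported as low on DEV07 and high on DC01, and the LSASS read on the file server carries the kill chain stage and next steps an analyst needs. In a real deployment the predicates live in the SIEM or EDR rule language and the scenarios come from an attack emulation tool; the point that carries over is that every False returned by `regression_check` is a tracked detection gap or regression, not a tuning afterthought.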



Accreditations & Certificates

MWR is an accredited member of The Cyber Security Incident Response Scheme (CSIR) approved by CREST (Council of Registered Ethical Security Testers).
MWR is certified under the Cyber Incident Response (CIR) scheme to deal with sophisticated targeted attacks against networks of national significance.
We are certified to comply with ISO 9001 and 14001 in the UK, internationally accepted standards that outline how to put effective quality and environmental management systems in place.
MWR is certified to comply with ISO 27001 to help ensure our client information is managed securely.
As an Approved Scanning Vendor MWR is approved by PCI SSC to conduct external vulnerability scanning services to PCI DSS Requirement 11.2.2.
We are members of the Council of Registered Ethical Security Testers (CREST), an organisation serving the needs of the information security sector.
MWR is a supplier to the Crown Commercial Service (CCS), which provides commercial and procurement services to the UK public sector.
MWR is a Qualified Security Assessor, meaning we have been qualified by PCI to validate other organisations' adherence to PCI DSS.
As members of CHECK we are measured against high standards set by NCSC for the services we provide to Her Majesty's Government.
MWR’s consultants hold Certified Simulated Attack Manager (CCSAM) and Certified Simulated Attack Specialist (CCSAS) qualifications and are authorized by CREST to perform STAR penetration testing services.