At its core, detection engineering functions within security operations and deals with the design, development, testing, and maintenance of threat detection logic. Threat detection logic is any rule, query, or tool used to detect activity that is either malicious, unexpected, or increases the risk that malicious activity will occur.https://panther.com/cyber-explained/detection-engineering-benefits/
So in my own words – we need hot sh!t to detect the adversary or their used tools, techniques and procedures. We need some good ideas and knowledge where we can place our detection to get the most out of it.
In my very early stages of the IT Security topic, I was in charge of managing a Snort IDS instance between my company network and the internet, outside our Packetfilter… Good old days – but after gathering a better understanding I asked myself:
“What benefit do we have to see all those scanning/attacking IP addresses if they don’t harm our systems?”.
Did you ever tried to change your perspective? It doesn’t really makes that much sense if you want to detect Lateral Movement within your network if you only have a point of view like me – outside the firewall, where the Bogeyman lives.
In my personal opinion, we should do as much as we can to cut off the low hanging fruits, but also keep in mind that we barely can reach the 100%. In archery there is a nice quotation:
Aim small, hit small.
For example, if you don’t aim small, you probably get a larger set on false positive alerts. This may become painful for your SOC, because they may get alert fatigue and would potentially ignore the bad things.
On the other hand, if you aim on targeting the 100% you may loose yourself in the rabbit whole, wasting time and money and others will pass by.
In my world there is no strict good/bad – there are a plenty of different shades between. Sometimes all you have is a screw to open the bottle of wine – then you have the best tool to use for your objective, just use it. If it’s expected to have not the best result – just say it (or mark it in your detection content).
The following sections will describe the underlying chapter, differentiated by the area where the capabilities help out:
- Network or
- Host or
- Log-Management / SIEM
- Suricata – A network IDS,
- EDR specific rules,