
What is Threat Detection?
Getting breached is a nightmare scenario, and most organizations that prioritize their information will put smart people and technologies to work as a defensive barrier against anyone who might try to cause trouble. But security is an ongoing process—not a guarantee.

Within the context of an organization's security program, the concept of "threat detection" is multifaceted. Even the best security programs must plan for worst-case scenarios, when someone or something has slipped past their defensive and preventative technologies and becomes a threat.


When it comes to detecting and mitigating threats, speed is crucial. Security programs must be able to detect threats quickly and efficiently so attackers don't have enough time to root around in sensitive data. Ideally, a business's defences stop the majority of threats, because most have been seen before and the defenders already know how to counter them. These are considered "known" threats. An organization also aims to detect "unknown" threats: ones it has not encountered before, perhaps because the attacker is using brand-new methods or technologies.

Known threats can sometimes slip past even the best defensive measures, which is why most security organizations actively look for both known and unknown threats in their environment. So how can an organization try to detect both known and unknown threats?

There are several methods available in the defender's arsenal that can help:

Leveraging Threat Intelligence
Threat intelligence is a way of looking at signature data from previously seen attacks and comparing it to enterprise data to identify threats. This makes it particularly effective at detecting known threats, but not unknown ones. Threat intelligence is frequently used to great effect in Security Information and Event Management (SIEM), antivirus, Intrusion Detection System (IDS), and web proxy technologies.

Analyzing User and Attacker Behavior Analytics
With user behavior analytics, an organization is able to gain a baseline understanding of what normal behavior for an employee would be: what kind of data they access, what times they log on, and where they are physically located, for example. That way, a sudden outlier in behavior—such as a 2 a.m. logon in Shanghai from someone who usually works from 9 to 5 in New York and doesn’t travel for business—stands out as unusual behavior and something a security analyst may need to investigate.

With attacker behavior analytics, there's no "baseline" of activity to compare information to; instead, small, seemingly unrelated activities detected on the network over time may in fact be breadcrumbs of activity that an attacker leaves behind. It takes both technology and the human mind to put these pieces together, but they can help form a picture of what an attacker may be up to within an organization's network.

Setting Intruder Traps
Some targets are just too tempting for an attacker to pass up. Security teams know this, so they set traps in hopes that an attacker will take the bait. Within an organization's network, an intruder trap could be a honeypot that appears to host network services that are especially appealing to an attacker, or "honey credentials" that appear to carry the user privileges an attacker would need to reach sensitive systems or data. Because no legitimate user or process ever touches this bait, any use of it triggers an alert, so the security team knows there is suspicious activity in the network that should be investigated.
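The following added example (not code from the original page) shows the two detection ideas above working over a few constructed logon records: the user behavior baseline check, with a "9 to 5 in New York" user suddenly logging on at 2 a.m. from Shanghai, and the honey credential trap, where any use of a decoy account is an alert. The user names, baselines, decoy account names, log format and fixed UTC offsets (standing in for real time zones) are all assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

# Per-user baselines learned from past activity (constructed, not from the page): UTC offset
# in hours standing in for a time zone, usual local logon hours [start, end), usual locations.
BASELINES = {
    "alice": (-5, 9, 17, {"New_York"}),           # works 9 to 5 in New York
    "bob": (-5, 8, 18, {"Boston", "New_York"}),
}

# Decoy accounts no legitimate process ever uses; any logon is an alert (hypothetical names).
HONEY_CREDENTIALS = {"svc_backup_admin", "dbadmin_legacy"}

# Constructed sample log lines: "<UTC timestamp> <user> <source city>".
SAMPLE_LOG = """\
2024-03-04T14:05:00Z alice New_York
2024-03-05T07:02:00Z alice Shanghai
2024-03-05T15:10:00Z bob Boston
2024-03-05T16:45:00Z svc_backup_admin Boston
"""

def check_event(line):
    """Return the alert reasons for one logon line (empty list when it looks normal)."""
    ts, user, location = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if user in HONEY_CREDENTIALS:
        # Intruder trap tripped: nothing legitimate uses the decoy, so it was harvested.
        return [f"honey credential '{user}' used from {location}"]
    if user not in BASELINES:
        return [f"no baseline for user '{user}'"]
    offset, start, end, locations = BASELINES[user]
    local = when.astimezone(timezone(timedelta(hours=offset)))
    reasons = []
    if not (start <= local.hour < end):
        reasons.append(f"logon at {local.strftime('%H:%M')} local, outside usual hours")
    if location not in locations:
        reasons.append(f"logon from unusual location {location}")
    return reasons

def scan_log(text):
    """Run every non-empty line through the checks; map alerting lines to their reasons."""
    alerts = {}
    for line in filter(None, text.splitlines()):
        reasons = check_event(line)
        if reasons:
            alerts[line] = reasons
    return alerts

if __name__ == "__main__":
    for line, reasons in scan_log(SAMPLE_LOG).items():
        print(line, "->", "; ".join(reasons))
```

In a real deployment the baseline would be learned from weeks of authentication logs rather than typed in, and the decoy account list would be shared only with the detection pipeline.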

Conducting Threat Hunts
Instead of waiting for a threat to appear in the organization's network, a threat hunt enables security analysts to actively go out into their own network, endpoints, and security technology to look for threats or attackers that may be lurking as-yet undetected. This is an advanced technique generally performed by veteran security and threat analysts.

Ideally, a well-developed security threat detection program should include all of the above tactics, amongst others, to monitor the security of the organization's employees, data, and critical assets.

Threat Detection Requires a Two-Pronged Approach
Threat detection requires both a human element and a technical element. The human element includes security analysts who analyze trends, patterns in data, behaviors, and reports, as well as those who can determine whether anomalous data indicates a potential threat or a false alarm.

But threat detection technology also plays a key part in the detection process. There's no magic bullet in threat detection, no single tool that will do the job. Instead, a combination of tools acts as a net across the entirety of an organization's network, from end to end, to capture threats before they become a serious problem.

A robust threat detection program should employ:

Security event threat detection technology to aggregate data from events across the network, including authentication, network access, and logs from critical systems.
Network threat detection technology to understand traffic patterns on the network and monitor traffic within and between trusted networks, as well as to the internet.
Endpoint threat detection technology to provide detailed information about possibly malicious events on user machines, as well as any behavioral or forensic information to aid in investigating threats.
By employing a combination of these defensive methods, you’ll be increasing your chances of detecting and mitigating a threat quickly and efficiently. Security is a continuous process, and nothing is guaranteed. It’ll be up to you and the resources and processes you put in place to keep your business as secure as possible.