• 4 hours
  • Easy


Last updated on 9/30/24

Discover How to Detect Attackers

From this point on, we’re going to focus on the people on the front line against cyberattackers and, in particular, the teams and job roles involved in cybersecurity. You’ll discover that there’s something for everyone: jobs focused on cybersecurity or interacting with the wider ecosystem, technical or organizational roles, and more! Brace yourself because you’re going to meet a lot of people!

To help with this, we’ll be using several frameworks for the cybersecurity profession. You can find these resources in the Key Resources document. These frameworks are very detailed. They list the tasks involved in the various cybersecurity roles, along with the skills and qualities required for each of them. I strongly recommend that you take a look at them if you’re interested in a career in cybersecurity. 

Discover the Roles and Functions of the Monitoring and Detection Team

Let’s go back to our attack on the hospital to understand the different roles involved in preventing, detecting and responding to the attack. In our case, once the doctor has reported the problem, it’s the security teams who analyze and manage the alert. In other cases, users are none the wiser to any malicious behavior, so it’s down to the security teams to detect threats. One of their main tasks is to detect security incidents early on, using specific tools and drawing on the diverse skill sets present in the team. Let’s take a look at who’s involved in this task and how they go about it.

Events are happening on the information system every minute—and often every second—of every day: opening a file, deleting a folder, starting an application, and so on. The information system tracks all these events, no matter how trivial.

But this is a mammoth task: there are often thousands, if not millions, of log entries to monitor!

The sheer volume of log entries (from several thousand to millions per day, if not more, depending on the size of the company) makes this task impossible for a person to perform. So, you can rely on a couple of tools to help you! For example, the monitoring and detection team might use a SIEM tool.

SIEM (Security Information and Event Management) is a tool for centralizing and analyzing all the event logs available on the various components of an information system (computers, applications, etc.). Its purpose is to detect any abnormal activity, such as a large number of files being downloaded, attempts to access unauthorized applications, or unusual file-sharing with outside organizations.

But what role do team members play if everything is done by tools?

SOC Team

Well, tools don’t do everything! Members of the monitoring and detection team perform the following tasks:

  • Define the events that trigger a security alert

  • Configure tools as required

  • Regularly update detection rules that trigger alerts, and the associated procedures

  • Receive, sort and prioritize alerts from the tools installed

  • Analyze the impact of any detected incidents

  • Alert a more senior staff member if the impact is significant and/or if resolution requires input from other teams (incident response teams, in particular)

  • Make recommendations to resolve certain incidents
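To make the SIEM description and the first three SOC tasks above concrete, here is an added example (not code from the course or from any SIEM product) of what "defining the events that trigger a security alert" looks like once written down as detection rules. The log lines, user names, hosts, the authorization table and the thresholds are all constructed for illustration; the rules flag a burst of file downloads by one user and access to an application the user is not authorized for, then sort the alerts by severity so an analyst can triage them.

```python
"""Toy SIEM-style detection over constructed log lines (added example, not course code)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed event log, in the normalized shape a SIEM holds after collecting
# logs from a file server and an application gateway:
# timestamp host user action object
SAMPLE_LOG = """\
2024-09-30T08:00:01 fileserver01 alice download /shared/report-q3.pdf
2024-09-30T08:00:05 fileserver01 alice download /shared/budget.xlsx
2024-09-30T08:00:07 fileserver01 bob download /shared/minutes.docx
2024-09-30T08:00:09 fileserver01 alice download /shared/patients-2023.csv
2024-09-30T08:00:12 fileserver01 alice download /shared/patients-2022.csv
2024-09-30T08:00:14 fileserver01 alice download /shared/patients-2021.csv
2024-09-30T08:00:20 appgw01 bob access hr-payroll
2024-09-30T08:00:25 appgw01 bob access hr-payroll
2024-09-30T08:01:40 fileserver01 carol download /shared/handbook.pdf
"""


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    action: str
    obj: str


@dataclass
class Alert:
    rule: str
    severity: str  # "high" or "medium"; the analyst uses it to prioritize
    user: str
    detail: str


def parse_log(text: str) -> list[Event]:
    """Parse the constructed space-separated format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, action, obj = line.split(maxsplit=4)
        events.append(Event(datetime.fromisoformat(ts), host, user, action, obj))
    return events


# Detection rules: the "events that trigger a security alert", expressed as
# thresholds the SOC tunes over time (values are assumptions for this example).
DOWNLOAD_THRESHOLD = 5              # downloads by one user within the window
DOWNLOAD_WINDOW = timedelta(minutes=1)
# Assumed authorization table: which applications each user may open.
AUTHORIZED_APPS = {"alice": {"emr"}, "bob": {"emr"}, "carol": {"emr", "hr-payroll"}}


def rule_mass_download(events: list[Event]) -> list[Alert]:
    """Flag a user reaching DOWNLOAD_THRESHOLD downloads inside a sliding DOWNLOAD_WINDOW."""
    alerts = []
    per_user = defaultdict(list)  # user -> timestamps of recent downloads
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.action != "download":
            continue
        window = per_user[e.user]
        window.append(e.ts)
        # discard downloads that have fallen out of the sliding window
        while window and e.ts - window[0] > DOWNLOAD_WINDOW:
            window.pop(0)
        if len(window) == DOWNLOAD_THRESHOLD:  # fire once, when the threshold is first reached
            alerts.append(Alert("mass-download", "high", e.user,
                                f"{len(window)} downloads within {DOWNLOAD_WINDOW}"))
    return alerts


def rule_unauthorized_access(events: list[Event]) -> list[Alert]:
    """Flag access to an application the user is not authorized for (one alert per user/app)."""
    alerts = []
    seen = set()
    for e in events:
        if e.action != "access":
            continue
        if e.obj not in AUTHORIZED_APPS.get(e.user, set()) and (e.user, e.obj) not in seen:
            seen.add((e.user, e.obj))
            alerts.append(Alert("unauthorized-app-access", "medium", e.user, f"accessed {e.obj}"))
    return alerts


SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def run_detection(text: str) -> list[Alert]:
    """Apply every rule and return the alerts sorted for triage, highest severity first."""
    events = parse_log(text)
    alerts = rule_mass_download(events) + rule_unauthorized_access(events)
    return sorted(alerts, key=lambda a: SEVERITY_ORDER[a.severity])


if __name__ == "__main__":
    for a in run_detection(SAMPLE_LOG):
        print(f"[{a.severity.upper()}] {a.rule}: user={a.user} {a.detail}")
```

On the constructed log this produces two alerts: a high-severity one for alice, whose fifth download lands thirteen seconds after her first, and a medium-severity one for bob's repeated access to hr-payroll (reported once, not twice). The thresholds and the authorization table are exactly the parts of the rule that the SOC "regularly updates": lowering DOWNLOAD_THRESHOLD catches more activity at the cost of more alerts to sort.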

The Security Operations Center (SOC) is the team responsible for detecting suspicious or malicious activity.

Here’s a reminder of the related roles:

  • SOC analyst

  • SOC manager (responsible for managing all SOC activities)

These roles may be either in-house (for very large organizations) or outsourced to external service providers.

Threat Analyst

Is there a way to predict who is going to attack us and when?

That’s exactly the challenge of another role within the monitoring and detection team: the threat analyst. Another term used is “threat intelligence analyst.” This individual or team is responsible for studying trends in threats to the organization.

More specifically, threat analysts perform the following tasks:

  • Collect and analyze data on attackers (motivations, attack techniques, specific characteristics, etc.) from various sources (dark web, social media, corporate websites, etc.)

  • Communicate information about potential attackers to the teams responsible for detecting and responding to an incident. This information helps these teams improve how they do their job.

An important part of their work is therefore monitoring, which involves researching and collecting information that can help in assessing and detecting threats.

It’s all well and good having expert teams dedicated to threat detection, but why didn’t they see the hospital ransomware attack coming?

Great question! I’m sure we’ll find out after the investigation, but there could be a few different reasons:

  • The attacker used a method as yet unknown to the detection teams, so no alerts were triggered.

  • The computer used was not being monitored as it was not yet covered by the SOC.

  • A member of the monitoring and detection team may have misinterpreted an alert received as benign, so did not trigger any corrective action.

In the case of the hospital, you saw that the responsiveness of the user who raised the alert was key to acting quickly! As you can see, we all have a role to play in preventing cyberattacks. 💪

Take a step back from the ongoing incident

It is always useful to keep the major stages of a security incident in mind. They give you a frame of reference and help you keep some perspective in what can be a stressful situation!

We will explore some key concepts from these guides in the upcoming chapters, but we can already look at this diagram representing the major stages of an incident.

[Diagram: three vertical segments, Management, Understanding, and Remediation. Management (orange): Crisis Management, Post-crisis Follow-up. Understanding (green): Detection, Investigation, Supervision.]
The major stages of an incident according to ANSSI (the French National Agency for the Security of Information Systems)

First of all, during the incident, there are three major components necessary for the proper management of a cyber incident:

  1. Incident management: how teams organize themselves to best handle this exceptional event (you will see this in the next chapter dedicated to crisis management);

  2. Understanding the incident: how detection activities (which we just covered!), investigation, and supervision are carried out (later in this course);

  3. Incident remediation: how containment, eviction, and eradication are ensured, alongside reconstruction. We will cover this last component in the next chapter!

Let’s Recap!

In this chapter, you’ve seen that:

  • monitoring and detection teams are responsible for analyzing IT system logs and for trying to detect attacks using security alert management.

  • the roles of SOC analyst and SOC manager fall within this monitoring and detection team.

  • the role of threat analyst involves monitoring attackers and their operating methods to try to prevent attacks.

  • a cybersecurity incident is composed of three main components that evolve in parallel: governance, understanding, and remediation.

Now let’s find out how a crisis is managed and investigated!
