Threat Behavior detections
Analysts look at the Tactics, Techniques and Procedures (TTPs) an adversary uses to conduct an attack, rather than at any specific indicator such as a hash, domain or IP address. Because TTPs change far less often than indicators, this makes detection more scalable.
Through this kind of detection, analysts can focus their effort on responding to the threat and mitigating it, instead of spending time and resources working out how and why alerts were triggered. Threat behaviour detection can also be paired with established workflows and playbooks to provide best practices to follow during an investigation.
Some of the benefits and challenges of this detection method include the following:
- Withstands the adversary's rate of change, but because adversary behaviour is complex, a lot of data is required to provide complete coverage.
- Easy to tune and adapt to different environments, but moderately difficult to implement initially because a baseline assessment of normal activity is needed first.
- Low false-positive rates, but each analytic only detects threat behaviour similar to the one it was written for.
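The following added example (not from the original article) contrasts an indicator-based rule with a behaviour-based analytic over constructed process-creation events. The analytic encodes one TTP, an office application spawning a PowerShell interpreter with an encoded command, so it still fires when the adversary swaps tooling and payload, and it accepts a baseline of hosts where that behaviour is known-good; all hosts, hashes and command lines are made up.

```python
import re

# Constructed sample process-creation events; nothing here is from a real system.
EVENTS = [
    {"host": "ws01", "parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": "powershell.exe -enc AAAA"},
    # Same TTP, but the adversary changed interpreter and re-encoded the payload.
    {"host": "ws02", "parent": "WINWORD.EXE", "image": "pwsh.exe",
     "cmdline": "pwsh.exe -EncodedCommand BBBB"},
    # Benign: a user-launched backup script, not started from an office application.
    {"host": "ws03", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File backup.ps1"},
    # Matches the TTP, but on a host a baseline assessment may mark as expected.
    {"host": "fin-macro01", "parent": "EXCEL.EXE", "image": "powershell.exe",
     "cmdline": "powershell.exe -enc CCCC"},
]

# Indicator-based rule: exact match on a constructed list of known-bad command lines.
KNOWN_BAD_CMDLINES = {"powershell.exe -enc AAAA"}

def indicator_detect(event):
    return event["cmdline"] in KNOWN_BAD_CMDLINES

# Behaviour-based analytic: office parent -> PowerShell child with an encoded command.
OFFICE_PARENTS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}
SHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
ENCODED_FLAG = re.compile(r"-(enc|encodedcommand)\b", re.IGNORECASE)

def behaviour_detect(event, baseline_hosts=frozenset()):
    # baseline_hosts: hosts where this behaviour was found to be normal during baselining
    if event["host"] in baseline_hosts:
        return False
    return (event["parent"].upper() in OFFICE_PARENTS
            and event["image"].lower() in SHELL_IMAGES
            and ENCODED_FLAG.search(event["cmdline"]) is not None)

def run(events, baseline_hosts=frozenset()):
    """Return the hosts flagged by each method so the two can be compared."""
    return {
        "indicator": [e["host"] for e in events if indicator_detect(e)],
        "behaviour": [e["host"] for e in events if behaviour_detect(e, baseline_hosts)],
    }

if __name__ == "__main__":
    print(run(EVENTS))
    print(run(EVENTS, baseline_hosts=frozenset({"fin-macro01"})))
```

Without a baseline the analytic also flags fin-macro01; tuning it with the baseline suppresses that host while the indicator rule still misses the re-tooled attack on ws02.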