Let’s take a quick flashback to the Mel Brooks classic, Spaceballs, for a moment… Dark Helmet has sent his troops to “comb the desert” in search of the film’s main characters. The troopers are literally using giant hair combs to sift through the desert sand and finding nothing. It’s fun to laugh at this scene, but in reality a day in the life of a cybersecurity analyst can feel a lot like this!
With today’s massive networks that consist of countless hosts and BYOD devices communicating 24x7, do you feel like those troopers combing the endless desert and coming up short as you look through infinite logs, data, and alerts? Do you have the right tools to properly monitor and alert your defenders about potential threats? Do you trust that your detection rules are functioning properly ahead of a real security incident? In this article, we’ll discuss how you can use detection engineering techniques to face today’s challenges and ensure that you’re ready to protect your organization.
First, let’s define detection engineering. It is a continuous lifecycle with the goal of creating, tuning, and validating rules/alerts that allow cybersecurity teams to detect threats and anomalous behavior more easily and with fewer false positives. This can include testing and validation of vendor-supplied rules in SIEMs, EDRs, NDRs, etc., as well as the creation of custom detection rules for known threats based on available intelligence.
In addition to ensuring detection rules exist for known threats and IOCs, an experienced detection engineer can also create behavior-based detection rules to assist in the detection of unknown threats. Think of these behavior-based rules as a series of virtual tripwires strung throughout your network, densest closest to your crown jewels. While an attacker may make their way in through your virtual doors, with the right tripwires your analysts/responders will be far better able to identify and stop the attacker in their tracks before serious damage can be done.
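To make the tripwire idea and the create/validate/tune loop concrete, here is an added example (not code from the original post or from SimSpace): a behavior-based rule that flags an account logging on to an unusual number of distinct hosts, scored against a constructed, labelled event set, then tuned with an allowlist to remove a service-account false positive. The event format, field names, and the account names are all assumptions made up for the illustration.

```python
# Added example: a behavior-based "tripwire" rule, validated against a
# constructed event set with known-bad labels, then tuned to cut a false
# positive. Event format (host, user, event_type, target) is assumed.
from collections import defaultdict

# Constructed sample events, not real telemetry. svc_backup is a legitimate
# service account that naturally fans out to many hosts; mallory is the
# labelled lateral-movement activity the rule is meant to catch.
EVENTS = [
    ("ws01", "alice", "logon", "fileserver"),
    ("ws01", "alice", "logon", "fileserver"),      # benign repeat
    ("ws02", "bob", "logon", "fileserver"),
    ("backup01", "svc_backup", "logon", "fileserver"),
    ("backup01", "svc_backup", "logon", "db01"),
    ("backup01", "svc_backup", "logon", "hr01"),
    ("backup01", "svc_backup", "logon", "fin01"),
    ("ws03", "mallory", "logon", "fileserver"),
    ("ws03", "mallory", "logon", "db01"),
    ("ws03", "mallory", "logon", "hr01"),
    ("ws03", "mallory", "logon", "fin01"),
]
# Ground truth supplied by the lab operator who ran the emulated attack.
KNOWN_BAD = {"mallory"}


def lateral_fanout_rule(events, threshold=3, allowlist=frozenset()):
    """Tripwire: alert on any account that logs on to >= threshold distinct
    hosts. `allowlist` is the tuning knob for accounts whose fan-out is
    expected (backup, scanners, etc.)."""
    targets = defaultdict(set)
    for _host, user, etype, target in events:
        if etype == "logon" and user not in allowlist:
            targets[user].add(target)
    return {user for user, hosts in targets.items() if len(hosts) >= threshold}


def score(alerts, known_bad):
    """Return (true_positives, false_positives, false_negatives) so each
    rule revision can be compared before it goes anywhere near production."""
    return (len(alerts & known_bad),
            len(alerts - known_bad),
            len(known_bad - alerts))


if __name__ == "__main__":
    v1 = lateral_fanout_rule(EVENTS)                       # untuned rule
    print("v1", sorted(v1), score(v1, KNOWN_BAD))          # (1, 1, 0)
    v2 = lateral_fanout_rule(EVENTS, allowlist=frozenset({"svc_backup"}))
    print("v2", sorted(v2), score(v2, KNOWN_BAD))          # (1, 0, 0)
```

The untuned rule catches the attack but also fires on the backup account; the allowlisted revision keeps the true positive and drops the false positive, which is the kind of result you want to see in the lab before the rule reaches the SOC.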
Having a separate lab environment designated for detection engineering provides engineers with a consequence-free space to build and test detection rules using potentially destructive attack techniques. While it is possible to build and validate some detection rules in production, more complex rules are better-suited for development in a purpose-built lab. A lab also gives you the ability to stand up certain vulnerable systems or software versions for testing, which you may not want to introduce elsewhere.
My recommendation is to build a lab that includes a good sampling of the host/device types and OS/app versions used in your production environment, as well as the security tools for which you want to build, validate, and tune detection rules. It is also a good idea to include some additional tools for host analysis, network analysis, malware analysis, and offensive security so you can fully understand the threats/behaviors you are focused on. Keep in mind that once certain types of attacks are run, you may need to rebuild or revert individual systems, or possibly the entire lab.
Sure, you can build your own lab in the cloud or even on-premises, but then you’re spending a lot of time setting up and maintaining the lab environment. Considering that threat hunters and detection engineers are often senior-level resources, you’re paying costly people to perform basic sysadmin functions for a significant percentage of their time. Why not use a better solution, and let those experienced resources spend their time doing what they love while adding value and reducing organizational risk?
Our platform provides many cyber range / lab environments that are ready to use right out of the box. For custom lab needs, engineers can use SimSpace Rapid Range to quickly define what types of systems they want to include in their detection engineering lab, deploy the lab range, and then let our platform automatically build the environment. We offer VM Templates for many common tech/security solutions to ease deployment, and also allow engineers to bring in custom tools/VMs for anything that is not already included in our catalog. Your engineers are able to skip most of the sysadmin work and jump straight into using the lab for the sophisticated detection engineering tasks that you need them to perform.
The SimSpace Automated Attack Platform (SAAP) can be used to launch full kill-chain attacks and generate adversary-modeled threat actions without waiting on a red teamer to be available. SimSpace also provides unparalleled User Emulation (UE) capabilities to generate realistic user actions on the endpoints in your cyber range. The UE activities result in forensically accurate host/network artifacts, log entries, and security alerts that can be used to better tune your detection rules and reduce false positives.
If you run any destructive attacks or make complex configuration changes that are hard to back out, then the SimSpace platform makes it easy to revert individual VMs or the entire lab environment to a prior state. This allows you to iteratively go through your detection engineering processes while launching attacks, analyzing results, reverting systems as needed, and repeating the process over again. Ultimately, using SimSpace your detection engineers will be able to ensure rules/alerts are functioning and tuned properly prior to introducing them into your production environment. This will reduce alert fatigue for your SOC analysts, and increase their efficiency and ability to monitor and defend your organization.
In large environments with massive amounts of data and logs, it often feels very overwhelming and seems that attackers have the upper hand. With more efficient detection engineering capabilities, SimSpace enables cyber defenders to regain the advantage. Have confidence that all of your vendor-supplied and custom detection rules are functioning properly ahead of an attack. Ensure that you have a comprehensive web of tripwires throughout your network. If an attacker uses a new technique that bypasses your existing rules to get in the door, they’ll still step on at least one other tripwire during their desired journey of discovery, escalation, lateral movement, and data exfiltration or destruction.
Are you tired of being a sysadmin in your non-existent spare time, just so you have a place to test out new concepts? Reach out and schedule a demo with us today. We’ll show you how to quickly and easily spin up fully-functional labs that you can blow up, reset, and use continually throughout the year.