Organizations are constantly in need to keep their threat detection content up to date but with an ever-changing threat landscape, organizations struggle to properly develop viable content that is relevant to their security needs leaving unnecessary time spent on irrelevant content, increased remediation times, and large security detection gaps. In order to effectively do this, organizations need to do two things: an introspective look into their current cyber security state, and have a methodology for developing detection content.Introspection requires an organization to understand the relevant threats and threat groups associated with their industry, understand their current infrastructure, and understand what their attack surface looks like.

By taking a deep look, organizations can better identify what kind of emerging and existing threats are applicable to themselves, and pinpoint their efforts to developing detection content dedicated towards those threats. Ideally, the output of this exercise is a full breakdown of everything from security infrastructure design to relevant threat groups with associated MITRE ATT&CK mappings. As you are probably thinking, this introspection is the foundation to start the next step in almost any area of cyber security but we will focus on content development surrounding threat detection.Now that organizational needs are all mapped out, the process of developing detection content is more targeted since there is no question as to whether a new or emerging threat is relevant.

This may seem like a simple task but the reality is that every time a new critical threat emerges, most organizations scramble to determine if and how they are affected. Wouldn’t it be nice to just know whether you need to start developing detection content or not? And if you can immediately determine that you are not affected, wouldn’t it be great to not waste resources on the irrelevant and continue to focus on that backlog of the relevant? With that being said, how should an organization develop detection content for the threats that are relevant?In order to do this, organizations are going to need some organizational unit to perform functions similar to the B.A.D. (Build, Attack, Defend) pyramid.

For those unfamiliar with the concept, the B.A.D. pyramid essentially covers the critical components needed to properly defend an organization and, in order, they can create an iterative process for developing detection content. To be clear, these do not need to actually be different teams but are personas in the detection content development process. To give an idea of how this process would flow, after an organization identifies a new threat, they would employ their Attack component, or Red Team, to simulate the threat within an environment. From here the Defend component, or Blue Team, would either fully, partially, or not detect the threat. This information gets passed onto the Build component, or Yellow Team, to create or modify the necessary detection content for this particular threat who will then kick off the whole process once again for validation.

It is an iterative loop until the detection content is ready to be published which requires full transparency so that no detection logic associated with the threat is overlooked. This is required even if a detection is already made, there may be an opportunity to improve detection logic by either including other threat indicators or even just tightening detection logic to improve processing and filtering out false positives.With this information, an organization can begin to take the first steps towards effectively creating net new threat detection content, but there are still ways to improve this process in order to make it more repeatable and streamlined. Stay tuned for Content Conundrums for the SOC: Part II.