Sun. Aug 31st, 2025
Sharing Is Caring. If you enjoy this article, help us share with others.

The Need For Alert Evaluation In Cybersecurity

 

The threat landscape is constantly changing as new vulnerabilities are discovered and new threats evolve. As user and organizational needs change, so does the attack surface. Threat actors have learned how to quickly vary the features of their exploits in order to evade detection. This article discusses alert evaluation in cybersecurity.


It is impossible to design measures to prevent all exploits. Exploits will inevitably evade protection measures, no matter how sophisticated they may be. Sometimes, the best that can be done is to detect exploits during or after they have occurred.
Detection rules should be overly conservative. In other words, it is better to have alerts that are sometimes generated by innocent traffic, than it is to have rules that miss malicious traffic. For this reason, it is necessary to have skilled cybersecurity analysts investigate alerts to determine if an exploit has actually occurred.

 

Tier 1 cybersecurity analysts will typically work through queues of alerts in a tool like Sguil, pivoting to tools like Zeek, Wireshark, and Kibana to verify that an alert represents an actual exploit.
[Figure: a Sguil box at the top, with a line pointing to each of the three boxes below it: Kibana, Zeek, and Wireshark.]

Primary Tools for the Tier 1 Cybersecurity Analyst

Evaluating Alerts

Security incidents are classified using a scheme borrowed from medical diagnostics. This classification scheme is used to guide actions and to evaluate diagnostic procedures. For example, when a patient visits a doctor for a routine examination, one of the doctor’s tasks is to determine whether the patient is sick.
One of the outcomes can be a correct determination that disease is present and the patient is sick. Another outcome can be that there is no disease and the patient is healthy.
The concern is that either diagnosis can be accurate, or true, or inaccurate, or false. For example, the doctor could miss the signs of disease and make the incorrect determination that the patient is well when they are in fact sick. Another possible error is to rule that a patient is sick when that patient is in fact healthy. False diagnoses are either costly or dangerous.

 

In network security analysis, the cybersecurity analyst is presented with an alert. This is similar to a patient going to the doctor and saying, “I am sick.” The cybersecurity analyst, like the doctor, needs to determine if this diagnosis is true. The cybersecurity analyst asks, “The system says that an exploit has occurred. Is this true?”

  • True Positive: The alert has been verified to be an actual security incident.
  • False Positive: The alert does not indicate an actual security incident. Benign activity that results in a false positive is sometimes referred to as a benign trigger.

An alternative situation is that an alert was not generated. The absence of an alert can be classified as:

  • True Negative: No security incident has occurred. The activity is benign.
  • False Negative: An undetected incident has occurred.
When an alert is issued, it will receive one of four possible classifications:

                              True                    False
  Positive (Alert exists)     Incident occurred       No incident occurred
  Negative (No alert exists)  No incident occurred    Incident occurred
Note: “True” events are desirable. “False” events are undesirable and potentially dangerous.
True positives are the desired type of alert. They mean that the rules that generate alerts have worked correctly.
False positives are not desirable. Although they do not indicate that an undetected exploit has occurred, they are costly because cybersecurity analysts must investigate false alarms; therefore, time is taken away from the investigation of alerts that indicate true exploits.
True negatives are desirable. They indicate that benign normal traffic is correctly ignored, and erroneous alerts are not being issued.
False negatives are dangerous. They indicate that exploits are not being detected by the security systems that are in place. These incidents could go undetected for a long time, and ongoing data loss and damage could result.
Benign events are those that should not trigger alerts. Excess benign events indicate that some rules or other detectors need to be improved or eliminated.
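The four classifications above, and the point that excess benign triggers show which rules need tuning, can be made concrete with a small triage tally. The following is an added example (not from the original article or any particular tool); the rule names, triage records, and the tuning thresholds are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class TriageRecord:
    """One triaged event: the rule involved, whether it alerted,
    and whether the analyst's investigation confirmed a real incident."""
    rule: str
    alerted: bool
    incident: bool


def classify(rec: TriageRecord) -> str:
    """Map an event to one of the four outcomes in the table above."""
    if rec.alerted:
        return "TP" if rec.incident else "FP"
    return "FN" if rec.incident else "TN"


def tally_by_rule(records) -> dict:
    """Count TP/FP/TN/FN separately for each detection rule."""
    tallies: dict[str, Counter] = {}
    for rec in records:
        tallies.setdefault(rec.rule, Counter())[classify(rec)] += 1
    return tallies


def totals(records) -> Counter:
    """Overall counts across all rules."""
    return Counter(classify(r) for r in records)


def tuning_candidates(tallies, max_fp_ratio=0.5, min_alerts=4) -> list:
    """Rules whose alerts are mostly benign triggers.
    The ratio and minimum-alert thresholds are assumptions, not a standard."""
    flagged = []
    for rule, c in tallies.items():
        alerts = c["TP"] + c["FP"]
        if alerts >= min_alerts and c["FP"] / alerts > max_fp_ratio:
            flagged.append(rule)
    return sorted(flagged)


# Constructed sample of one week's triage outcomes (rule names are made up).
# True negatives are normally not enumerated per event; here they stand for
# reviewed benign traffic that correctly produced no alert.
SAMPLE_RECORDS = [
    TriageRecord("web-sqli-attempt", True, True),
    TriageRecord("web-sqli-attempt", True, True),
    TriageRecord("web-sqli-attempt", True, False),   # benign trigger
    TriageRecord("dns-long-query", True, False),
    TriageRecord("dns-long-query", True, False),
    TriageRecord("dns-long-query", True, False),
    TriageRecord("dns-long-query", True, False),
    TriageRecord("dns-long-query", True, True),
    TriageRecord("smb-lateral-move", False, True),   # found later: a false negative
    TriageRecord("smb-lateral-move", False, False),  # benign, no alert: true negative
    TriageRecord("smb-lateral-move", False, False),
]

if __name__ == "__main__":
    for rule, c in tally_by_rule(SAMPLE_RECORDS).items():
        print(f"{rule:18s} TP={c['TP']} FP={c['FP']} TN={c['TN']} FN={c['FN']}")
    print("overall:", dict(totals(SAMPLE_RECORDS)))
    print("rules to tune:", tuning_candidates(tally_by_rule(SAMPLE_RECORDS)))
```

On the sample data the dns-long-query rule is flagged because four of its five alerts were benign triggers, while the single false negative under smb-lateral-move is the case the article calls dangerous: it only appears in the tally at all because it was discovered later, which is what the retrospective analysis described below is for.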
When true positives are suspected, a cybersecurity analyst is sometimes required to escalate the alert to a higher level for investigation. The investigator will move forward with the investigation in order to confirm the incident and identify any potential damage that may have been caused.
This information will be used by more senior security personnel who will work to isolate the damage, address vulnerabilities, mitigate the threat, and deal with reporting requirements.
A cybersecurity analyst may also be responsible for informing security personnel that false positives are occurring to the extent that the cybersecurity analyst’s time is seriously impacted. This situation indicates that security monitoring systems need to be tuned to become more efficient. Legitimate changes in the network configuration or newly downloaded detection rules could result in a sudden spike in false positives as well.
False negatives may be discovered well after an exploit has occurred. This can happen through retrospective security analysis (RSA). RSA can occur when newly obtained rules or other threat intelligence is applied to archived network security data. For this reason, it is important to monitor threat intelligence to learn of new vulnerabilities and exploits and to evaluate the likelihood that the network was vulnerable to them at some time in the past.
In addition, the exploit needs to be evaluated regarding the potential damage that the enterprise could suffer. It may be determined that adding new mitigation techniques is sufficient, or that a more detailed analysis should be conducted.
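Retrospective security analysis, as described above, means running newly obtained rules against archived data and treating every match that produced no alert at the time as a candidate false negative. The example below is added here and is not from the original article or from Zeek; the archive records (Zeek-like field names), the set of connection ids that alerted at the time, the new rules, and the example.net indicator are all constructed for illustration.

```python
from datetime import datetime

# Constructed archive of HTTP records with Zeek-like field names (not real traffic).
ARCHIVE = [
    {"uid": "C1", "ts": "2025-07-02T09:15:00", "orig_h": "10.0.0.12",
     "host": "www.example.com", "user_agent": "Mozilla/5.0"},
    {"uid": "C2", "ts": "2025-07-02T09:16:30", "orig_h": "10.0.0.12",
     "host": "update-check.example.net", "user_agent": "Mozilla/5.0"},
    {"uid": "C3", "ts": "2025-07-03T22:41:10", "orig_h": "10.0.0.31",
     "host": "update-check.example.net", "user_agent": "curl/8.0"},
    {"uid": "C4", "ts": "2025-07-04T03:05:00", "orig_h": "10.0.0.31",
     "host": "cdn.example.org", "user_agent": "Mozilla/5.0"},
    {"uid": "C5", "ts": "2025-07-10T11:00:00", "orig_h": "10.0.0.12",
     "host": "update-check.example.net", "user_agent": "Mozilla/5.0"},
]

# Connection ids the ruleset in force at the time actually alerted on (constructed).
ALERTED_AT_THE_TIME = {"C3"}

# Hypothetical rules derived from later threat intelligence: a newly reported
# command-and-control hostname and a scripted client on a user workstation.
NEW_RULES = {
    "intel-c2-host": lambda r: r["host"] == "update-check.example.net",
    "intel-scripted-client": lambda r: r["user_agent"].startswith("curl/"),
}


def retrospective_scan(archive, rules, alerted_uids) -> list:
    """Apply the new rules to archived records. A match that produced no
    alert at the time is a candidate false negative."""
    findings = []
    for rec in archive:
        hits = [name for name, match in rules.items() if match(rec)]
        if hits and rec["uid"] not in alerted_uids:
            findings.append({"uid": rec["uid"], "ts": rec["ts"],
                             "orig_h": rec["orig_h"], "rules": hits})
    return findings


def affected_hosts(findings) -> list:
    """Internal hosts involved in undetected matches, for scoping the damage assessment."""
    return sorted({f["orig_h"] for f in findings})


def exposure_window_days(findings) -> int:
    """Days between the first and last undetected match: how long the
    network may have been exposed before the new rule arrived."""
    if not findings:
        return 0
    times = [datetime.fromisoformat(f["ts"]) for f in findings]
    return (max(times) - min(times)).days


if __name__ == "__main__":
    found = retrospective_scan(ARCHIVE, NEW_RULES, ALERTED_AT_THE_TIME)
    for f in found:
        print(f"{f['ts']} {f['uid']} {f['orig_h']} matched {', '.join(f['rules'])}")
    print("affected hosts:", affected_hosts(found))
    print("exposure window (days):", exposure_window_days(found))
```

Record C3 matches both new rules but is skipped because it already alerted; C2 and C5 are the newly discovered false negatives. The host list and exposure window are the inputs to the next decision the article describes: whether new mitigations are sufficient or a more detailed analysis is needed.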

 



By Adeniyi Salau
