Towards Actionable Detection

· 4min · Joe Lopes

The Cyber Threat Intelligence (CTI) community coined the term "actionable intelligence" to describe relevant, timely, and contextual information that supports effective decision-making. In recent months, while working closely with the CTI team as a detection engineer, I have been reflecting on ways to make detections more actionable in order to address some of the common challenges faced in my role. This post summarizes my reflections.

Common Problems

Let's start by examining the common issues that plague detection engineering.

The most prevalent problem is noisy detections 🔊. High rates of false positives overwhelm the Security Operations Center (SOC), leading to alert fatigue. The causes of this issue are varied but often include poorly tuned rules and a lack of contextual enrichment, which negatively impacts investigations. Often, when analyzing a bad detection, I notice that its purpose is unclear and disconnected from any phase of the kill chain or threat model (for example, a TTP). It’s like someone’s dream that never came true.

When we look at the reason for a detection's existence 🤔, it’s unfortunately not uncommon to find detections created as substitutes for preventive controls 💀. This is problematic because the root cause isn’t addressed, turning the detection into a pain point for the SOC --like an IDS exposed to the internet and sending all alerts to your team. Issues in the detection lifecycle are also common. Outdated or temporary detections left in production generate garbage alerts or, at best, consume resources unnecessarily. The same applies to overlapping or redundant detections that trigger on the same behavior or event (within the same scope), leading to duplicate alerts and wasted resources.

These problems create friction between the SOC and detection engineering teams, potentially eroding trust in the detection program. While automation 🤖 may seem like a good solution, it often ends up being a temporary fix --similar to sweeping dirt under the rug-- by diverting resources to manage unnecessary situations. The real solution lies in addressing the root cause: improving the quality of detections and ensuring they are actionable.

Towards Actionable Detection

One of the first things I did when I started as a detection engineer was read 📘 Intelligence-Driven Incident Response. That was my first introduction to the concept of actionable intelligence. Over the past few months, while working closely with the CTI team to leverage MISP and other threat intelligence platforms, I started thinking about how I could apply this concept to Detection Engineering.

I believe that actionable detection is any detection that raises relevant, timely, and contextual alerts, calling the SOC to action for better security. From the outset, an actionable detection is not meant to replace preventive controls but to complement them. It is scoped to a specific kill chain phase or TTP, with a clear and solid use case or hypothesis in mind, directly linking to actions that mitigate malicious activity.

An actionable detection doesn’t overlap with existing actionable detections. Instead of just writing a new rule, the engineer reviews existing ones to avoid duplication. Actionable detection also has a defined lifecycle, with periodic reviews from conception to retirement, ensuring it evolves with the threat landscape and the organization’s security posture. These reviews ensure the detection remains relevant and that false positives and false negatives are kept at an acceptable level.

It’s important to note, though, that an actionable detection doesn’t need to be complex or perfect. You don’t need fancy correlations or enrichments to make it actionable. The key is to ensure it is relevant, timely, and contextual. Additionally, it’s important to remember that there’s no such thing as a perfect rule. Like any software, detections will have bugs and limitations --for example, it'd be naive to expect that any single detection will fully cover a MITRE ATT&CK Technique (think of Procedures). You mitigate this by implementing a well-defined lifecycle and a robust review process with complementary detections --see The Threat Detection Fundamental Dilemma.
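The criteria above (a mapped TTP, a linked follow-up action, no overlap within the same scope, a review cadence, an acceptable false positive rate) can be checked mechanically over a detection catalog. The following is an added example, not code from the original post; the catalog entries are constructed, and the field names, the 180-day review window and the 0.5 false positive threshold are assumptions.

```python
from datetime import date

# Constructed catalog; the field names are assumptions, not a standard schema.
CATALOG = [
    {"id": "DET-001", "technique": "T1059.001", "scope": "windows-endpoints",
     "behavior": "powershell-encoded-command", "action": "Isolate host",
     "last_review": date(2025, 3, 1), "expires": None, "alerts": 40, "fps": 4},
    {"id": "DET-002", "technique": "T1059.001", "scope": "windows-endpoints",
     "behavior": "powershell-encoded-command", "action": "Isolate host",
     "last_review": date(2025, 4, 15), "expires": None, "alerts": 10, "fps": 1},
    {"id": "DET-003", "technique": None, "scope": "perimeter",
     "behavior": "ids-any-signature", "action": None,
     "last_review": date(2024, 6, 1), "expires": None, "alerts": 5000, "fps": 4900},
    {"id": "DET-004", "technique": "T1190", "scope": "web-servers",
     "behavior": "temporary-ioc-sweep", "action": "Block source, open incident",
     "last_review": date(2025, 2, 1), "expires": date(2025, 3, 31), "alerts": 0, "fps": 0},
]
TODAY = date(2025, 6, 1)       # fixed so the result is reproducible
MAX_REVIEW_AGE_DAYS = 180      # assumed review cadence
MAX_FP_RATE = 0.5              # assumed acceptable false positive rate

def audit(catalog, today=TODAY):
    """Return {detection id: [findings]} for detections that need attention."""
    findings, first_seen = {}, {}
    for det in catalog:
        issues = []
        if not det["technique"]:
            issues.append("no-ttp")            # not tied to a kill chain phase or TTP
        if not det["action"]:
            issues.append("no-action")         # alert gives the SOC nothing to do
        if (today - det["last_review"]).days > MAX_REVIEW_AGE_DAYS:
            issues.append("review-overdue")
        if det["expires"] and det["expires"] < today:
            issues.append("expired")           # temporary rule left in production
        if det["alerts"] and det["fps"] / det["alerts"] > MAX_FP_RATE:
            issues.append("noisy")
        key = (det["scope"], det["behavior"])  # same behavior within the same scope
        if key in first_seen:
            issues.append("overlaps:" + first_seen[key])
        else:
            first_seen[key] = det["id"]
        if issues:
            findings[det["id"]] = issues
    return findings

if __name__ == "__main__":
    for det_id, issues in audit(CATALOG).items():
        print(det_id, ", ".join(issues))
```

An `overlaps` finding is a candidate for human review rather than a verdict: two rules can share a scope and behavior label and still cover different procedures.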

Conclusion

Threat detection is a complex and challenging field --arguably the most complex within the SOC, in my opinion. After facing common problems in this area, I connected the concept of actionable intelligence to detection engineering. I believe that actionable detection is the path to making detections more effective and less painful for the SOC.

Keeping the concept of actionable detection in mind will guide you to create and maintain meaningful detections. Starting with a lifecycle process and emphasizing the conception phase will help you avoid common pitfalls, such as failing to define clear use cases or follow-up actions. By periodically reviewing your rules --not just the code but also their output and impact, such as the false positive rate-- you can keep your environment clean and your SOC team happy.💡✌️