Sherlock in the SOC: Leveraging Security Knowledge in a Behavior-Based Approach

“There is a strong family resemblance about misdeeds, and if you have all the details of a thousand at your finger ends, it is odd if you can't unravel the thousand and first.”

This statement was made by the legendary fictional detective Sherlock Holmes in Sir Arthur Conan Doyle’s The Sign of Four, first published in 1890. Despite predating the Internet by approximately 100 years, Holmes’ unique approach to deduction holds some valuable insights for cybersecurity operations.

My recent articles have focused on the cyber kill chain and why it’s a necessary perspective for protecting against, and responding to, complex attacks. So what does the kill chain have to do with Sherlock Holmes, and this quote in particular? Well, Holmes is essentially describing a behavior-based model of analyzing an adversary’s actions to predict their next move, just like the kill chain.

“There is a Strong Family Resemblance About Misdeeds”

Behavior-based models, as opposed to the signature-based models that are found in conventional antivirus software and many other detection and prevention tools, follow Holmes’ notion that misdeeds—in this case cyberattacks—have a lot of similarities.

The signature-based approach is to search for known malicious files, hashes, URLs, and other signatures. The behavior-based approach, on the other hand, is to search for patterns of behavior that are highly correlated with malicious activity. This can be done via tools like user and entity behavior analytics (UEBA) or through conceptual models like the kill chain.

A kill chain framework, such as the MITRE ATT&CK matrix, which uses a knowledge base of thousands of real cyberattacks, breaks down those similarities to predict the likely steps an adversary will take—the modern equivalent of using the details of a thousand misdeeds to anticipate the thousand-and-first.

“You See, But You Do Not Observe”

In the spirit of Sherlock Holmes, let’s use the analogy of a crime in the physical world to illustrate the value of this approach. Imagine that a detective comes across a broken window, sees someone running in the opposite direction, and upon looking in the window, hears a person inside shout that their phone and wallet are missing. It should be obvious to the detective that a robbery has taken place.

While this is a very simplistic example, it’s only obvious that a crime has occurred because of the detective’s knowledge of the steps that a robbery is likely to follow (a real-world kill chain). If the detective saw each piece of the crime separately, and was unable to make correlations, there would be many plausible explanations for the scene that wouldn’t suggest a robbery. The window could have been broken accidentally by kids kicking a soccer ball; the person running might just be out for a jog; and people misplace their phones and wallets all the time. Nothing suspicious going on here!

As absurd as it may sound, this is where many security teams are stuck: treating every security event separately, with minimal ability to view the context of the attack or the connections between related events. To paraphrase Holmes himself, they see, but they do not observe.

“The Art of Detection”

Security analysts are the detectives of cybersecurity, each with a wealth of knowledge built up on the job. If you give them the tools they need to see the whole picture, they’ll have a much better chance of identifying suspicious activity. The behavior-based approach is all about leveraging this knowledge, instead of obstructing it. In the case of MITRE ATT&CK, it goes a step further and actually builds the collective expertise of the security industry into the framework, allowing security teams to vastly enhance their own knowledge.

Kill chains and other frameworks are just one way to take a behavior-based approach to cybersecurity. By integrating data from across your security tools, you can also add valuable information about the geographical location, time of day, user role, network activity, and other data associated with events to highlight anomalous actions.
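To make the contrast concrete, here is a small added example (not code from the article or from D3 Security) that runs a signature check and a behavior-based correlator over a few constructed log events. Each event is unremarkable on its own, like the broken window or the jogger; only when events for the same host and user are ordered along a simplified, hypothetical kill-chain mapping inside a time window does the correlator raise an alert, while the hash lookup finds nothing.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Individually, none of
# these is suspicious enough to trip a signature-based tool.
EVENTS = [
    {"ts": "2024-01-01T09:00:00", "host": "ws-12", "user": "alice",
     "type": "email_attachment_opened", "sha256": "aaaa1111"},
    {"ts": "2024-01-01T09:00:40", "host": "ws-12", "user": "alice",
     "type": "office_spawned_shell"},
    {"ts": "2024-01-01T09:02:10", "host": "ws-12", "user": "alice",
     "type": "scheduled_task_created"},
    {"ts": "2024-01-01T09:03:00", "host": "ws-12", "user": "alice",
     "type": "outbound_connection", "dest": "203.0.113.5"},
    {"ts": "2024-01-01T11:00:00", "host": "ws-07", "user": "bob",
     "type": "scheduled_task_created"},  # routine admin work, on its own
]

# Signature list: the attachment hash above is deliberately not in it.
KNOWN_BAD_HASHES = {"feedface00"}

# Hypothetical, simplified mapping of event types to kill-chain stages.
STAGE_OF = {
    "email_attachment_opened": "delivery",
    "office_spawned_shell": "exploitation",
    "scheduled_task_created": "installation",
    "outbound_connection": "command_and_control",
}
CHAIN = ["delivery", "exploitation", "installation", "command_and_control"]


def signature_detect(events):
    """Classic approach: match known-bad hashes only."""
    return [e for e in events if e.get("sha256") in KNOWN_BAD_HASHES]


def behavior_detect(events, window=timedelta(minutes=10), min_stages=3):
    """Group events by (host, user), sort by time, and alert when at least
    min_stages distinct stages appear in kill-chain order inside the window."""
    by_entity = defaultdict(list)
    for e in events:
        stage = STAGE_OF.get(e["type"])
        if stage:
            by_entity[(e["host"], e["user"])].append(
                (datetime.fromisoformat(e["ts"]), stage))
    alerts = []
    for entity, items in by_entity.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            seen = []
            for ts, stage in items[i:]:
                if ts - start > window:
                    break
                # Accept only a stage that advances the chain past the last one seen.
                if not seen or CHAIN.index(stage) > CHAIN.index(seen[-1]):
                    seen.append(stage)
            if len(seen) >= min_stages:
                alerts.append({"entity": entity, "stages": seen})
                break  # one alert per entity is enough
    return alerts


if __name__ == "__main__":
    print("signature hits:", signature_detect(EVENTS))
    print("behavior alerts:", behavior_detect(EVENTS))
```

The window and stage threshold are the tuning knobs: too wide or too low and the jogger gets arrested, too narrow and a slow attacker never correlates.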

By combining all the information that you have at your fingertips and analyzing it not just through signature-based methods, but also a behavior-based perspective, you give yourself a magnifying glass with which to focus on evidence of advanced attacks, while ignoring red herrings. Or, in the eloquent words of Sherlock Holmes: “It is of the highest importance in the art of detection to be able to recognize, out of a number of facts, which are incidental and which vital. Otherwise your energy and attention must be dissipated instead of being concentrated.”

Stan Engelbrecht is the Director of Cybersecurity Practice at D3 Security and an accredited CISSP. Stan is involved throughout the product delivery and customer success lifecycle, and takes particular interest in working with customers to configure solutions. You can find Stan speaking about cybersecurity issues at conferences, in the media, and as the chapter president for a security special interest group.