What is Detection Engineering?
Detection Engineering is the capability to author, interpret and model threats in order to deliver modern and effective threat detections. The main output of detection engineering is a set of 'detectors': analytics that capture the tactics, techniques and procedures of adversaries.
Detection as Code
"Detection as Code" refers to a more systematic, flexible and comprehensive approach to threat detection that follows an Alert Development Lifecycle, similar to the Software Development Lifecycle (SDLC): detectors are written as code, version-controlled, tested against known-good and known-bad samples, reviewed, and deployed through the same kind of pipeline as software.
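As an added illustration of the "Detection as Code" idea (this is example code, not from the page or any product), the block below treats a detector as data plus its own test cases: each rule carries the events it must match and the events it must not match, and a validation step runs those before the rule could be promoted. The rule format, field names, and sample process events are all constructed for the example; the second detector is deliberately too broad so that its own tests reject it, which is the tuning feedback the lifecycle is meant to provide.

```python
"""Detection-as-code sketch: a detector is data plus tests, checked like software.

Added example. The rule schema, operators, field names and the sample events
below are constructed for illustration and are not taken from any product.
"""
from dataclasses import dataclass
from typing import Callable

# A condition is a (field, operator, value) triple; all conditions in a rule must hold.
Condition = tuple[str, str, str]


@dataclass
class Detector:
    name: str
    description: str
    conditions: list[Condition]
    true_positives: list[dict]   # events the rule MUST match
    true_negatives: list[dict]   # events the rule MUST NOT match


# Case-insensitive string operators (constructed for this example).
OPERATORS: dict[str, Callable[[str, str], bool]] = {
    "equals": lambda actual, expected: actual.lower() == expected.lower(),
    "contains": lambda actual, expected: expected.lower() in actual.lower(),
    "endswith": lambda actual, expected: actual.lower().endswith(expected.lower()),
}


def matches(detector: Detector, event: dict) -> bool:
    """True if every condition of the detector holds for this event."""
    for fld, op, expected in detector.conditions:
        actual = event.get(fld)
        if actual is None or not OPERATORS[op](str(actual), expected):
            return False
    return True


def validate(detector: Detector) -> list[str]:
    """Run the detector's own test cases; an empty list means the rule passes."""
    failures = []
    for ev in detector.true_positives:
        if not matches(detector, ev):
            failures.append(f"{detector.name}: missed true positive {ev}")
    for ev in detector.true_negatives:
        if matches(detector, ev):
            failures.append(f"{detector.name}: false positive on {ev}")
    return failures


def run_suite(detectors: list[Detector]) -> dict[str, list[str]]:
    """Validate a whole rule library, e.g. as a CI gate before deployment."""
    return {d.name: validate(d) for d in detectors}


# Constructed sample events (process-creation style telemetry).
PS_PATH = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
ENCODED_PS = {"process_name": PS_PATH,
              "command_line": "powershell.exe -NoP -EncodedCommand QQBBAEEA"}  # placeholder payload
BENIGN_PS = {"process_name": PS_PATH,
             "command_line": "powershell.exe -File C:\\scripts\\backup.ps1"}
OTHER_PROCESS = {"process_name": "C:\\Windows\\System32\\cmd.exe",
                 "command_line": "cmd.exe /c echo -EncodedCommand"}

ENCODED_POWERSHELL = Detector(
    name="encoded_powershell_commandline",
    description="PowerShell started with an encoded command-line argument",
    conditions=[("process_name", "endswith", "powershell.exe"),
                ("command_line", "contains", "-encodedcommand")],
    true_positives=[ENCODED_PS],
    true_negatives=[BENIGN_PS, OTHER_PROCESS],
)

# Deliberately too broad: fires on every PowerShell launch, so its own
# true-negative case fails and the rule would be sent back for tuning.
ANY_POWERSHELL = Detector(
    name="any_powershell_too_broad",
    description="Every PowerShell launch (fails its own tests on purpose)",
    conditions=[("process_name", "endswith", "powershell.exe")],
    true_positives=[ENCODED_PS],
    true_negatives=[BENIGN_PS],
)

if __name__ == "__main__":
    for name, failures in run_suite([ENCODED_POWERSHELL, ANY_POWERSHELL]).items():
        print(name, "PASS" if not failures else failures)
```

In a real pipeline the detectors would live in a repository, the `run_suite` step would run on every change, and a failing true-negative case would block the merge until the rule was narrowed, which is what makes the lifecycle "as code" rather than ad hoc rule editing in a console.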
The Detection Engineering Process
Detection Engineering Languages
Detection Engineering Categorization
The Detection Engineer Role
Where does a detection engineer fit in?
A detection engineer would work with a security operations center or cyber incident response team to supply the security platform(s) with detectors. This role would work closely with incident responders, threat hunters, and security engineers to develop, deploy, and maintain a library of detectors. Moreover, detection engineers are usually part of a detection and response team which has cross-competencies within the security domain.
What does a detection engineer do?
- Build new detection capabilities based upon research, analysis of threat actor methodology, and testing of new attack techniques using data collected from a variety of embedded devices, firewalls, network devices, and hosts
- Define and tune data sources to better identify and stop threat actor activity
- Translate threat intelligence into actionable detection methods
- Act as the technical point of contact to guide and mentor fellow teammates and maintain exceptional quality of deliverables
- Understand open and proprietary protocols to identify software, devices, configurations, and vulnerabilities
What does it take to be a detection engineer?
- Expert level knowledge of Windows/Linux OS
- Digital forensic and intrusion analysis expertise
- Experience in:
  - Security Operations
  - Threat Hunting
  - Offensive Operations
  - Threat Emulation
  - Security Tool Development
- Certifications (GIAC: GCIH, GCFA, GNFA, GCTI)
- Coding experience (Python, SQL, etc.) and the ability to create and understand pseudocode
Detection Engineering Resources
- Getting Started with ATT&CK: Detection and Analytics
- Part 1: Would a Detection by Any Other Name Detect as Well?
- Part 2: Would a Detection by Any Other Name Detect as Well?
- Dissecting a Detection: An Analysis of ATT&CK Evaluations Data (Sources) Part 1 of 2
- Actionable Detections: An Analysis of ATT&CK Evaluations Data Part 2 of 2
- Behind the Scenes with Red Canary’s Detection Engineering Team
- Detection Engineering: Setting Objectives and Scaling for Growth
- Driving Efficacy Through Detector Tuning: a Deeper Dive Into Detection Engineering
- Remapping Red Canary with ATT&CK sub-techniques
- YouTube – Rethinking Detection Engineering
- YouTube – Rethinking Detection Engineering – Threat Scoring for Prioritization
- YouTube – Understanding Technique Abstraction for Detection Engineers
- SpecterOps Blogs: "Detection Engineering" Tag
  - Detection in Depth
  - Detection Spectrum
  - Capability Abstraction
  - Diving into the Security Analyst's Mind
  - Thoughts on Host-based Detection Techniques
  - Engineering Process Injection Detections – Part 1: Research
  - Engineering Process Injection Detections – Part 2: Data Modeling
  - Engineering Process Injection Detections – Part 3: Analytic Logic
- Anton on Security
  - Can We Have "Detection as Code"?
  - Role of Context in Threat Detection
  - What Are You NOT Detecting?
  - Stop Trying to Take Humans Out of SOC … Except … Wait… Wait… Wait…
  - SOC Threat Coverage Analysis – Why/How?