Principle: C2 Proactive Security Event Discovery
The organisation detects, within networks and information systems, malicious activity affecting, or with the potential to affect, the operation of essential functions even when the activity evades standard signature-based prevent or detect solutions (or when standard solutions are not deployable).
This means having the ability to identify advanced threat actors who may take measures to avoid detection via standard security monitoring tools, such as anti-virus software or signature-based intrusion detection systems.
Exploiting less direct indicators of malicious activity (behavioural anomalies and patterns rather than known signatures) to improve network and information system security should be considered an advanced capability that augments the core elements of section C1: Security Monitoring. It should be pursued where it is technically feasible, cost effective and appropriately prioritised.
The proactive security event discovery principle should be considered aspirational: departments are not required to meet it in order to achieve the Baseline or Enhanced Profile. It has been added to inform departments of existing government guidance, for those that wish to develop capability in this area.
Guidance
- Organisations that want to use automated tools should consult the NCSC’s guidance on Intelligent Security Tools. Capabilities like machine learning are increasingly applicable in the field of intrusion detection. However, if they are not well designed and executed, these technologies can be expensive, difficult to implement and can produce high false-alarm rates. This guidance will encourage you to understand your organisational needs, the underlying technology behind artificial intelligence and whether AI tools are an appropriate solution to the problem you want to resolve.
- Threat hunting involves using your security analysts to form and test a hypothesis about how an attacker might be present in your environment (for example, "a compromised workstation is contacting a command-and-control server at a regular interval"). If the hypothesis is confirmed, you can take the appropriate measures to contain and remediate the threat. The Digital, Data & Technology Profession has developed a Guide to Threat Hunting which will enable you to build and operate a threat hunting capability. It provides a Threat Hunting Capability Maturity Model consisting of five levels of maturity, ranging from 'initial' up to 'optimising', the latter including automated risk scoring, TTP tracking, periodic threat hunts and the sharing of indicators of compromise (IOCs) and hunting analytics across the community.
- The Detection approaches section within the NCSC’s Building a Security Operations Centre guide lays out several advanced forms of threat identification. It discusses how behavioural analytics tools, custom use cases, data mining and threat hunting can all be utilised to detect anomalous behaviour on your network. All of these methods will require continued maintenance to ensure that they remain in tune with normal network activity and have an up to date knowledge of attack techniques.
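The hypothesis-driven hunt and the behavioural detection described in the items above, worked through as an added example; this is not code from the page or from any of the NCSC or DDaT guides it cites. The hypothesis is that a compromised host beacons to an unknown command-and-control server at a near-fixed interval, which a signature cannot match but timing analysis can. The log lines and their layout (ISO timestamp, source IP, destination host, bytes) are constructed for the example and assume no particular product; the thresholds `min_events` and `max_cv` are hypothetical tuning values an analyst would adjust.

```python
"""Hypothesis-driven hunt for periodic outbound connections ("beaconing").

Hypothesis: a compromised workstation contacts its command-and-control
server at a near-fixed interval. No signature matches because the
destination and payload are unknown, so the hunt looks at timing instead:
connections from one source to one destination whose inter-arrival times
are far more regular than human browsing.

Everything below is constructed for this example. The log layout
(ISO timestamp, source IP, destination host, bytes sent) is an assumption,
not the format of any particular proxy or firewall.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log, deliberately out of time order as exports often are.
SAMPLE_LOG = """\
2024-03-01T09:00:00 10.1.1.20 cdn.example.net 5120
2024-03-01T09:00:12 10.1.1.20 news.example.org 14200
2024-03-01T09:00:13 10.1.1.20 cdn.example.net 3000
2024-03-01T09:00:00 10.1.1.33 updates.example-hosting.net 400
2024-03-01T09:05:01 10.1.1.33 updates.example-hosting.net 410
2024-03-01T09:10:00 10.1.1.33 updates.example-hosting.net 402
2024-03-01T09:14:59 10.1.1.33 updates.example-hosting.net 398
2024-03-01T09:20:00 10.1.1.33 updates.example-hosting.net 405
2024-03-01T09:25:01 10.1.1.33 updates.example-hosting.net 399
2024-03-01T09:01:40 10.1.1.20 news.example.org 2200
2024-03-01T09:44:12 10.1.1.20 news.example.org 1800
2024-03-01T09:47:30 10.1.1.20 news.example.org 6100
2024-03-01T10:15:05 10.1.1.20 news.example.org 900
2024-03-01T09:31:05 10.1.1.20 mail.example.com 9000
"""


def parse_log(text):
    """Parse whitespace-separated log lines into (timestamp, src, dst, bytes) tuples.

    Malformed lines are skipped rather than aborting the hunt: real exports
    contain junk, and one bad line must not hide a beacon elsewhere.
    """
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        try:
            ts = datetime.fromisoformat(fields[0])
            size = int(fields[3])
        except ValueError:
            continue
        records.append((ts, fields[1], fields[2], size))
    return records


def pair_timing_stats(records, min_events=5):
    """Per (src, dst) pair: event count, mean gap in seconds and coefficient of variation.

    Pairs with fewer than min_events connections are dropped because a
    handful of gaps cannot support a claim of regularity either way.
    """
    times = defaultdict(list)
    for ts, src, dst, _size in records:
        times[(src, dst)].append(ts)

    stats = {}
    for pair, stamps in times.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:  # all events share one timestamp; not a timing signal
            continue
        stats[pair] = {
            "events": len(stamps),
            "mean_interval_s": avg,
            "cv": pstdev(gaps) / avg,  # 0 means perfectly periodic
        }
    return stats


def find_beacons(records, min_events=5, max_cv=0.1):
    """Return the pairs whose timing regularity supports the beaconing hypothesis.

    max_cv is the hunt's tunable threshold (hypothetical default): lower it to
    accept only near-perfect periodicity, raise it to catch beacons that add
    jitter to hide.
    """
    stats = pair_timing_stats(records, min_events)
    hits = {pair: s for pair, s in stats.items() if s["cv"] <= max_cv}
    # Most regular first, so an analyst reviews the strongest candidates first.
    return dict(sorted(hits.items(), key=lambda item: item[1]["cv"]))


if __name__ == "__main__":
    for (src, dst), s in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}: {s['events']} events, every "
              f"{s['mean_interval_s']:.0f}s, cv={s['cv']:.3f}")
```

On the constructed data only `10.1.1.33 -> updates.example-hosting.net` is flagged: six connections roughly five minutes apart with a coefficient of variation near zero. The human-browsing pair `10.1.1.20 -> news.example.org` has enough events to be assessed but its gaps range from seconds to tens of minutes, so it is rejected. A real hunt would follow up a hit by checking the destination's age and reputation and the process that made the connection; this is the point at which the hypothesis is either confirmed for containment or discarded, and the maintenance the guidance mentions is the periodic re-tuning of `min_events` and `max_cv` against what normal traffic on your network looks like.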
Further information
Further guidance and information can be found on the NCSC’s CAF Guidance webpage.