Defining threat detection
This article defines the concepts used to classify findings: threat categories, severity levels, and remediation complexity. Together they give organizations a framework for prioritizing and addressing misconfigurations and exposures.
Categories
System: Refers to the system or platform to which the categorization is applied. For example, it can be related to Active Directory, Entra ID, Exchange Online, etc.
Theme: A broader grouping that spans several tactics and techniques, such as Account protection, Mailbox protection, or Tenant-wide.
Attack Tactics: The methods or strategies threat actors use to compromise systems. Examples are Initial Access, Privilege Escalation, and Command and Control (the names follow the MITRE ATT&CK tactic names).
Defend Tactics: The strategies used to defend against attacks, such as Domain Account Monitoring, Application Hardening, and Credential Hardening (names drawn from the MITRE D3FEND catalog).
ANSSI: The French National Cybersecurity Agency (Agence nationale de la sécurité des systèmes d'information). Here it refers to the specific guidelines, frameworks, or taxonomies ANSSI publishes for cybersecurity, against which a finding can be mapped.
STIG: Security Technical Implementation Guide. STIGs are published by the Defense Information Systems Agency (DISA) for the U.S. Department of Defense (DoD) and provide configuration guidelines and best practices for securing IT systems and software.
Indicator Type: Indicators are evidence pointing to malicious activity, or to the conditions that enable it, within a network or system. Each type represents the following:
Indicator of Attack (IoA): Signs that an attack is in progress or about to occur. IoAs support proactive detection: acting on them can stop an attack before it causes significant damage. Examples include unusual login patterns and unexpected system behavior.
Indicator of Compromise (IoC): Evidence that an attack has already occurred. IoCs are reactive and are used in post-incident investigations to establish the extent of a breach and to remediate it. Examples include unusual outbound network traffic and changes to system files or configurations.
Indicator of Exposure (IoE): Vulnerabilities or weaknesses in a system that an attacker could exploit. IoEs are used to identify and mitigate risk before an attack occurs. Examples include weak passwords and exposed services or ports.
Threat Severity Levels
This section defines and explains the various levels of threat severity, outlining their definitions, impacts, consequences, and recommended actions.
Critical
Definition: The issue or misconfiguration allows immediate privilege escalation.
Impact: Affects the entire environment (tenant or domain/forest) and can potentially cause a forest/tenant-wide failure or compromise.
Consequence: All users may lose access to their accounts and data.
Action: Immediate corrective actions are required.
High
Definition: The issue has the potential to impact the entire environment (tenant or domain/forest).
Impact: Can lead to a forest/tenant-wide failure or compromise.
Consequence: Configuration and management weaknesses put all hosted resources at risk of short-term compromise.
Action: Corrective actions should be planned and implemented promptly.
Medium
Definition: The environment (domain/forest or tenant) is no more secure than a default installation.
Impact: There is no immediate threat, but potential vulnerabilities exist.
Consequence: Security should be enhanced through preemptive measures.
Action: Preemptive actions to improve security are recommended.
Low
Definition: The environment is configured and managed more securely than the default installation.
Impact: Minimal risk to the environment.
Consequence: The security posture is strong but can still be improved.
Action: Preemptive actions to further enhance security are recommended.
Informational
Definition: The environment correctly implements the latest administrative models and security features.
Impact: No immediate threat; the reported state is considered best practice.
Consequence: The infrastructure is up to date with state-of-the-art security measures.
Action: Addressing an informational finding is recommended as a best practice, not as the correction of a weakness.
Remediation Complexity Definition
Remediation complexity is based on the potential impact of performing the recommended remediation in a production environment. It is a guideline to help customers build remediation plans that weigh severity against complexity.
These are guidelines, and all changes should be validated in a non-production environment before they are applied in production.
High - Remediation has the potential to disrupt business operations if one does not fully understand why the object was configured that way. Example: Threat Alert - Privileged AD user account with associated SPNs. Removing the SPN, or the account's privileges, in a production environment could break the business application that authenticates with that account. The remediation requires business knowledge of how the account is used before any step is performed.
Medium - Remediation has the potential to disrupt multiple users and possibly cause a service disruption for an application. Example: Threat Alert - A privileged AD user is not protected from using insecure authentication methods. This remediation could affect authentication for the privileged users concerned, but it would not affect the rest of business operations.
Low - Remediation has minimal business impact and can be applied safely. Example: Threat Alert - Microsoft Entra user not registered with MFA. No account in Entra ID should be configured this way, since every account must have MFA configured.
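The three Threat Alert examples above can be checked before a remediation plan is written. The following read-only audit is an added example, not code from the original page or from any product the page describes. It assumes the RSAT ActiveDirectory module on a domain-joined host and, for the Entra part, the Microsoft.Graph.Reports module with the AuditLog.Read.All and UserAuthenticationMethod.Read.All permissions consented. Two interpretations are assumptions of this example rather than statements of the page: "privileged AD user" is approximated by adminCount=1 (AdminSDHolder-protected accounts), and "protected from insecure authentication methods" is approximated by membership in the Protected Users group, which blocks NTLM, DES/RC4 Kerberos keys and delegation for its members.

```powershell
# Added example: read-only audit for the three remediation-complexity examples.
# Nothing is modified; the output is the input to a remediation plan.
# Assumptions (not from the page): adminCount=1 approximates "privileged" (it can
# be stale on accounts removed from privileged groups); Protected Users membership
# approximates "protected from insecure authentication" (group needs a 2012 R2 or
# later domain functional level).

function Get-PrivilegedAdFindings {
    Import-Module ActiveDirectory -ErrorAction Stop

    # Members is the collection of member DNs.
    $protectedDns = @((Get-ADGroup -Identity 'Protected Users' -Properties Members).Members)

    $privileged = Get-ADUser -LDAPFilter '(&(objectCategory=person)(adminCount=1))' `
        -Properties servicePrincipalName, LastLogonDate

    foreach ($u in $privileged) {
        # krbtgt always carries an SPN and is never a candidate for SPN removal.
        if ($u.SamAccountName -eq 'krbtgt') { continue }

        $spns = @($u.servicePrincipalName)
        if ($spns.Count -gt 0) {
            # High: some service authenticates with this account under this SPN;
            # removing it can break that service. Find the owner before changing anything.
            [pscustomobject]@{
                Account    = $u.SamAccountName
                Finding    = 'Privileged AD user account with associated SPNs'
                Complexity = 'High'
                Detail     = ($spns -join '; ')
                LastLogon  = $u.LastLogonDate
                Enabled    = $u.Enabled
            }
        }
        if ($protectedDns -notcontains $u.DistinguishedName) {
            # Medium: adding the account to Protected Users changes only how this
            # account authenticates (no NTLM, no RC4, no delegation).
            [pscustomobject]@{
                Account    = $u.SamAccountName
                Finding    = 'Privileged AD user not protected from insecure authentication'
                Complexity = 'Medium'
                Detail     = 'Not a member of Protected Users'
                LastLogon  = $u.LastLogonDate
                Enabled    = $u.Enabled
            }
        }
    }
}

function Get-EntraMfaFindings {
    Import-Module Microsoft.Graph.Reports -ErrorAction Stop
    Connect-MgGraph -Scopes 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All' -NoWelcome

    # Low: registering MFA for a user does not change how anything else works.
    Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
        Where-Object { -not $_.IsMfaRegistered } |
        ForEach-Object {
            [pscustomobject]@{
                Account    = $_.UserPrincipalName
                Finding    = 'Microsoft Entra user not registered with MFA'
                Complexity = 'Low'
                Detail     = "UserType=$($_.UserType); IsAdmin=$($_.IsAdmin)"
                LastLogon  = $null
                Enabled    = $null
            }
        }
}

$rank = @{ High = 0; Medium = 1; Low = 2 }
$findings = @(Get-PrivilegedAdFindings) + @(Get-EntraMfaFindings)
$findings | Sort-Object { $rank[$_.Complexity] }, Account | Format-Table -AutoSize
# High rows go to the application owners first; Low rows can be remediated in bulk.
$findings | Export-Csv -Path .\remediation-findings.csv -NoTypeInformation
```

One ordering caveat the complexity ranking implies: an account that appears in both the High list (has SPNs) and the Medium list (not in Protected Users) should not be added to Protected Users until the SPN question is settled, because a service that still authenticates with NTLM under that account stops working the moment the account joins the group. Resolve the High finding with the business owner first, then apply the Medium one.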