So you want to be a Security Engineer, huh?
Well, you’re in the right place. Welcome to the first article in a new series of mine, Security Engineer Starter Guide.
In the inaugural article, I’ll be detailing my recommendations for getting your feet wet in a subdiscipline of cybersecurity known as Detection Engineering.
So, what is Detection Engineering?
In its simplest form, detection engineering is the creation of sets of threat detection rules that define specific patterns, behaviors, and Indicators of Compromise (IoCs) that may indicate malicious activities. (If you want to deep dive further into the topic, I’ve got you covered in a previous article.)
Detection Engineers are the experts that write the rules in SIEMs and other alerting platforms that function as tripwires and alarms to provide visibility into the activity that occurs in the different applications in your environment.
In order to do this effectively, as with most things, you need to start with…
The Basics
Security and Networking Fundamentals
Every cybersecurity professional needs to have a working knowledge of different security and networking fundamentals.
The best place to start is with the CIA Security Model. Commit this to memory. It is a foundational framework in the cybersecurity realm and serves as a guiding principle for organizations to safeguard their data and systems.
From a high level, the CIA model is:
Confidentiality: Only authorized parties can read the data (protecting secrets)
Integrity: Data and systems are not changed without authorization, and any unauthorized change can be detected
Availability: Systems and data are reachable by the people who need them, when they need them
The next logical step will be to learn the OSI Model. The 7 layers in this framework will help you understand the functions of a networking system. Familiarize yourself with each layer.
On top of this, you’ll have to get familiar with the nitty-gritty of networking. This includes IP addresses, subnets, DNS, and protocols.
IPs & Subnets are a fundamental concept that allow devices to communicate over a network. IPv4 addresses are most common, but you’ll occasionally run into IPv6 - familiarize yourself with both. Subnetting is the practice of dividing an IP network into smaller subnetworks. A subnet mask (or, equivalently, a CIDR prefix length such as /24) marks which leading bits of an address identify the network and which trailing bits identify the host. The easiest way to understand these masks is to learn the binary notation of an IP and see how the mask’s one-bits line up with the network portion. I’ll get you started:
192.168.1.1 = 11000000.10101000.00000001.00000001
I’d suggest reading more on the binary breakdown here.
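To make the binary breakdown concrete, here is an added example (my own illustration, not code from the original article) that converts an address to dotted binary, builds a mask from a prefix length, derives the network address with a bitwise AND, and then uses subnet membership the way a detection would: to tell "internal host talking to the internet" apart from internal-to-internal traffic. The RFC 1918 ranges stand in for "internal" address space, and the sample flows are constructed, not captured traffic.

```python
import ipaddress

# RFC 1918 private ranges, used here as a stand-in for "internal" address space.
PRIVATE_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def to_binary(ip: str) -> str:
    """Dotted-decimal IPv4 -> dotted binary, one 8-bit group per octet."""
    return ".".join(f"{int(octet):08b}" for octet in ip.split("."))


def prefix_to_mask(prefix_len: int) -> str:
    """CIDR prefix length -> dotted-decimal subnet mask (/24 -> 255.255.255.0).

    The mask is prefix_len one-bits followed by zero-bits, so it is built by
    shifting a 32-bit all-ones value left and discarding the overflow.
    """
    if not 0 <= prefix_len <= 32:
        raise ValueError("IPv4 prefix length must be 0..32")
    bits = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return ".".join(str((bits >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def network_address(ip: str, prefix_len: int) -> str:
    """Bitwise-AND the address with its mask; the masked-off host bits become zero."""
    ip_int = int(ipaddress.IPv4Address(ip))
    mask_int = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(ip_int & mask_int))


def in_subnet(ip: str, cidr: str) -> bool:
    """Membership test for IPv4 or IPv6; strict=False accepts a host address as the CIDR base."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def is_private(ip: str) -> bool:
    """True if the address falls in any RFC 1918 range (an IPv6 address never does)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def egress_flows(flows):
    """Return (src, dst) pairs where an internal host talks to a non-private destination.

    This is the kind of membership test a detection uses to scope a rule,
    e.g. "internal host -> internet" versus "internal host -> internal host".
    """
    return [(src, dst) for src, dst in flows if is_private(src) and not is_private(dst)]


if __name__ == "__main__":
    # Constructed sample flows (documentation-range addresses), not real traffic.
    sample = [
        ("10.1.2.3", "10.1.9.9"),
        ("192.168.1.10", "198.51.100.4"),
        ("172.31.0.5", "203.0.113.7"),
    ]
    print(to_binary("192.168.1.1"))
    print(network_address("192.168.1.77", 24), prefix_to_mask(24))
    print(egress_flows(sample))
```

Work a few prefixes by hand before trusting the functions: a /20 keeps the top four bits of the third octet, so 10.20.33.7/12 lands in network 10.16.0.0 because only the top four bits of 20 (00010100) survive the mask.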
The Domain Name System, or DNS, is a critical component of the internet. Think of it as the phone book that serves the web, translating human-readable domains into IP addresses. You’ll need to get familiar with the process that DNS uses to query and lookup, along with the common DNS record types:
A Record (Address Record): Maps a domain name to an IPv4 Address.
AAAA Record (Address Record): Maps a domain name to an IPv6 address.
CNAME Record (Canonical Name Record): Maps an alias (subdomain) to the canonical (true) domain name.
MX Record (Mail Exchange Record): Specifies the mail server responsible for receiving email messages on behalf of a domain.
TXT Record (Text Record): Stores arbitrary text data, often used for verification or information purposes.
NS Record (Name Server Record): Specifies the authoritative name servers for a domain.
Tying all of these pieces together is HTTP, the protocol web traffic runs on. Its request methods tell a server what action a client wants taken on a resource, and you’ll see them in every web server, proxy, and WAF log you write detections against. Familiarize yourself with the big five:
GET - Used to retrieve data from the server. This method should only retrieve data and should not have any other effect on the server.
POST - Used to send data to the server to create a new resource. It often involves submitting form data or uploading files.
PUT - Used to create or fully replace the resource at a given URI with the data in the request body.
DELETE - Used to request the removal of a resource from the server.
PATCH - Used to apply partial modifications to a resource on the server.
Once you feel you have a solid understanding of these networking concepts, you can start diving into the most common cyber threats and attacks:
Malware: Malicious software that is designed to damage, disrupt, or gain unauthorized access to systems or data. Includes viruses, Trojans, worms, and ransomware.
Phishing: Deceptive emails, messages, or websites impersonating trusted entities with the intention to trick users into revealing sensitive information, like login credentials or personal/financial details.
Social Engineering: Manipulative tactics used to exploit human psychology and persuade individuals to divulge confidential information or perform actions against their best interests.
Insider Threats: Security risks originating from individuals within an organization who misuse their privileges or knowledge for malicious purposes.
Take the time to think about how malicious actors might leverage these different attack strategies to take advantage of unsuspecting victims.
Technical Fundamentals
Awesome - now you’ve built a solid foundation for yourself to grow on.
But in order to be a successful Detection Engineer you need to have technical abilities, not just conceptual.
Start by getting a solid grasp on the differences between Cryptography, Hashing, and Encoding:
Cryptography is the discipline of securing information with algorithms and keys. Encryption transforms readable data (plaintext) into ciphertext that only a key holder can reverse. Symmetric encryption uses the same key for both encryption and decryption, whereas asymmetric encryption uses a key pair: the public key encrypts and the private key decrypts (and, in the other direction, the private key signs and the public key verifies). Encryption protects confidentiality; integrity and authenticity come from message authentication codes (MACs) and digital signatures, which are cryptography too.
Hashing is an irreversible, one-way process that converts data of any size into a fixed-length value known as a hash or digest. The same input always produces the same digest, and a tiny change to the input produces a completely different one. It is used for integrity verification, for password storage (always with a per-user salt and a deliberately slow algorithm, never a bare fast hash), and as the first step of a digital signature.
Encoding converts data from one representation to another so that different systems can consume it (Base64, URL encoding, hex). Anyone can reverse it with no key, so it provides no security at all, just a different representation of the same data. Attackers lean on exactly that: Base64-encoded command lines and URL-encoded payloads are routine in the logs you’ll write detections against, so learn to recognize and decode them.
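The following is an added example of mine (not code from the original article) putting the three side by side with Python’s standard library: Base64 that anyone can reverse, a SHA-256 digest that nobody can, salted PBKDF2 for password storage, an HMAC that proves integrity to a key holder, and a one-time-pad XOR as a deliberately minimal symmetric cipher. The XOR pad is an illustration of "same key encrypts and decrypts"; it is not what you would ship, and the iteration count is an assumption you should tune to your hardware.

```python
import base64
import hashlib
import hmac
import os
import secrets
from typing import Optional, Tuple

PBKDF2_ITERATIONS = 600_000  # assumed value; deliberately slow, tune to your hardware


def encode_b64(data: bytes) -> str:
    """Encoding: a different representation, reversible by anyone, no key involved."""
    return base64.b64encode(data).decode("ascii")


def decode_b64(text: str) -> bytes:
    return base64.b64decode(text)


def sha256_hex(data: bytes) -> str:
    """Hashing: fixed-length, one-way. The input cannot be recovered from the digest."""
    return hashlib.sha256(data).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Password storage: per-user random salt plus a slow key-derivation function."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def tag(key: bytes, message: bytes) -> bytes:
    """Keyed hash (HMAC): integrity plus authenticity. Only a key holder can produce it."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_tag(key: bytes, message: bytes, mac: bytes) -> bool:
    return hmac.compare_digest(tag(key, message), mac)


def otp_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric encryption: a one-time pad. The same operation encrypts and decrypts,
    the key must be at least as long as the data, and it must never be reused.
    Illustration only; real code uses an AEAD cipher from a vetted library."""
    if len(key) < len(data):
        raise ValueError("one-time pad key must be at least as long as the data")
    return bytes(k ^ d for k, d in zip(key, data))


if __name__ == "__main__":
    secret = b"attack at dawn"  # constructed sample message
    print("encoded:", encode_b64(secret), "-> decoded without a key:", decode_b64(encode_b64(secret)))
    print("sha256:", sha256_hex(secret))
    salt, digest = hash_password("correct horse battery staple")
    print("password ok:", verify_password("correct horse battery staple", salt, digest))
    key = secrets.token_bytes(len(secret))
    ciphertext = otp_xor(key, secret)
    print("ciphertext:", ciphertext.hex(), "-> plaintext:", otp_xor(key, ciphertext))
```

Note which operations take a key: encoding and hashing take none, the HMAC and the cipher do. That single question is the fastest way to tell the three apart when you meet them in a log.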
The next step is to learn a Query Language. Nowadays, it seems like every vendor and platform creates their own Query Language. But the majority of these new query languages are influenced by the ol’ reliable: SQL. Take the time to learn the basics of SQL: SELECT, WHERE, JOIN, GROUP BY, HAVING, ORDER BY, and the aggregate functions (COUNT, MIN, MAX). Once you learn one Query Language, you’ll be able to learn any.
Now that your technical juices are flowing, you can make the jump to learning Python. Now, I know this may sound daunting, but trust me, it’s not. You just need to know a few basics to become Python literate. I covered the bare minimum that you need to know in my Python for Security Engineers guide.
Detection Engineering Learning Track
Detection Engineering Skills
Now that you’ve gotten the basics down, it’s time to jump into some Detection Engineering specifics.
And what better way to start than by writing a Detection?
Detections are the backbone of your SIEM and what you’ll be relying on to safeguard your organization.
It’s important to understand the logic and thought process that go into researching and architecting a detection. It’ll take some practice and some critical thinking, but it’s not as difficult as it sounds.
I walk you through my step by step guide of writing your first Detection in my article here.
Give it a read. Then I challenge you to perform this task: Define a use-case for a threat you’d like to detect and write pseudo-code for your own Detection.
Once you’ve completed that, you might begin to wonder: What makes a “Good” Detection?
Again, I’d recommend reading my deep dive on the topic. But at the highest level, it’s important to be able to define the exact value that the Detection is driving.
Creating valuable detections is essential as your SIEM, your organization, and your team scale. At the end of the day, the goal of these detections is to create alerts that Analysts can act on. If you don’t focus on driving value, you flood your team with noise, and noise causes a condition known as Alert Fatigue.
And there it is, possibly the first time you’ve seen that phrase, but most definitely not the last: Alert Fatigue.
Alert Fatigue is the disease that plagues every SOC team, and a disease you will be the creator and distributor of as a Detection Engineer if you’re not careful. But you’ll also be the one best equipped to fight against it. Become familiar with the topic of Alert Fatigue (again, from one of my articles if you’d like) and start to consider the different ways your detections can cause it:
Improper thresholds
Poorly thought out exceptions
Improper Testing
Spotty Logic
Unclear language
Unactionable artifacts
The list goes on…
While it can be a difficult problem to solve, I’ve found one thing true in my experience: The numbers never lie.
When in doubt, turn to the data. That’s why it’s essential to understand the importance of creating a Data Driven Detection Lifecycle.
A Detection Lifecycle is the process a security team takes to review and improve the quality of the detections in place. At first the opportunities for improvement may seem obvious - whatever detections fire the most probably need tuning. But as you scale and get further along with your detections, poor detections become less apparent. This is where your Query Language skills come into play. Create thoughtful ways to measure the value of your detections (alert volume per rule, how often an alert turns out to be a true positive, rules that have gone silent) and let that data drive your decisions.
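As an added example of letting the numbers drive the lifecycle (my illustration, not the article’s own process), the block below takes a constructed set of analyst dispositions for one review period, computes per-rule alert volume, share of total volume and precision (true positives divided by alerts), and turns those into a verdict: tune the noisy rule, leave the healthy one alone, wait for more data on the rare one, and go check the log source for a rule that never fired. The rule names, dispositions and cutoffs are assumptions for the example.

```python
from typing import Dict, Iterable, List, Tuple

# Hypothetical rule catalog: every rule that is supposed to be live this period.
RULE_CATALOG = ["brute_force_login", "new_admin_user", "dns_tunneling",
                "impossible_travel", "rdp_from_internet"]

# Constructed analyst dispositions (rule, disposition) for the period, not real data.
ALERTS: List[Tuple[str, str]] = (
    [("brute_force_login", "true_positive")] * 6 + [("brute_force_login", "false_positive")] * 34
    + [("new_admin_user", "true_positive")] * 4 + [("new_admin_user", "false_positive")]
    + [("dns_tunneling", "false_positive")] * 12
    + [("impossible_travel", "true_positive")] + [("impossible_travel", "false_positive")] * 2
)


def rule_metrics(alerts: Iterable[Tuple[str, str]], catalog: Iterable[str]) -> Dict[str, dict]:
    """Per-rule alert count, true positives, precision and share of total volume.

    Rules from the catalog with no alerts still appear, with precision None,
    so a rule that silently stopped firing is visible rather than absent.
    """
    counts = {rule: {"alerts": 0, "true_positives": 0} for rule in catalog}
    for rule, disposition in alerts:
        entry = counts.setdefault(rule, {"alerts": 0, "true_positives": 0})
        entry["alerts"] += 1
        if disposition == "true_positive":
            entry["true_positives"] += 1
    total = sum(e["alerts"] for e in counts.values())
    for entry in counts.values():
        n = entry["alerts"]
        entry["precision"] = round(entry["true_positives"] / n, 3) if n else None
        entry["volume_share"] = round(n / total, 3) if total else 0.0
    return counts


def recommendations(metrics: Dict[str, dict], min_alerts: int = 5,
                    min_precision: float = 0.25) -> Dict[str, str]:
    """Map each rule to one of four verdicts:
    silent            - fired zero times; confirm the log source and rule are live
    insufficient_data - too few alerts to judge; keep collecting dispositions
    tune              - enough volume and precision below the bar; raise the
                        threshold or add a scoped exception
    healthy           - leave it alone
    """
    verdicts = {}
    for rule, m in metrics.items():
        if m["alerts"] == 0:
            verdicts[rule] = "silent"
        elif m["alerts"] < min_alerts:
            verdicts[rule] = "insufficient_data"
        elif m["precision"] < min_precision:
            verdicts[rule] = "tune"
        else:
            verdicts[rule] = "healthy"
    return verdicts


if __name__ == "__main__":
    metrics = rule_metrics(ALERTS, RULE_CATALOG)
    for rule, verdict in recommendations(metrics).items():
        m = metrics[rule]
        print(f"{rule:20} alerts={m['alerts']:3} share={m['volume_share']:.3f} "
              f"precision={m['precision']} -> {verdict}")
```

The two cutoffs are the knobs you will argue about with your analysts; the point is that the argument is over a number you can both see, and the same query you used to write the detection is the one that tells you whether it is still earning its place.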
Staying Up to Date
Threats are constantly evolving.
In this field, it’s important to make sure you stay up to date on what the malicious actors are doing.
I have two tried-and-true ways that I stay up to date with Cybersecurity news. I’m not saying either is right or wrong, it’s just what I prefer and recommend.
First, is The Hacker News. This platform is great at posting emerging news on cyber threats multiple times per day.
Next is Cybersecurity Twitter/X. This takes a little more active searching, as well as teaching the algorithm what you’re interested in, but in time you’ll start to see Cybersecurity news populate your feed.
If I Were Starting Over Again…
Cybersecurity is such a dense field, it’s hard to even know where to start.
Hell, it’s hard to know what’s even out there.
When I started my career in Cybersecurity, I wish I had structure - a way to learn in an organized fashion, learning new topics that build on each other in a way that actually made sense.
That’s why I created the Security Sip - the resource I wish I had when I started my career.
It divides 12 fundamental topics into 85 separate modules with 155 exercises to help drive home what you learn.
The 12 high-level topics you will cover at your own pace are:
Security Fundamentals
Network Fundamentals
Linux Fundamentals
Authn and Authz
Threat Intelligence
Python for Security
Web Application Security
Corporate Security
Cloud Security
Incident Response
Secure Coding Practices
Advanced Topics
Each module has 1 or more exercises designed to ensure you’re digesting what you learn and applying it to scenarios you might run into in the real world.
Plus, each exercise includes a verbose explanation to make sure you’re learning exactly what you need to be successful in this industry.
I built the exact resource I wish I had as a beginner in the field, and I hope that it can help you if you’re in a similar position I was when I first started.
Securely Yours,
The Cybersec Cafe
Just a heads up, The Cybersec Cafe's got a pretty cool weekly cadence.
Every week, expect to dive into the hacker’s mindset in our Methodology Walkthroughs or explore Deep Dive articles on various cybersecurity topics.
. . .
Oh, and if you want even more content and updates, hop over to Ryan G. Cox on Twitter/X or my Website. Can't wait to keep sharing and learning together!