The challenge of detecting sophisticated attacks: Insights from SOC Analysts


Bibliographic Details
Main Authors: Akinrolabu, O, Agrafiotis, I, Erola, A
Format: Conference item
Published: Association for Computing Machinery 2018
Abstract: The ever-increasing rate of sophisticated cyber-attacks and their impact on networks has remained a menace to the security community. Existing network security solutions, including those applying machine learning algorithms, often centre their detection on the identification of threats in individual network events, which has proven inadequate for detecting sophisticated multi-stage attacks. Similarly, SOC analysts whose roles involve detecting advanced threats are faced with a significant number of false-positive alerts from the existing tools. The ability of these tools to detect novel attacks or variants of existing ones is limited by the lack of expert input from SOC analysts in their creation, and by the use of features that are closely linked to the structure of the specific malware that the detection models aim to identify. In this work, we conduct a literature review of malware detection tools, reflect on the features used in these approaches, and extend the feature set with novel ones identified by interviewing experienced SOC analysts. We conduct thematic analysis on the qualitative data obtained from the interviews, and our results not only indicate the presence of novel generic malware characteristics based on network and application events (web proxy, firewall, DNS), but also identify valuable lessons for developing effective SOCs regarding their structure and processes.
Identifier: oxford-uuid:06dd7d0f-8cc8-4f86-ad61-073fb5a99c03
Institution: University of Oxford