While events can be collected from many kinds of devices, it is crucial to decide what to monitor: the goal is high-quality, relevant logs that detect threat actors quickly and make it hard for them to slip past our alerts. The table below lists potential detection indicators together with how difficult each one is for an attacker to change.
| Indicator | Difficulty to change |
|---|---|
| File checksums and hashes | Very Easy |
| IP Addresses | Easy |
| Domain Names | Simple |
| Network and Host Artifacts | Annoying |
| Tools | Challenging |
| Tactics, Techniques and Procedures | Hard |
File checksums and hashes help identify known malware, but attackers can change them trivially. Network and host artifacts are harder to alter, and understanding threat actors' Tactics, Techniques, and Procedures (TTPs) lets defenders strengthen their defenses against attacks such as spear-phishing and peer-to-peer networking.
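To make the difference between the levels concrete, the following is an added Python example (not code from the original article) that runs one detector per level of the table over two constructed endpoint events: the same intrusion before and after the attacker recompiles the payload, moves its command-and-control address and renames its persistence key. All hashes, addresses, domains and registry keys are placeholders constructed for the example (documentation IP ranges and the reserved `.example` TLD), not real indicators; the TTP rule encodes one common spear-phishing behaviour, a document or mail application spawning a command interpreter.

```python
"""Detection coverage across the indicator levels, on constructed events.

Added illustration, not part of the original article. Every indicator value and
event below is constructed for the example; none is a real IOC.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed indicator lists, ordered from easiest to hardest for an attacker
# to change. Values are placeholders, not threat intelligence.
KNOWN_BAD_HASHES = {"aaaa1111" * 8}           # hash of the constructed "sample v1"
KNOWN_BAD_IPS = {"203.0.113.45"}              # TEST-NET-3 documentation range
KNOWN_BAD_DOMAINS = {"update-check.example"}  # .example is reserved for documentation

# Host-artifact indicator: the constructed sample's persistence key.
KNOWN_BAD_ARTIFACTS = {
    "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SvcUpd"
}


@dataclass
class Event:
    """One constructed process-creation event with its network and registry context."""
    host: str
    parent_process: str
    process: str
    sha256: str
    dest_ip: str = ""
    dest_domain: str = ""
    registry_keys: list = field(default_factory=list)


def match_hash(e: Event) -> bool:
    return e.sha256 in KNOWN_BAD_HASHES


def match_ip(e: Event) -> bool:
    return e.dest_ip in KNOWN_BAD_IPS


def match_domain(e: Event) -> bool:
    return e.dest_domain in KNOWN_BAD_DOMAINS


def match_artifact(e: Event) -> bool:
    return any(k in KNOWN_BAD_ARTIFACTS for k in e.registry_keys)


# TTP-level rule: a document reader or mail client spawning a command
# interpreter, the behaviour a spear-phishing attachment with a macro
# typically produces, regardless of which payload hash or C2 address
# the attacker happens to use.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "mshta.exe"}


def match_ttp(e: Event) -> bool:
    return e.parent_process.lower() in OFFICE_PARENTS and e.process.lower() in SHELLS


# One detector per level of the table, easiest-to-change first.
DETECTORS = [
    ("hash", match_hash),
    ("ip", match_ip),
    ("domain", match_domain),
    ("artifact", match_artifact),
    ("ttp", match_ttp),
]


def evaluate(e: Event) -> list[str]:
    """Return the names of the levels at which the event is detected."""
    return [name for name, fn in DETECTORS if fn(e)]


# Constructed events: the same intrusion before and after the attacker
# recompiles the payload, moves C2 and renames the persistence key.
EVENTS = {
    "original": Event(
        host="ws01", parent_process="WINWORD.EXE", process="powershell.exe",
        sha256="aaaa1111" * 8, dest_ip="203.0.113.45",
        dest_domain="update-check.example",
        registry_keys=["HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SvcUpd"],
    ),
    "retooled": Event(
        host="ws02", parent_process="EXCEL.EXE", process="cmd.exe",
        sha256="bbbb2222" * 8, dest_ip="198.51.100.7",
        dest_domain="cdn-sync.example",
        registry_keys=["HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"],
    ),
}


def coverage_report() -> dict[str, list[str]]:
    """Map each constructed event to the levels that still detect it."""
    return {label: evaluate(ev) for label, ev in EVENTS.items()}


if __name__ == "__main__":
    for label, hits in coverage_report().items():
        print(f"{label:>9}: detected at {hits or ['nothing']}")
```

The first event trips every level; the retooled one trips only the TTP rule, which is the point of the table: hash, address and domain lists need refreshing after every change the attacker makes, while a rule on the behaviour itself keeps firing until the attacker changes how they operate.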