Skip to main content

Identifying Advanced Persistent Threat Activity Through Threat-Informed Detection Engineering: Enhancing Alert Visibility in Enterprises

Advanced Persistent Threats (APTs) are among the most challenging to detect in enterprise environments, often mimicking authorized privileged access prior to their actions on objectives. Moving within the environment slowly and quietly, APTs can often persist within the environment for months before detection.

There are several approaches to detecting these adversaries, with many mature enterprises utilizing some combination of User-Entity Behavior Analytics (UEBA), Risk-Based Alerting (RBA), and traditional detection engineering practices. However, even these advanced approaches can have gaps. While they may show anomalous behavior, they can result in false positives, leading to wasted analyst cycles and potential alert fatigue.

To combat this, the question is asked: does threat modeling prior to detection engineering generate more robust detections than traditional detection engineering alone? By leveraging the threat modeling process, enterprises can leverage their existing detection strategies differently, using information gained from the threat modeling process to alert them with detections aligning to Tactics, Techniques, and Procedures (TTPs) commonly used together as part of an intrusion.

Download file

SANS_Identifying_Advanced_Persistent_Threat_Activity_Through_Threat_Informed_Detection_Engineering_Enhancing_Alert_Visibility_Enterprises (PDF, 1.44MB)

20 Feb 2025
ByEric LeBlanc
Share
All papers are copyrighted

No re-posting of papers is permitted

Related Content

Infrastructure as Code-Driven Group Policy Infrastructure: A Comprehensive Engine for Group Policy Architecture and Enforcement

Research Paper

This study introduces a PowerShell-based Infrastructure as Code (IaC) engine developed to automate the setup and enforcement of a STIG-compliant Group Policy framework.

  • 5 Dec 2025

Defending Vulnerable Populations Against Scams: Effectiveness of Browser Extensions in Mitigating Scammer Attack Chains

Research Paper

This research evaluates the effectiveness of a browser extension as a security control—Grandma’s Guardian—designed for simplicity and accessibility so that even non-technical home users can benefit from enterprise-grade protection.

  • 19 Nov 2025

Building Scalable Detection-as-Code Pipelines with Agentic Validation and Refinement

Research Paper

The proposed DaC pipeline uses large language models (LLMs) for logic conversion, variant analysis, and simulation testing via Atomic Red Team, with queries executed against Splunk to measure true positives and false negatives.

  • 6 Nov 2025

Isolated Trust: Zero Trust in Standalone Systems

Research Paper

The use of air-gapped, isolated systems remains an essential tool for organizations that require high confidentiality or integrity, including those in the government, industrial control systems, and the banking industry.

  • 6 Nov 2025

"You Again": Fingerprinting and Tracking Mechanisms of Malicious Sites

Research Paper

Browsers provide many APIs for any visited site to perform stateful and stateless tracking, and legitimate websites utilize these capabilities. Yet little is widely known about what tracking, if any, malicious sites perform.

  • 26 Sep 2025

Evaluating Zero Trust Network Access: A Framework for Comparative Security Testing

Research Paper

Evaluating Zero Trust Network Access: A Framework for Comparative Security Testing

  • 11 Jul 2025

AI-Driven Insecurity: Assessing Security Gaps in AI Generated IT Guidance

Research Paper

The increasing reliance on AI-generated technical guidance for IT system configuration introduces significant security risks. This study assesses these risks through a case study: setting up an Apache web server on a Rocky Linux system using instructions from seven AI models.

  • 13 May 2025

SIEM Detection Logic Conversion with LLMs

Research Paper

This research explores how Large Language Models (LLMs) and automation scripts can expedite the translation of detection logic between SIEMs, converting detections in minutes instead of hours.

  • 2 May 2025

Validating the Effectiveness of MITRE Engage and Active Defense

Research Paper

This research examines the impact of Active Defense compared to a traditional security posture when an adversary employs common tactics and techniques to identify high-value targets or exfiltrate sensitive data.

  • 29 Mar 2025

Shift Left the Awareness and Detection of Developers Using Vulnerable Open-Source Software Components

Research Paper

The number of open-source software components, as well as the number of existing security...

  • 26 Mar 2025

Strolling Through the STIG

Research Paper

The CKL file has become the unofficial common language amongst the Department of Defense activities...

  • 7 Mar 2025

Building Resilient IoT Devices: Binary Hardening with Yocto and Clang

Research Paper

This paper addresses the critical need for enhanced security in Internet of Things (IoT) devices by evaluating the implementation of binary hardening techniques using Clang security features within the Yocto build environment.

  • 3 Mar 2025

Persistence Busters: High Impact Methods for Adversary and Threat Detection

Research Paper

This research investigates the top persistence techniques targeting Windows systems as documented in the MITRE ATT&CK framework and how to detect them.

  • 7 Feb 2025

Evaluating Modern Network Protocol Fingerprinting: Defending Bastion Hosts in Hostile Networks

Research Paper

Adversaries continue to attack the network perimeter and trusted user workstations to gain access to...

  • 6 Feb 2025

The Proof is in the Pudding: EDR Configuration Versus Ransomware

Research Paper

Each Endpoint Detection and Response (EDR) tool is slightly different in its functions and...

  • 23 Dec 2024

Revolutionizing Enterprise Security: The Exciting Future of Passkeys Beyond Passwords

Research Paper

As digital threats grow increasingly sophisticated, traditional password-based authentication...

  • 23 Dec 2024
  • Rich Greene

Using PowerShell and Other Command Line Tools for Windows 11 STIG Compliance

Research Paper

Hardening non-domain joined Windows 11 operating systems is a daunting task without automation....

  • 5 Dec 2024

Securing the Web: Shortening TLS Certificate Lifespans for Enhanced Security

Research Paper

Google has proposed changing the maximum validity period of TLS certificates from 398 to 90 days....

  • 5 Dec 2024

Kubernetes: Micro-Segmentation for Kubernetes Instantiated Ephemeral Workloads

Research Paper

Defensive security professionals will have to commit focused energy and resources to protect...

  • 5 Dec 2024

Never Trust, Always Verify: Effectiveness of Endpoint Detection and Response Tools Versus Zero Trust Endpoint Controls in Enterprise Environments

Research Paper

Threat actors are finding new ways to evade detection by exploiting built-in tools like Living Off...

  • 5 Dec 2024