Threat detection and response
Just as malicious actors' threats and attack techniques evolve, so too must enterprise threat detection and response tools and procedures. From real-time monitoring and network forensics to IDS/IPS, NDR and XDR, SIEM and SOAR, read up on detection and response tools, systems and services.
Top Stories
-
Conference Coverage
16 May 2025
RSAC Conference 2025
Follow SearchSecurity's RSAC 2025 guide for insightful pre-conference insights and reports on notable presentations and breaking news at the world's biggest infosec event. Continue Reading
-
Tutorial
07 May 2025
How to use arpwatch to monitor network changes
The arpwatch utility flags administrators in the event of any unexpected changes or unauthorized devices, which could signal ARP spoofing or credential-harvesting attacks. Continue Reading
-
News
17 Jul 2023
Microsoft still investigating stolen MSA key from email attacks
While Microsoft provided additional attack details and techniques used by Storm-0558, it remains unclear how the Microsoft account signing key was acquired. Continue Reading
-
News
17 Jul 2023
JumpCloud breached by nation-state threat actor
JumpCloud's mandatory API key rotation earlier this month was triggered by a breach at the hands of a nation-state threat actor that gained access through spear phishing. Continue Reading
-
News
12 Jul 2023
Chainalysis observes sharp rise in ransomware payments
The rise in total ransomware payments so far this year is a reversal of the decline Chainalysis saw in 2022, when payments fell sharply to $457 million from $766 million in 2021. Continue Reading
-
News
12 Jul 2023
Threat actors forged Windows driver signatures via loophole
Threat actors bypassed Microsoft's driver signing policy using a technical loophole and signature timestamp forging tools commonly used in the video game cheat community. Continue Reading
-
Definition
07 Jul 2023
network intrusion protection system (NIPS)
A network intrusion protection system (NIPS) is an umbrella term for a combination of hardware and software systems that protect computer networks from unauthorized access and malicious activity. Continue Reading
-
News
06 Jul 2023
JumpCloud invalidates API keys in response to ongoing incident
The cloud provider did not give any details about the incident that prompted a mandatory API key rotation, which might have caused service disruptions for customers. Continue Reading
-
Definition
05 Jul 2023
host intrusion prevention system (HIPS)
A host intrusion prevention system (HIPS) is an approach to security that relies on third-party software tools to identify and prevent malicious activities. Continue Reading
-
Definition
05 Jul 2023
WannaCry ransomware
WannaCry ransomware is a cyber attack that spreads by exploiting vulnerabilities in the Windows operating system. Continue Reading
-
Tip
23 Jun 2023
Top 10 threat modeling tools, plus features to look for
Automated threat modeling tools make identifying threats simpler, but the tools themselves can be fairly complex. Understanding where risks exist is only one part of the process. Continue Reading
-
News
22 Jun 2023
Apple patches zero days used in spyware attacks on Kaspersky
Two Apple zero days were used in the spyware campaign Kaspersky Lab named 'Operation Triangulation,' which was initially discovered on iOS devices of Kaspersky employees. Continue Reading
-
Opinion
21 Jun 2023
How AI benefits network detection and response
Interest in security tools with AI is growing as security leaders uncover AI's potential. One area that could especially benefit from AI is network detection and response. Continue Reading
-
Podcast
15 Jun 2023
Risk & Repeat: Mandiant sheds light on Barracuda ESG attacks
Barracuda Networks attempted to fix the critical ESG zero-day vulnerability, but a Chinese nation-state threat actor was able to maintain access on compromised devices. Continue Reading
-
News
15 Jun 2023
Chinese nation-state actor behind Barracuda ESG attacks
Mandiant said the zero-day attacks on Barracuda Email Security Gateway appliances were part of a 'wide-ranging campaign in support of the People's Republic of China.' Continue Reading
-
Tip
15 Jun 2023
Risk assessment vs. threat modeling: What's the difference?
Risk assessments and threat modeling each address potential risks. But they play distinct roles in how they help companies protect systems and data. Continue Reading
-
News
13 Jun 2023
Fortinet warns critical VPN vulnerability 'may' be under attack
Fortinet said the heap buffer overflow flaw might have been exploited already and warned that Chinese nation-state threat group Volt Typhoon would likely attack the vulnerability. Continue Reading
-
News
08 Jun 2023
Cisco generative AI heads to Security Cloud, Webex
Cisco plans to release generative AI features in the Webex platform and Security Cloud this year. Together, the products tighten security for remote workers. Continue Reading
-
News
06 Jun 2023
Verizon 2023 DBIR: Ransomware remains steady but complicated
Chris Novak, managing director of cybersecurity consulting at Verizon Business, said 2023 was a "retooling year" for ransomware threat actors adapted to improved defenses. Continue Reading
-
News
05 Jun 2023
Ransomware actors exploiting MoveIt Transfer vulnerability
Microsoft said the recently disclosed zero-day flaw in Progress Software's managed file transfer product is being exploited by threat actors connected to the Clop ransomware gang. Continue Reading
-
Feature
05 Jun 2023
Manage security posture with Microsoft Defender for Endpoint
Organizations need to implement security posture management to ensure their cybersecurity strategy can address malicious actions inside and out. Continue Reading
-
Feature
30 May 2023
Vendors: Threat actor taxonomies are confusing but essential
Despite concern about the proliferation of naming taxonomies used to identify threat groups, vendors say they are crucial their understanding and visibility into threat activity. Continue Reading
-
News
25 May 2023
Chinese hackers targeting U.S. critical infrastructure
Microsoft uncovered a Chinese nation-state threat group that is compromising Fortinet FortiGuard devices to gain access to critical infrastructure entities in the U.S. and Guam. Continue Reading
-
Tip
25 May 2023
9 smart contract vulnerabilities and how to mitigate them
Smart contracts execute tasks automatically when specific events occur, and often handle large data and resource flows. This makes them particularly attractive to attackers. Continue Reading
-
News
24 May 2023
Updated 'StopRansomware Guide' warns of shifting tactics
CISA's updates to the 'StopRansomware Guide' address shifts in the threat landscape as more threat actors skip the encryption step and focus on data theft and extortion. Continue Reading
-
Tip
24 May 2023
Top breach and attack simulation use cases
While pen tests offer a point-in-time report on the security of an organization's security defenses, breach and attack simulations offer regular or even constant status checks. Continue Reading
-
News
23 May 2023
Veeam ransomware protection highlighted in Kasten, detection
Veeam unveiled security updates to its Kubernetes backup product at VeeamON. In addition, IDrive released an object storage appliance for users of Veeam and other backup vendors. Continue Reading
-
News
18 May 2023
Acronis adds EDR to endpoint security
Acronis EDR uses Intel threat detection technology to uncover sophisticated attacks, such as fileless malware, but it also has to compete in a crowded market. Continue Reading
-
News
12 May 2023
Experts question San Bernardino's $1.1M ransom payment
While no public safety services were compromised in the ransomware attack on San Bernardino County's Sheriff's Department, the government opted to $1.1 million to threat actors. Continue Reading
-
News
10 May 2023
Dragos discloses blocked ransomware attack, extortion attempt
Dragos Inc. published a blog post that outlined a likely ransomware attack it stopped this week, though a threat actor obtained 'general use data' for new hires. Continue Reading
-
News
10 May 2023
Akamai bypasses mitigation for critical Microsoft Outlook flaw
Enterprises might remain vulnerable to a critical Outlook flaw that Microsoft patched in March, as an Akamai researcher uncovered a way to bypass remediation efforts. Continue Reading
-
News
04 May 2023
Ransomware attack disrupts Dallas police, city services
The city said less than 200 government devices were compromised by the Royal ransomware attack, though it's unclear if threat actors exfiltrated sensitive data. Continue Reading
-
Feature
02 May 2023
Where climate change and cyber attacks intersect
One session at RSA Conference 2023 focused on climate change -- a topic that is not commonly featured during cybersecurity conversations, but should be. Continue Reading
-
News
27 Apr 2023
Secureworks CEO weighs in on XDR landscape, AI concerns
Secureworks CEO Wendy Thomas talks with TechTarget Editorial about the evolution of the threat detection and response market, as well as the risks posed by new AI technology. Continue Reading
-
News
26 Apr 2023
CISA aims to reduce email threats with serial CDR prototype
CISA officials at RSA Conference 2023 showed off a prototype designed to measure the risk of suspicious files and remove them from email and web services. Continue Reading
-
News
26 Apr 2023
How ransomware victims can make the best of a bad situation
At RSA Conference 2023, Mandiant's Jibran Ilyas provided tips for ransomware victims that decide to pay, including a list of counterdemands to make to the threat actors. Continue Reading
-
News
26 Apr 2023
CrowdStrike details new MFA bypass, credential theft attack
At RSA Conference 2023, CrowdStrike demonstrated an effective technique that a cybercrime group used in the wild to steal credentials and bypass MFA in Microsoft 365. Continue Reading
-
News
25 Apr 2023
Rising AI tide sweeps over RSA Conference, cybersecurity
AI is everywhere at RSA Conference 2023, though experts have differing views about why the technology has become omnipresent and how it will best serve cybersecurity. Continue Reading
-
News
25 Apr 2023
RSAC speaker offers ransomware victims unconventional advice
Triton Tech Consulting CEO Brandon Clark advised organizations to set aside the stigma of 'negotiating with terrorists' when deciding whether to pay a ransomware gang. Continue Reading
-
Tip
20 Apr 2023
6 Mac antivirus options to improve internet security
Organizations with macOS desktops under their management need to ensure their security products can support Macs. Review these six antivirus products with macOS support. Continue Reading
-
Answer
19 Apr 2023
How to defend against TCP port 445 and other SMB exploits
Keeping TCP port 445 and other SMB ports open is necessary for resource sharing, yet this can create an easy target for attackers without the proper protections in place. Continue Reading
-
Tip
17 Apr 2023
How to build a cybersecurity deception program
In 'The Art of War,' Sun Tzu declared, 'All warfare is based on deception.' Learn how to apply this principle in the enterprise by building a cybersecurity deception program. Continue Reading
-
Guest Post
14 Apr 2023
Pen testing amid the rise of AI-powered threat actors
The importance of pen testing continues to increase in the era of AI-powered attacks, along with red teaming, risk prioritization and well-defined goals for security teams. Continue Reading
-
Tutorial
13 Apr 2023
How to use the John the Ripper password cracker
Password crackers are essential tools in any pen tester's toolbox. This step-by-step tutorial explains how to use John the Ripper, an open source offline password-cracking tool. Continue Reading
-
Definition
13 Apr 2023
Microsoft Defender for Endpoint (formerly Windows Defender ATP)
Microsoft Defender for Endpoint -- formerly Microsoft Defender Advanced Threat Protection or Windows Defender ATP -- is an endpoint security platform designed to help enterprise-class organizations prevent, detect and respond to security threats. Continue Reading
-
Tip
12 Apr 2023
How to use a CASB to manage shadow IT
Shadow IT can cost organizations time, money and security. One way to combat unauthorized use of applications is to deploy a CASB. Continue Reading
-
News
11 Apr 2023
Recorded Future launches OpenAI GPT model for threat intel
The new OpenAI GPT model was trained on Recorded Future's large data set and interprets evidence to help support enterprises struggling with cyberdefense. Continue Reading
-
Definition
11 Apr 2023
intrusion prevention system (IPS)
An intrusion prevention system (IPS) is a cybersecurity tool that examines network traffic to identify potential threats and automatically take action against them. Continue Reading
-
News
07 Apr 2023
Microsoft, Fortra get court order to disrupt Cobalt Strike
Microsoft, Fortra and the Health Information Sharing and Analysis center announced they obtained a court order in an effort to curb malicious Cobalt Strike use. Continue Reading
-
News
30 Mar 2023
3CX desktop app compromised, abused in supply chain attack
3CX customers noticed that several threat detection platforms began flagging and blocking the UC vendor's desktop application last week due to malicious activity in the executable. Continue Reading
-
News
29 Mar 2023
Google: Spyware vendors exploiting iOS, Android zero days
Recent campaigns observed by Google's Threat Analysis Group showed spyware vendors' use of zero days and known vulnerabilities pose an increasing threat. Continue Reading
-
News
28 Mar 2023
Microsoft launches AI-powered Security Copilot
Microsoft Security Copilot is an AI assistant for infosec professionals that combines OpenAI's GPT-4 technology with the software giant's own cybersecurity-trained model. Continue Reading
-
Feature
28 Mar 2023
Publicly disclosed U.S. ransomware attacks in 2023
TechTarget Editorial's ransomware database collects public disclosures, notifications and confirmed reports of attacks against U.S. organizations each month. Continue Reading
-
Tip
28 Mar 2023
Compare breach and attack simulation vs. penetration testing
A deep dive into breach and attack simulation vs. penetration testing shows both tools prevent perimeter and data breaches. Find out how they complement each other. Continue Reading
-
Definition
23 Mar 2023
forensic image
A forensic image (forensic copy) is a bit-by-bit, sector-by-sector direct copy of a physical storage device, including all files, folders and unallocated, free and slack space. Continue Reading
-
News
22 Mar 2023
Cyber insurance carriers expanding role in incident response
While cyber insurance has its benefits, infosec professionals expressed concern that carriers have too much influence over incident response decisions, especially with ransomware. Continue Reading
-
News
21 Mar 2023
ZenGo finds transaction simulation flaw in Coinbase, others
Referred to as a 'red pill attack,' ZenGo researchers discovered a way to exploit smart contracts and bypass security features known as transaction simulation solutions. Continue Reading
-
Tip
21 Mar 2023
4 ChatGPT cybersecurity benefits for the enterprise
As OpenAI technology matures, ChatGPT could help close cybersecurity's talent gap and alleviate its rampant burnout problem. Learn about these and other potential benefits. Continue Reading
-
Definition
20 Mar 2023
packet filtering
Packet filtering is the process of passing or blocking data packets at a network interface by a firewall based on source and destination addresses, ports or protocols. Continue Reading
-
News
17 Mar 2023
Google warns users of Samsung Exynos zero-day vulnerabilities
To prevent threat actors from exploiting the unpatched attack vectors, Google Project Zero made an exception for four Exynos chipset flaws by extending its disclosure timeline. Continue Reading
-
Opinion
09 Mar 2023
Why enterprise SecOps strategies must include XDR and MDR
Adopting extended detection and response and employing managed detection and response services may be the missing pieces of the SOC modernization puzzle. Continue Reading
-
News
09 Mar 2023
Flashpoint: Threat vectors converging, increasing damage
The threat intelligence vendor warned that threat actors are increasingly combining known vulnerabilities, stolen credentials and exposed data to wreak maximum damage. Continue Reading
-
News
07 Mar 2023
Vishing attacks increasing, but AI's role still unclear
The volume of vishing attacks continues to rise. But threat researchers say it's difficult to attribute such threats to artificial intelligence tools and deepfake technology. Continue Reading
-
News
06 Mar 2023
Police raids target 'core' DoppelPaymer ransomware members
A coordinated law enforcement effort last week resulted in raids and arrest warrants against 'core members' of the infamous DoppelPaymer ransomware group. Continue Reading
-
News
28 Feb 2023
Rapid7: Attackers exploiting vulnerabilities 'faster than ever'
Rapid7's 2022 Vulnerability Intelligence Report analyzed how attackers' increasing speed in deploying exploits affected an onset of widespread threats in 2022. Continue Reading
-
News
28 Feb 2023
Bitdefender releases decryptor for MortalKombat ransomware
MortalKombat ransomware was first spotted in January, but Bitdefender has already cracked the new variant and released a free decryptor to help victims recover data. Continue Reading
-
News
22 Feb 2023
Exploitation attempts observed against Fortinet FortiNAC flaw
Hours after Horizon3.ai released a proof of concept exploit through GitHub, Shadowserver Foundation observed several IP addresses attempting to exploit the vulnerability. Continue Reading
-
News
22 Feb 2023
IBM: Ransomware defenders showing signs of improvement
According to IBM X-Force's Threat Intelligence Index report, a smaller percentage of threat actors executed a ransomware attack after gaining access in 2022 than in 2021. Continue Reading
-
Feature
16 Feb 2023
No relief in sight for ransomware attacks on hospitals
Despite being off limits for some hackers, hospitals continue to be lucrative targets for ransomware groups because of their valuable data and higher rate of paying ransoms. Continue Reading
-
News
15 Feb 2023
Cisco Talos spots new MortalKombat ransomware attacks
Researchers discovered the threat campaign is also using a new GO version of malware called Laplas Clipper to steal cryptocurrency from individuals and businesses in the U.S. Continue Reading
-
News
09 Feb 2023
U.S., U.K. hit TrickBot cybercrime gang with sanctions
TrickBot malware has caused considerable damage to U.S. organizations, particularly in the healthcare industry, and was used in Conti and Ryuk ransomware attacks. Continue Reading
-
Podcast
08 Feb 2023
ESXiArgs ransomware campaign raises concerns, questions
This Risk & Repeat podcast looks at the widespread ESXiArgs ransomware attacks and the questions they've raised about the threat landscape, vulnerability patching and more. Continue Reading
-
Definition
03 Feb 2023
passive reconnaissance
Passive reconnaissance is an attempt to gain information about targeted computers and networks without actively engaging with the systems. Continue Reading
-
Tutorial
01 Feb 2023
How to use BeEF, the Browser Exploitation Framework
The open source BeEF pen testing tool can be used by red and blue teams alike to hook web browsers and use them as beachheads to launch further attacks. Continue Reading
-
Podcast
31 Jan 2023
Risk & Repeat: The FBI's Hive ransomware takedown
This podcast episode discusses the law enforcement operation that led to the infiltration and takedown of the Hive network and what it could mean for other ransomware gangs. Continue Reading
-
News
30 Jan 2023
Schools don't pay, but ransomware attacks still increasing
Ransomware gangs have increasingly focused their attacks on the K-12 education sector, even though most school districts do not pay the ransom. But how long will that last? Continue Reading
-
News
26 Jan 2023
FBI hacked into Hive ransomware gang, disrupted operations
The FBI infiltrated Hive's network in July 2022 and obtained decryption keys, which it distributed to victims to prevent $130 million in ransom payments, according to the DOJ. Continue Reading
-
News
25 Jan 2023
ChatGPT could boost phishing scams
The conversational AI tool could make it hard to detect attackers due to how conversant and grammatically correct it is. A way to combat that is to create a detector. Continue Reading
-
Tip
25 Jan 2023
How cyber deception technology strengthens enterprise security
They say the best defense is a good offense. Cyber deception puts that philosophy into practice in the enterprise, using a combination of technology and social engineering. Continue Reading
-
Tip
25 Jan 2023
Centralized services as a hedge against shadow IT's escalation
Proliferation of cloud, AI and integration tools has increased the deployment security risks of shadow IT and the need to centralize business functions and share support services. Continue Reading
-
Opinion
20 Jan 2023
6 cybersecurity buzzwords to know in 2023
Enterprise Strategy Group research indicates many organizations will increase cybersecurity spending in 2023, and with that comes an evolving set of vendor buzzwords to sort out. Continue Reading
-
Tip
19 Jan 2023
Building a shared services organization structure
Amid the shifting economic climate and new reality of hybrid workforces, there's no better time for companies to consolidate business functions and centralize support services. Continue Reading
-
News
12 Jan 2023
Windows zero day patched but exploitation activity unclear
Avast threat researchers detected exploitation of a Windows zero-day flaw in the wild, and organizations are being urged to patch the flaw immediately. Continue Reading
-
News
11 Jan 2023
Vulnerable software, low incident reporting raises risks
Beneath the buzz around tech innovations at CES were discussions about cybersecurity and how to prevent the next generation of tech from being just as vulnerable as the last. Continue Reading
-
News
10 Jan 2023
BitSight, Schneider Electric partner to quantify OT risk
The new partnership aims to provide organizations with increased visibility and risk detection capabilities for operational technology environments and critical infrastructure. Continue Reading
-
Podcast
10 Jan 2023
Risk & Repeat: Analyzing the Rackspace ransomware attack
This Risk & Repeat podcast episode discusses new details of the Rackspace ransomware attack, as well as the questions remaining following the company's final status update. Continue Reading
-
News
06 Jan 2023
Rackspace: Ransomware actor accessed 27 customers' data
Rackspace said Personal Storage Tables of 27 customers were accessed in the attack last month, but added there was no evidence threat actors viewed, obtained or misused the data. Continue Reading
-
Guest Post
28 Dec 2022
Understanding current XDR elements and options
What do existing extended detection and response products provide? Learn about EDR+, SIEM+ and Comprehensive options, which all provide varying levels of XDR. Continue Reading
-
Tip
27 Dec 2022
How to prevent and mitigate process injection
Process injection is a defense evasion technique that helps attackers hide from enterprise security systems. Learn how it works and how to mitigate it. Continue Reading
-
News
21 Dec 2022
Play ransomware actors bypass ProxyNotShell mitigations
CrowdStrike is urging organizations to apply the latest Microsoft Exchange updates after investigations revealed attackers developed a bypass for ProxyNotShell mitigations. Continue Reading
-
Tip
21 Dec 2022
How to use Microsoft Sentinel with Office 365 to find risks
The security product attempts to ferret out threats that originate from apps and services then assists the enterprise with an automatic response to head off trouble. Continue Reading
-
News
20 Dec 2022
NCC Group: Ransomware attacks increased 41% in November
In addition to a month full of unexpected trends in both threat group activity and targeted sectors, NCC Group warned organizations to be aware of an increase in DDoS attacks. Continue Reading
-
Feature
19 Dec 2022
11 cybersecurity predictions for 2023
Analysts and experts have looked into their crystal balls and made their cybersecurity predictions for 2023. Is your organization prepared if these predictions come true? Continue Reading
-
News
09 Dec 2022
Claroty unveils web application firewall bypassing technique
Claroty's attack technique bypasses web application firewalls, or WAFs, by tricking those that can't detect JSON as part of their SQL injection detection process. Continue Reading
-
News
07 Dec 2022
Vice Society ransomware 'persistent threat' to education sector
New research from Palo Alto Networks supports recent government warnings that Vice Society poses an increased risk to K-12 schools and higher education. Continue Reading
-
Opinion
02 Dec 2022
XDR definitions don't matter, outcomes do
Despite remaining confusion about what XDR is, security teams need to improve threat detection and response. ESG research revealed plans for increased XDR spending in 2023. Continue Reading
-
Opinion
02 Dec 2022
7 steps to implementing a successful XDR strategy
There's still confusion around what extended detection and response is, but it will play a key role in enterprise security. To successfully implement XDR, follow these steps. Continue Reading
-
News
01 Dec 2022
Archive files become preferred format for malware delivery
The team at HP Wolf Security found that cybercriminals are using archive files as the preferred method for spreading malware, beating Microsoft Office for the first time. Continue Reading
-
News
30 Nov 2022
Lockbit 3.0 has BlackMatter ransomware code, wormable traits
LockBit 3.0 or 'LockBit Black' includes anti-debugging capabilities, the ability to delete Volume Shadow Copy files and the potential ability to self-spread via legitimate tools. Continue Reading
-
News
22 Nov 2022
Google's new YARA rules fight malicious Cobalt Strike use
Google's YARA rules detect cracked versions of Cobalt Strike's older releases so that legitimate instances of the red teaming tool, which use the latest version, aren't targeted. Continue Reading
-
News
17 Nov 2022
Magecart malware menaces Magento merchants
Sansec researchers say as many as 38% of commercial customers running the Adobe Commerce and Magento platforms could be infected with Magecart's TrojanOrders malware. Continue Reading
-
Tip
17 Nov 2022
Industrial control system security needs ICS threat intelligence
Threat actors and nation-states constantly try to find ways to attack all-important industrial control systems. Organizations need specialized ICS threat intelligence to fight back. Continue Reading