1 of 25

M8 - Integrated Threat Detection

Applying Concepts to Real-World Cyber Scenarios

Justin David Pineda, CISSP, CISM

Version 1

Apr 2026

2 of 25

Learning Objectives

  • Analyze complex scenarios with multiple signals
  • Apply structured detection workflow
  • Correlate IOCs into meaningful narratives
  • Make risk-based and ethical decisions

3 of 25

Session Approach

  • Each concept is revisited in detail
  • Each concept has a real-world scenario
  • Focus is on reasoning, not memorization
  • All answers must be justified

4 of 25

Concept: Exposure

  • Exposure refers to systems accessible from external networks
  • Includes open ports, APIs, cloud services, and misconfigured assets
  • Attackers continuously scan the internet for exposed services
  • Even non-critical systems can become entry points

5 of 25

Scenario: Exposure

  • A company accidentally exposes an internal admin panel to the internet
  • The panel allows username/password login but has no rate limiting
  • It is indexed by search engines and visible globally
  • No breach has been reported yet
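The control the exposed panel lacks, as an added example that is not part of the deck: a sliding-window rate limiter keyed on both the source address and the account, so neither one source spraying many accounts nor many sources hammering one account gets unlimited tries. Class and function names, the limits (5 failures per 300 seconds) and the injectable clock are assumptions made for this illustration.

```python
from collections import deque
import time


class LoginRateLimiter:
    """Sliding-window limiter: at most `max_attempts` failed attempts per key
    within `window_seconds`; further attempts are refused until the window clears.
    The limits are assumed values for illustration, not a recommendation."""

    def __init__(self, max_attempts=5, window_seconds=300, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.clock = clock  # injectable so tests can drive time deterministically
        self._failures = {}  # key -> deque of failure timestamps

    def _prune(self, key, now):
        """Drop failures older than the window and return the live deque."""
        q = self._failures.setdefault(key, deque())
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def allowed(self, key):
        return len(self._prune(key, self.clock())) < self.max_attempts

    def record_failure(self, key):
        now = self.clock()
        self._prune(key, now).append(now)

    def record_success(self, key):
        self._failures.pop(key, None)


def attempt_login(limiter, src_ip, user, password_ok):
    """Gate the login by both the source address and the account.
    `password_ok` stands in for the real credential check (assumed)."""
    keys = (f"ip:{src_ip}", f"user:{user}")
    if not all(limiter.allowed(k) for k in keys):
        return "rate_limited"  # refused before the credential is even examined
    if password_ok:
        for k in keys:
            limiter.record_success(k)
        return "ok"
    for k in keys:
        limiter.record_failure(k)
    return "denied"


if __name__ == "__main__":
    limiter = LoginRateLimiter()
    # Constructed sequence: six wrong passwords from one address (RFC 5737 range)
    for _ in range(6):
        print(attempt_login(limiter, "203.0.113.7", "admin", password_ok=False))
```

Once a key is over the limit, even a correct password is refused until the window clears, which is what denies a guessing campaign the feedback it needs; the per-account key is what makes a single account safe from a distributed source set.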

6 of 25

Concept: Vulnerabilities

  • Vulnerabilities are weaknesses that can be exploited
  • They may be software bugs, outdated systems, or poor configurations
  • Human factors such as weak passwords also qualify
  • Attackers prefer low-effort, high-impact vulnerabilities

7 of 25

Scenario: Vulnerability

  • An internal server is running an outdated OS with known exploits
  • The vulnerability allows remote code execution
  • No suspicious activity has been detected
  • The system is critical to daily operations

8 of 25

Concept: IOCs

  • Indicators of Compromise are observable artifacts suggesting malicious activity
  • Examples include unusual logins, file changes, or traffic patterns
  • Single indicators rarely confirm attacks
  • Correlation across multiple indicators increases confidence

9 of 25

Scenario: IOCs

  • A user account shows 15 failed login attempts
  • A successful login occurs immediately after
  • The login originates from a foreign IP address
  • The user claims they were not logging in at that time
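The correlation this scenario calls for, as an added example (not code from the deck): walk authentication events in time order and, on each successful login, check whether it follows a burst of failures and whether the address is one the account has used before. The events, the known-address baseline, the threshold of 10 failures in 10 minutes and the function name are all constructed for this illustration; "foreign" is approximated here as "not previously seen for this user", since no geolocation data is assumed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (not real logs):
# (timestamp, user, result, source IP). Addresses are RFC 5737 documentation ranges.
T0 = datetime(2026, 4, 1, 2, 0, 0)
SAMPLE_EVENTS = (
    # 15 failures in 15 seconds against "alice", then an immediate success
    [(T0 + timedelta(seconds=i), "alice", "FAIL", "203.0.113.7") for i in range(15)]
    + [(T0 + timedelta(seconds=15), "alice", "SUCCESS", "203.0.113.7")]
    # "bob" logs in normally from his usual address
    + [(datetime(2026, 4, 1, 9, 0, 0), "bob", "SUCCESS", "10.0.0.9")]
    # "carol" logs in from an unseen address with no preceding failures
    + [(datetime(2026, 4, 1, 10, 0, 0), "carol", "SUCCESS", "198.51.100.4")]
)

# Constructed baseline of addresses each account has used before
KNOWN_IPS = {"alice": {"10.0.0.5"}, "bob": {"10.0.0.9"}, "carol": {"10.0.0.12"}}


def correlate_logins(events, known_ips, fail_threshold=10, window=timedelta(minutes=10)):
    """Raise an alert on each successful login that is preceded by a burst of
    failures and/or comes from an address the account has not used before.
    The threshold and window are assumed tuning values, not a standard."""
    recent_fails = defaultdict(list)
    alerts = []
    for ts, user, result, ip in sorted(events):
        if result == "FAIL":
            recent_fails[user].append(ts)
            continue
        if result != "SUCCESS":
            continue  # other outcomes are ignored in this example
        fails_in_window = [t for t in recent_fails[user] if ts - t <= window]
        reasons = []
        if len(fails_in_window) >= fail_threshold:
            reasons.append(f"{len(fails_in_window)} failed logins within {window}")
        if ip not in known_ips.get(user, set()):
            reasons.append(f"login from previously unseen address {ip}")
        if reasons:
            alerts.append({
                "user": user,
                "time": ts,
                "src_ip": ip,
                "fail_count": len(fails_in_window),
                "reasons": reasons,
                # one indicator alone is weak; two corroborating indicators are strong
                "confidence": "high" if len(reasons) >= 2 else "low",
            })
        recent_fails[user].clear()  # the success closes the failure window
    return alerts


if __name__ == "__main__":
    for alert in correlate_logins(SAMPLE_EVENTS, KNOWN_IPS):
        print(alert["user"], alert["confidence"], "; ".join(alert["reasons"]))
```

Run against the sample, "alice" produces a high-confidence alert (burst plus unseen address), "carol" a low-confidence one (unseen address only, worth a check with the user rather than an incident), and "bob" none. The user's denial from the scenario is the third indicator a human adds on top; it is not in the log and so not in the code.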

10 of 25

Concept: Logs

  • Logs record system and user activities
  • They provide chronological evidence for investigations
  • Without logs, detection and validation become extremely difficult
  • Logs must be protected and retained properly

11 of 25

Scenario: Logs

  • A system shows signs of compromise
  • However, logging was disabled due to performance concerns
  • Only minimal firewall logs are available
  • No endpoint visibility exists

12 of 25

Concept: Detection Workflow

  • Detection follows a structured process
  • Observe anomalies and unusual behavior
  • Identify potential indicators
  • Validate through evidence
  • Decide on action

13 of 25

Scenario: Workflow

  • A server suddenly generates large outbound traffic
  • The destination IP is unfamiliar
  • Users report slow performance
  • No alerts were triggered automatically

14 of 25

Concept: Threat Context

  • Cyber threats are influenced by global events
  • Geopolitical conflicts increase cyber activity
  • Economic stress leads to scams and fraud
  • Local organizations are affected by global attacks

15 of 25

Scenario: Threat Context

  • During a global fuel crisis, phishing emails claim to offer subsidies
  • Messages are sent to employees of financial institutions
  • Links redirect to credential harvesting sites
  • Multiple employees report receiving similar emails

16 of 25

Concept: Business Pressure

  • Organizations balance security and operations
  • Delays can result in financial loss
  • Security findings may conflict with deadlines
  • Decision-makers weigh risk vs. revenue

17 of 25

Scenario: Business Pressure

  • A critical SQL injection vulnerability is discovered
  • The system is scheduled for production release tomorrow
  • The client demands immediate deployment
  • Fixing the issue will delay launch by two weeks

18 of 25

Concept: Ethics

  • Ethics guide cybersecurity decisions
  • Protecting users is a primary responsibility
  • Actions must consider both harm and obligations
  • Different frameworks may lead to different decisions

19 of 25

Scenario: Ethics

  • Suspicious activity is detected in a live system
  • There is no full confirmation of compromise
  • Shutting down the system affects thousands of users
  • Leaving it running risks further damage

20 of 25

Integrated Scenario Part 1

  • Multiple failed logins detected on a server
  • A successful login occurs from a foreign IP
  • User denies performing the login

21 of 25

Integrated Scenario Part 2

  • An unknown process executes after login
  • Outbound traffic spikes significantly
  • Destination IP is flagged as suspicious

22 of 25

Integrated Scenario Part 3

  • System performance degrades
  • Users report unusual behavior
  • Security team has partial logs only

23 of 25

Decision Point

  • Escalate as incident
  • Monitor further
  • Dismiss as false positive
  • Justify based on evidence and risk
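One way to make the decision point explicit and auditable, as an added example that is not from the deck: score the integrated scenario's signals, require corroboration from more than one evidence category before escalating, and treat signals the partial logs cannot answer as unknown rather than absent. The signal names, weights, categories, thresholds and the three-way outcome are assumptions chosen for this illustration, not a published scoring scheme.

```python
# Signal weights and evidence categories are assumptions for this example.
SIGNALS = {
    "failed_login_burst":          (1, "identity"),
    "success_from_foreign_ip":     (2, "identity"),
    "user_denies_login":           (2, "identity"),
    "unknown_process_after_login": (3, "host"),
    "endpoint_file_changes":       (2, "host"),
    "outbound_traffic_spike":      (2, "network"),
    "destination_ip_flagged":      (3, "network"),
}

# The integrated scenario as the security team sees it with partial logs:
# True = confirmed, False = checked and absent, None = no visibility.
INTEGRATED_SCENARIO = {
    "failed_login_burst": True,
    "success_from_foreign_ip": True,
    "user_denies_login": True,
    "unknown_process_after_login": True,
    "endpoint_file_changes": None,   # no endpoint logs were retained
    "outbound_traffic_spike": True,
    "destination_ip_flagged": True,
}


def decide(observations, escalate_score=6, min_categories=2):
    """Return escalate / monitor / dismiss with the evidence that justifies it.
    Escalation needs both enough weight and corroboration across categories;
    dismissal is only possible when every signal was checked and found absent."""
    confirmed = [s for s, v in observations.items() if v is True]
    unknown = [s for s, v in observations.items() if v is None]
    score = sum(SIGNALS[s][0] for s in confirmed)
    categories = sorted({SIGNALS[s][1] for s in confirmed})
    if score >= escalate_score and len(categories) >= min_categories:
        decision = "escalate"
    elif confirmed or unknown:
        # some evidence, or gaps that could be hiding evidence: keep watching
        decision = "monitor"
    else:
        decision = "dismiss"
    justification = (
        f"{len(confirmed)} of {len(observations)} indicators confirmed (score {score}) "
        f"across {', '.join(categories) or 'no'} evidence categories; "
        f"{len(unknown)} could not be checked"
    )
    return {
        "decision": decision,
        "score": score,
        "confirmed": confirmed,
        "unknown": unknown,
        "categories": categories,
        "justification": justification,
    }


if __name__ == "__main__":
    result = decide(INTEGRATED_SCENARIO)
    print(result["decision"].upper(), "-", result["justification"])
```

Three identity signals alone (burst, foreign address, user denial) score below the threshold and stay at "monitor"; adding the host and network signals pushes the scenario to "escalate" even with endpoint visibility missing. A scenario where nothing could be checked also lands on "monitor", because the absence of evidence under no visibility does not justify "dismiss".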

24 of 25

Key Takeaways

  • Detection is based on incomplete information
  • Correlation is critical
  • Decisions require technical, business, and ethical balance

25 of 25

Closing Thought

  • Cybersecurity is about making the best decision with limited data
  • Judgment matters as much as technical skill