
Practice: Infrastructure Threat Detection

Purpose and Strategic Importance

Infrastructure Threat Detection provides visibility into malicious activity, misconfigurations, and unauthorised access attempts within cloud and on-prem environments. It’s essential for identifying early signs of compromise and defending against evolving threats to systems and data.

By monitoring infrastructure-level behaviours and signals, organisations can detect and respond to threats before they escalate - supporting incident response, forensics, and ongoing risk reduction.


Description of the Practice

  • Detects threats by analysing logs, behaviours, and telemetry from hosts, containers, VMs, and cloud services (for example cloud audit logs such as AWS CloudTrail, host and kernel telemetry, and network flow logs).
  • Tools include cloud-native services such as AWS GuardDuty, Microsoft Defender for Cloud (formerly Azure Defender) and Google Security Command Center, and host or runtime agents such as Wazuh, CrowdStrike Falcon, and Falco.
  • Common alerts include port scanning, rootkit installation, lateral movement, IAM or network policy changes, and anomalous login patterns (new locations, unusual hours, root or break-glass account use).
  • Findings are triaged, correlated with other telemetry, and escalated through SIEMs and response playbooks.

How to Practise It (Playbook)

1. Getting Started

  • Enable native threat detection features in cloud platforms and deploy logging or runtime agents on hosts and clusters.
  • Configure alerts for high-impact activities (e.g. root or break-glass account use, new IAM roles or policies, security group or firewall changes that open ingress to the internet).
  • Review existing alert coverage against the assets and log sources you actually have, and prioritise gaps in visibility or telemetry collection.
  • Create or adapt incident playbooks tied to infrastructure-level threats, naming who responds and what "contain" means for each alert type.
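The high-impact activities above can be written down as explicit rules rather than left to a vendor default. The following is an added example, not code from this page or from any cloud provider or tool: three detection rules (root console login, IAM role creation or policy change, security group opened to the world on a sensitive port) evaluated over constructed CloudTrail-style records. The account ID, ARNs and IP addresses are placeholders; only the field layout (eventName, eventSource, userIdentity, requestParameters) follows the CloudTrail record schema, and the set of "sensitive ports" is an assumption you would tune for your estate.

```python
"""Added example: minimal detection rules over CloudTrail-style events.

Not the page's or any vendor's code. The records, account ID, ARNs and IPs
are constructed placeholders; only the field layout (eventName, eventSource,
userIdentity, requestParameters) follows the CloudTrail record schema.
"""
import ipaddress
import json
from dataclasses import dataclass
from typing import Callable

# Assumption: ports we never want reachable from the whole internet.
SENSITIVE_PORTS = {22, 3389, 3306, 5432}

# Constructed sample records: one hit per rule, plus a benign read-only call.
SAMPLE_EVENTS = [
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "sourceIPAddress": "198.51.100.7",
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "CreateRole", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "sourceIPAddress": "203.0.113.5",
     "requestParameters": {"roleName": "support-admin"}},
    {"eventName": "AuthorizeSecurityGroupIngress", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/ci-deploy/build-42"},
     "sourceIPAddress": "203.0.113.9",
     "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/ci-deploy/build-42"},
     "sourceIPAddress": "203.0.113.9"},
]
# CloudTrail delivers files shaped as {"Records": [...]}; this mimics one file body.
SAMPLE_DELIVERY = json.dumps({"Records": SAMPLE_EVENTS})


def load_records(body: str) -> list:
    """Parse one CloudTrail delivery file body into its list of event records."""
    return json.loads(body).get("Records", [])


def world_open_ports(event: dict) -> list:
    """Sensitive ports an AuthorizeSecurityGroupIngress call opens to 0.0.0.0/0 or ::/0."""
    exposed = set()
    perms = event.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    for perm in perms:
        ranges = (perm.get("ipRanges", {}).get("items", [])
                  + perm.get("ipv6Ranges", {}).get("items", []))
        cidrs = [r.get("cidrIp") or r.get("cidrIpv6") for r in ranges]
        # A /0 prefix means "everyone"; strict=False tolerates host bits being set.
        if not any(ipaddress.ip_network(c, strict=False).prefixlen == 0 for c in cidrs if c):
            continue
        lo, hi = perm.get("fromPort"), perm.get("toPort")
        if perm.get("ipProtocol") == "-1" or lo is None or hi is None:
            exposed.update(SENSITIVE_PORTS)        # "all traffic": every port is exposed
        else:
            exposed.update(p for p in SENSITIVE_PORTS if lo <= p <= hi)
    return sorted(exposed)


@dataclass
class Rule:
    name: str
    severity: str
    match: Callable[[dict], bool]
    # What to attach to the alert; defaults to the raw request parameters.
    detail: Callable[[dict], object] = lambda e: e.get("requestParameters")


RULES = [
    Rule("root-console-login", "critical",
         lambda e: e.get("eventName") == "ConsoleLogin"
         and e.get("userIdentity", {}).get("type") == "Root"),
    Rule("iam-role-created-or-changed", "high",
         lambda e: e.get("eventSource") == "iam.amazonaws.com"
         and e.get("eventName") in {"CreateRole", "AttachRolePolicy", "PutRolePolicy"}),
    Rule("security-group-open-to-world", "high",
         lambda e: e.get("eventName") == "AuthorizeSecurityGroupIngress"
         and bool(world_open_ports(e)),
         detail=world_open_ports),
]


def evaluate(events, rules=RULES) -> list:
    """Run every rule over every event and return the alerts that fired."""
    alerts = []
    for event in events:
        for rule in rules:
            if rule.match(event):
                alerts.append({
                    "rule": rule.name, "severity": rule.severity,
                    "event": event.get("eventName"),
                    "principal": event.get("userIdentity", {}).get("arn"),
                    "source_ip": event.get("sourceIPAddress"),
                    "detail": rule.detail(event),
                })
    return alerts


if __name__ == "__main__":
    for alert in evaluate(load_records(SAMPLE_DELIVERY)):
        print(alert["severity"].upper(), alert["rule"], alert["principal"], alert["detail"])
```

Each rule is a named, severity-tagged predicate, so coverage can be reviewed as code (which is what "include detection coverage in infrastructure-as-code reviews" below needs) and a rule that never fires against a replayed log file is a visible gap rather than a silent one. The read-only DescribeInstances call produces nothing, which is the point: the rules target the actions that change who can get in, not all activity.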

2. Scaling and Maturing

  • Integrate alerts into centralised SIEM or SOAR platforms.
  • Correlate infrastructure alerts with application and identity telemetry for context-rich investigation.
  • Continuously tune detection rules based on environment, threat landscape, and false positive rates.
  • Tag assets by criticality and ownership to prioritise alert response and routing.
  • Use threat detection findings to inform architectural decisions and hardening priorities.
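Correlation, criticality tagging and tuning are the three maturing steps above that most often stay as slideware. The following is an added example, not code from this page or from any SIEM or SOAR product, showing all three applied to constructed infrastructure alerts: each alert is checked against a documented exclusion list (tuning), enriched with criticality and owner tags from an asset inventory, correlated with identity telemetry from the same principal inside a time window, and then routed by criticality and severity. The inventory, exclusions, identity events, alerts, ARNs and team names are all placeholders; the 30-minute window and the routing thresholds are assumptions.

```python
"""Added example: enrich, correlate and route infrastructure alerts.

Not the page's or any vendor's code. All inventory entries, exclusions,
identity events and alerts below are constructed placeholders.
"""
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatch

SEVERITY_ORDER = ["low", "medium", "high", "critical"]

# Constructed asset inventory: resource id -> tags. In practice sourced from
# infrastructure-as-code state or a CMDB.
INVENTORY = {
    "sg-0123456789abcdef0": {"criticality": "tier-1", "owner": "payments-platform"},
    "i-0abc123def456": {"criticality": "tier-3", "owner": "sandbox"},
}

# Constructed tuning exclusions: (rule, principal glob, reason). Every entry
# carries a reason so suppression is auditable rather than silent.
EXCLUSIONS = [
    ("iam-role-created", "arn:aws:sts::111122223333:assumed-role/terraform-apply/*",
     "IaC pipeline creates roles; changes are reviewed in pull requests"),
]

# Constructed identity telemetry (IAM-side events) to correlate against.
IDENTITY_EVENTS = [
    {"time": "2024-05-01T10:02:00Z", "eventName": "CreateAccessKey",
     "principal": "arn:aws:iam::111122223333:user/alice"},
    {"time": "2024-05-01T08:00:00Z", "eventName": "CreateAccessKey",
     "principal": "arn:aws:iam::111122223333:user/alice"},
]

# Constructed infrastructure alerts in the shape a detection layer might emit.
ALERTS = [
    {"time": "2024-05-01T10:05:00Z", "rule": "security-group-open-to-world", "severity": "high",
     "principal": "arn:aws:iam::111122223333:user/alice", "resource": "sg-0123456789abcdef0"},
    {"time": "2024-05-01T10:06:00Z", "rule": "iam-role-created", "severity": "high",
     "principal": "arn:aws:sts::111122223333:assumed-role/terraform-apply/run-77", "resource": None},
    {"time": "2024-05-01T11:00:00Z", "rule": "port-scan", "severity": "medium",
     "principal": None, "resource": "i-0abc123def456"},
    {"time": "2024-05-01T11:30:00Z", "rule": "rootkit-installed", "severity": "high",
     "principal": None, "resource": "i-0fffeeeddd111"},   # not in inventory
]


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def excluded(alert: dict, exclusions=EXCLUSIONS):
    """Return the documented reason if a tuning exclusion matches, else None."""
    principal = alert.get("principal")
    for rule, pattern, reason in exclusions:
        if rule == alert["rule"] and principal and fnmatch(principal, pattern):
            return reason
    return None


def enrich(alert: dict, inventory=INVENTORY) -> dict:
    """Attach criticality and owner from the asset inventory; flag untagged assets."""
    tags = inventory.get(alert.get("resource") or "", {})
    return {**alert, "criticality": tags.get("criticality", "unknown"),
            "owner": tags.get("owner", "unassigned")}


def correlate(alert: dict, identity_events=IDENTITY_EVENTS,
              window=timedelta(minutes=30)) -> dict:
    """Raise severity one step if the same principal touched IAM inside the window."""
    t = _ts(alert["time"])
    related = [e for e in identity_events
               if alert.get("principal") and e["principal"] == alert["principal"]
               and abs(_ts(e["time"]) - t) <= window]
    severity = alert["severity"]
    if related:
        severity = SEVERITY_ORDER[min(SEVERITY_ORDER.index(severity) + 1, len(SEVERITY_ORDER) - 1)]
    return {**alert, "severity": severity,
            "related_identity_events": [e["eventName"] for e in related]}


def route(alert: dict) -> str:
    """Decide where an enriched, correlated alert goes."""
    if alert["criticality"] == "unknown":
        return "triage:asset-inventory-gap"   # an untagged asset is a visibility gap
    if alert["criticality"] == "tier-1" and alert["severity"] in ("high", "critical"):
        return f"page:{alert['owner']}"
    return f"ticket:{alert['owner']}"


def process(alerts) -> list:
    """Apply exclusion, enrichment, correlation and routing to each alert."""
    out = []
    for alert in alerts:
        reason = excluded(alert)
        if reason:
            out.append({**alert, "disposition": "suppressed", "reason": reason})
            continue
        enriched = correlate(enrich(alert))
        out.append({**enriched, "disposition": route(enriched)})
    return out


if __name__ == "__main__":
    for result in process(ALERTS):
        print(result["rule"], result["severity"], result["disposition"])
```

Two design points worth keeping when adapting this: suppressed alerts are still emitted with their reason, so exclusion lists can be audited and pruned rather than quietly hiding signal (the "default configurations" caveat below), and an alert on a resource the inventory does not know about is routed to an inventory-gap queue instead of a default owner, turning an unmanaged asset into work rather than noise.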

3. Team Behaviours to Encourage

  • Treat threat alerts as opportunities to learn and improve - not blame.
  • Make detection health a shared goal between platform, security, and ops teams.
  • Include detection coverage as part of infrastructure-as-code reviews and releases.
  • Conduct regular drills using simulated threats to validate response readiness.

4. Watch Out For…

  • Alert fatigue from poorly tuned or unactionable signals; an alert nobody can act on is noise that hides the ones that matter.
  • Gaps in detection due to unmanaged services, untagged assets, or legacy systems that never had agents or log forwarding enabled.
  • Over-reliance on vendor default configurations without reviewing thresholds, suppressions, and exclusions against your own environment.
  • Lack of training or clear ownership for responding to infrastructure alerts.

5. Signals of Success

  • Threats are detected and triaged quickly with minimal false positives.
  • Teams know how to respond and act on alerts with clarity and confidence.
  • Detection coverage improves over time and adapts to changing environments.
  • Alerts lead to measurable risk reduction and informed engineering decisions.
  • Detection is seen as an enabler, not just an audit requirement.

Associated Standards
  • Access is continuously verified and contextual
  • Credentials are short-lived and auditable
  • Security is considered from the start
  • Sensitive data and credentials are managed securely
  • Teams understand the threat models relevant to their domain
