Ammar Enaya, Regional Director – METNA, Vectra, explains how focusing on attacker behavior can improve threat detection.
Cyber-attackers today can change malware, search for unknown vulnerabilities and steal data from systems they have permission to access. But they can’t change their attack behaviours as they spy, spread and steal from a victim’s network.
These behaviours can be observed, giving organisations real-time visibility into active threats inside their networks. Today, the savviest organisations complement their signature-based defences with automated threat management. They stay up to date on prevalent attacker Tactics, Techniques and Procedures (TTPs) from evidence-based sources such as the MITRE ATT&CK framework, use them to hypothesise possible attacks, and put appropriate controls in place.
Spotting the weak signals of an attack, hidden in the cacophony of communications, isn’t easy, and requires smart, adaptive software. By combining data science, machine learning and behavioural analysis, automated threat management detects malicious behaviours inside the network, regardless of the attacker’s attempt to evade signatures and whether it’s an insider or outsider threat.
By focusing on attack behaviours and actions, automated threat management can identify every phase of an active attack — command and control, botnet monetisation, internal reconnaissance, lateral movement and data exfiltration — without signatures or reputation lists.
Behaviour-based threat detections also identify internal reconnaissance and port scans, unusual Kerberos client activity, and the spread of malware inside a network. Data science models are effective at exposing an attacker’s use of domain-generation algorithms (DGAs) to create an endless supply of domain names for their threats.
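The point about domain-generation algorithms is easiest to see with a small detector. The following is an added example, not code from the article or from Vectra: it scores the registrable label of each domain on a handful of statistical traits (character entropy, vowel and digit ratios, length) that DGA output tends to share and ordinary names do not. The domains are constructed for the demo, the thresholds are illustrative, and the single-label TLD assumption in `registered_label` is a simplification; a production model learns its decision boundary from labelled traffic rather than from hand-picked cut-offs.

```python
import math
from collections import Counter

# Constructed sample domains for the demo (not real indicators): the first three
# are ordinary-looking names, the last three mimic algorithmically generated labels.
SAMPLE_DOMAINS = [
    "www.example.com",
    "mail.google.com",
    "cdn.cloudflare.net",
    "xk3jq9vz7mwp2rt8.com",
    "qzvwbpxjkdtrmngh.net",
    "a1b2c3d4e5f6g7h8i9.org",
]


def registered_label(domain):
    """Return the label immediately left of the TLD, e.g. 'example' for www.example.com.
    Simplifying assumption: a single-label public suffix such as .com or .net."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(text):
    """Bits per character; random-looking strings score near log2(alphabet size)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def vowel_ratio(text):
    """Share of letters that are vowels; human-chosen names rarely drop below ~0.2."""
    letters = [ch for ch in text if ch.isalpha()]
    return sum(ch in "aeiou" for ch in letters) / len(letters) if letters else 0.0


def digit_ratio(text):
    """Share of characters that are digits."""
    return sum(ch.isdigit() for ch in text) / len(text) if text else 0.0


def dga_features(domain):
    """Feature vector for the registered label of one domain."""
    label = registered_label(domain)
    return {
        "label": label,
        "length": len(label),
        "entropy": shannon_entropy(label),
        "vowel_ratio": vowel_ratio(label),
        "digit_ratio": digit_ratio(label),
    }


def dga_score(domain):
    """Count how many DGA-typical traits the registered label shows (0..4).
    Thresholds are illustrative; a production model learns them from data."""
    f = dga_features(domain)
    traits = [
        f["entropy"] > 3.5,        # near-uniform character distribution
        f["vowel_ratio"] < 0.2,    # unpronounceable consonant runs
        f["digit_ratio"] > 0.2,    # digits mixed through the label
        f["length"] > 12,          # long random labels
    ]
    return sum(traits)


def flag_dga_like(domains, threshold=2):
    """Return the domains whose label shows at least `threshold` DGA traits."""
    return [d for d in domains if dga_score(d) >= threshold]


if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        print(f"{d:28s} score={dga_score(d)} {dga_features(d)}")
    print("flagged:", flag_dga_like(SAMPLE_DOMAINS))
```

Run against DNS query logs, a detector like this is most useful when it counts per host: one odd-looking lookup is noise, while a host resolving dozens of high-scoring names in a short window, most of them NXDOMAIN, is the behaviour that matters. Legitimate CDN and cloud hostnames can also look random, so the score should feed a behavioural model rather than block on its own.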
Cybercriminals always look for new ways to conceal their attack communications, and one of the most effective — and fastest-growing — ways to do this is by hiding within another allowed protocol. For example, an attacker can use benign HTTP communication but embed coded messages in text fields, headers or other parameters in the session. By riding shotgun on an allowed protocol, the attacker can communicate without detection.
However, the detection models built into automated threat management can reveal these hidden tunnels by learning and analysing the timing, volume and sequencing of traffic.
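The timing-and-volume idea in the two paragraphs above can be demonstrated on proxy logs. The following is an added example, not code from the article or from Vectra: it groups HTTP requests by client and server, measures how regular the gaps between requests are (coefficient of variation of the inter-arrival times) and how uniform the request and response sizes are, and flags pairs that keep calling the same host on a near-fixed schedule. The log excerpt, the hostnames, the field layout and the thresholds are all constructed for the demo.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log excerpt (made up for this example, not from a real network).
# Fields: timestamp client server method bytes_out bytes_in
# 10.0.0.5 fetches updates at irregular times; 10.0.0.7 posts to one host every ~60 s.
LOG_LINES = """\
2024-05-01T10:00:00 10.0.0.5 updates.example-cdn.test GET 412 20480
2024-05-01T10:00:05 10.0.0.7 api.tunnel-host.test POST 301 48
2024-05-01T10:01:05 10.0.0.7 api.tunnel-host.test POST 299 52
2024-05-01T10:02:06 10.0.0.7 api.tunnel-host.test POST 300 47
2024-05-01T10:03:05 10.0.0.7 api.tunnel-host.test POST 302 50
2024-05-01T10:03:17 10.0.0.5 updates.example-cdn.test GET 410 15360
2024-05-01T10:04:05 10.0.0.7 api.tunnel-host.test POST 298 49
2024-05-01T10:05:05 10.0.0.7 api.tunnel-host.test POST 300 51
2024-05-01T10:06:06 10.0.0.7 api.tunnel-host.test POST 301 48
2024-05-01T10:07:05 10.0.0.7 api.tunnel-host.test POST 299 50
2024-05-01T10:08:05 10.0.0.7 api.tunnel-host.test POST 300 47
2024-05-01T10:09:05 10.0.0.7 api.tunnel-host.test POST 302 52
2024-05-01T10:10:06 10.0.0.7 api.tunnel-host.test POST 298 49
2024-05-01T10:11:02 10.0.0.5 updates.example-cdn.test GET 415 30720
2024-05-01T10:11:05 10.0.0.7 api.tunnel-host.test POST 300 50
2024-05-01T10:40:40 10.0.0.5 updates.example-cdn.test GET 408 2048000
2024-05-01T11:02:15 10.0.0.5 updates.example-cdn.test GET 411 10240
2024-05-01T11:03:01 10.0.0.5 updates.example-cdn.test GET 409 4096
"""


def parse_log(text):
    """Parse the whitespace-separated format above into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, server, method, out_b, in_b = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "client": client,
            "server": server,
            "method": method,
            "bytes_out": int(out_b),
            "bytes_in": int(in_b),
        })
    return events


def coefficient_of_variation(values):
    """stdev / mean; close to 0 means the values are nearly identical."""
    if len(values) < 2:
        return float("inf")
    mean = statistics.mean(values)
    return statistics.stdev(values) / mean if mean else float("inf")


def session_profile(events):
    """Timing and volume statistics for one client->server pair."""
    events = sorted(events, key=lambda e: e["ts"])
    gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(events, events[1:])]
    return {
        "count": len(events),
        "mean_gap_s": statistics.mean(gaps) if gaps else 0.0,
        "gap_cv": coefficient_of_variation(gaps),
        "bytes_out_cv": coefficient_of_variation([e["bytes_out"] for e in events]),
        "bytes_in_cv": coefficient_of_variation([e["bytes_in"] for e in events]),
    }


def detect_beacons(log_text, min_events=8, max_gap_cv=0.1):
    """Return {(client, server): profile} for pairs whose requests recur on a
    near-fixed schedule. Thresholds are illustrative, not tuned on real traffic."""
    by_pair = defaultdict(list)
    for e in parse_log(log_text):
        by_pair[(e["client"], e["server"])].append(e)
    flagged = {}
    for pair, events in by_pair.items():
        profile = session_profile(events)
        if profile["count"] >= min_events and profile["gap_cv"] <= max_gap_cv:
            flagged[pair] = profile
    return flagged


if __name__ == "__main__":
    for pair, profile in detect_beacons(LOG_LINES).items():
        print(pair, profile)
```

The same regularity shows up in plenty of legitimate software (update checkers, monitoring agents, mail clients polling a server), so a real deployment baselines each host's usual destinations and scores deviations from that baseline rather than alerting on periodicity alone; combining low timing jitter with near-constant request sizes and a destination the client has never used before is what separates a tunnel from a heartbeat.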
It’s time to jump off the signature hamster wheel, gain visibility into the previously unknown inside your networks and cloud, and get ahead of attackers by automatically detecting and analysing the behaviours and actions that betray an attack, so the threat can be mitigated before damage is done.