
Are You Giving Up on Half the Battle for Attack Detection?

July 3rd, 2015 by David Thompson


What do you really know about your network and users?

Do you know which domains your users access regularly? Do you know which internal network connections they make, over which ports, and how often? Do you know which file shares are in common use and which are not? Do you know who the admins are, what they administer, and which tools they use to do it? Do you know where "all" of your valuable data is located?

Ask, because I can guarantee that once external attackers land in your network, they know nothing about your environment. They set about a deliberate and extensive learning process to find out, focused in particular on where their target is and how to reach it. They will explore many false avenues along the way, but today's detection approaches are so poor at catching this reconnaissance that attackers can afford to take weeks or months, even years if they need to.

If you could answer all of the questions above (something that is theoretically possible, since this is your network and these are your users), you could easily spot someone who is out of place: the attacker who knows nothing yet and is poking around, whether fast and furious or low and slow, to find out.

The unfortunate reality, however, is that all of this is unknowable to a human mind. Most organizations' networks and systems are too complex, and their patterns too jumbled and chaotic. But machine learning algorithms can learn what is normal for each network. And when they are built to detect not just any anomaly, but the specific anomalous behaviors that correspond to the steps an attacker must perform to reach their objective (behaviors defined by people who understand how intrusions actually unfold), attack detection can succeed.
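To make the "learn what is normal, then spot who is poking around" idea concrete, here is a small added example in Python. It is not code from the original post or from any vendor's product. It baselines, per source host, the internal (destination, port) pairs seen during a learning window and how many never-seen pairs the host normally picks up in a day, then flags hosts in a later window that fan out to many new destinations at once, accumulate new ones slowly, or were never baselined at all. The hostnames, ports, flow records and the MIN_FAST and SLOW_LIMIT thresholds are all constructed for the demo.

```python
"""Toy behavioral baseline for internal connections. Added illustration only:
not code from the original post or any product, and every hostname, port, flow
record and threshold here is constructed. It learns which (dst, port) pairs each
host normally uses and how many new ones it picks up per day, then flags hosts
that look like someone exploring the network: fast, low and slow, or unknown."""
from collections import defaultdict
from statistics import mean, pstdev

LEARN_DAYS = range(1, 6)  # days 1-5 build the baseline
WATCH_DAYS = range(6, 9)  # days 6-8 are judged against it
MIN_FAST = 3              # floor for a host's single-day new-pair threshold
SLOW_LIMIT = 5            # cumulative new pairs over the watch window


def daily(src, pairs, days):
    """Expand a host's routine (dst, port) pairs into one flow per day."""
    return [(day, src, dst, port) for day in days for dst, port in pairs]


STEADY = [("fs-01", 445), ("mail-01", 443), ("dc-01", 88)]  # share, mail, Kerberos
# Constructed flow records: (day, src, dst, dst_port).
FLOWS = (
    daily("ws-alice", STEADY, range(1, 9)) + [(3, "ws-alice", "print-01", 9100)]
    + daily("ws-bob", STEADY + [("wiki-01", 443)], range(1, 9))
    + [(6, "ws-bob", "print-01", 9100)]  # a single new pair: benign
    # admin-jump: a wide but stable set of servers over SSH/RDP
    + [(1, "admin-jump", "srv-01", 22), (1, "admin-jump", "srv-02", 22),
       (2, "admin-jump", "srv-03", 3389), (2, "admin-jump", "srv-04", 22),
       (3, "admin-jump", "srv-01", 22), (3, "admin-jump", "srv-05", 22),
       (4, "admin-jump", "srv-02", 22), (4, "admin-jump", "srv-03", 3389),
       (5, "admin-jump", "srv-04", 3389), (6, "admin-jump", "srv-01", 22),
       (6, "admin-jump", "srv-04", 3389), (7, "admin-jump", "srv-05", 22),
       (8, "admin-jump", "srv-03", 3389)]
    # ws-carol: normal for five days, then sweeps SMB/RDP/LDAP/SSH on day 6
    + daily("ws-carol", STEADY, range(1, 9))
    + [(6, "ws-carol", "srv-01", 445), (6, "ws-carol", "srv-02", 445),
       (6, "ws-carol", "srv-03", 3389), (6, "ws-carol", "dc-01", 389),
       (6, "ws-carol", "srv-04", 22)]
    # ws-dave: low and slow, two never-seen servers per day
    + daily("ws-dave", STEADY, range(1, 9))
    + [(6, "ws-dave", "srv-01", 445), (6, "ws-dave", "srv-02", 445),
       (7, "ws-dave", "srv-03", 445), (7, "ws-dave", "srv-04", 445),
       (8, "ws-dave", "srv-05", 445), (8, "ws-dave", "dc-01", 389)]
    + [(7, "rogue-01", "dc-01", 389)]  # never baselined, appears on day 7 only
)


def pairs_by_host_day(flows):
    """Index flows as {src: {day: {(dst, port), ...}}}."""
    index = defaultdict(lambda: defaultdict(set))
    for day, src, dst, port in flows:
        index[src][day].add((dst, port))
    return index


def learn_baseline(flows, learn_days=LEARN_DAYS):
    """Per host: known (dst, port) pairs plus a single-day novelty threshold.
    Novelty on a learning day = pairs unseen on earlier learning days (day one
    is skipped; everything is new then). Threshold = max(MIN_FAST, mean + 3 sd)
    of those counts, so a host that legitimately wanders earns a wider allowance."""
    by_host = pairs_by_host_day(f for f in flows if f[0] in learn_days)
    baseline = {}
    for host, days in by_host.items():
        known, novelty = set(), []
        for day in learn_days:
            today = days.get(day, set())
            if day != learn_days[0]:
                novelty.append(len(today - known))
            known |= today
        threshold = MIN_FAST
        if novelty:
            threshold = max(MIN_FAST, mean(novelty) + 3 * pstdev(novelty))
        baseline[host] = {"known": known, "fast_threshold": threshold}
    return baseline


def detect(flows, baseline, watch_days=WATCH_DAYS):
    """Return {host: [finding, ...]} for hosts that look out of place."""
    by_host = pairs_by_host_day(f for f in flows if f[0] in watch_days)
    findings = defaultdict(list)
    for host, days in by_host.items():
        profile = baseline.get(host)
        if profile is None:
            findings[host].append("unknown host: nothing learned about it")
            continue
        new_in_window = set()
        for day in watch_days:
            new = days.get(day, set()) - profile["known"]
            if len(new) >= profile["fast_threshold"]:
                findings[host].append(f"day {day}: {len(new)} new pairs {sorted(new)}")
            new_in_window |= new
        if len(new_in_window) >= SLOW_LIMIT and host not in findings:  # low and slow
            findings[host].append(f"low and slow: {len(new_in_window)} new pairs in window")
    return dict(findings)


if __name__ == "__main__":
    for host, notes in detect(FLOWS, learn_baseline(FLOWS)).items():
        print(host, notes)
```

Run as a script, it reports ws-carol (five new pairs on day 6), ws-dave (six new pairs spread over three days, never enough in one day to trip the per-host threshold) and rogue-01 (no baseline at all), while the admin jump box, whose learned threshold is wider because its normal day already includes a little novelty, stays quiet. A real system would learn the same kind of baseline across every dimension the questions above list (domains, file shares, admin tools and accounts) and tune the thresholds per host rather than from two constants; this shows the shape of the problem, not a finished detector.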

Even better, using this knowledge of your network and users enables accurate, actionable attack detection without relying on the same signatures, Indicators of Compromise (IoCs) and sandboxing that failed to prevent the initial penetration in the first place.

If knowing is half the battle (according to a wise cartoon figure), then it is time to find a Behavioral Attack Detection solution that can help you do exactly that, and then use that knowledge to detect attackers and stop them in their tracks.
