When network security analysts aren’t busy triaging alerts and monitoring their standard firewall/SIEM/IDS consoles, what activity should they look for to find advanced attackers and sophisticated malware evading their perimeter defense systems? What tools and techniques do they need to uncover advanced targeted attacks?
This post is an introduction for a new blog series called Advanced Methods to Detect Advanced Cyber Attacks. The multi-part series will explore advanced investigative analytic searches that analyze network traffic and enable incident responders and security analysts to rapidly review traffic and find clues left behind by even the most subtle and sophisticated attackers targeting their organization’s network.
Analysts currently expend a lot of effort searching for malicious behaviors, but unfortunately most of their time is spent wrangling data from multiple systems with queries that either do not provide enough information, or provide too much, creating searches that take hours and most often days to provide an answer. The analytics we’ll cover in this series are different because they run on a centralized collection of enriched network metadata and usually provide answers in seconds, even when run against the metadata of the largest data stores.
Throughout the series, we’ll cover the analytic searches listed in the table below. For each analytic we’ll describe what malicious activity it looks for, give examples of how to use it, and point out any potential false positives that should be identified and excluded. So stay tuned and watch this space for some great content about these powerful analytic searches.
Each of the analytics below are available in Novetta Cyber Analytics, an advanced network-traffic analytics solution that empowers analysts with comprehensive, near real-time cyber security visibility and awareness, filling a critical gap in today’s enterprise cyber security toolset. To see Novetta Cyber Analytics in action watch 3 Hours vs 3 Days: Incident Response with Novetta Cyber Analytics.