Novetta

NOVETTA BLOG

← RETURN TO BLOG

Advanced Methods to Detect Advanced Cyber Attacks: Series Intro

by

 

When network security analysts aren’t busy triaging alerts and monitoring their standard firewall/SIEM/IDS consoles, what activity should they look for to find advanced attackers and sophisticated malware evading their perimeter defense systems? What tools and techniques do they need to uncover advanced targeted attacks?

Series Preview

This post is an introduction for a new blog series called Advanced Methods to Detect Advanced Cyber Attacks. The multi-part series will explore advanced investigative analytic searches that analyze network traffic and enable incident responders and security analysts to rapidly review traffic and find clues left behind by even the most subtle and sophisticated attackers targeting their organization’s network.

Analysts currently expend a lot of effort searching for malicious behaviors, but unfortunately most of their time is spent wrangling data from multiple systems with queries that either do not provide enough information, or provide too much, creating searches that take hours and most often days to provide an answer. The analytics we’ll cover in this series are different because they run on a centralized collection of enriched network metadata and usually provide answers in seconds, even when run against the metadata of the largest data stores.

Throughout the series, we’ll cover the analytic searches listed in the table below. For each analytic we’ll describe what malicious activity it looks for, give examples of how to use it, and point out any potential false positives that should be identified and excluded. So stay tuned and watch this space for some great content about these powerful analytic searches.

Each of the analytics below are available in Novetta Cyber Analytics, an advanced network-traffic analytics solution that empowers analysts with comprehensive, near real-time cyber security visibility and awareness, filling a critical gap in today’s enterprise cyber security toolset. To see Novetta Cyber Analytics in action watch 3 Hours vs 3 Days: Incident Response with Novetta Cyber Analytics.

Series Index

Click the titles below to read the series post and learn about each powerful analytic in more detail.

Beacon

Distant Admin

HTTPS Exfiltration

Port Scanners

Protocol Abuse

RDP Keyboard Layout

Relay Finder

Suspicious Admin Toolkits

Two Degrees of Separation 

Unknown Service 

Peter VanBuskirk
Peter is the Director of Cyber Defense programs within the Cyber Defense and Enablement division of Novetta. His team supports customers that require cyber threat analysis, threat hunting, incident response, malware analysis and reverse engineering, digital forensics, and cyber security assessments. Peter holds GIAC certifications for incident handling (GCIH), penetration testing (GPEN), and Windows forensics (GCFE).

Category: Cyber Security / Novetta Blog Tag(s):  /  /