Back to Blog

Know Your Enemies – (Network) Behavior
Gives Away the Attacker. Every Time.

By
Teppo Halonen
|
March 8, 2022

As the new reality of the continual dangers of cyberwar gradually sets in, organizations globally are working to harden their defenses. Most cyber-attacks are blocked by preventative safeguards. Highly motivated attackers, however, tend to find ways to get through those defenses.

Nation-state actors (APTs) sometimes use their access to novel vulnerability exploits (zero-days). They have vast resources at their disposal and can perform social engineering or can even physically gain access to their targets. Organized cybercriminal groups, on the other hand, may try to leverage insiders in their target organizations to mount their attacks.

 

Regardless of the threat actor – the attackers’ behavior is similar

When an attacker has succeeded in gaining a foothold in the target environment, it is critical to detect them before they can compromise the entire system in a breach. Every attack starts with an initial compromise, by which time the attacker has likely achieved the following goals:

  1. gotten the ability to “live off the land” in one or more devices or services within the environment;
  2. gained access to valid credentials;
  3. evaded defensive measures such as identity management, firewalls, IDS, antivirus software, and even EDR solutions;
  4. started to proceed toward their ultimate objectives by executing their “Cyber Kill Chain”.

Depending on the target organization and the attacker in question, the end-game may be:

  • sabotage in some form;
  • espionage, encrypting and/or exfiltrating data;
  • stealing resources or committing fraud.

Before the attacker can reach this end-game, however, they invariably – regardless of their goals – take the following actions toward the objective:

  1. ensure persistance in the environment;
  2. secure a remote connection (C2) to the environment;
  3. perform reconnaissance;
  4. escalate access privileges;
  5. progress laterally toward the targeted high-value assets/data.

The attackers obviously attempt to do all of the above while evading defenses and detection. But such actions along the kill chain create activities across the network – whether a physical, cloud, or virtual network.

AI has proven to detect malicious activities at scale and in real time

While the attacker’s activities are hard to detect and distinguish from regular and safe activity, artificial intelligence (AI) has proven to be a good tool for doing this – at scale and in real time. Vectra AI does this by watching the network for patterns of attacker’s behaviors – based on individual steps as well as the overall progression of the attack. Unlike other cyber-defense solutions, Vectra can spotlight attackers by detecting what they are doing across networks and systems – not just by detecting tools, signatures, IOCs, or anomalies but their concrete behavior.

 

Vectra does this across the on-prem networks and cloud (IaaS, SaaS, and PaaS), leveraging purpose-built, patented machine learning and AI – covering 97% of the MITRE ATT@CK network-based techniques.

 

If you’d like to hear more, contact us and we’ll show you how we do this and what you can do. We can also put you in contact with one of our customers to hear directly their experiences with our solution.