How to apply a network-centric approach to cybersecurity

The pivotal role of NDR

Threat history is generally available in three places: network, endpoint and logs. Endpoint Detection and Response (EDR) provides a detailed ground-level view of the processes running on a host and interactions between them.

Network Detection and Response (NDR) provides an aerial view of the interactions between all devices on the network. Security teams then configure Security Information and Event Management (SIEM) systems to collect event log information from other systems and correlate across data sources.

Security teams that deploy these tools are empowered to answer a broad range of questions when responding to an incident or hunting for threats.

For example, they can answer: What did this asset or account do before the alert? What did it do after the alert? Can we find out when things started to turn bad?

Of this group, NDR is most critical because it provides perspective where the others cannot. For example, exploits that operate at the BIOS level of a device can subvert EDR, and malicious activity may simply not be reflected in logs. But their activity becomes visible to network tools as soon as they interact with any other system over the network.

Effective AI-driven network detection and response platforms collect and store the right metadata and enrich it with AI-derived security insights. Effective use of AI can then drive the detection of attackers in real time and perform conclusive incident investigations.

[Figure: the SOC visibility triad, three parts: SIEM/UEBA, Network Detection and Response, Endpoint Detection and Response]

Detection: Automation through AI

Powered by AI – machine learning, deep learning and neural networks – attacker behavior models constantly learn and adapt to automatically detect advanced threats in real time, before they do damage. 

In addition to threat detection, AI is instrumental in triaging and prioritizing the highest-risk threats and correlating attacks with compromised host devices. 

Tier 1 automation alone can condense weeks – and even months – of work into minutes and reduce the security analyst workload by 37X.

Here are some tips to improve the detection of attacker behaviors in network traffic, security posture and risk management:

  • Augment signature-based perimeter security products with behavior-based network traffic analytics.
  • Focus on detecting malicious command-and-control, internal recon, lateral movement and data exfiltration behaviors in your unique environment.
  • Insist on scalability so you can analyze all traffic in your network and optimize detection efficacy.
  • Ask for a proof-of-concept trial to ensure that attacker detections are relevant to your environment.

Response: Faster and smarter

When a threat is detected, security teams must answer a wide range of questions in order to respond quickly and decisively. These include:

  • Did other assets behave strangely after communicating with a potentially compromised asset?
  • What service and protocol were used?
  • What other assets or accounts may be implicated?
  • Did other assets contact the same external command-and-control IP address?
  • Did a user account behave in unexpected ways on other devices?

The first step is to make sure that the attributes needed to answer these questions are readily available to the analyst. Relevant security information, rich in context, must be available to incident responders.

Machine learning-derived attributes, including host identity and beaconing, provide vital context that reveals the complete scope and scale of an attack. 

Context that puts the most relevant information at your fingertips provides a trail of forensic evidence about threat behaviors throughout the entire attack lifecycle while eliminating the endless hunt and search for threats.


The cyberattack lifecycle

Command and control

Attack lifecycle - Command & Control

Internal reconnaissance

Reconnaissance attacker behaviors occur when a device is used to map out the enterprise infrastructure.

This activity is often part of a targeted attack, although it might indicate that botnets are attempting to spread internally to other devices.

Detection types cover fast scans and slow scans of systems, network ports and user accounts.
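As an added illustration (example code written for this page, not part of the whitepaper or of Vectra's product) of the beaconing attribute mentioned under Response and of the fast and slow scans mentioned here: a small Python detector that scores connection metadata for timer-driven check-ins to a fixed external service and for port fan-out over a short or a day-long window. The flow records, hosts and thresholds are constructed for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows, not captured traffic: (timestamp_s, src_ip, dst_ip, dst_port).
FLOWS = []
# 10.0.0.5 contacts 203.0.113.9:443 every ~300 s with small jitter: a command-and-control beacon.
FLOWS += [(300 * i + i % 3, "10.0.0.5", "203.0.113.9", 443) for i in range(8)]
# 10.0.0.7 reaches a web site at irregular, human-driven times: benign.
FLOWS += [(t, "10.0.0.7", "198.51.100.4", 443) for t in (5, 40, 41, 900, 2300, 2310, 7000)]
# 10.0.0.8 probes 25 ports on one internal host within 10 s: fast scan.
FLOWS += [(1000 + p // 3, "10.0.0.8", "10.0.1.1", p) for p in range(1, 26)]
# 10.0.0.9 probes one new port per hour for a day: slow scan.
FLOWS += [(3600 * h, "10.0.0.9", "10.0.1.2", 1000 + h) for h in range(24)]


def beaconing_pairs(flows, min_events=6, max_cv=0.15):
    """Map (src, dst, port) -> mean interval for services contacted at near-constant
    intervals. Keying on the port matters: a scanner hitting one host is regular
    too, but never repeats the same service. A coefficient of variation
    (stdev / mean) near zero means a timer is driving the traffic, not a person."""
    times = defaultdict(list)
    for ts, src, dst, port in flows:
        times[(src, dst, port)].append(ts)
    found = {}
    for key, ts_list in times.items():
        if len(ts_list) < min_events:
            continue
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            found[key] = round(avg, 1)
    return found


def recon_sources(flows, window_s, min_targets):
    """Map src -> peak count of distinct (dst, port) targets touched inside any
    window_s-second span. A 60 s window with a high count catches fast scans;
    a day-long window catches slow scans that stay under per-minute thresholds."""
    per_src = defaultdict(list)
    for ts, src, dst, port in flows:
        per_src[src].append((ts, (dst, port)))
    flagged = {}
    for src, events in per_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            seen = {tgt for ts, tgt in events[i:] if ts - start <= window_s}
            if len(seen) >= min_targets:
                flagged[src] = max(flagged.get(src, 0), len(seen))
    return flagged
```

Running both detectors over the same records shows why the page stresses scalability: the slow scanner only stands out when a full day of metadata for every host is retained and queried.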

Attack Lifecycle - Internal Recon

Lateral movement

Lateral movement covers scenarios of lateral action meant to further a targeted attack. This can involve attempts to steal account credentials or to steal data from another device.

It can also involve compromising another device to make the attacker’s foothold more durable or to get closer to target data.

This stage of the attack lifecycle is the precursor to moving into private data centers and public clouds.

Attack lifecycle - Lateral movement

Data exfiltration

Data exfiltration behaviors occur when data is sent to the outside in a way that is meant to hide the transfer.

Normally, legitimate data transfers do not involve the use of techniques meant to hide the transfer.

The device transmitting the data, where it is transmitting the data, the amount of data and the technique used to send it are indicators of exfiltration.

Attack lifecycle - Data exfiltration

Botnet monetization

Botnet monetization covers opportunistic attack behaviors in which an infected device makes money for its bot herder.

The ways in which an infected device can be used to produce value can range from mining bitcoins to sending spam emails to producing fake ad clicks.

To turn a profit, the bot herder utilizes devices, their network connections and, most of all, the unsullied reputation of their assigned IP addresses.

Attack lifecycle - Botnet monetization