Network detection and response is a security solution category used by organizations to detect and prevent malicious network activity, investigate and perform forensics to determine root cause, and then respond and mitigate. These solutions can help protect against non-malware threats, including insider attacks, credential abuse, lateral movement, and data exfiltration. They also give organizations greater visibility into what is actually on the network as well as all activity occurring. This, in turn, enables security teams to identify and stop suspicious network activity rapidly and thus minimize the impact.
Defending Against Evolving Threats with Network Detection and Response
Malicious Network Activity – Early Days
Network anomalies existed before widespread Internet use, but they did not cause significant harm until the 1990s. This is when more businesses started using web servers, desktop operating systems and other programs that became explicit targets of malware. It was now possible for attackers to discover vulnerabilities within these programs and build malicious code to exploit those vulnerabilities.
Because malware-based attacks are noisy – they involve downloading malicious executables, gaining remote access via a trojan, and so on – they are easier to detect and respond to. As such, organizations started using security controls like intrusion detection systems (IDS) to detect and remove these threats in real time. An IDS does this by matching traffic against signatures that identify byte sequences of known malware entering the system. But these controls aren’t without their challenges:
- It isn’t possible to detect every piece of malware that finds its way into the network.
- The ever-growing signature database presents an operational challenge of keeping it up to date.
- Organizations can be tripped up by false positives, in which legitimate software is mistakenly detected as malware.
Malicious Network Activity – Today
If the challenges of the early days weren’t enough, attackers started to shift their strategy to circumvent the IDS controls that organizations had put into place. Now, attackers use non-malware techniques that blend in with business-justified activity – compromised credentials, existing system tools, and other methods that easily go undetected.
Basic anomaly detection or simply looking for bad files, IPs, and domains is no longer enough. Modern network detection and response that is equipped with network processing data, analytics, and security research capabilities is needed to stop the threats that have learned to evade existing malware protection systems.
Use Cases: How Network Detection and Response Can Help
Detection of Malicious Intent
In many cases, traditional detection controls overlook malicious, file-less activity that abuses business-justified applications and credentials. In these scenarios, the threat actor disguises itself on the network by using non-malicious tools that already exist within the environment.
Network detection and response using machine learning and behavioral analytics can be deployed to automate complex hunting tasks specific to this situation – such as detecting the use of SMB service control commands for service creation, flagging that these commands remained hidden from the general user population, identifying devices with functions similar to those targeted by the threat actor, and uncovering which systems were being accessed more than usual by the user account.
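As an added illustration of the hunting steps just described (this is example code, not code from the page or from Awake’s platform), the following Python runs three of those checks over constructed SMB/DCE-RPC records: flagging service creation over the svcctl pipe, comparing an account’s distinct-host count against its own earlier baseline, and listing devices that share a business function with the targeted ones. The event fields, the role inventory and the operation names are assumptions.

```python
from collections import defaultdict

# Constructed sample events (not from the page or any real sensor): one
# record per SMB/DCE-RPC request as an NDR sensor might decode it.
# Fields: day, account, source host, destination host, named pipe, operation
EVENTS = [
    (1, "alice", "ws-11", "fs-01", "srvsvc", "NetShareEnumAll"),
    (1, "alice", "ws-11", "fs-02", "srvsvc", "NetShareEnumAll"),
    (2, "alice", "ws-11", "fs-01", "srvsvc", "NetShareEnumAll"),
    (3, "alice", "ws-11", "fs-01", "srvsvc", "NetShareEnumAll"),
    (3, "alice", "ws-11", "db-01", "svcctl", "CreateServiceW"),
    (3, "alice", "ws-11", "db-02", "svcctl", "CreateServiceW"),
    (3, "alice", "ws-11", "db-03", "svcctl", "StartServiceW"),
    (3, "alice", "ws-11", "ws-42", "srvsvc", "NetShareEnumAll"),
    (3, "bob", "ws-20", "fs-01", "srvsvc", "NetShareEnumAll"),
]

# Constructed device inventory: host -> business function.
ROLES = {"db-01": "database", "db-02": "database", "db-03": "database",
         "db-04": "database", "fs-01": "fileserver", "fs-02": "fileserver",
         "ws-11": "workstation", "ws-20": "workstation", "ws-42": "workstation"}

# Service Control Manager operations (MS-SCMR) that create or start a service.
SERVICE_CONTROL_OPS = {"CreateServiceW", "CreateServiceA", "StartServiceW"}

def service_creation_events(events):
    """Remote service creation/start requests sent over the svcctl pipe."""
    return [e for e in events if e[4] == "svcctl" and e[5] in SERVICE_CONTROL_OPS]

def hosts_per_account_per_day(events):
    """account -> day -> set of distinct destination hosts touched."""
    seen = defaultdict(lambda: defaultdict(set))
    for day, acct, _src, dst, _pipe, _op in events:
        seen[acct][day].add(dst)
    return seen

def accounts_over_baseline(events, current_day, factor=2.0):
    """Accounts whose distinct-host count on current_day exceeds factor x
    their mean over earlier days; accounts with no history are skipped."""
    flagged = {}
    for acct, per_day in hosts_per_account_per_day(events).items():
        history = [len(h) for d, h in per_day.items() if d < current_day]
        today = len(per_day.get(current_day, ()))
        if history and today > factor * (sum(history) / len(history)):
            flagged[acct] = today
    return flagged

def similar_function_hosts(targeted, roles):
    """Other devices sharing a business function with the targeted ones."""
    wanted = {roles[h] for h in targeted if h in roles}
    return sorted(h for h, r in roles.items() if r in wanted and h not in targeted)
```

Chaining the three checks (targets of service creation, the account’s host-count spike, and peer devices with the same role) gives the analyst the list of systems to examine next rather than a single alert.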
Rapid and Conclusive Response
Users can unknowingly put their organizations at risk by behaving in insecure ways, such as clicking on a link within a phishing email. If that user’s job is to collaborate with cross-departmental teams, the compromised account can reach information on a broad scale across the network. By clicking on a phishing email, one user can put an organization’s entire proprietary efforts at risk.
To prevent widespread damage from any threat, network detection and response, powered by machine learning and artificial intelligence, can enable attack campaign analysis. It does so by identifying all other devices on the network associated with the user’s email address, finding additional users affected by the phishing attack, uncovering other lures from the same attacker, and continuously monitoring users and devices for real-time protection.
Exhaustive Network Intelligence
Organizations continuously need to navigate risks invisible to log- or agent-based approaches from unmanaged Internet of Things (IoT), Bring-Your-Own-Device (BYOD), and contractor devices. For example, a tiny malicious hardware implant plugged into a network jack can sniff traffic from local networks and then exfiltrate the organization’s information. Because an implant is not part of the organization’s infrastructure, existing tools such as endpoint security or log-based solutions provide no visibility into the attack.
Network detection and response tools, particularly those enhanced through artificial intelligence and machine learning, can uncover entities with peculiar behaviors so that implants such as this are identified and stopped right away. They can further be used to highlight the device that exhibited suspicious traffic patterns and to provide a timeline of when the implant first appeared on the network.
Awake’s Approach to Network Detection and Response
Awake is ahead of the curve when it comes to protecting against the next generation of advanced, non-malware attacks. Using sophisticated artificial intelligence and machine learning detection technologies, coupled with intent-based detection that can look for the very specific attacker tactics, techniques, and procedures (TTPs), Awake’s Network Detection and Response platform is a much more effective tool for security teams, shifting the way they go about uncovering advanced threats. In fact, 100% of Awake’s engagements reveal evil.
By automating much of the manual correlation and data-gathering capabilities typically done by an analyst or threat hunter, security teams can use Awake to gain unprecedented network visibility so that they can establish a baseline for their organization and then flag anomalies that could indicate a threat. Awake’s Network Detection and Response platform enables security teams to do this by:
- Deducing attributes including software versions, user behavior, hardware characteristics, business function, and more
- Supporting integrated graph, structured, and unstructured data to pre-correlate information with the relevant entities
- Using custom indexing and work-sharing technology to support low-latency, interactive queries. This enables security teams to continually run analytics that derive views integrating graph and pre-correlated bulk data