Anatomy of an Attack
ThreatEye – Advantage – ThreatEye’s analysis of Deep Packet Dynamics, the characteristics of network traffic, can uncover activity such as a user browsing a phishing website or clicking a malicious link in an email that prompts a network-based malware call-back.
ThreatEye – Advantage – ThreatEye uses behavioral baselines to track expected network behavior, identifying regularly accessed resources such as RDP, VPN, and SSH and maintaining an inventory of communications that is used to identify anomalies associated with threat actor initial access.
ThreatEye – Advantage – ThreatEye can detect anomalies in host behavior associated with scanning activity, tracking communications to destinations, services, and ports often associated with threat actor discovery.
ThreatEye – Advantage – ThreatEye incorporates change-point detection in its modeling approach to identify outlier anomalies from an end system’s normal active social network (clique expansion) and synchronization between new communicating parties, such as unexpected or unauthorized RDP, PowerShell Remoting, and unexpected encryption tunnels.
ThreatEye – Advantage – ThreatEye can detect a host within your network that has consumed an irregularly large, asymmetric volume of traffic, resulting in a significant change in that host’s behavior; this is often associated with threat actor collection and staging of data before exfiltration.
ThreatEye – Advantage – Deep packet dynamics help identify encrypted C2 traffic by analyzing SPLT (the sequence of packet lengths and times) and distinctive traffic patterns. Command and control traffic regularly displays detectable traffic characteristics in both the client-to-server and server-to-client directions. Encrypted Traffic Analysis detects C2 traffic by analyzing packet dynamics such as the packet payload length and the total number of bytes observed in the traffic flow.
ThreatEye – Advantage – With command and control and hands-on-keyboard access, attackers can transfer data from an organization’s systems and devices. Data is often exfiltrated over encrypted channels such as SSL/TLS, SSH, and other encrypted protocols. While some data is exfiltrated in large quantities, attackers often use stealthy techniques such as timing channels to send small amounts of data at a time to avoid detection. The combination of deep packet dynamics features with machine learning is used to detect data exfiltration by understanding application “fingerprints” and analyzing producer/consumer ratios (PCR). Examining deep packet dynamics data can identify data exfiltration as anomalous activity.
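As an added example that is not ThreatEye’s or LiveAction’s code, the following Python computes the producer/consumer ratio (PCR) per host and day over constructed flow records and flags a host whose ratio swings from consumer toward producer against its own baseline, the asymmetric-volume shift described for collection, staging and exfiltration above. The host addresses, byte counts and the 0.5 shift threshold are constructed assumptions.

```python
# Added example (not ThreatEye code): PCR baselining over constructed flow
# records to flag a host whose traffic turns sharply asymmetric.
from collections import defaultdict

# Constructed sample flows: (day, host, bytes_sent, bytes_received).
FLOWS = [
    ("d1", "10.0.0.5", 12_000, 950_000),
    ("d1", "10.0.0.5", 8_000, 400_000),
    ("d2", "10.0.0.5", 15_000, 1_100_000),
    ("d3", "10.0.0.5", 9_000, 700_000),
    ("d4", "10.0.0.5", 2_400_000, 30_000),   # day of suspected staging/exfil
    ("d1", "10.0.0.9", 500_000, 520_000),
    ("d2", "10.0.0.9", 480_000, 510_000),
    ("d3", "10.0.0.9", 510_000, 490_000),
    ("d4", "10.0.0.9", 530_000, 500_000),
]

def pcr(sent, received):
    """PCR = (sent - received) / (sent + received): +1 is a pure producer
    (only sends), -1 a pure consumer (only receives), 0 balanced."""
    total = sent + received
    return 0.0 if total == 0 else (sent - received) / total

def daily_pcr(flows):
    """Aggregate bytes per (host, day) and return {host: {day: pcr}}."""
    agg = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for day, host, sent, recv in flows:
        agg[host][day][0] += sent
        agg[host][day][1] += recv
    return {h: {d: pcr(*v) for d, v in days.items()} for h, days in agg.items()}

def pcr_shift_alerts(flows, observe_day, min_shift=0.5):
    """Flag hosts whose PCR on observe_day rises more than min_shift above the
    mean PCR of their earlier days, i.e. a move toward sending data out."""
    alerts = {}
    for host, days in daily_pcr(flows).items():
        history = [v for d, v in days.items() if d != observe_day]
        if not history or observe_day not in days:
            continue
        baseline = sum(history) / len(history)
        shift = days[observe_day] - baseline
        if shift > min_shift:
            alerts[host] = round(shift, 2)
    return alerts

if __name__ == "__main__":
    print(pcr_shift_alerts(FLOWS, "d4"))  # {'10.0.0.5': 1.95}
```

The 0.5 threshold is a placeholder; in practice it would be tuned per host class, since a file server legitimately sits near +1 all the time and only a change against its own history is interesting.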