Malware & Threats

To Stop Advanced Attackers, Look for Uncommon Indicators

Traditional Security Technologies Focus on Detecting Strong Indications of Compromise, but Can’t Identify Weaker Indications of Compromise…

We all know that advanced attackers have the resources, expertise and persistence to compromise any organization, at any time; attackers fundamentally understand the nature of classic security technologies and their applications and exploit the gaps between them. They relentlessly drive their attacks home, frequently using tools that have been developed specifically to circumvent the target’s chosen security infrastructure. Once they penetrate the network they go to great lengths to remain undetected, using technologies and methods that result in nearly imperceptible indicators of compromise to accomplish their mission.

The challenge for defenders is that traditional security technologies are focused on detecting strong indications of compromise, such as known malware and other threats, but can’t capture or analyze weaker indications of compromise. These technologies are also only able to make a determination at a single point in time. If that one shot at identifying and blocking a threat is missed, most IT security professionals have no way to continue to monitor files once they enter the network and take action if they turn out to be malicious. Eventually you’ll realize a breach has happened, but if you’re like most organizations it can take months or even years to discover, according to the Verizon 2013 Data Breach Investigations Report. At that point you’re left calling in the forensics team to figure out what happened and what was stolen or destroyed.

To regain control against these stealthy attacks, defenders need a new threat-centric approach to security to address the full attack continuum – before, during and after an attack – with continuous visibility into indicators of compromise and retrospective security to quickly contain and stop the damage.

Examples of activities that could indicate compromise include a system attempting to communicate back to a known bad (blacklisted) IP address; trying to access a part of the network, a device or a database it hasn’t before; or creating a process that it wouldn’t under typical circumstances. In isolation each of these activities isn’t a detection or prevention event, but when correlated with malware intelligence and other behaviors, even seemingly benign or unrelated, they may suggest a compromise.

To be able to identify indicators of compromise once a threat has entered the network, you need to take a two-tiered approach with tools and processes that combine trajectory capabilities, big data analytics and visualization to enable the following:

Tier 1: Automated analysis and response. Identify technologies that use trajectory capabilities to track system-level activities, file origination and file relationships and then leverage big data analytics for root cause and forensic analysis. When combined, these technologies can highlight and pinpoint subtle patterns of behaviors and weak indicators, suggesting a compromise has happened and a breach has most likely occurred. The ability to alert and automatically take action can speed response and help mitigate damage.

Tier 2: Actionable intelligence. Visualization technologies are also important so that you can quickly understand the chain of events leading up to and following a possible compromise. This allows you to apply context based on your expertise, perspective and knowledge of activities happening at that moment in your environment to make an even more nuanced determination of suspicious activity and identify indicators of compromise. If you identify an indicator of compromise you can see what’s occurring across your environment at that moment, look back at preceding events and then control activities that could be risky. If you determine a breach has occurred, by locating the point of origination and understanding the scope of the exposure you can stop the attack and remediate.
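As an added illustration (not code from this column or from any product it alludes to), the following Python sketch correlates the three weak indicators described above per host over a look-back window and keeps the ordered trajectory of events for retrospective analysis. The blacklist, per-host baselines and telemetry records are all constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed reference data (assumptions for this example, not from the column).
BLACKLISTED_IPS = {"203.0.113.9"}          # documentation-range address used as a stand-in
BASELINE = {                               # segments and processes each host has been seen using
    "ws-17": {"segments": {"10.10.0.0/16", "internet"}, "procs": {"outlook.exe", "chrome.exe"}},
    "ws-22": {"segments": {"10.10.0.0/16", "internet"}, "procs": {"chrome.exe"}},
}
WINDOW = timedelta(hours=24)               # look-back period for tying weak signals together

# Constructed telemetry; each record is one observed system- or network-level activity.
EVENTS = [
    {"ts": "2013-06-01T09:00", "host": "ws-17", "kind": "net", "dst": "198.51.100.4", "segment": "internet"},
    {"ts": "2013-06-01T09:05", "host": "ws-17", "kind": "proc", "name": "chrome.exe"},
    {"ts": "2013-06-01T09:20", "host": "ws-17", "kind": "proc", "name": "rundll32.exe"},
    {"ts": "2013-06-01T10:10", "host": "ws-17", "kind": "net", "dst": "10.20.5.8", "segment": "10.20.0.0/16"},
    {"ts": "2013-06-01T13:45", "host": "ws-17", "kind": "net", "dst": "203.0.113.9", "segment": "internet"},
    {"ts": "2013-06-01T11:00", "host": "ws-22", "kind": "net", "dst": "10.20.5.8", "segment": "10.20.0.0/16"},
]

def weak_indicators(ev):
    """Return the weak indicators one event carries; none of them is a verdict on its own."""
    base = BASELINE.get(ev["host"], {"segments": set(), "procs": set()})
    found = []
    if ev["kind"] == "net" and ev["dst"] in BLACKLISTED_IPS:
        found.append("blacklisted-destination")
    if ev["kind"] == "net" and ev["segment"] not in base["segments"]:
        found.append("new-network-segment")
    if ev["kind"] == "proc" and ev["name"] not in base["procs"]:
        found.append("atypical-process")
    return found

def correlate(events, min_distinct=2, window=WINDOW):
    """Alert on a host only when several distinct weak indicators fall inside one window."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        for ind in weak_indicators(ev):
            by_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), ind, ev))
    alerts = {}
    for host, hits in by_host.items():
        for t0, _, _ in hits:
            in_window = [h for h in hits if t0 <= h[0] <= t0 + window]
            kinds = {h[1] for h in in_window}
            if len(kinds) >= min_distinct:
                # Trajectory: the ordered events an analyst replays to locate the point of origin.
                alerts[host] = {"indicators": sorted(kinds), "trajectory": [h[2] for h in in_window]}
                break
    return alerts
```

With this data ws-22 touches a new segment once and stays silent, while ws-17 accumulates an atypical process, a new segment and a blacklisted destination within the window and is raised with its full trajectory.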

Attackers are relying on the fact that defenders are focused on detection and prevention technologies alone to look for threats and remove them. As a result, attackers are using weak signals to create nearly imperceptible indicators of compromise to attempt to stay below defenders’ radar.

While detection and prevention are essential to any security defense strategy, defenders also need the ability to quickly tie together seemingly unrelated events to identify a threat that has evaded defenses. With decisive insight from trajectory, big data analytics and visualization capabilities, defenders can now see that blip on the radar, home in on it, understand it and take action.

Written By

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies, including Valtix.
