Hot on the heels of our Building an Early Warning System paper, we have taken a much deeper look at the network aspect of threat intelligence in Network-based Threat Intelligence. We have always held to the belief that the network never lies (okay – almost never), and that provides a great basis on which to build an Early Warning System.
This excerpt from the first section sums it up pretty nicely:
But what can be done to identify malicious activity if you don’t have the specific IoCs for the malware in question? That’s when we look at the network to yield information about what might be a problem, even if controls on the specific device fail. Why look at the network? Because it’s very hard to stage attacks, move laterally within an organization, and accomplish data exfiltration without using the network.
This means attackers leave a trail of bits on the network, which can provide a powerful indication of the kinds of attacks you are seeing, and which devices on your network are already compromised. This paper will dig into these network-based indicators, and share tactics to leverage them to quickly identify compromised devices. Hopefully shortening this detection window will help to contain the damage and prevent data loss.
We would like to thank Damballa for licensing the content in this paper. Obviously we wouldn’t be able to do the research we do, or offer it to you folks for this most excellent price, without clients licensing our content.