Detect Unknown Cyber Threats with Network Traffic Analysis

Detect Unknown Cyber Threats with Network Traffic Analysis

In a 2002 press briefing, former US Secretary of Defense Donald Rumsfeld issued the now famous quote:

“Reports that say that something hasn’t happened are always interesting to me, because as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns—the ones we don’t know we don’t know…”

Although maligned for the garbled phrasing he chose, the concept of known knowns, known unknowns, and unknown unknowns was not new. Identified threats that a given entity must protect against certainly do exist. But there are also those new, as yet unseen threats lurking about.

While Rumsfeld was speaking about foreign policy, the same notion applies to the world of cybersecurity. For example, malware that’s been in the wild for a while is a known threat. Antivirus and antimalware vendors update their tools to block these attacks. But what about the unknowns, like new zero-day exploits suddenly sprung on unsuspecting targets?

Stopping Unknown Cybersecurity Threats

Privileged account compromise is one of the most common methods of attack behind many of the high-profile data breaches of recent years. In the classic cyber kill chain process, attackers find and then exploit the powerful privileged accounts they need to covertly access systems with sensitive data. The attacker can leverage his appropriated privileged access to appear legitimate.  He can then send a spear phishing email to an unsuspecting company executive who may fall victim to the ploy. Often targets of these attacks don’t even know they’re compromised until their information is dumped on the Internet.

Security conscious organizations know they must protect their privileged accounts. But they often don’t know about all the privileged accounts in their environments or who has access to them. Thus, the actions of an external attacker or malicious insider who hijacks one of these accounts can remain undetected – until it’s too late and critical data is stolen. What can organizations do about these unknown unknowns?

The Network Traffic Analysis Approach

Although it’s a relative newcomer to cybersecurity, the network traffic analysis market is proliferating. This technology applies behavioral analysis to network traffic to detect suspicious activities that most security tools miss – those unknown unknowns.

Network traffic analysis products continuously analyze raw traffic using machine learning and artificial intelligence on NetFlow and packet inspection data. Abnormal traffic patterns raise an alert and the security team can deal with the threat.

Consider our example above about the data breach stemming from privileged account compromise. The moment the login with the hijacked account occurs, network traffic analysis can determine that the activity is unusual because the legitimate user has never logged in from that remote location before. It can also be established that the IP address of the device used is new for the network. Since there is no history for this IP address, the network traffic analysis solution will monitor the activity. It will also know when the attacker, now logged in as a legitimate user, attempts to send his spear phishing email to the executive. It’s possible to see that the real user never communicated with that executive via email before — another red flag. By analyzing this series of events, the network traffic analysis product can raise an alert in real-time.

The Gurucul Network Behavior Analytics Solution

Gurucul’s approach is to use behavior analytics to gain visibility into unknown threats based on abnormal behavior. Gurucul Network Behavior Analytics, part of the powerful Gurucul User and Entity Behavior Analytics (UEBA) platform, monitors behavior patterns attributed to all entities within the network (machine IDs, IP addresses, etc.). It can spot new, unknown malware, zero-day exploits, and attacks that are slow to develop. It can also identify rogue behavior by insider threats.

Want to learn more about how Gurucul can identify unknown network threats using advanced machine learning algorithms? Download the whitepaper Behavior Analytics is the Next-Generation Defense Against Modern Threats.

Then, request a demo and see how we can secure your network traffic from internal and external threats.

Share this page:

Related Posts