By Ryan Butterworth and Bob Slapnik

It’s become common knowledge that threat detection based on signatures, file checksums and blacklisted URLs doesn’t cut it. Security professionals are increasingly realizing there are better ways to detect the presence of attackers that go beyond malware. In this blog, we will illustrate in layman’s terms an effective technique to find exploitation events in
This blog gives a quick review of 1st and 2nd generation threat detection approaches and introduces the new, 3rd generation.

First-Generation Detection: Signature-based IDS and AV

Network-based intrusion detection systems and host-based antivirus rely on signatures to detect malware. IDS and AV fail to detect new threats because detection requires prior knowledge of the malware. IDS and AV are easily
“Malware-less” typically means the attacker uses whitelisted tools or stolen credentials and doesn’t require exploits or rootkits to maintain remote access. This is an agreeable definition. Traditional security products such as IDS or AV would not detect such an attack. There is considerable debate about which code should be considered malware and which should not. On one hand, people say
Time is an important concept when doing a forensics investigation into the root cause of an attack. Events that occur near one another are often related. A successful exploit may crash a web browser, leaving behind a timestamped crashdump file. If the exploit payload downloads and installs a remote access tool, this exe will have a creation time shortly after
“I could solve most of our security problems by getting rid of users.” Have you ever had this thought? Sorry to say it, but users are here to stay and they will continue to do dumb things like click on malicious links and open weaponized documents. Exploitation and compromise will continue, and security pros are left with the necessary task
Arguably, endpoint security is the responsibility of the operating system. For example, Microsoft Windows has auditing built in – if you know how to configure it. Yet most enterprises don’t use it effectively, or even implement a practice of least privilege.