Who’s next? Shift focus and detect network attackers

Who will be the victim of the next major breach? Nearly all enterprises and organizations are sitting ducks for a targeted network attack. Maybe it’s time to take some significant steps and be able to proclaim: “We won’t get breached again.”

Preventative security cannot prevent a network intruder from penetrating a network 100% of the time. The best pen testers even guarantee that they can get into a network within two days. Prevention is still necessary, but it is not sufficient to always stop an attacker. Companies need to have a plan B.

Expect that a motivated attacker will get into your network. Now the trick is finding an active attacker early in the process to thwart or minimize any theft or damage. Legacy security tools and procedures are ill equipped to detect active attackers on a network. The average dwell times of five months and long list of major breaches are proof of today’s failings.

Detect network attackers

To find an active attacker on your network, two fundamental challenges must be solved. First, you need to change what you look for and how. Second, you need to solve the noise problem.

You will be hard pressed to find an active network attacker through the typical process of catching technical artifacts—pre-defined signatures, hashes, software behaviors, URLs and other signs. Attackers must be detected by their operational activities. These are real threat actors conducting a step-by-step campaign to get to valuable assets on a network. Malware may or may not be involved in their work, and uncovering yet another piece of it will not by itself reveal an in-progress attack.

Once an attacker gets inside a network—most likely through a compromised client or user account—they are in an unfamiliar setting. Their two most crucial directives are to explore/understand the network (reconnaissance) to find assets and a path to access them and then make those “lateral” movements to expand their realm of control and be positioned to get hold of the asset. These “east-west” internal movements are intended to be done in complete stealth. Security systems based on “known bad” technical artifacts simply won’t see these activities.

Similarly, endpoint detection systems are extremely limited in their ability to find east-west operational activity. These activities are inherently network operations. Sure, they are initiated by some user, but they are best seen on the network first and then associated with a specific user process.

Reconnaissance operations

Network detection has to look at full network activity rather than limited packet routing information. It boils down to “who is doing what to whom.”

Common reconnaissance operations include port scanning, using SMB to search for open network file shares or searching for various services running on other machines. These things can be best seen as something happening on the network. A further step is crucial, however, to differentiate a normal network activity from something that is both anomalous and malicious.

Lateral movement operations might include remote command execution using PsExec or PowerShell remoting. Again, these things are best spotted on the network with the proper visibility. They also require sorting out from operations that are normal for the user and device, so that what is both anomalous and malicious can be detected.

Separating that which is anomalous and malicious speaks to the second major issue in detecting an active network attacker quickly and accurately: noise. Today’s security systems alert on every sign and signal of known technical artifact or various behavioral components, such as each scanned entity in a port scan.

As a result, systems produce an overwhelming number of alerts that are dominated by false positives. Security operators are besieged with hundreds or thousands of daily alerts, and most of them are worthless. Finding an alert indicative of an active attack involves nothing short of sheer luck.
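The reconnaissance and lateral-movement operations described above can be picked out of plain network flow records by asking "who is doing what to whom", and the noise problem shrinks when everything one source host does inside a time window is rolled into a single alert rather than one alert per scanned target. The following is an added example written for this page, not code from the article or from any product; the flow records are constructed, and the field layout, the application-layer hint in the last field, and the thresholds are assumptions.

```python
"""Added example (not from the article): spot reconnaissance and
lateral-movement operations in network flow records by what a source host
is doing to whom, and aggregate everything one host does inside a time
window into a single alert instead of one alert per scanned target.
Flow records are constructed; field names and thresholds are assumptions."""
from collections import defaultdict

PORT_SCAN_MIN_PORTS = 20     # distinct ports probed on one host
SHARE_ENUM_MIN_HOSTS = 10    # distinct hosts contacted on SMB/445
WINDOW_SECONDS = 120

# Constructed sample flows: (timestamp, src, dst, dst_port, app_detail).
# `app_detail` is an application-layer hint (here the SMB share name) that a
# protocol-aware sensor could supply; its format is an assumption.
SAMPLE_FLOWS = [
    (0, "10.0.1.20", "10.0.0.5", 445, "smb share=Finance"),   # normal file share use
    (5, "10.0.1.20", "10.0.0.9", 443, ""),
    # Port scan: one source, one target, 40 different ports
    *[(10 + i, "10.0.1.77", "10.0.0.5", port, "") for i, port in enumerate(range(1, 41))],
    # Share enumeration: one source touching SMB on 12 different hosts
    *[(60 + i, "10.0.1.77", f"10.0.2.{i}", 445, "smb share=IPC$") for i in range(1, 13)],
    # Remote execution indicators: admin share access, then WinRM
    (90, "10.0.1.77", "10.0.2.8", 445, "smb share=ADMIN$"),
    (95, "10.0.1.77", "10.0.2.9", 5985, "winrm"),
]


def detect(flows, window=WINDOW_SECONDS):
    """Return a list of alerts, one per (source host, time window) that shows
    reconnaissance or lateral-movement operations. Each alert carries all of
    that host's findings, so a 40-port scan is one finding, not 40 events."""
    groups = defaultdict(list)
    for ts, src, dst, port, detail in flows:
        groups[(src, ts // window)].append((ts, dst, port, detail))

    alerts = []
    for (src, bucket), records in sorted(groups.items()):
        ports_per_dst = defaultdict(set)   # dst -> distinct ports probed
        smb_targets = set()                # hosts contacted on 445
        remote_exec = []                   # (dst, what) remote-execution hints
        for ts, dst, port, detail in records:
            ports_per_dst[dst].add(port)
            if port == 445:
                smb_targets.add(dst)
            if "share=ADMIN$" in detail or port in (5985, 5986):
                remote_exec.append((dst, detail or str(port)))

        findings = []
        for dst, ports in ports_per_dst.items():
            if len(ports) >= PORT_SCAN_MIN_PORTS:
                findings.append(("port_scan", f"{len(ports)} ports probed on {dst}"))
        if len(smb_targets) >= SHARE_ENUM_MIN_HOSTS:
            findings.append(("smb_share_enum", f"SMB to {len(smb_targets)} hosts"))
        for dst, what in remote_exec:
            findings.append(("remote_exec", f"{what} on {dst}"))

        if findings:
            alerts.append({"src": src, "window_start": bucket * window,
                           "event_count": len(records), "findings": findings})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_FLOWS):
        print(f"{alert['src']}: {alert['event_count']} flows -> "
              f"{len(alert['findings'])} findings")
        for kind, summary in alert["findings"]:
            print(f"  [{kind}] {summary}")
```

On the constructed data the 54 flows from the compromised client collapse into one alert with four findings, while the workstation doing ordinary file-share and web traffic produces nothing. The windowing by `ts // window` is deliberately simple; a production detector would use a sliding window so that a scan straddling a bucket boundary is not split in two.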

A fundamental change to attack detection emphasizes live behavioral profiling. First establish baseline profiles for all users and IP-connected devices on a network. Start with a deep network view and augment it with specific details from clients. The profiling process can greatly benefit from unsupervised, in-network machine learning.

In developing an understanding of what is good or normal, not everything in this initial learning period can be tacitly accepted. Some behaviors will need to be confirmed as good.

Once ongoing profiles are established and validated, the network needs continuous monitoring to detect anomalies. Again, automated machine learning plays a crucial role. Don’t stop there, though. From these anomalies, it’s important to differentiate those things that are truly malicious. Ideally the system can take a further step and understand how events may be connected as steps of an actual attack. Through the precision of this process, a system needs to create only a small number of daily alerts that are easily managed by the security or IT team.

At the same time the alerts should have a high degree of accuracy and usefulness to make the team productive. The result will have a transformative effect on a team or individual’s ability to find an attacker early in the process.
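The profiling pipeline sketched above (baseline, confirm what the baseline learned, monitor for anomalies, then connect anomalies into attack steps before alerting) can be shown end to end on a small scale. What follows is an added example written for this page, not code from the article or from any vendor's product: the learning-period and live flows are constructed, the per-host profile is a simple set of peers rather than a learned model, and the protocol list, thresholds, and correlation window are assumptions.

```python
"""Added example (not from the article): baseline each device's normal
network peers during a learning period, have a human confirm the parts of
the baseline that must not be tacitly accepted, flag live flows that
deviate, and raise a single alert only when anomalies chain into the
reconnaissance -> lateral movement sequence. All flows are constructed;
ports, thresholds and field names are assumptions."""
from collections import defaultdict

# Remote-administration protocols that warrant confirmation in a baseline.
ADMIN_PORTS = {5985: "WinRM", 5986: "WinRM-TLS", 3389: "RDP", 22: "SSH"}

# Constructed learning-period flows: (src, dst, dst_port)
LEARNING_FLOWS = [
    ("10.0.1.20", "10.0.0.5", 445), ("10.0.1.20", "10.0.0.9", 443),
    ("10.0.1.20", "10.0.0.7", 53),
    ("10.0.1.77", "10.0.0.5", 445), ("10.0.1.77", "10.0.0.9", 443),
    ("10.0.1.77", "10.0.0.7", 53),
    # An admin jump host that legitimately uses WinRM to many servers
    ("10.0.1.5", "10.0.2.1", 5985), ("10.0.1.5", "10.0.2.2", 5985),
    ("10.0.1.5", "10.0.2.3", 5985),
]

# Constructed live flows: (timestamp, src, dst, dst_port)
LIVE_FLOWS = [
    (1000, "10.0.1.20", "10.0.0.9", 443),    # matches baseline: silent
    (1010, "10.0.1.20", "10.0.3.4", 443),    # one new peer: observation only
    # Burst of new SMB peers from a workstation (share enumeration)
    *[(1100 + i, "10.0.1.77", f"10.0.2.{i}", 445) for i in range(1, 11)],
    (1200, "10.0.1.77", "10.0.2.7", 5985),   # first-ever WinRM, to a just-found host
    (1300, "10.0.1.5", "10.0.2.9", 5985),    # jump host: new server, usual protocol
]


def build_profiles(flows):
    """Baseline per source host: the (dst, port) peers seen and the admin
    protocols it used during learning. Stands in for the unsupervised
    profiling step; a real system would also learn volumes and timing."""
    profiles = defaultdict(lambda: {"peers": set(), "admin_ports": set(),
                                    "validated": False})
    for src, dst, port in flows:
        profiles[src]["peers"].add((dst, port))
        if port in ADMIN_PORTS:
            profiles[src]["admin_ports"].add(port)
    return dict(profiles)


def needs_confirmation(profiles):
    """Hosts whose baseline includes remote-admin protocols; a person must
    confirm these as legitimate (e.g. a jump host) before they are trusted."""
    return sorted(src for src, p in profiles.items() if p["admin_ports"])


def confirm(profiles, src):
    """Mark a host's learned admin behaviour as reviewed and accepted."""
    profiles[src]["validated"] = True


def score_flows(profiles, live_flows):
    """One anomaly per live flow outside the source's baseline; flows that
    match the baseline produce nothing at all."""
    anomalies = []
    for ts, src, dst, port in live_flows:
        p = profiles.get(src)
        if p is None:
            kind = "unknown_source"
        elif port in ADMIN_PORTS and port not in p["admin_ports"]:
            kind = "new_admin_protocol"
        elif port in ADMIN_PORTS and not p["validated"]:
            kind = "unconfirmed_admin_baseline"   # learned, never confirmed
        elif (dst, port) in p["peers"]:
            continue
        else:
            kind = "new_peer"
        anomalies.append((ts, src, dst, port, kind))
    return anomalies


def correlate(anomalies, min_new_peers=8, window=300):
    """Connect anomalies into attack stages per source. A burst of new peers
    (reconnaissance) followed within `window` seconds by a first-ever
    remote-admin connection to one of those newly contacted hosts (lateral
    movement) yields ONE alert. Everything else is returned as low-priority
    observations, which is what keeps the daily alert count small."""
    by_src = defaultdict(list)
    for a in anomalies:
        by_src[a[1]].append(a)
    alerts, observations = [], []
    for src, items in by_src.items():
        items.sort()
        recon = [a for a in items if a[4] == "new_peer"]
        new_hosts = {a[2] for a in recon}
        chain = None
        if len(new_hosts) >= min_new_peers:
            first_recon_ts = recon[0][0]
            for a in items:
                if (a[4] == "new_admin_protocol" and a[2] in new_hosts
                        and 0 <= a[0] - first_recon_ts <= window):
                    chain = {"src": src, "recon_hosts": len(new_hosts),
                             "lateral_to": a[2], "protocol": ADMIN_PORTS[a[3]]}
                    break
        if chain:
            alerts.append(chain)
        else:
            observations.extend(items)
    return alerts, observations


if __name__ == "__main__":
    profiles = build_profiles(LEARNING_FLOWS)
    for host in needs_confirmation(profiles):   # human review step
        confirm(profiles, host)
    alerts, observations = correlate(score_flows(profiles, LIVE_FLOWS))
    print(f"{len(alerts)} alert(s), {len(observations)} observation(s)")
    for alert in alerts:
        print(alert)
```

Run as written, the 14 live flows yield 13 raw anomalies but exactly one alert: the workstation that contacted ten new hosts and then made its first-ever WinRM connection to one of them. The jump host's connection to a new server and the other workstation's single new peer stay as observations, and until the jump host's learned WinRM use is confirmed, its admin traffic is scored as unconfirmed rather than silently accepted.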
