Finding the 98% of unknown attacker activity
Industry leaders have said that analysts can see, at best, 2% of what attackers are up to on any given day.
That leaves analysts and SOC teams with an uphill battle to find, and defend their organizations against, the other 98% of that activity.
TTP-based detection built on DNS artefacts, used to uncover attacker infrastructure, is a newer field of threat intelligence and one that is far more useful for proactive defense than earlier approaches.
What is TTP-based detection for uncovering attacker infrastructure?
It means analysts look for evidence left behind by attackers' infrastructure-management processes and day-to-day tactics: trace evidence, mostly in DNS, that lets analysts uncover the rest of a campaign the attackers have set up, starting from the small part that is already known.
There are many aspects to this, and many different pieces of evidence that analysts look for, which it is better not to reveal in a public forum. Some of the ideas are hinted at in earlier Silent Push blog posts such as New Attributes, or the posts on malicious infrastructure, which show parts of the simpler end of things.
To truly uncover the unknown 98%, however, it takes a well-organized research cycle that delivers new attributes and insights, which are then tested with machine-assisted learning and then with our behavior clustering. The result is the ability to expand knowledge of a campaign from what traditional security products already know to the unknown portion, the 98%. With that information, network defenders can really defend themselves against what is coming.
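The two passages above describe the idea only in outline: start from a small set of known-bad domains, pivot on the DNS attributes they share with other domains, and grow the picture of the campaign hop by hop. The following is an added illustration of that pivoting loop, not Silent Push's code or method, and it says nothing about which attributes Silent Push actually uses. It assumes a simplified, constructed passive-DNS style dataset (field names `a`, `ns` and `soa_rname` are assumptions) and pivots on shared A records, nameservers and SOA contact addresses. The one caveat a practitioner needs is built in: an attribute shared by too many domains (a shared-hosting IP, a large public nameserver) is commodity infrastructure, not evidence of a single operator, so pivoting on it would pull in unrelated tenants.

```python
from collections import defaultdict, deque

# Constructed sample records (not real data): one row per domain, carrying the
# attributes an analyst might pivot on. Field names are assumptions for this example.
RECORDS = [
    {"domain": "login-secure-update.example",  # seed: the one domain an alert gave us
     "a": ["203.0.113.10"], "ns": ["ns1.bulletproof-dns.example"],
     "soa_rname": "hostmaster.bulletproof-dns.example"},
    {"domain": "account-verify-now.example",   # same IP and nameserver as the seed
     "a": ["203.0.113.10"], "ns": ["ns1.bulletproof-dns.example"],
     "soa_rname": "hostmaster.bulletproof-dns.example"},
    {"domain": "billing-refund-portal.example",  # different IP, same nameserver
     "a": ["203.0.113.11"], "ns": ["ns1.bulletproof-dns.example"],
     "soa_rname": "hostmaster.bulletproof-dns.example"},
    {"domain": "parcel-tracking-alert.example",  # moved nameserver, only an IP links it
     "a": ["203.0.113.11", "192.0.2.50"], "ns": ["ns2.other-dns.example"],
     "soa_rname": "hostmaster.other-dns.example"},
]
# Nine unrelated tenants on a shared-hosting IP behind a large public nameserver.
RECORDS += [
    {"domain": f"tenant{i}.example", "a": ["192.0.2.50"],
     "ns": ["ns.bigdns.example"], "soa_rname": "hostmaster.bigdns.example"}
    for i in range(9)
]

# Attributes shared by more than this many domains are treated as commodity
# infrastructure and are never used as a pivot. The value is an assumption.
MAX_SHARED = 5


def domain_attrs(record):
    """All (attribute_type, value) pairs a record can be pivoted on."""
    return ([("a", ip) for ip in record["a"]]
            + [("ns", ns) for ns in record["ns"]]
            + [("soa_rname", record["soa_rname"])])


def build_index(records):
    """Invert the records: (attribute_type, value) -> set of domains carrying it."""
    index = defaultdict(set)
    for r in records:
        for attr in domain_attrs(r):
            index[attr].add(r["domain"])
    return index


def expand_campaign(seeds, records, max_hops=3, max_shared=MAX_SHARED):
    """Breadth-first pivot from seed domains over shared DNS attributes.

    Returns {domain: (hop, pivot_attribute)} for every domain discovered beyond
    the seeds, recording how many hops away it is and which attribute led to it,
    so an analyst can review the evidence chain rather than trust a flat list.
    """
    index = build_index(records)
    by_domain = {r["domain"]: r for r in records}
    found = {s: (0, None) for s in seeds}
    queue = deque(seeds)
    while queue:
        current = queue.popleft()
        hop = found[current][0]
        if hop >= max_hops:
            continue
        for attr in domain_attrs(by_domain[current]):
            sharing = index[attr]
            if len(sharing) > max_shared:
                continue  # too widely shared to tie domains to one operator
            for other in sorted(sharing):
                if other not in found:
                    found[other] = (hop + 1, attr)
                    queue.append(other)
    return {d: v for d, v in found.items() if v[0] > 0}


if __name__ == "__main__":
    for domain, (hop, via) in sorted(expand_campaign(["login-secure-update.example"], RECORDS).items()):
        print(f"hop {hop}: {domain} via {via}")
```

Run as written, the seed expands to three sibling domains: two at one hop (shared IP, shared nameserver) and `parcel-tracking-alert.example` at two hops through an IP it shares only with a first-hop domain. The nine tenants on `192.0.2.50` are never reached because that IP exceeds `MAX_SHARED`; raising the threshold pulls all of them in at hop three, which is exactly the false-positive flood the popularity check exists to prevent. In practice the pivot keys and the threshold would be tuned per attribute type and the findings reviewed, which is the clustering and testing step the text alludes to.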
Silent Push is all about revealing that 98% to its customers. Not just that: it is also about revealing the underlying characteristics that allow threat intelligence teams to find what they need for their own organizations.