Shut Down Attacks Before Damage is Done
In a world where it is widely accepted that attackers continue to operate on networks undetected, better malware detection is only part of the answer. The ability to detect and respond to in-progress attacks is critical to reducing attack dwell time – the amount of time attackers are on a network and can cause damage.
The question is not whether an attacker will penetrate your network but how quickly you can shut them down once they do. Modern malware detection tools have improved capability to detect advanced threats and provide valuable evidence that an attack is in progress, but cannot answer this critical question. Even if malware is discovered and removed from an infected host, there’s no telling whether the attacker has moved on and established beach heads elsewhere or has already acquired legitimate credentials, mapped the network and started exploiting targets.
Malware is just a convenient tool to penetrate the network and establish a beach head; the attack is what happens next. After a successful penetration, attackers will follow a number of steps, such as inventory of network resources, collection of credentials, escalating privileges, unlocking sensitive data, establishing staging sites to store data, and exfiltrating stolen data, all the while being careful to cover tracks and avoid detection. To avoid detection these activities often go “low and slow” often persisting over weeks, months, or even years.
The ability to detect and respond to in-progress attacks is critical to reducing attack dwell time. CT Scout is the world’s first commercially available security solution utilizing Deep System Inspection (DSI) technology, which monitors activity deep within the operating system and provides unique visibility into in-progress attacks. CT Scout is used to monitor threatened systems, to deploy honeynets for real-time attack intelligence, and to analyze malware behavior for the forensic intelligence needed to build effective defenses.
