<img src="https://ws.zoominfo.com/pixel/0nVRFDqEc4KEsx6wmKaS" width="1" height="1" style="display: none;">

Minefield Saves the Day: How Behavior-Based Threat Detection Identifies Novel Attack Tactics


Here at BTB Security, we rely on an industry-leading threat intelligence platform, proprietary detection techniques, and intelligent pattern-recognition algorithms to find evidence of attacks that other solutions — including traditional antivirus software — will miss. Developed by our in-house RIOT Labs security researchers, our Minefield platform leverages the expertise they’ve cultivated during decades of experience as well as the data they’ve gathered in the field to identify the key behavior patterns that are typically seen in attack trajectories.

Recently, we were able to save one of our clients, a midsized organization with approximately 1,400 employees working in a Windows-based computing environment, from the heartache and financial devastation that a data breach would have caused. This client had a strong security program in place, including a well-known email filtering solution and solid antivirus protection. But without the extra layer of preventative safeguards that ongoing security monitoring brings, they would have remained vulnerable to novel and atypical attack tactics.

The importance of multilayered defenses

Don’t get us wrong: antivirus (AV) software still has a valuable role to play in every organization’s cybersecurity toolkit. Today’s AV solutions scan for many kinds of threats besides viruses, including malicious URLs, spyware, rootkits, trojans, keyloggers, and more. They do an excellent job of blocking commonly known attack techniques, especially if they take advantage of known malicious code.

In this case, however, the antivirus software didn’t see the attacker’s initial entry into the environment. The attackers successfully tricked an end-user into clicking on a phishing email. It contained a malicious payload that was concealed within a file type that hadn’t been known to deliver malware in the past. Java ARchive (JAR) is a file format in which pre-compiled Java programs are compressed and packaged together into a single archive file, similar to the better-known ZIP format. Because Java JAR files haven’t commonly been used for malicious purposes, the AV didn’t catch the first stage of this attack.

However, our security analysts soon noticed subsequent trouble signs. Monitoring the customer’s endpoint detection and response (EDR) solution, they observed evidence that the attackers were conducting reconnaissance — trying to figure out where valuable data and other resources were housed within the IT environment. They also saw the attackers trying to gather privileged credentials so that they could have broader access to the network.

Once BTB’s expert team noticed these threat indicators, we quickly isolated the affected computer, notified our customer, and provided recommendations on how to contain the incident, including changing passwords and re-imaging the machine to ensure that it’s malware-free.

Fundamental to our success was the fact that we rely on a multilayered approach: AV software provides one layer of defense, and EDR provides another. Both solutions’ capabilities have limitations, but using them together, in conjunction with security monitoring performed by expert human analysts and our TTP-based Minefield platform, which helps identify the adversarial behaviors that are most likely to be present during the various phases of an attack, provides much stronger safeguards.

An early warning system to prevent devastating attacks

Today’s phishing emails can be highly convincing. No matter how well-trained, careful or knowledgeable your employees are about cybersecurity best practices, it will always remain possible for someone to make a mistake.

And because attackers are always changing their tactics — recompiling their malicious code so that AV software won’t recognize it, for instance — any single-purpose security solution has the potential to miss things. Our Minefield platform instead focuses on malicious behavior patterns, which are near-universal. Though attackers may use different techniques to do so, they will always need to explore their victim’s environment and move laterally across it before stealing data or compromising other assets.

Currently, Minefield can detect over 500 distinct behavior patterns indicative of an in-progress attack, but because we are constantly adding to it as new attack vectors are discovered and new operating system features introduced, this number will continue to grow over time. This means that we’re able to deliver better and better outcomes for our RADAR clients, even as the threat landscape grows more complex.

Want to learn more about how our industry-leading managed detection and response services are able to identify 260% more security threats than an in-house security operations center (SOC)? Request a free, no-obligation demonstration today.

Related Posts