How does the "Advanced Threat Detection" (ATD) work?
ATD is built on the common characteristics and methods of advanced persistent threats (APTs). In contrast to well-known, widespread malware, APTs are targeted attacks on specific organizations and far more complex. They also cost the attacker considerably more and play out over weeks, months or even years.
ATD uses different types of analysis such as:
- Detection of hidden channels to control malware and exfiltrate data
- Blacklisting and detection of domain generation algorithms (DGA)
- Detection of virtual tunnels (encapsulation, VPN, etc.)
- Frequency and behavioral analysis as well as signature-based detection
- Detection of forbidden encrypted communication connections
- Analysis of standard protocols carrying hidden channels
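To make two of the analysis types above concrete, here is an added example of the kind of heuristic an engine applies to resolver logs for DGA detection (the second-level label looks machine-generated) and for hidden channels over a standard protocol (DNS queries whose leftmost label is long enough to carry tunnelled data). This is illustrative code written for this page, not the product's own implementation; the log format, the thresholds and the sample lines are all constructed assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log lines: "client queried_name response_code".
SAMPLE_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.5 mail.example.com NOERROR
10.0.0.5 stackoverflow.com NOERROR
10.0.0.9 xkq7z2pl9mfa3wd.com NXDOMAIN
10.0.0.9 q2v8hlm4xz0tpw.net NXDOMAIN
10.0.0.9 b7m3nx9kqtz4lr.com NXDOMAIN
10.0.0.9 p8zkwm2lqn7xvt.org NXDOMAIN
10.0.0.12 4f3a9c1e8b7d2a6f5e4c3b2a1d0f9e8c.t.example.net NOERROR
10.0.0.12 0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d.t.example.net NOERROR
10.0.0.12 9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b.t.example.net NOERROR
10.0.0.7 cdn.example.org NOERROR
"""

VOWELS = set("aeiou")


def shannon_entropy(text):
    """Bits of entropy per character of a label."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def longest_consonant_run(text):
    """Length of the longest run of consonants (a pronounceability proxy)."""
    run = best = 0
    for ch in text:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def looks_generated(label, min_len=10, min_entropy=3.0):
    """Heuristic DGA test on a second-level label. Entropy alone also flags
    long real words, so additionally require digits or an unpronounceable
    consonant run. Thresholds are assumptions for this example."""
    if len(label) < min_len or shannon_entropy(label) < min_entropy:
        return False
    digits = sum(ch.isdigit() for ch in label)
    return digits >= 2 or longest_consonant_run(label) >= 4


def split_name(name):
    """Return (leftmost_label, second_level_label, parent_domain). Assumes a
    one-label public suffix; a real engine would use the Public Suffix List."""
    labels = name.lower().rstrip(".").split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    return labels[0], sld, ".".join(labels[-2:])


def analyze(log_text, tunnel_label_len=30, min_dga_hits=3, min_tunnel_hits=2):
    """Return {client: [finding, ...]} for clients whose DNS traffic shows
    DGA-like lookups or tunnel-like long subdomain labels."""
    dga_domains = defaultdict(set)              # client -> generated-looking domains
    nxdomain = Counter()                        # client -> NXDOMAIN answers
    tunnel = defaultdict(lambda: defaultdict(list))  # client -> parent -> label lengths
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, name, rcode = line.split()
        left, sld, parent = split_name(name)
        if rcode == "NXDOMAIN":
            nxdomain[client] += 1
        if looks_generated(sld):
            dga_domains[client].add(parent)
        if len(left) >= tunnel_label_len:
            tunnel[client][parent].append(len(left))

    findings = defaultdict(list)
    for client, domains in dga_domains.items():
        if len(domains) >= min_dga_hits:
            findings[client].append(
                f"dga: {len(domains)} generated-looking domains, "
                f"{nxdomain[client]} NXDOMAIN")
    for client, parents in tunnel.items():
        for parent, lengths in parents.items():
            if len(lengths) >= min_tunnel_hits:
                findings[client].append(
                    f"tunnel: {len(lengths)} queries to {parent} "
                    f"with labels >= {tunnel_label_len} chars")
    return dict(findings)


if __name__ == "__main__":
    for client, notes in analyze(SAMPLE_LOG).items():
        print(client, notes)
```

Run against the constructed log, the script reports 10.0.0.9 for a burst of generated-looking, non-resolving domains and 10.0.0.12 for repeated long-label queries under one parent domain, while the ordinary lookups from 10.0.0.5 and 10.0.0.7 stay quiet. Production engines replace these fixed thresholds with frequency baselines per client, allowlists of known services and, for DGA families, trained classifiers; the point here is only the shape of the analysis.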
APTs follow a recognizable pattern. The list below shows at which stages of this pattern ATD and the other modules of the system intervene and detect anomalies:
- Information gathering (social engineering, scans) → Anomaly Detection
- Infection (vulnerabilities, misconfiguration) → Automated Reports
- Hidden communication → ATD
- Lateral movement → ATD, Anomaly Detection
- Data access / exfiltration → ATD, Anomaly Detection