How does the "Advanced Threat Detection" (ATD) work?

ATD is built on the shared characteristics and methods of advanced persistent threats (APTs). Unlike well-known, widespread malware, APTs are targeted attacks on specific organizations and far more complex. They also cost the attacker considerably more and unfold over weeks, months or even years.

ATD combines several types of analysis, including:

  • Detection of hidden (covert) channels used to control malware and exfiltrate data
  • Blacklisting and detection of domains produced by domain generation algorithms (DGAs)
  • Detection of virtual tunnels (encapsulation, VPN, etc.)
  • Frequency and behavioral analysis as well as signature-based detection
  • Detection of prohibited encrypted connections
  • Analysis of standard protocols being misused as hidden channels
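To make two of these analyses concrete, the following Python script is an added example (not the product's own code) that scores DNS queries for DGA-like names, checks them against a blacklist, and then runs a frequency analysis over the timing of the suspicious queries per client to spot beaconing. The log lines, the blacklist entry, the lexical thresholds and the beaconing thresholds are all constructed assumptions for illustration.

```python
import math
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed sample DNS log lines (epoch seconds, client IP, queried name).
# Made up for this example, not real telemetry.
DNS_LOG = """\
1700000000 10.0.0.5 www.example.com
1700000060 10.0.0.5 xk3v9qz2lm7pwr4t.com
1700000120 10.0.0.5 q8zr1vbn6tmlwk0d.net
1700000150 10.0.0.5 update.vendor.example
1700000180 10.0.0.5 a7hg3kpwz9xq2nsl.org
1700000240 10.0.0.5 vb1kz8mnq4tlp7xs.com
1700000020 10.0.0.7 mail.example.com
1700000935 10.0.0.7 news.example.org
1700003410 10.0.0.7 cdn.example.net
"""

# Hypothetical blacklist; a real deployment would load a threat-intel feed.
BLACKLIST = {"xk3v9qz2lm7pwr4t.com"}


def parse_log(text):
    """Parse lines into (timestamp, client, fqdn) tuples, skipping malformed ones."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, client, fqdn = parts
        records.append((int(ts), client, fqdn.lower().rstrip(".")))
    return records


def shannon_entropy(s):
    """Bits of entropy per character; random-looking labels score high."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def registrable_label(fqdn):
    """Label directly under the TLD (crude: ignores public-suffix lists)."""
    parts = fqdn.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_score(fqdn):
    """Number of lexical DGA indicators (0..4) present on the registrable label.
    The thresholds are illustrative assumptions, not tuned values."""
    label = registrable_label(fqdn)
    n = max(len(label), 1)
    vowel_ratio = sum(ch in "aeiou" for ch in label) / n
    digit_ratio = sum(ch.isdigit() for ch in label) / n
    return (
        (shannon_entropy(label) > 3.5)
        + (vowel_ratio < 0.25)
        + (digit_ratio > 0.15)
        + (len(label) >= 12)
    )


def is_suspicious(fqdn, dga_threshold=3):
    """Blacklist hit or enough DGA indicators."""
    return fqdn in BLACKLIST or dga_score(fqdn) >= dga_threshold


def beaconing_clients(records, min_intervals=3, max_cv=0.2):
    """Frequency analysis: a client whose suspicious queries recur at near-constant
    intervals (coefficient of variation <= max_cv) is reported as beaconing."""
    per_client = defaultdict(list)
    for ts, client, fqdn in records:
        if is_suspicious(fqdn):
            per_client[client].append(ts)
    flagged = {}
    for client, stamps in per_client.items():
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if len(gaps) < min_intervals:
            continue  # too few observations to call it periodic
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else 0.0
        if cv <= max_cv:
            flagged[client] = {"period_s": avg, "cv": round(cv, 3), "queries": len(stamps)}
    return flagged


def analyze(text):
    records = parse_log(text)
    suspicious = sorted({fqdn for _, _, fqdn in records if is_suspicious(fqdn)})
    return {"suspicious_domains": suspicious, "beaconing": beaconing_clients(records)}


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(DNS_LOG), indent=2))
```

Run stand-alone, the script reports the four random-looking domains queried by 10.0.0.5 and flags that client as beaconing with a 60-second period, while the legitimate query to update.vendor.example in between does not disturb the timing analysis because only suspicious queries are considered. Lexical DGA scoring alone produces false positives on CDN and tracking hostnames, which is why real products combine it with blacklists and with timing and behavioral signals as listed above.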

APTs follow a recognizable pattern. The list below shows at which stages of that pattern ATD and the other modules of the system intervene and detect anomalies:

  1. Reconnaissance (social engineering, scans) → Anomaly Detection
  2. Infection (vulnerabilities, misconfiguration) → Automated Reports
  3. Hidden command-and-control communication → ATD
  4. Lateral movement → ATD, Anomaly Detection
  5. Data access / exfiltration → ATD, Anomaly Detection
