Globe 1

Spot abnormal behavior in your own network: shift the focus to traffic patterns

Blue divider
Spot abnormal behavior in your own network- shift the focus to traffic patterns

The consistency and volume of attacks on corporate digital networks is increasing and the potential damage is enormous. Attacks are getting more sophisticated with a growth of highly targeted attacks. The supply side of the cybersecurity market currently focuses mainly on protection at the gate (firewalls, intrusion detection, etc.). Less attention is paid to detecting intruders that are already in internal networks – which is why you should shift your focus. 

Currently available detection solutions are mainly signature based methodologies; detection based on already known characteristics of malicious software. More advanced intruders will not (always) be detected in time by these signature-based detection solutions. By shifting the focus to traffic patterns within your network, you can detect the previously undetected. Normal versus strange behavior of nodes in a corporate network are picked up and our solutions give you alerts on highly sophisticated attacks better and faster.

To get a good picture of the scenario in which this solution can profit you, we refer to a use case here:

The Marriott hotel hack

Companies with a lot of sensitive data regularly have to deal with criminals and third parties who want to penetrate the network in order to check out ​​the level of network security. Setting up an internal position helps them to find out where interesting data is located in the network and how to send it to their own “command & control” center. A well-known example is the hack in the network of the Marriott hotel chain in which the data of 500 million customers was stolen.

Talk to one of SightLabs’ trusted experts!

In the network for 4 years

Forensic investigation into the origin of the hack concluded that the malicious software had already established itself in the network 4 years earlier. For an extended period of time, the intruder had been hiding and stayed inactive, a characteristic behavior of this type of advanced attack method. The Marriott hotel was provided with a state-of-the-art cybersecurity ecosystem with modern tools, but these were not able to recognize this targeted attack method in its own network. 

This scenario is a nightmare for the Chief Information Security Officers (CISOs) of organizations in the vital sectors and beyond. How do you recognize an intruder without knowing what it looks like, what the intruder is interested in and where in your network it is located?

Crucial stages if the intruder is already inside

To find a solution for this, we must look at the different phases of an attack from within. There are many ways an intruder could have entered the network; phishing, clicking on malicious websites or by human actions such as the use of infected USB sticks or by internal employees with malicious motives. Assuming the intruder is already inside, 3 crucial stages of the attack are important:

Phase 1: Reconnaissance
The moment the intruder collects information about a network, the security level scans a specific security situation and valuable data is sought in the network;

Phase 2: Data collection
The moment the data is collected in the internal network;

Phase 3: Sending the data to the attacker’s command & control center.
The moment the data is sent to the attacker’s command & control center.

Network Behavior Analytics

Network Behavior Anomaly Detection or Network Behavior Analytics are both terms for technologies and solutions aimed at detecting strange behavior in a network that point out either one of those three stages. To be able to detect these strange behaviors, data is needed that must be analyzed. The solutions therefore use data that is retrieved by tapping network data that is already available or data that is retrieved by placing active equipment in the customer’s network. Sometimes a combination of these solutions is used. 

It’s clear that network behavior anomaly detection could have prevented a case such as the Marriott hotel. SightLabs provides solutions that will lead to an alert/warning for the IT Security manager which will prevent the attack.

Phase 1: Reconnaissance
Anomaly based clustering has the potential to detect this phase, but as these are short moments of unusual network traffic, this will be a difficult phase to detect. This is therefore part of the research.

Phase 2: Data collection
Since this is unusual traffic combined with a higher volume, this will be a phase that fits the detection method being developed.

Phase 3: Sending the data to the attacker’s command & control center.
This involves setting up a connection and sending the data to an external node. This will take place by means of a DNS request. The SightLabs DNS Anomaly Detection tool will detect this in most cases.

Are you ready to start detecting the undetected?


Talk to one of SightLabs’ trusted experts!

This field is for validation purposes and should be left unchanged.

Read how SightLabs detects your undetected breaches

We work on cutting-edge cyber security technology to protect you against the damaging impact of sophisticated and targeted cyberattacks. Learn more about our ethics, solutions and pricing in our brochure.
DNS Ninja

DNS Ninja

Anomaly detection

Anomaly Detection



Network behaviour

Network Behaviour