Synergetic Effects of Network and Host Based APT Detection

People often ask me whether they still need our host-based scanner THOR now that they have bought a network appliance that already inspects all content entering and leaving their network. My usual answer is that it is not a question of one solution versus the other, but of combining both to achieve the best possible result.

It is not difficult to see that both solutions apply different detection techniques, as they analyze different elements and provide different perspectives. It is hard for a host-based solution to detect zero-day exploits, C2 back-connects and malicious content inside a network connection. Conversely, it is impossible or at least difficult for a network-based solution to detect system anomalies, malware-less backdoors, web shells and Eventlog- or Registry-based traces of hacking activity.

I collected and composed different aspects of advanced persistent threat protection in the following infographic. The colors (grey and aquamarine) indicate the coverage by the respective solutions. The graphic is not based on research and may vary in specific cases; it is meant to roughly visualize the different perspectives and the high coverage you achieve by combining both solutions.

[Infographic: Endpoint APT Detection and Network APT Detection]

I should add that we currently provide THOR only to a limited group of customers, mainly European corporations, government institutions and certain CSIRTs within the European Union. THOR’s little brother LOKI offers a much reduced feature set but may be sufficient, and FENRIR is a dependency-less IOC scanner for Unix-based target systems written in bash. For a Windows PowerShell solution, check out Kansa by Dave Hull; it also allows a distributed scan run using LOKI.
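To make the host-only perspective concrete, here is an added example (my own sketch, not FENRIR's code and not part of the original post): a dependency-less IOC scanner in POSIX sh that checks the kinds of endpoint artifacts a network sensor never sees, namely a known file name, a file hash and a web shell signature in file content. It assumes GNU coreutils (find, sha256sum, cut) and grep, and builds its own constructed sample files.

```shell
#!/bin/sh
# Minimal host-based IOC scanner in the spirit of FENRIR (added example, not
# FENRIR's own code). It needs only coreutils (find, sha256sum, cut) and grep,
# and checks three indicator types that only exist on the endpoint: file
# names, SHA-256 hashes and content strings (here a web shell signature).

# scan_dir DIR NAME_IOCS HASH_IOCS STRING_IOCS
# Each IOC file holds one indicator per line.
# Prints one "TYPE<TAB>FILE<TAB>INDICATOR" line per hit.
scan_dir() {
    dir=$1; names=$2; hashes=$3; strings=$4
    find "$dir" -type f | while IFS= read -r f; do
        base=$(basename "$f")
        # filename IOC: exact match of the basename against the list
        if grep -qxF -e "$base" "$names"; then
            printf 'FILENAME\t%s\t%s\n' "$f" "$base"
        fi
        # hash IOC: hash the file once and look the digest up in the list
        h=$(sha256sum "$f" | cut -d' ' -f1)
        if grep -qxF -e "$h" "$hashes"; then
            printf 'HASH\t%s\t%s\n' "$f" "$h"
        fi
        # string IOC: fixed-string search of the content, one pattern per line
        while IFS= read -r s; do
            if [ -n "$s" ] && grep -qF -e "$s" "$f"; then
                printf 'STRING\t%s\t%s\n' "$f" "$s"
            fi
        done < "$strings"
    done
}

# run_demo builds a constructed sample tree (hypothetical data), scans it and
# prints the hits; expected are three: FILENAME and HASH for the dropper,
# STRING for the web shell, nothing for the clean file.
run_demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/target/www" "$tmp/target/tmp" "$tmp/ioc"
    # constructed web shell: PHP that evaluates a decoded POST parameter
    printf '<?php eval(base64_decode($_POST["c"])); ?>\n' > "$tmp/target/www/img.php"
    # constructed dropper under a suspicious name, matched by name and by hash
    printf 'placeholder dropper bytes\n' > "$tmp/target/tmp/svchost.exe"
    # clean file that must not be flagged
    printf 'hello world\n' > "$tmp/target/www/index.html"
    printf 'svchost.exe\n' > "$tmp/ioc/names"
    sha256sum "$tmp/target/tmp/svchost.exe" | cut -d' ' -f1 > "$tmp/ioc/hashes"
    printf 'eval(base64_decode(\n' > "$tmp/ioc/strings"
    scan_dir "$tmp/target" "$tmp/ioc/names" "$tmp/ioc/hashes" "$tmp/ioc/strings"
    rm -rf "$tmp"
}
```

Run `run_demo` to see the three hits; none of them would be visible on the wire, which is exactly the gap a network appliance leaves.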


About Florian Roth

Senior IT Security Engineer: THOR APT Scanner, Security Monitoring and SIEM, Web Application Audits, Advanced Persistent Threats (APT), Malware Analysis, Incident Response, Intrusion Detection, Perl / Python / .NET Programming, Data Visualization

Discuss: “Synergetic Effects of Network and Host Based APT Detection”

  1. December 22, 2015 at 12:58 pm

    Agreed, 100%. For far too long, the focus has been solely on the network, with little or no regard given to the endpoints.

    Posted by H. Carvey
  2. February 17, 2017 at 10:36 am

    If endpoints were always static and never left the network, then we could have a discussion. However, we know this is not the case, so the dual approach is required and assuming even greater importance day by day.

    Posted by Mitch Impey
