Detecting and Disrupting Compromised Devices based on Their Communication Patterns to Legitimate Web Services
Data breaches have been among the most destructive and prominent security threats that enterprises have faced in recent years. Some well-known APT groups, as well as cybercriminals, leverage legitimate web services such as GitHub, Twitter, Google Storage, and many more in order to achieve their attack goals and breach an enterprise. Even supply chain attacks make use of the same legitimate web services, simply in a malicious manner.
Many network mechanisms rely on signatures to block outgoing communication from enterprise devices to malicious destinations in order to defend against such attacks. But what happens when you can’t simply block that destination? You’re not going to block all outgoing communication to GitHub, are you?
We suggest applying UEBA (User and Entity Behavior Analytics) to detect such malicious botnet activity, together with other mitigation options such as monitoring or blocking specific sessions or devices.
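As an added illustration of the behavioral approach described above (example code written for this page, not the speakers' own system), the following Python check baselines each device's own use of GitHub from constructed proxy log lines and flags devices whose requests are both clock-regular and far above that baseline; the device names, timestamps, baseline values and thresholds are all constructed for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample proxy log: "<epoch_seconds> <device> <destination_host>".
SAMPLE_LOG = """\
1000 dev-laptop-01 github.com
1130 dev-laptop-01 api.github.com
1300 dev-laptop-01 github.com
2100 dev-laptop-01 raw.githubusercontent.com
3000 finance-pc-07 raw.githubusercontent.com
3600 finance-pc-07 raw.githubusercontent.com
4200 finance-pc-07 raw.githubusercontent.com
4800 finance-pc-07 raw.githubusercontent.com
5400 finance-pc-07 raw.githubusercontent.com
"""
# Constructed baseline: mean requests to the service per window, per device.
BASELINE = {"dev-laptop-01": 20.0}   # finance-pc-07 has never used GitHub
SERVICE_SUFFIXES = ("github.com", "githubusercontent.com")

def parse_log(text):
    """Return {device: [sorted timestamps]} for requests to the allowed service."""
    per_device = defaultdict(list)
    for line in text.splitlines():
        ts, device, host = line.split()
        if host.endswith(SERVICE_SUFFIXES):
            per_device[device].append(int(ts))
    return {d: sorted(t) for d, t in per_device.items()}

def beacon_score(timestamps):
    """Coefficient of variation of inter-request gaps. Near 0 means clock-like
    regularity (beaconing); interactive use and build tools are far jitterier."""
    if len(timestamps) < 4:
        return None   # too few requests to judge regularity
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    avg = mean(gaps)
    return pstdev(gaps) / avg if avg else 0.0

def flag_devices(text, baseline, max_cv=0.1, ratio=3.0):
    """Flag devices that beacon AND exceed ratio x their own baseline volume.
    A device with no history of using the service gets a stronger response
    than one that normally uses it (block device vs. monitor its sessions)."""
    findings = {}
    for device, ts in parse_log(text).items():
        cv = beacon_score(ts)
        expected = baseline.get(device, 0.0)
        if cv is None or cv > max_cv or len(ts) <= ratio * expected:
            continue
        action = "block device" if expected == 0.0 else "monitor sessions"
        findings[device] = {"count": len(ts), "cv": round(cv, 3), "action": action}
    return findings
```

On the sample data the developer laptop's jittery GitHub use is left alone, while the finance PC's five evenly spaced requests to a service it has never used before are flagged for blocking.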