Skip to content

Tracking Turla: ESET researchers discover attack on governmental websites in Armenia

BRATISLAVA, MONTREAL – ESET researchers have found a watering hole operation targeting several high-profile Armenian websites. It relies on a social engineering trick — a fake Adobe Flash update — as a lure to deliver two previously undocumented pieces of malware. In this specific operation, Turla has compromised at least four Armenian websites, including two belonging to the government. Thus, it is likely the targets include government officials and politicians.

Turla is an infamous cyberespionage group active for more than 10 years. Its main targets are government and military organizations. This recent operation bears similarities to the modus operandi of several of Turla’s watering hole campaigns in the past.

ESET Research has indications that these websites had been compromised since at least the beginning of 2019. We notified the Armenian national CERT and shared our analysis with them before publication.

“If the visitor is deemed interesting, the C&C server replies with a piece of JavaScript code that creates an IFrame. Data from ESET telemetry suggests that, for this campaign, only a very limited number of visitors were considered interesting by Turla’s operators,” comments ESET researcher Matthieu Faou on the victims of the attack.

“A fake Adobe Flash update pop-up window warning to the user is displayed in order to trick them into downloading a malicious Flash installer. The compromise attempt relies solely on this social engineering trick,” he adds.

Interestingly, in this latest campaign Turla utilizes a completely new backdoor dubbed PyFlash. ESET believes this is the first time the Turla developers have used the Python language in a backdoor. The command and control server sends backdoor commands that include downloading files, executing Windows commands, and launching or uninstalling malware. “The final payload has changed, probably in order to evade detection,” explains Faou.

For more details about the latest Turla campaign, read the blogpost Tracking Turla: New backdoor delivered via Armenian watering holes on WeLiveSecurity. Make sure to follow ESET research on Twitter for the latest news from ESET Research.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.

ESET Research dissects Guildma: Most impactful and YouTube-abusing Latin American banking trojan

BRATISLAVA, PRAGUE – In the latest installment about Latin American banking trojans, ESET researchers take a deep look at the most impactful and advanced banking trojan we have seen in this series and in the region: Guildma. This malware is specifically targeting banking institutions and attempts to steal credentials for email accounts, e-shops and streaming services in Brazil. It affects at least 10 times as many victims as other Latin American banking trojans that ESET Research has analyzed. During its peak – a massive campaign in 2019 – ESET recorded up to 50,000 attacks per day. Guildma spreads exclusively via spam emails with malicious attachments.

In one of its latest versions, Guildma employs a new way of distributing command and control servers, abusing YouTube and Facebook profiles. However, the authors stopped using Facebook almost immediately and, at least at this time, are relying fully on YouTube.

“Guildma uses very innovative methods of execution and sophisticated attack techniques. The actual attack is orchestrated by its C&C server. This gives the authors greater flexibility to react to countermeasures implemented by the targeted banks,” explains Robert Šuman, the ESET researcher leading the team analyzing Guildma.

Guildma boasts a backdoor with multiple functionalities, including taking screenshots, capturing keystrokes, emulating keyboard and mouse, blocking shortcuts (such as disabling Alt + F4 to make it harder to get rid of fake windows it may display), downloading and executing files, and/or rebooting the machine. In addition, Guildma is very modular and currently consists of at least 10 modules. The malware uses tools already present on the machine and reuses its own techniques. “New techniques are added every once in a while, but for the most part, the developers seem to simply reuse techniques from older versions,” says Šuman.

In one of the earlier 2019 versions, Guildma added the capability to target institutions (mainly banks) outside of Brazil. Despite that, over the past 14 months, ESET has not observed any international campaigns outside Brazil. The attackers went as far as to block any downloads from non-Brazilian IP addresses.

Guildma campaigns were ramping up slowly until a massive campaign in August 2019, when ESET Research recorded up to 50,000 samples per day. This campaign went on for almost two months and accounted for more than double the amount of detections seen in the 10 months prior.

First-stage Guildma detections since July 2019

First-stage Guildma detections since July 2019

The trojan has seemingly gone through many versions during its development, but there was usually very little development between versions due to its clunky architecture.

Distribution chain of Guildma in the latest version analyzed by ESET (150)

Guildma shares several prevailing characteristics of Latin American banking trojans. For more technical details, read the blog post Guildma: The devil drives electric on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research. 

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.

ESET discovers Kr00K: Communications of a billion+ devices were at risk

BRATISLAVA, SAN FRANCISCO – February 26, 2020 – ESET researchers have discovered Kr00k (CVE-2019-15126), a previously unknown vulnerability in Wi-Fi chips used in many client devices, Wi-Fi access points and routers.

Kr00k is a vulnerability that causes the network communication of an affected device to be encrypted with an all-zero encryption key. In a successful attack, this allows an adversary to decrypt wireless network packets.

The discovery of Kr00k follows previous ESET research into the Amazon Echo being vulnerable to KRACKs (Key Reinstallation Attacks). Kr00k is related to KRACK, but is also fundamentally different. During the investigation into KRACK, ESET researchers identified Kr00k as one of the causes behind the “reinstallation” of an all-zero encryption key observed in tests for KRACK attacks. Subsequent to our research, most major device manufacturers have released patches.

Kr00k is particularly dangerous because it has affected over a billion Wi-Fi enabled devices – a conservative estimate.

ESET will publicly present its research into this vulnerability for the first time on February 26 at the RSA Conference 2020.

Kr00k affects all devices with Broadcom and Cypress Wi-Fi chips that remain unpatched. These are the most common Wi-Fi chips used in today’s client devices. Wi-Fi access points and routers are also affected by the vulnerability, making even environments with patched client devices vulnerable. ESET tested and confirmed that among the vulnerable devices were client devices by Amazon (Echo, Kindle), Apple (iPhone, iPad, MacBook), Google (Nexus), Samsung (Galaxy), Raspberry (Pi 3) and Xiaomi (Redmi), as well as access points by Asus and Huawei.

ESET responsibly disclosed the vulnerability to the chip manufacturers Broadcom and Cypress, who subsequently released patches. We also worked with the Industry Consortium for Advancement of Security on the Internet (ICASI) to ensure that all possibly affected parties – including affected device manufacturers using the vulnerable chips, as well as other possibly affected chip manufacturers – were aware of Kr00k. According to our information, devices by major manufacturers have now been patched.

“Kr00k manifests itself after Wi-Fi disassociations – which can happen naturally, for example due to a weak Wi-Fi signal, or may be manually triggered by an attacker. If an attack is successful, several kilobytes of potentially sensitive information can be exposed,” explains Miloš Čermák, the lead ESET researcher into the Kr00k vulnerability. “By repeatedly triggering disassociations, the attacker can capture a number of network packets with potentially sensitive data,” he adds.

 

Figure: An active attacker can trigger disassociations to capture and decrypt data.

“To protect yourself, as a user, make sure you have updated all your Wi-Fi capable devices, including phones, tablets, laptops, IoT smart devices, and Wi-Fi access points and routers, to the latest firmware version,” advises Robert Lipovský, an ESET researcher working with the Kr00k vulnerability research team. “Of great concern is that not only client devices, but also Wi-Fi access points and routers that have been affected by Kr00k. This greatly increases the attack surface, as an adversary can decrypt data that was transmitted by a vulnerable access point, which is often beyond your control, to your device, which doesn’t have to be vulnerable.”

For more technical details about Kr00k, read the white paper Kr00k – CVE-2019-15126 Serious vulnerability deep inside your Wi-Fi encryption and blogpost on WeLiveSecurity. Make sure to check out Kr00k in depth on its dedicated landing page and follow ESET Research on Twitter for the latest news from ESET Research.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.

BEING “SMART” DOESN’T MAKE YOU SAFE

As you may have noticed, we have posted a lot on LinkedIn recently about new cyber attacks. The biggest link between these is that those attacks are commonly caused by not following best practices, or relying only on “legacy” security tools and/or the use of weak passwords.

Even with the use of today’s most advanced security tools, it can all fail at the weakest link of the security chain – people. According to csoonline, 56% of IT decision-makers claim that targeted phishing attacks are their top security threat. And this fear isn’t wrong. Everyone can be conned, even conmen. In many cases, it’s easier to get inside of the network if you abuse that fact. The most commonly used methods of exploiting people are phishing and blackmailing.

Phishing in its simplest form can be easily detected by regular humans. Because it’s not targeted, people on the receiving end can simply ask question “why did I get this email when it has nothing to do with me?” When it comes to more advanced phishing forms, like “whale” (going for the big target, e.g. top management or CEO) or spear phishing (targeted attacks against certain group/ individual), the attacker does the research and gets to know as much as possible about victims, which can be done with a search on the Internet or dumpster diving (think about what you throw away – are there any documents?). Once equipped with knowledge about the target, those attempts are way more effective.

Let’s examine it the security context. In this example, paraphrased from Christopher Hadnagy’s book “Social Engineering: The Art of Human Hacking,” an overconfident CEO is the target. The CEO thought that it’s not possible to hack him mainly for two reasons: he doesn’t utilize much technology in his personal life, and he thought that he was too smart to fall for phishing. Turns out he wasn’t that smart after all. In this example, the CEO expected an audit and readied himself for it. After scouring various sources of information, attackers decided to go with: the name of his favorite baseball team, favorite restaurant, and that he contributed funding to cancer research. On one Friday evening, a phone call took place. In it, the attacker approached the CEO with a plea asking about small contribution to the cancer cure research stating that here will be also a contest for contributors – winners will get two tickets to CEO’s favorite baseball team match (claiming that they know that baseball is not everyone’s cup of tea) and a voucher to one of three restaurants, including CEO’s favorite one. The CEO was willing to contribute, motivated by his desire to cure cancer and the possibility of winning tickets and a voucher, he told the attacker his email address, so they would be able to send him a .pdf file. That file contained a malicious code and CEO opened it, thus providing the attacker with access to his computer and everything in its reach.

Now that his computer has been compromised, as well as access to everything within the organization his authority (and passwords) will let him touch. So what to do? The attacker has access from his computer, so access rights to sensitive files are not an issue, nor is it an issue for the security team that the CEO is accessing files throughout the company. Is there a way to identify that the “CEO” accessing sensitive data is not actually the “real” CEO? Here’s where NTA technology can help. The next step following gaining access to the CEO’s accounts is to exfiltrate data. Network traffic analysis identifies that the computer in question is transmitting data where it shouldn’t, and/or in volumes that it shouldn’t. The computer can then be quarantined, the CEO alerted, and the attacker caught.

But while phishing may be the attack that’s on the mind of management, IT teams understand that “legacy” security tools, like sandbox, IDS, endpoint security or even a firewall, are not sufficient anymore. Let’s look at why.

Modern malware has many methods of detecting if it has infiltrated a “real” environment, or in cases of targeted attacks, if it has hit the right target. When such malware determines that it could be exposed, it lies dormant. This means that if you check everything that enters your company using a sandbox, malicious software can still enter the network if it is sufficiently advanced.

Known threats are usually detected by known patterns or hashes used by endpoint security or IDS, which makes them ineffective against new or advanced threats. Some endpoint security tools use AI to determine malicious behavior and are better equipped to fight new threats, but not every device can have endpoint security. Personal or “bring your own device (BYOD)” are a great example – like a laptop that an employee brings from home and connects to the network – or an IoT sensor where endpoint software cannot be installed. These devices are connected, but not secured by endpoint security.

Firewalls are essential to any networks security infrastructure, and stop communication that goes through them, meaning that generally they are able to protect the company for any threat that comes from the external network. But what if the attack starts after a user accidentally opens a communication link which allows the attacker to get behind the firewall and inside the network? What if the threat was brought inside the company by other means than through the Internet and then tries to spread in the internal network?

While the technology is different in each of these possible attacks, they all have one thing in common – attackers who exploit a gap in the security. The best gap fillers currently available are NTA solutions, like MENDEL from GREYCORTEX. MENDEL monitors all network traffic and analyzes changes of behavior in hosts, detects policy violations, data leaks, and much more. Not every unauthorized entry can be prevented before hit happens. Relying on legacy security tools means it can take months (some statistics reference nearly 200 days) to detect attackers as they move in the network. NTA solutions like MENDEL lower this time to between minutes and a few hours, often before actual damage happens in the network or the attacker knows they’ve gained access.

The question is not if you will get hacked. The question is when you will get hacked. And when that happens, are you ready for it and can you stop it, or will you still rely solely on best practices, as the CEO did, or on “legacy” security tools?

MENDEL TECHNOLOGY MAXIMIZES SECURITY FOR COST

Cybercrime is evolving at drammatic speed and at every moment, hackers and attackers are figuring out new strategies to compromise organizations and industries. The cybersecurity sector must not fall behind these attackers.

But the number of technologies claiming to create cybersecurity is vast. Organizational spending and reallocating investments to the right network security sector can help reduce cost of cyber breaches. A recent report produced by Accenture, with an independent survey by the Ponemon Institute indicates that among the higher-valued security technologies per cost; machine learning tools and extensive use of cyber analytics and user behavior analytics, have a high return on investment – in other words, they can bring a greater security benefit for a lower cost. Yet, conversely, Accenture reports that these high value technologies are under-deployed compared to other tools in the marketplace.

MENDEL, from GREYCORTEX makes extensive use of machine learning and behavior analytics to identify cyber threats, protecting the network from attacks which would be unknown and unseen by other security tools.

To find out more about MENDEL’s machine learning technology can help you, or to schedule a demonstration, contact your local GREYCORTEX partner, or GREYCORTEX directly.

With this findings comes opportunity to focus on the right technology to protect a company’s assets.

Study and images are found in the following study: https://www.accenture.com/t20170926T072837Z__w__/us-en/_acnmedia/PDF-61/Accenture-2017-CostCyberCrimeStudy.pdf

THREAT HUNTING WITH MENDEL

“Threat hunting,” or “cyber threat hunting” is the process of proactively and iteratively searching through networks and datasets to detect threats that evade existing automated tools and is done by a threat hunter or security analyst. It is essential for network security because it works to identify hidden threats within an existing set of network data.
Threat hunting utilizes manual techniques from the threat hunter and machine-assisted techniques, the combination of which aims to find Tactics, Techniques, and Procedures (TTPs) of advanced adversaries. While this methodology is both time-tested and effective, it is also time consuming, and can sometimes miss important clues in mountains of network data. In the article below, we will discuss not only what threat hunting is, but also how it can be made more efficient through the use of modern tools.
Download the article here.

GREYCORTEX MENDEL DETECTS BADRABBIT

GREYCORTEX is happy to report that it is able to detect the BadRabbit ransomware. This ransomware appeared in Eastern Europe (Russia, Ukraine) but has begun to spread across several countries including South Korea, Poland, the Baltic, and regions. It uses an NSA-based exploit known as “EternalRomance” to enter networks and spreads by SMB port.
MENDEL is able to detect this ransomware in two different ways:

  • MENDEL’s integrated ruleset includes a rule specifically detecting the BadRabbit ransomware.
  • Independent from this IDS rule, MENDEL’s advanced artificial intelligence and machine learning detects the ransomware’s anomalous port sweep activity.

This detection capability demonstrates that MENDEL can identify unknown threats before rules are created in rules-based security tools. MENDEL provides network security teams vital extra time to protect their networks.

MENDEL: SECURITY AND VISIBILITY IN NETWORK MANAGEMENT

Network management is a stressful proposition, comprising not only the administration of the network, but also maintaining its performance, provisioning devices, etc. With the number of devices in a network growing – due in part to IoT within the office and BYOD which come and go frequently, and the risks of advanced persistent malware, the stress is only increasing.

Luckily, GREYCORTEX MENDEL helps reduce the stress of network administration. According to recent studies, 76% of IT Professionals cite lack of visibility as a challenge in addressing issues in their networks. MENDEL offers full network visibility, up to, and including the application layer, without profiling a specific subnet or host. This means that whenever a new device enters the network, or a subnet or host is moved, identifying vulnerabilities or reconnecting appropriate devices is easy to accomplish.

MENDEL also helps network administrators improve their security, especially against advanced threats hiding within a network. It is common to use firewalls, antivirus, but also SIEMs, IPS, sandboxes, etc to protect a network. These various solutions all overlap for layered security, but each can be defeated.

Currently it takes 46 days to detect a network breach. MENDEL steps into these gaps by identifying anomalous network traffic activity, differentiating between human and machine activity, and integrating robust IDS rulesets to identify threats before they can do damage – often within hours. In some cases, like the recent WannaCry ransomware attack, MENDEL was able to identify the attack in a matter of minutes, well before it could start encrypting files.

MENDEL is based on machine learning and big data analysis. It installs in 30 minutes and can be configured in under two hours. It monitors networks using network traffic analysis without slowing traffic. Because deployment is painless, and network speed is preserved, a risk free 30 day trial is truly “risk free.” To find out more about MENDEL, or to see what may be hiding in your network from a 30 day trial, contact your local distributor or GREYCORTEX directly.

“TALES FROM THE MALWARE LAB” IS LIVE!

Following the success of our video describing the WannaCry ransomware, we are happy to announce an ongoing series of YouTube videos: “Tales from the Malware Lab – Powered by GREYCORTEX.” In it, we will leverage our in-house malware lab, complete with the latest version of GREYCORTEX MENDEL to provide useful information about emerging network security threats in an easy-to-follow visual format.

 The videos will provide an overview of each threat’s activity within the network, and visualize these attacks from the network traffic analysis standpoint. We are releasing these videos as a public service to the greater network security community, which will benefit from this video-based approach to malware.

 The first video, addressing the “EternalRocks” malware, is available here: https://youtu.be/vI1lRi5e-SM

GREYCORTEX IN CYBER DEFENSE MAGAZINE

Martin Korec’s article “Integration May Answer Questions in Machine Intelligence” has been published in the most recent edition of Cyber Defense Magazine’s “Cyberwarnings Newsletter.” A .pdf of the issue is available here. We have included the full article below.

Integration May Answer Questions in Machine Intelligence

Introduction

You are probably familiar with terms “Artificial Intelligence” and “Machine Learning,” i.e. the idea that computers can be taught to learn, and then make predictions based on the data they are given. Artificial Intelligence/Machine learning tools present huge opportunities in many areas, especially in cyber security. The UK government considers it technology which is the engine of the digital revolution. But, some are skeptical. Gartner put Machine Learning (a subset of Artificial Intelligence) at the “Peak of Inflated Expectations” in its 2015 Hype Cycle. Simon Crosby of Bromium considers these tools to be a “pipe dream.”

What Are Artificial Intelligence and Machine Learning?

Machine Learning is a subset of Artificial Intelligence, and both address the capability of machines to be taught to make predictions based on “learned” data. Both are popular terms in marketing materials, and are often confused. Deloitte has decided that a better term is “Machine Intelligence” – describing it as “an umbrella term for a collection of advances representing a new cognitive era. We are talking here about a number of cognitive tools that have evolved rapidly in recent years: machine learning, deep learning, advanced cognitive analytics, robotics process automation, and bots, to name a few.” We’ll use Machine Intelligence here (partly because “Artificial Learning” didn’t work as well) to mean the use of data analytic/predictive tools in the network security context.

The Benefits of Machine Intelligence

The essential benefit in Machine Intelligence is that it can take truly massive amounts of data, analyze it in real time, and identify anomalous or malicious behaviors invisible to manual review, or which would not be accurately identified through static detection rulesets (which are also a hassle to set up). Of course, the more data a Machine Intelligence solution has, the more effectively it can do its job. Some have claimed prediction can be improved by over 90%. If the solution has limited data from only Netflow, it is limited in its effectiveness. If input data comes from the every layer of the network, then it can identify anomalies at each layer, and each device within each layer. This means the Machine Intelligence solution identifies behavior – like advanced persistent threats or insider attacks – that may be limited or very well hidden among massive volumes of network traffic, and which would be missed by a security team pre-programming logic in SIEM systems, even well thought-out ones (a limitation of SIEM systems), or working with an IDS ruleset alone.

Some Claim Machine Intelligence has Drawbacks

Advanced analytics have been around for 20 years or more, there must be something wrong with them, or we’d all be using them. Right? Naturally, as with anything created by humans, Machine Intelligence solutions can be defeated by other humans. However, there are several existing approaches, including classification algorithms, proven to successfully mimic security analyst behavior which can be used in design and testing to avoid defeat by new threat samples. A second criticism of Machine Intelligence solutions is that they are not “plug and play,” e.g. that they need analyst time to filter out false positives/e.g teach the system what is a threat and what isn’t. Failure to do so leads to excessive false positives and alert fatigue. Alert fatigue is a problem. A recent article suggests that over half of security professionals are missing alerts they should address. However, MIT research indicates that human/Machine Intelligence collaboration is actually beneficial and can reduce false positives by close to 85%. Furthermore, while Machine Intelligence solutions may not be “plug and play,” their implementation time is much lower as compared to SIEM systems (hours vs. months) and training the machine on false positives requires a very small actual time commitment (minutes a day).

Bringing Solutions Together

Is it possible to have the benefits of Machine Intelligence technology, but minimize the hassles? Is it possible to use Machine Intelligence in such a way that this technology is used for truly advanced analysis, reducing false positives and saving the security team’s time? Integrating several features/technology types into one solution mitigates several issues with Machine Intelligence technology, and creates a more efficient system. Specifically, integrating with IDS rules and network performance monitoring is an efficient means of improving network security by joining complimentary features and data sets.

Advantages

In such an integration, detection is more effective and false positives are reduced. Less time training the system is required, and information that is “trained” starts from a more accurate position.

Integration with an IDS ruleset specifically brings two benefits: The first is that the IDS, a list of existing rules and known signatures, helps the Machine Intelligence tools function more efficiently, by determining early in the data analysis that certain traffic matches known malicious code or patterns, creating a deeper chance for analysis of events that do not trigger an IDS alert. Secondly, this type of integration has the added benefit of identifying for the Machine Intelligence tools what particular viruses/malware/trojans, etc, look like. This means that the predictive analysis tools have more, and more accurate data upon which to build their analysis. This data is also available much more quickly than if the solution was completely self-educating, or assisted only by the security team.

This also applies to adding a performance monitoring capability. A more informed and more efficient Machine Intelligence solution exists because traffic data is integrated to help it spot things like too many communication partners, services which haven’t been used before, exceptional network application delays, changed MAC addresses, or new devices or services in the network.

Integration also benefits the security team, because integrated IDS data increases efficiency. Not only does the team spend less time training the system (see above) but it also means more accurate results, resulting in less risk of alert fatigue. Alerts that actually matter are less likely to be missed as a result of the process.

In summary, Machine Intelligence technology, despite what its detractors suggest, is here to stay. Though all providers may not be using its full capabilities, its potential is too great, and its benefits in terms of detection of advanced threats too tangible for it to be given up. But, it can be improved. An integrated approach; featuring several different types of input and analysis helps to streamline Machine Intelligence data analysis, making it more effective and improves the functionality of the integrated tools. This means more effective and more efficient network security, and more family time for security analysts.