ATD/ATP

What is Advanced Threat Detection and how does it work?

Advanced Threat Detection or ATD is a bit of a vague name. If for nothing else, then because every self-respecting vendor says its products are advanced, or next generation.

An example conversation on the topic of ATD:
»You have email security?«
»No, no, no! It’s ADVANCED Email Protection!«
»You sell firewalls?«
»What!?!?! We build NEXTGEN firewall platforms!«

So, are you having “fun” trying unsuccessfully to figure out what ATD really is?

ATD solutions have many aspects: they can protect web, email, endpoints, network traffic, file shares and much more from advanced threats. There might be multiple deployment options, like on-premise, cloud, hybrid and so on. You might use ATD just for web, or for web and email, include it at the endpoints and file shares as well, or orchestrate everything together in one giant, well-performing, integrated solution that is well backed up by intelligence and services.

Vendors who were already covering standard web, email and network security, like Forcepoint, developed ATD for those channels. Some vendors, like McAfee Enterprise, also included it in their endpoint security solutions. Vendors whose focus was ATD from the start, like FireEye (now Trellix), the pioneer in this field, have well-interconnected, intelligence-driven solutions for all platforms, plus services to properly back them up.

But the core functionality or purpose of all those solutions is similar: to discover advanced modern threats in a very different way than traditional solutions do. Malware has evolved to evade detection by antivirus, intrusion prevention, firewalls, and other traditional IT security solutions, which is why advanced threat detection was developed in the first place.

Different ATD solutions might use multiple techniques, but the most common and basic concept is sandboxing.

A sandboxing solution captures files, objects and other program code in monitored traffic and executes them in closed, controlled virtual environments. In this sandbox environment the potential malware, if executed, will not cause damage and will not be able to spread. The sandbox system is closely monitored while the code is being executed. Using behavioural analysis, the sandbox solution is then able to detect whether the executed code does things that malware usually does, like creating or modifying files in system folders, changing memory, adding registry entries, hiding in other processes, opening connections to suspicious servers, trying to connect to other computers in the local network etc.
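The behavioural analysis described above, as an added example that is not taken from any vendor's product: a small scorer that runs over a monitored execution trace and flags the behaviours the paragraph lists. The event schema, indicator lists, weights and threshold are assumptions made for this illustration, and both traces are constructed.

```python
import ipaddress
from pathlib import PureWindowsPath
# Hypothetical event schema, indicator lists and weights, for illustration only.
SYSTEM_DIRS = [PureWindowsPath(r"C:\Windows"), PureWindowsPath(r"C:\Program Files")]
SUSPICIOUS_HOSTS = {"203.0.113.50"}  # constructed (documentation address range)
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WEIGHTS = {"system_file_write": 3, "registry_add": 2, "process_injection": 4,
           "suspicious_connection": 4, "local_network_connection": 3}
THRESHOLD = 6  # assumed cut-off: one weak signal alone does not convict

def classify(event):
    """Map one monitored event to a behaviour label, or None if unremarkable."""
    kind = event["type"]
    if kind == "file_write":
        path = PureWindowsPath(event["path"])  # Windows paths compare case-insensitively
        if any(d in path.parents for d in SYSTEM_DIRS):
            return "system_file_write"
    elif kind == "registry_set":
        return "registry_add"
    elif kind == "memory_write" and event["target_pid"] != event["pid"]:
        return "process_injection"  # writing into another process's memory
    elif kind == "net_connect":
        if event["dst"] in SUSPICIOUS_HOSTS:
            return "suspicious_connection"
        if any(ipaddress.ip_address(event["dst"]) in n for n in LOCAL_NETS):
            return "local_network_connection"
    return None

def analyse(trace):
    """Score a whole execution trace; each distinct behaviour counts once."""
    seen = {b for b in map(classify, trace) if b}
    score = sum(WEIGHTS[b] for b in seen)
    verdict = "malicious" if score >= THRESHOLD else "benign"
    return {"behaviours": sorted(seen), "score": score, "verdict": verdict}

# Constructed traces: an unknown sample, and an ordinary document editor.
SAMPLE_TRACE = [
    {"type": "file_write", "pid": 4120, "path": r"c:\windows\system32\updsvc.exe"},
    {"type": "registry_set", "pid": 4120, "key": r"HKCU\Software\Example\Value"},
    {"type": "memory_write", "pid": 4120, "target_pid": 612},
    {"type": "net_connect", "pid": 4120, "dst": "203.0.113.50"},
    {"type": "net_connect", "pid": 4120, "dst": "192.168.1.20"},
]
EDITOR_TRACE = [
    {"type": "file_write", "pid": 900, "path": r"C:\Users\alice\Documents\report.docx"},
    {"type": "registry_set", "pid": 900, "key": r"HKCU\Software\Editor\RecentFiles"},
    {"type": "net_connect", "pid": 900, "dst": "198.51.100.7"},
]
```

The editor trace also writes a registry entry, but that single low-weight behaviour stays under the threshold, while the combination of behaviours in the sample trace does not.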

Unknown malware detected this way would otherwise never be detected by traditional solutions. But, as said, sandboxing is just the basic concept of ATD solutions and, honestly, this concept has been around for quite a long time, so malware developers have had time to develop their own advanced techniques for avoiding sandboxing solutions.

That is why real Advanced Threat Detection and Prevention solutions utilize many additional, truly advanced concepts to counter malware’s ATD evasion techniques. Those advanced ATD concepts include custom-built hypervisors, simulation of user interaction in the virtual environment, accelerating time, correlation between multiple virtual environments with different operating systems, software and vectors of attack, contextual intelligence and many others.

So, yes, the A in ATD really stands for Advanced, but you need to analyse and compare the “claim to be” ATD solutions very carefully, so that you do not implement something that gives you just a false sense of security. ATD, after all, is currently usually considered the last line of your cyber defense.