Using specialized data analytics in the behavioral analysis of applications, users, and endpoints can be a huge advantage over cyberattackers. Thanks to this analysis, anomalous behaviors can be found, which allows organizations to get ahead of future cyberattacks.

These behavioral study models have proven to be the most efficient way of dealing with increasingly complex and coordinated threats. This is why the cybersecurity community is increasing its efforts with regards to the techniques and tools needed to study these patterns.

Cyberattackers as pen-testers

One of the newest tools in this area was developed by researchers at the University of Texas at Dallas, with the support of US defense and government agencies: DEEP-Dig (DEcEPtion DIGging). In their study, “Improving Intrusion Detectors by Crook-Sourcing”, they explain that with this method cyberattackers are unknowingly diverted to a site that acts as a decoy and pretends to be the attacker’s legitimate target, such as one of an organization’s ordinary servers.

However, this lure not only serves to deflect cyberattacks from the protected target; it also uses all the data and the patterns observed in the attack to build behavioral models. This way, it is possible to overcome some of the difficulties encountered with more conventional Machine Learning models applied to detection systems, such as the lack of sufficiently detailed and categorized data for each cyberattack and its origin: every interaction with the decoy is, by construction, an attacker interaction, so the data comes already labeled. In addition, this makes it possible to build more reliable and accurate models. And all of this is done using cyberattackers who, in actual fact, are being used as pen-testers, that is, as if they were actors carrying out a simulated attack so that their behavior can be studied.
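As an added illustration of the idea (not code from the DEEP-Dig paper or from Cytomic), the script below treats every session recorded on a decoy as labeled attacker behavior, builds a simple bigram model of event sequences from those sessions plus ordinary admin sessions, and then scores sessions from other hosts. The event names and session logs are constructed for the example; the model is a smoothed log-likelihood ratio, chosen here for clarity rather than being the paper's method.

```python
import math
from collections import Counter

# Constructed sample data. Decoy sessions are labeled "attacker" simply
# because no legitimate user has any business on the decoy; admin sessions
# were recorded on production hosts and serve as the benign baseline.
DECOY_SESSIONS = [
    ["login_fail", "login_fail", "login_ok", "list_users", "read_credentials",
     "fetch_remote", "run_new_binary"],
    ["login_ok", "list_users", "read_credentials", "fetch_remote",
     "run_new_binary", "set_persistence"],
    ["login_fail", "login_ok", "list_users", "fetch_remote", "run_new_binary",
     "logout"],
    ["login_ok", "read_credentials", "list_users", "fetch_remote",
     "set_persistence", "logout"],
]
ADMIN_SESSIONS = [
    ["login_ok", "list_files", "edit_config", "restart_service", "logout"],
    ["login_ok", "list_files", "list_files", "edit_config", "logout"],
    ["login_fail", "login_ok", "edit_config", "restart_service", "logout"],
    ["login_ok", "restart_service", "list_files", "logout"],
]


def bigrams(session):
    """Adjacent event pairs: the behavioral unit the model is built on."""
    return list(zip(session, session[1:]))


def build_model(attacker_sessions, benign_sessions):
    """Per-class bigram counts plus the shared vocabulary size (for smoothing)."""
    att = Counter(b for s in attacker_sessions for b in bigrams(s))
    ben = Counter(b for s in benign_sessions for b in bigrams(s))
    return att, ben, len(set(att) | set(ben))


def score_session(session, model):
    """Log-likelihood ratio attacker vs. benign with Laplace smoothing.
    > 0 means the session looks more like the decoy's visitors than like admins;
    a session with fewer than two events has no bigrams and scores 0.0."""
    att, ben, vocab = model
    att_total, ben_total = sum(att.values()), sum(ben.values())
    score = 0.0
    for b in bigrams(session):
        p_att = (att[b] + 1) / (att_total + vocab)
        p_ben = (ben[b] + 1) / (ben_total + vocab)
        score += math.log(p_att / p_ben)
    return score


def flag_sessions(sessions, model, threshold=0.0):
    """Apply the decoy-derived model to sessions from other hosts."""
    return [score_session(s, model) > threshold for s in sessions]
```

Because the model is applied to sessions from hosts other than the decoy, it also illustrates how a decoy's data can reduce the blindness to attacks on legitimate systems mentioned later in the text.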


Honeypots: the bait

Actually, the use of decoys against cyberattackers is nothing new in cybersecurity. DEEP-Dig uses techniques similar to honeypots, which also use system or network elements that pretend to be legitimate in order to lure cyberattackers in. These strategies can be categorized in different ways, but depending on their purpose and deployment method they can be divided into:

  • Production honeypots: these are the easiest to implement and deploy. They are located on the organization’s network with the main purpose of diverting or slowing down cyberattacks that target other more sensitive elements. Since their primary purpose is to protect, they do not tend to gather large amounts of information about the cyberattacks or cyberattackers.
  • Research honeypots: their main task is to collect information on the methods and tactics of cyberattackers. For this reason, they are much more complex, and therefore are practically limited to large organizations, universities, departments of defense, and states. DEEP-Dig, because of its academic and governmental origin, falls into this category.

It should also be noted that honeypots have certain disadvantages: the most complex ones have high deployment costs. Moreover, they are designed from the very start to receive, detect, and/or analyze cyberattacks on their own decoy system or network. This means that they are blind to cyberattacks on other legitimate systems within the organization that may be vulnerable. Therefore, for a company, honeypots should simply constitute one more element, albeit a useful one, in a comprehensive cybersecurity strategy.

But in order for CISOs to be able to fully and effectively implement such a strategy, they must have tools to detect and investigate cyberattacks on all endpoints, as well as solutions that make use of the cybersecurity community’s knowledge.

This is how Cytomic Orion works. It carries out a detailed study of behavior patterns, but does not limit itself to its own sources: Cytomic has alliances with international organizations, such as CCN and the Cyber Threat Alliance. It exchanges threat indicators (IoAs and IoCs) with these organizations, as well as working with collaborative tools such as Jupyter Notebooks.