Detection of the ‘Communicates with Many Hosts’ behaviour has been enhanced to catch newer variations of this activity and to produce more metadata when it is identified.
The Communicates with Many Hosts classifier is typically used to identify behaviours associated with network discovery, fingerprinting, brute-force attacks, or potentially unwanted system use such as online gaming or torrent traffic. Some of these behaviours are good indicators of compromise, and all of them are useful in understanding what the hosts on your network are doing.
After some good feedback from our analysts, we have enhanced the classifier to look back further in time, so that it identifies low-and-slow attack methodologies, and we have significantly enriched the associated metadata to make attributing behaviours to hosts easier.
The longer look-back means the behaviour cannot be hidden by pausing activity for an extended period (anything shorter than the look-back window), or by randomising or normalising the intervals between fingerprinting attempts to evade anomaly-detection methods. When we simulate this type of activity on our test networks, we now detect it regardless of the techniques we use to hide the behaviour.
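To make the effect of the look-back window concrete, here is an added example (not the classifier's own code) that runs a distinct-destination count over a constructed set of flow records. The flow fields, the 10-minute and 7-day windows, the threshold of 20 hosts, the host addresses and the scanner's pacing are all assumptions chosen for illustration. The scanner touches one new host roughly every hour with jitter, pauses for two days, then continues; a 10-minute window never sees more than one new destination, while a 7-day window counts all of them.

```python
"""Sliding-window 'communicates with many hosts' detector over constructed flow records.
Added example; not the product's classifier. Window sizes, thresholds and hosts are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
import random

HOUR = 3600


@dataclass(frozen=True)
class Flow:
    ts: int       # seconds since an arbitrary epoch (constructed)
    src: str
    dst: str
    dport: int


def build_sample_flows(seed=1):
    """Constructed data: a low-and-slow scanner and a chatty but benign host."""
    rnd = random.Random(seed)
    flows = []
    # Scanner 10.0.0.5: one new destination roughly every hour with +/-20 min jitter,
    # 24 hosts, then a 48-hour pause, then 24 more hosts. Consecutive probes are
    # never closer than 20 minutes, so a 10-minute window holds at most one of them.
    for i in range(48):
        hour = i if i < 24 else i + 48
        ts = 7 * HOUR + hour * HOUR + rnd.randint(-1200, 1200)  # offset keeps ts positive
        flows.append(Flow(ts, "10.0.0.5", f"10.1.0.{i + 1}", rnd.choice([22, 445, 3389])))
    # Benign 10.0.0.7: the same three destinations, polled every 5 minutes for 120 hours.
    for k in range(0, 120 * HOUR, 300):
        flows.append(Flow(k, "10.0.0.7", f"10.1.0.{100 + (k // 300) % 3}", 443))
    return sorted(flows, key=lambda f: f.ts)


def peak_distinct_dsts(flows, window_s):
    """Largest number of distinct destinations one source reached in any window_s-second
    window. `flows` must belong to a single source and be sorted by ts. Two-pointer sweep:
    `live` holds reference counts for destinations inside the current window."""
    live = defaultdict(int)
    best, left = 0, 0
    for f in flows:
        live[f.dst] += 1
        while flows[left].ts < f.ts - window_s:   # expire flows that fell out of the window
            old = flows[left].dst
            live[old] -= 1
            if live[old] == 0:
                del live[old]
            left += 1
        best = max(best, len(live))
    return best


def classify(flows, window_s, threshold):
    """Return {src: metadata} for every source whose peak distinct-destination count within
    a window_s window reaches `threshold`. The metadata fields are the ones an analyst
    needs to attribute the behaviour to a host and judge its pacing."""
    by_src = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        by_src[f.src].append(f)
    hits = {}
    for src, fl in by_src.items():
        peak = peak_distinct_dsts(fl, window_s)
        if peak >= threshold:
            hits[src] = {
                "peak_distinct_hosts": peak,
                "total_distinct_hosts": len({f.dst for f in fl}),
                "first_seen": fl[0].ts,
                "last_seen": fl[-1].ts,
                "span_hours": round((fl[-1].ts - fl[0].ts) / HOUR, 1),
                "dports": sorted({f.dport for f in fl}),
            }
    return hits


if __name__ == "__main__":
    sample = build_sample_flows()
    print("10-minute window:", classify(sample, 10 * 60, threshold=20))
    print("7-day window:   ", classify(sample, 7 * 24 * HOUR, threshold=20))
```

The short window flags nothing, because the scanner's jittered hourly pacing and its two-day pause keep every 10-minute slice at a single new destination. The 7-day window flags 10.0.0.5 with 48 distinct hosts and records first/last seen, span and ports, while the benign poller stays at three destinations in either window. Any pause longer than the look-back window would split the activity into two separately counted runs, which is why the window length matters.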
The extra metadata lets the analyst quickly pick out behaviour of interest and understand what a host is doing more effectively.
This update is sensor-based and will be pushed to all managed customers at the pre-agreed upgrade time. Self-monitored customers can update their own sensors using the software upgrade process. If you have any further questions about this upgrade, please contact us at firstname.lastname@example.org