How to Detect Low and Slow Threats — and Deeply Understand Network Traffic

Many organizations focus on safeguarding their networks by “protecting the perimeter.” However, consider the analogy of building a strong fence around your home. While the fence may be robust, neglecting to secure the back door creates a vulnerability, and a determined intruder could easily scale the fence and enter undetected.

For network security teams, malicious actors continually attempt to breach the defenses you’ve worked hard to create. Once they succeed, you’re charged with answering the frustrating question:

How did this happen?

The key to improving security lies in implementing a “motion detector” within your perimeter. This proactive measure ensures that if intruders attempt to exploit vulnerabilities, their presence is quickly detected. This strategy is particularly important because many threats originate from inside organizations — with 74% of businesses reporting an increase in insider breaches.

A deep understanding of network traffic allows you to swiftly identify malicious actors who are attempting to bypass your perimeter. Automated alerts based on real-time network traffic help you to act on what the “motion sensors” are detecting, regardless of whether those activities are internal or external.

How Bad Actors Are Slipping Through the Perimeter

One of the primary challenges faced by network security teams is the overwhelming volume of network traffic.

A significant portion of this traffic is generated by benign scanning services, such as those operated by universities for research purposes or corporate entities for data collection. While these scanners are not necessarily run by malicious actors, they do contribute a substantial amount of background noise.

This noise creates an ideal environment for “low and slow” threats to operate undetected. Sophisticated attackers rarely employ aggressive tactics like attempting to access a system hundreds of times per second. Instead, they might make a single attempt, wait for an extended period, and then try again. This strategic approach allows them to conceal their activities within seemingly normal traffic patterns, potentially bypassing security measures.

An advanced network security and intelligence solution such as NetIntel reduces this noise, allowing you clear visibility into both external and internal threats.

Additionally, when capturing network traffic records, it’s important to consider the methodology used. Many teams leverage a sampled approach, which can inadvertently allow certain threats to evade detection. For example, consider watching a movie where only every 1,000th frame is visible. With this limited visibility, it becomes difficult to grasp the complete narrative.

In contrast, an unsampled approach examines every single packet. This comprehensive method significantly increases the likelihood of detecting low and slow attacks that might go unnoticed with a sampled approach.

While unsampled monitoring generates a larger volume of data, using an appropriate platform capable of processing and analyzing this information can lead to more accurate threat detection and a reduction in false positives. This approach allows network teams to gain a deep understanding of their network’s activity, improving their ability to identify and respond to potential threats.

Related: Why Sampling Sucks for Network Observability

False Positive Alerts Basically Mean No Alerts

The issue of false positive alerts creates significant challenges for network teams.

The analogy of the boy who cried wolf explains perfectly the challenge experienced by network teams inundated with a high volume of false alerts. When confronted with thousands of alerts, many of which are false positives, teams can experience:

• An increased workload

• Frustration

• A diminished sense of urgency

This situation can lead to degradation of the team’s defensive posture, a consequence that, while understandable given human nature, is problematic for maintaining network security.

However, it also presents an opportunity to rethink anomaly detection. Rather than focus solely on identifying abnormalities, the team can shift its emphasis to establishing a clear, thorough understanding of normal network behavior. 

How to Get Really Good at Understanding Normal

In network security, the ability to distinguish between normal and anomalous traffic is critical. Much like the FBI’s counterfeit experts who focus on studying genuine currency rather than fake bills, network teams should prioritize understanding normal traffic patterns to effectively detect anomalies.

This approach allows for the detection of various threats, including reconnaissance attempts, brute force attacks, and volumetric DDoS attacks.

The key to doing this successfully lies in your analytical tools. Many modern solutions can leverage machine learning for anomaly detection — a process reminiscent of the “one of these things is not like the others” game from Sesame Street.

These systems analyze data to establish a baseline of normal network behavior specific to your organization. However, detection is only the first step. Equally important is the ability to take action once anomalies are identified. Advanced solutions can help with:

• Automated alert triggering when anomalies are detected

• Integration with various platforms and workflows for immediate response

• Templated actions such as IP blocking or black hole routing

• Options for manual investigation of alerts

By combining a deep understanding of normal traffic patterns with advanced analytics and automated response mechanisms, security teams can significantly improve their ability to protect against advanced threats.  

Moving Beyond Perimeter Security and Sharing Data

Relying solely on perimeter defenses like firewalls and intrusion detection systems is no longer enough to safeguard against advanced threats. To effectively combat sophisticated attacks, organizations must leverage their existing network infrastructure and implement robust internal observability and analytics capabilities.

One powerful approach is to use NetFlow data for comprehensive network visibility. By analyzing NetFlow records, network teams can establish “motion detectors” within their network, allowing for faster detection of low and slow threats that might otherwise go unnoticed.

However, effective network security goes beyond just implementing the right strategies. It’s also important to improve collaboration between network and security teams, which often operate in silos. This separation can lead to vulnerabilities and blind spots in an organization’s security posture.

By creating shared visibility and promoting cross-team cooperation, you can improve your ability to detect and respond to both known and emerging network threats.

Do you want to learn more about supporting faster threat response and closing visibility gaps? We created a comprehensive guide, “Top Network Security Problems: How Network Traffic Data Keeps You Ahead of Threats,” to help you get started.