Experience ensures success
Our experience is based on the daily analysis of attacks in our Security Operations Centers (SOCs) and on a large number of compromise assessments, in which we were able to reliably detect reconnaissance behavior, malware, bots, backdoors, CnC communication, data leaks, etc., and to regularly identify a wide variety of indicators of compromise (IoCs) in all phases of a targeted attack.
To do this, we record both incoming and outgoing Internet traffic as well as inter-segment traffic within the network and analyze it for IoCs. Typical host-peer relationships are clustered and the normal interactions are filtered out by baselining. Behavior that deviates from this baseline stands out more clearly, because the typical patterns of the propagation techniques used (brute force, replication, Kerberos account scans, PowerShell scripting, SQL injection, etc.) can then be identified.
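The baselining step described above, as an added illustration that is not the vendor's own tooling: constructed flow records (source host, destination host, destination port) from a learning window form the baseline of normal host-peer relationships, and flows from an observation window are then checked against it; a source that suddenly talks to several previously unseen peers is reported as the fan-out pattern typical of replication or scanning. All host names, ports and the threshold are assumed for the example.

```python
from collections import defaultdict

# Constructed sample flow records: (src_host, dst_host, dst_port).
# In practice the learning window would cover days or weeks of traffic.
LEARNING_FLOWS = [
    ("ws-01", "dc-01", 88), ("ws-01", "dc-01", 445), ("ws-01", "proxy", 8080),
    ("ws-02", "dc-01", 88), ("ws-02", "fileserver", 445), ("ws-02", "proxy", 8080),
    ("ws-01", "fileserver", 445),
]

# Constructed observation window: ws-01 behaves as before, ws-02 starts
# contacting several workstations over SMB it never talked to during learning.
OBSERVED_FLOWS = [
    ("ws-01", "dc-01", 88), ("ws-01", "proxy", 8080),
    ("ws-02", "ws-01", 445), ("ws-02", "ws-03", 445),
    ("ws-02", "ws-04", 445), ("ws-02", "ws-05", 445),
    ("ws-02", "dc-01", 88),
]


def build_baseline(flows):
    """Cluster each source host with the (peer, port) pairs it normally uses."""
    baseline = defaultdict(set)
    for src, dst, port in flows:
        baseline[src].add((dst, port))
    return baseline


def find_deviations(baseline, flows, fanout_threshold=3):
    """Filter out baselined interactions and return what remains.

    Returns (new_flows, fanout): new_flows are flows whose (peer, port) is
    outside the source's baseline; fanout maps sources that reached
    fanout_threshold distinct *new* peers to that peer count, which is the
    many-new-peers pattern of replication and account/host scanning.
    """
    new_flows = [(s, d, p) for s, d, p in flows
                 if (d, p) not in baseline.get(s, set())]
    new_peers = defaultdict(set)
    for s, d, _ in new_flows:
        new_peers[s].add(d)
    fanout = {s: len(ds) for s, ds in new_peers.items()
              if len(ds) >= fanout_threshold}
    return new_flows, fanout


if __name__ == "__main__":
    base = build_baseline(LEARNING_FLOWS)
    flows, suspicious = find_deviations(base, OBSERVED_FLOWS)
    print("flows outside baseline:", flows)
    print("fan-out sources:", suspicious)
```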