BAD to the Bone - NIST, LOTL, and IoT/ICS Behavioral Anomaly Detection (BAD)

BAD works by looking for suspicious or unauthorized activities (behaviors) rather than for known indicators of compromise (IoCs) such as malicious files or DNS queries.

That also makes it superior for detecting fileless malware and Living Off the Land (LOTL) tactics, for which no IoCs exist in the first place.

It turns out that CyberX has the only patent in the world for IoT/ICS-aware behavioral anomaly detection. CyberX's agentless platform uses an approach called Industrial Finite State Modeling (IFSM): it models IoT/ICS networks as deterministic sequences of states and transitions, so that a deviation from the learned baseline (a state or transition the model has never seen) can be spotted quickly.

Compared to traditional baselining algorithms designed for IT networks, where behavior is primarily non-deterministic, this approach enables faster detection of threats, with fewer false positives and a shorter learning period.
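To make the finite-state idea concrete, here is an added example (not CyberX's code, and not its patented IFSM, which the post does not detail): a minimal transition model that learns which event follows which during a baseline period over a constructed, Modbus-style event stream, then flags any event or transition the baseline never contained. Device names, operation names and the traffic itself are invented for illustration.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# An event is (source, destination, operation). The operation names loosely
# mimic Modbus function names; every value here is constructed sample data.
Event = Tuple[str, str, str]

# Constructed baseline: an HMI polling and occasionally writing to a PLC.
# Deterministic ICS traffic like this is why a small state model suffices.
BASELINE: List[Event] = [
    ("hmi", "plc1", "read_holding_registers"),
    ("plc1", "hmi", "read_response"),
    ("hmi", "plc1", "write_single_register"),
    ("plc1", "hmi", "write_ack"),
    ("hmi", "plc1", "read_holding_registers"),
    ("plc1", "hmi", "read_response"),
]

# Constructed monitoring-phase traffic containing two deviations:
# an unknown source issuing an unknown operation, and a known write arriving
# out of its usual order (no read cycle before it).
OBSERVED: List[Event] = [
    ("hmi", "plc1", "read_holding_registers"),
    ("plc1", "hmi", "read_response"),
    ("eng_laptop", "plc1", "write_multiple_registers"),
    ("plc1", "hmi", "write_ack"),
    ("hmi", "plc1", "write_single_register"),
    ("plc1", "hmi", "write_ack"),
]


class TransitionModel:
    """Learns the set of states (events) and the allowed next-state set for
    each state, then reports anything outside that learned behavior."""

    def __init__(self) -> None:
        self.states: Set[Event] = set()
        self.transitions: Dict[Event, Set[Event]] = defaultdict(set)

    def learn(self, events: Iterable[Event]) -> None:
        """Baseline phase: record every state and every observed successor."""
        prev = None
        for ev in events:
            self.states.add(ev)
            if prev is not None:
                self.transitions[prev].add(ev)
            prev = ev

    def transition_count(self) -> int:
        return sum(len(s) for s in self.transitions.values())

    def detect(self, events: Iterable[Event]) -> List[str]:
        """Monitoring phase: flag unknown states and unseen transitions.
        A transition is only judged when the previous state itself was
        known, so one unknown event produces one alert, not two."""
        alerts: List[str] = []
        prev = None
        for i, ev in enumerate(events):
            if ev not in self.states:
                alerts.append(f"{i}: unknown state {ev}")
            elif prev in self.states and ev not in self.transitions[prev]:
                alerts.append(f"{i}: unseen transition {prev} -> {ev}")
            prev = ev
        return alerts


def run_example() -> List[str]:
    model = TransitionModel()
    model.learn(BASELINE)
    return model.detect(OBSERVED)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

The baseline yields four states and four allowed transitions; running the observed stream through the model produces exactly two alerts, one for the engineering laptop's unknown write and one for the HMI write that skipped the usual read cycle. Neither event carries a file hash or domain to match, which is the point the post makes about LOTL-style activity.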

As a result, defenders can detect attacks in the early stages of the kill chain, before adversaries can shut down or blow up your facilities, by continuously monitoring the network for suspicious or unauthorized activities rather than looking for static IoCs.

Read more at: CyberX