Behavioral Analysis to Fight Cyber Threats
There has been a change in the way that cybercrime is committed. In the early days of personal computing, back in the 1980s, malware threats like the infamous Brain virus were distributed via floppy disk and were easily localized and handled. But then along came the Internet and cybercrime became massively distributed. Since then, we have seen methods of attack increasing in sophistication and becoming more and more prevalent. One of the things that makes these cyber threats most damaging and hardest to counter is that they are now genuinely personal.
The Modern Age of Cyber Attacks: Using Our Behavior Against Us
Cybercrime became personal when we started to use email and the Internet. The Internet was like a big open book for cybercriminals. They could create an email, stick an attachment in it containing malware and send it out en masse to all and sundry, even using a person's own email address list to do it for them. Some "punter" would be bound to open that attachment, which would run a piece of executable code, and they would be infected with malware. This type of attempt at mass infection via email came into its own in the late 90s with the Melissa email worm. The trouble with this type of tactic is that it gets old pretty quickly. Human beings have this tendency to learn things, and over the years we learned not to trust attachments in emails as much, and we also set up effective spam filters. This meant that attackers had to up their game.
The result of this game-changer has been a much more personalized approach to cybercrime, with the use of 'social engineering' as the cybercriminal weapon of choice. Social engineering is a way of using our behavior against us. It uses psychological tricks to get us to perform actions that we really shouldn't, like opening attachments or clicking on links in a possibly suspicious email. This type of behavior manipulation is nothing new. Confidence tricksters have been using it since human beings came into existence. The fact that attackers are now using it is no surprise.
One of the most successful methods of social engineering, and the one responsible for some of the most significant cyberattacks in recent years, is 'spear phishing.' Spear phishers use the same old malware tricks as the early hackers used, but this time they focus in on a target. Spear phishers get to know their audience. They watch to see what websites they use and trust. They find out who their line manager is, and they create emails with the right logos and signatures on, so when they arrive in an inbox, they look like they have come from that person's boss. Spear phishing is very successful because of this personalization. It is estimated that 91% of cyber-attacks now start with a spear-phishing email, and the open rate is 70%, compared to a non-personalized mass-mailed phishing email, which has an open rate of only 3%. Personalization works, and it makes it hard to differentiate between what is legitimate and what isn't.
Hitting Back at Modern Cyber Attacks with Behavioral Analysis
As attackers have changed their game plan and use our behavior against us, we too can use the same methodologies, by using our knowledge of expected behavior to help us identify and mitigate cyber threats. Traditional security tools, let's call them 'security 1.0', gave us anti-virus and firewalls as our primary methods of tackling cyber threats. These systems are still needed, and many of the underlying architectures of these security 1.0 tools have been updated to accommodate new threats. However, they don't go far enough in what is becoming an increasingly complex attack surface, with smart tactics to get at us through our technology. An example of this is the increasing use by hackers of Advanced Persistent Threats (APTs).
An APT is a stealth worker. It sits on a network server, often for many months. It is specially designed to work under the covers. Once in place, hackers use 'command and control' (C&C) communications, which cannot be easily detected because they blend in with normal Internet traffic, to update the malware, keeping it hidden from traditional tools like anti-virus. APTs are the bane of the enterprise and are becoming a very popular method of extracting data over a long period. An older example of an APT attack was the Carbanak cyberattack, which affected over 100 banks; the hackers made around $1 billion out of the APT, and the malware was initially installed via spear-phishing emails. The next generation of security tools, security 2.0, now uses a much more sophisticated approach to tackle these stealth attacks, which are initiated through manipulation of our own behavior: these tools use behavioral analysis.
So what exactly is behavioral analysis in the context of security? Behavioral analysis is a technique that uses profiles of known behavior and expected usage patterns to spot anomalies, which may be a sign of an imminent cyber-attack or an on-going infection.
Behavioral analysis can call upon a number of techniques, depending on the product used. These include:
- Security intelligence and threat knowledge. There is much information out there about the type of attacks being perpetrated and how they are being initiated. Security companies build up profiles of attack vectors and malware instances and use these to predict the next moves and identify incoming threats.
- Profile analysis: To understand and determine any changes in behavior, you have to understand the behavior first. Behavioral analysis works by analyzing normal behavioral patterns. A simple example of behavioral credential monitoring would be to apply user-specific questions to a login attempt that looks like it may be a brute force, is coming in from an unusual location, and so on. One way to implement this: if the monitored user may well be genuine, then instead of locking their account, which is both annoying and can lead to DoS attacks, you ask them some personal questions; if they answer correctly, they are logged in. Another example is analyzing a particular action, say a database query: malware presents a very different profile when extracting data than a human being performing the same operation.
- Monitoring, analysis and detection: This involves understanding your baseline of expected behavior on a network, for example, knowing which sites are trusted, the types of files accessed by individuals, the types of access to servers and external sites, and so on, that are normal for that network. You can use the profile analysis information as a basis for your monitoring and detection of potential cyber-attacks. Traffic behavior is one area that can give much information and allow early detection of anomalies. It can also help in the fight against botnets, which are typically difficult to detect.
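The profile analysis and baseline monitoring items above describe the same loop: learn what is normal for a user, then score new activity against it. The following is an added example, not code from the original article or from any product it mentions, that builds per-user baselines from a constructed login history and a constructed history of rows returned per database query, then flags the three signals the text names: a burst of failed logins, a login from a never-seen country or at an unusual hour, and a query that pulls far more rows than that user normally does. Field names, thresholds and all event data are assumptions; the step-up challenge (asking the user personal questions rather than locking the account) is left to the caller, who acts on the returned score.

```python
"""Baseline-and-anomaly scoring over constructed login and query events.

Added example, not code from the original article. All event data below is
constructed; the field names (user, country, hour, success, rows) and the
thresholds are assumptions chosen for illustration.
"""
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed history of (user, country, hour_of_day, success) login events.
LOGIN_HISTORY = [
    ("alice", "GB", 9, True), ("alice", "GB", 10, True), ("alice", "GB", 8, True),
    ("alice", "GB", 17, True), ("alice", "GB", 9, True), ("alice", "GB", 11, True),
    ("bob", "US", 14, True), ("bob", "US", 15, True), ("bob", "DE", 13, True),
    ("bob", "US", 16, True), ("bob", "US", 14, True),
]

# Constructed history of rows returned per query, per user, on one table.
QUERY_HISTORY = {
    "alice": [12, 15, 9, 20, 14, 11, 18, 13],
    "svc_report": [500, 520, 480, 510, 495, 505],
}


def build_login_profile(history):
    """Per-user baseline: countries seen and hours-of-day used on successful logins."""
    profile = defaultdict(lambda: {"countries": Counter(), "hours": set()})
    for user, country, hour, success in history:
        if success:  # only successful logins define "normal"
            profile[user]["countries"][country] += 1
            profile[user]["hours"].add(hour)
    return profile


def _hour_distance(a, b):
    """Distance between two hours-of-day on a 24h clock (23 and 1 are 2 apart)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def score_login(profile, events, window_failures=5, hour_slack=2):
    """Score one user's batch of new (user, country, hour, success) events.

    Returns (score in [0, 1], list of reasons). Signals: >= window_failures
    failures in the batch (the simple brute-force signal), a successful login
    from a country never seen for this user, or at an hour more than hour_slack
    away from every hour the user has logged in at before.
    """
    user = events[0][0]
    base = profile.get(user)
    if base is None:
        return 1.0, ["no baseline for user"]
    reasons = []
    failures = sum(1 for e in events if not e[3])
    if failures >= window_failures:
        reasons.append(f"{failures} failed attempts in window")
    for _, country, hour, success in events:
        if not success:
            continue
        if country not in base["countries"]:
            reasons.append(f"new country {country}")
        if all(_hour_distance(hour, h) > hour_slack for h in base["hours"]):
            reasons.append(f"unusual hour {hour:02d}:00")
    return min(1.0, 0.4 * len(reasons)), reasons


def build_query_profile(history, k=3.0):
    """Per-user row-count threshold: max(mean + k*stddev, 2*mean) of past queries.

    The 2*mean floor stops a very regular user (tiny stddev) from being flagged
    on small, ordinary variation.
    """
    return {u: max(mean(r) + k * pstdev(r), 2 * mean(r)) for u, r in history.items()}


def score_query(profile, user, rows):
    """True when a query returns more rows than the user's learned threshold."""
    threshold = profile.get(user)
    if threshold is None:
        return True, "no baseline for user"
    return rows > threshold, f"{rows} rows vs threshold {threshold:.0f}"


if __name__ == "__main__":
    lp = build_login_profile(LOGIN_HISTORY)
    print(score_login(lp, [("alice", "GB", 9, True)]))
    print(score_login(lp, [("alice", "RU", 3, True)]))
    print(score_login(lp, [("bob", "US", 14, False)] * 5 + [("bob", "US", 14, True)]))
    qp = build_query_profile(QUERY_HISTORY)
    print(score_query(qp, "alice", 25))
    print(score_query(qp, "alice", 5000))
```

A real deployment would keep the profile in a store that is updated only from events that were themselves scored as normal, so that an attacker cannot quietly teach the baseline to accept their activity; the thresholds here are deliberately simple so the logic is visible.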
Can Behavioral Analysis Work Against Cyber Attacks?
Like any arms race, the two sides are continuously upping their game to win the next battle. Cybercrime is no different. Just as we develop sophisticated tools like behavioral analysis to combat their use of social engineering and sophisticated stealth malware, the attackers are bound to develop malware that will look just like regular human behavior when using technology. For now, behavioral analysis is providing a more intelligent and considered method of dealing with complex cyberattacks. Used with traditional security tools and coupled with web security mitigation techniques, it is an important part of our new security arsenal. However, we should never become complacent; the next major cybercrime technology is just around the corner, and perhaps this time it will use gamification techniques to arm the hacker, engaging us in our own malware infection.