Threat Vectors Used in Advanced Threat Defense Testing
December 14, 2015
By Jack Walsh

ICSA Labs Advanced Threat Defense (ATD) certification testing is aimed at vendor solutions designed to detect threats that traditional security products miss. The testing focuses on how effectively vendor ATD solutions work against unknown and little-known threats.

In addition to detection effectiveness, ICSA Labs tests whether ATD solutions alert on innocuous applications and their associated activity (false positives). It also tests how quickly a solution detects and logs malicious threats.

ICSA Labs ATD testing does not evaluate the detection of known threats, which should already be detected by other kinds of products with reasonably up-to-date signature sets (or similar protection technology).

Threat Vectors Used in Testing

The threat vectors used in ICSA Labs ATD testing map directly to many of the top threat vectors leading to breaches in the Verizon 2015 Data Breach Investigations Report (DBIR). These include the most common threat vectors leading to breaches both in the most recent DBIR and historically.

Figure 1 shows the most common threat vectors that have led to breaches across all of the breaches analyzed in the eleven years of data the DBIR covers.

Figure 1 – DBIR Threat Vectors All Time

Figure 2 illustrates the threat vectors that most commonly lead to breaches in the 2015 DBIR.

Figure 2 – DBIR Threat Vectors 2015

Figures 1 and 2 indicate that there is significant overlap between current and historic threat vectors. The 2015 DBIR therefore provides a rich data set on which to base our advanced threat defense testing.

ICSA Labs ATD testing includes the most prevalent threat vector, “Direct Install.” In addition, the testing includes the threat vectors labeled “Web Download,” “Web Drive-By,” and “Download by Malware.” Other threat vectors may be added to the testing in the future as the program matures. Together, the threat vectors currently used correspond to more than 75% of the data breaches reported in the 2015 DBIR over its eleven-year history.

The threats themselves primarily target weaknesses in end-user Windows PCs. While some threats apply equally to servers, test cases more often target services and software found on desktops and laptops. The threats typically involve:

  • Local execution or loading of a malicious executable or data file, covering both the case where an attacker already has access to the machine and the case where a user is tricked into running or opening it;
  • Exploitation of a client-side vulnerability in the operating system, web browser, or another commonly installed application, triggered by loading a malicious data file without deliberate user action; and
  • Attacks against remotely accessible PC components.

Next Week

Next week’s blog post on Dec. 21 is the third installment in this four-part ATD blog series. It will provide insight into the source of the threats used in ICSA Labs ATD testing.
