A series of disconnected events can be used to identify a threat. Imagine your system alerting you that one of your endpoints has received a suspicious file. You have a sophisticated IPS that is capable of informing you that the file came from a suspicious site. That event alone is not enough to convict the file, so it generates a low-priority alert that gets lost in the flood of other alerts. The infected endpoint then connects to several popular news sites and downloads their front pages. This will not generate any alerts, but a good network behavioral analysis engine, which is part of a "next generation" IPS solution, would log the activity. Your analysts have plenty to do, so this is clearly not going to get their attention. What has really happened is that the infected endpoint has just confirmed network connectivity. After several hours, your alert screen, having wrapped a few hundred times since the infection, now reports another low-priority alert, which on its own is not sufficient to convict the endpoint as compromised. The infected endpoint (bot) is now trying to locate other bots by looking up randomly generated URIs based on dynamic DNS domains. Of course, your IPS cannot know these are randomly generated URIs, but it does see a number of failed DNS queries followed by one successful one. The newly infected bot then connects to another bot and downloads its payload, with no traffic traversing the IPS since it is not communicating outside the network. Does this sound far-fetched and unlikely, like an extreme example? Well, this is how Kraken works, and the Kraken botnet has been active since at least 2008.
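The correlation this scenario calls for, as an added example that is not from the original article: each event is weak on its own, and only the windowed sum per host crosses the analyst threshold. The log format, event names, weights, window and the "N failed lookups then one success" heuristic are assumptions chosen for illustration.

```python
# Added example (not the article's code): correlate the individually weak
# events the text describes into a per-host verdict. Log lines and weights are constructed.
from collections import defaultdict
from datetime import datetime, timedelta
WEIGHTS = {"suspicious_file": 3, "connectivity_check": 1,
           "dns_nxdomain_burst": 3, "internal_peer_transfer": 2}
ESCALATE = 7                  # windowed score that flags a host for an analyst
WINDOW = timedelta(hours=12)  # look-back window for correlation
DNS_FAIL_MIN = 5              # NXDOMAINs before one success = generated names
SAMPLE_LOG = [  # constructed: "<ISO time> <host> <event> [<detail>]"
    "2024-03-01T09:00:00 ws-17 suspicious_file http://example.invalid/d.bin",
    "2024-03-01T09:02:00 ws-17 connectivity_check news-site",
    "2024-03-01T10:00:00 ws-42 connectivity_check news-site",
    *["2024-03-01T14:00:%02d ws-17 dns NXDOMAIN" % i for i in range(5)],
    "2024-03-01T14:00:05 ws-17 dns NOERROR",
    "2024-03-01T14:01:00 ws-17 internal_peer_transfer 10.0.5.23:8080",
]

def parse(line):
    ts, host, event, *detail = line.split(" ", 3)
    return datetime.fromisoformat(ts), host, event, detail[0] if detail else ""

def dns_bursts(events):
    """Yield (ts, host) when >= DNS_FAIL_MIN failed lookups precede a success."""
    fails = defaultdict(int)
    for ts, host, event, detail in events:
        if event == "dns" and detail == "NXDOMAIN":
            fails[host] += 1
        elif event == "dns":  # successful lookup ends the run of failures
            if fails[host] >= DNS_FAIL_MIN:
                yield ts, host
            fails[host] = 0

def correlate(lines):
    """Return {host: best windowed score} for hosts whose score reaches ESCALATE."""
    events = sorted(parse(l) for l in lines)
    signals = defaultdict(list)  # host -> [(ts, weight)] of weak signals
    for ts, host, event, _ in events:
        if event in WEIGHTS:
            signals[host].append((ts, WEIGHTS[event]))
    for ts, host in dns_bursts(events):  # derived signal, not a raw event
        signals[host].append((ts, WEIGHTS["dns_nxdomain_burst"]))
    verdicts = {}
    for host, sig in signals.items():
        sig.sort()
        for i, (start, _) in enumerate(sig):  # sum every signal inside the window
            score = sum(w for t, w in sig[i:] if t - start <= WINDOW)
            if score >= ESCALATE:
                verdicts[host] = max(score, verdicts.get(host, 0))
    return verdicts
```

Running `correlate(SAMPLE_LOG)` flags only ws-17 (score 9), while ws-42, which merely fetched a news site, stays below the threshold.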
Via Technical Dr. Inc.