A number of security firms detect malware by monitoring outbound connections and looking for traffic going to known bad areas of the Internet. Other intrusion detection systems look for code designed to exploit known vulnerabilities.
Yet companies can also monitor internal traffic for strange patterns that do not resemble normal user behavior. Breachbox, a set of tools for detecting pass-the-hash and other authentication attacks, does just that, says Eric Fiterman, founder and developer of cyber security startup Spotkick, who plans to release the tools at the Black Hat Briefings in Las Vegas later this summer.