Skip to main content
My preferencesSign out
Proofpoint, Inc.

How are threats recognized?


Cyberthreats target computer networks, steal secrets from companies, and violate the privacy of individuals. Protecting the digital infrastructure remains a challenge and a key concern for most businesses.

Proofpoint uses multiple complementary techniques to detect a variety of email-borne threats.  Three main technological strategies are used to recognize threats: dynamic behavioral analysis, static analysis, and traffic analysis. All three are supported by Proofpoint's staff of world-class threat analysts and are used in combination to detect disparate threat types, such as:

  • ransomware;
  • credential theft;
  • documents with malicious macros;
  • longlining;
  • watering hole; and
  • spear phishing.

The Human Factor

The most important weapon in Proofpoint's arsenal is its staff of professional threat analysts. With presence across every time zone, they can observe and respond to emerging threats as they occur. They maintain systems which attract abuse for analysis, seek out information-sharing partnerships with customers and other vendors, and perform in-depth deconstructions of the latest attacks to ensure that Proofpoint's systems remain able to detect the attacks, even as they continue to evolve.

Dynamic Behavioral Analysis

This technique attempts to observe a running threat's behavior in its native environment. Attachments and URLs are submitted to special-purpose virtual machines and opened in the appropriate application -- e.g., Word documents are opened in Microsoft Word, PDFs are opened in Adobe Reader, and URLs are visited by a browser.

The virtual machine is then observed to detect anomalous behavior, such as:

  • writing to the registry;
  • dropping executable files;
  • starting new processes; or
  • attempting to establish persistence.

To ensure that attacks are triggered, the virtual machines are configured to emulate human behavior and cloak the presence of the virtual environment.

Static Analysis

This technique performs a deep inspection of a threat's content and context. Heuristic tests, signatures-based tests, and reputation are all examples of static analysis techniques. These techniques can detect malicious features like:

  • snippets of malicious code;
  • deobfuscation of macros;
  • attempts to contact known attacker infrastructures;
  • exploit kits; or
  • site templates.

Traffic Analysis

This technique uses Proofpoint's unique vantage point as a top-tier security vendor to watch for anomalies in our customers' email traffic. For example, if Proofpoint sees a URL appear in many customers' inboxes within a short period of time, it can submit the URL for scanning predictively, without requiring anyone to be exposed to the material. Likewise, attachments can be condemned if high volumes of similar material are sent from many different locations, as this is indicative of malicious intent.