Written By Dr Al Hartmann And Presented By Ziften CEO Charles Leaver
Conventional security software is unlikely to detect attacks that are targeted at a specific company. The attack code will most likely be reworked to avoid known malware signatures, and fresh command and control infrastructure will be stood up to evade known, blacklisted network contacts. Defending against these fresh, targeted attacks requires defenders to recognize more generic attack attributes than can be found in endless lists of known Indicators of Compromise (IoCs) from previously analyzed attacks.
Unless you have a time machine to retrieve IoCs from the future, known IoCs will not help with fresh attacks. For that, you have to be alert to suspicious behaviors of users or endpoints that could be indicative of ongoing attack activity. These suspicion-arousing behaviors will not be as conclusive as a malware signature match or IP blacklist hit, so they will need analyst triage to verify. Insisting on certainty of conviction before raising alerts means that new attacks will effectively evade your automated defenses. It would be the equivalent of a parent ignoring suspicious behavior in their child without question until they get a call from the authorities. You don't want that call from the FBI telling you your enterprise has been breached when due expert attention to suspicious behaviors would have provided early detection.
Security analytics of observed user and endpoint behaviors seeks to identify attributes of potential attack activity. Here we highlight a few of those suspect behaviors by way of brief description. These suspect behaviors function as cyber attack tripwires, alerting defenders to possible attacks in progress.
Anomalous Login Activity
Users and organizational systems show learnable login activity patterns that can be evaluated for anomalous departures. Anomalies can be either spatial, i.e. anomalous with respect to peers, or temporal, i.e. anomalous with respect to that user's or endpoint's earlier login pattern. Remote logins can be examined for remote IP address and geolocation, and login entropy can be measured and compared. Non-administrative users logging into multiple systems can be observed and reported, as this deviates from expected patterns.
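The spatial and temporal checks described above, as an added example that is not part of the original post: a small baseline is learned from constructed login records (user, timestamp, host), and new logins are flagged when they fall outside that user's learned hours (temporal) or when a non-admin touches more hosts in a day than non-admin peers ever did in the baseline (spatial). All names, hosts and times are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of interactive logins: (user, ISO timestamp, host).
# A real deployment would feed these from endpoint or domain controller logs.
BASELINE = [
    ("alice", "2016-03-01T09:05:00", "ws-alice"),
    ("alice", "2016-03-02T08:55:00", "ws-alice"),
    ("alice", "2016-03-03T09:10:00", "ws-alice"),
    ("bob",   "2016-03-01T10:00:00", "ws-bob"),
    ("bob",   "2016-03-02T10:20:00", "ws-bob"),
    ("bob",   "2016-03-03T09:50:00", "ws-bob"),
    ("ops",   "2016-03-01T02:00:00", "srv-db01"),
    ("ops",   "2016-03-02T02:10:00", "srv-web01"),
]
NEW = [
    ("alice", "2016-03-04T09:00:00", "ws-alice"),   # normal
    ("bob",   "2016-03-04T03:15:00", "ws-bob"),     # 3 AM: temporal anomaly
    ("bob",   "2016-03-04T11:00:00", "srv-db01"),   # second host today: spatial anomaly
    ("bob",   "2016-03-04T11:05:00", "srv-web01"),  # already flagged for the day
    ("ops",   "2016-03-04T02:05:00", "srv-web02"),  # admin; night work is their norm
]
ADMINS = {"ops"}  # constructed: accounts expected to reach many hosts

def build_baseline(events, admins):
    """Learn each user's login hours and the peer norm of distinct hosts per day."""
    hours, daily_hosts = defaultdict(set), defaultdict(set)
    for user, ts, host in events:
        t = datetime.fromisoformat(ts)
        hours[user].add(t.hour)
        daily_hosts[(user, t.date())].add(host)
    # Peer norm: most hosts any non-admin reached in one day during training.
    peer_norm = max(len(h) for (u, _), h in daily_hosts.items() if u not in admins)
    return hours, peer_norm

def score_logins(events, hours, peer_norm, admins):
    """Return (user, host, reason) for logins that depart from the learned patterns."""
    alerts, seen = [], defaultdict(set)
    for user, ts, host in events:
        t = datetime.fromisoformat(ts)
        # Temporal: no learned hour within +/-1 h (a user with no baseline trips this too).
        if not any(abs(t.hour - h) <= 1 for h in hours[user]):
            alerts.append((user, host, "temporal: login outside learned hours"))
        # Spatial: alert once, when a non-admin first exceeds the peer norm for the day.
        seen[(user, t.date())].add(host)
        if user not in admins and len(seen[(user, t.date())]) == peer_norm + 1:
            alerts.append((user, host, "spatial: more hosts per day than non-admin peers"))
    return alerts
```

The alerts are triage leads, not convictions: an analyst still has to confirm whether bob's night logon and hop to two servers is a change in duties or compromised credentials.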
Anomalous Work Practices
Working outside typical work hours or outside established patterns of work activity can be suspicious and indicative of insider threat activity or compromised credentials. Again, anomalies may be either spatial or temporal in nature. The mix of active processes during work can also be analyzed for adherence to established workgroup activity patterns. Workloads may vary a bit, but they tend to be fairly consistent across engineering departments, accounting departments, marketing departments, and so on. Work activity patterns can be machine learned and statistical divergence tests applied to spot behavioral anomalies.
Anomalous Application Attributes
Typical applications show reasonably consistent characteristics in their image metadata and in their active process profiles. Significant departures from these observed norms can be indicative of application compromise, such as code injection. Whitelisted applications may be used by malware scripts in unusual ways, such as ransomware using system tools to delete volume shadow copies to hinder recovery, or malware staging stolen data to disk prior to exfiltration, with a considerable demand on disk resources.
Anomalous Network Activity
Common applications show relatively consistent network activity patterns that can be learned and characterized. Unusual levels of network activity by unusual applications are suspect for that reason alone, as is unusual port activity or port scanning. Network activity at unusual times, with unusual regularity (possibly beaconing), or with unusual resource demand is also worthy of attention. Unattended network activity (user not present) should always have a plausible explanation or be reported, especially if observed in significant volume.
Anomalous System Fault Behavior
Anomalous fault behavior can be indicative of a vulnerable or unpatched system, or of malware that is repeatedly retrying some failing operation. This may show up as applications crashing or hanging, as service failures, or as system crashes. Compliance faults are also worth noting, such as not running mandated security or backup agents, or constant faulting by those agents (leading to a fault-restart-fault cycle).
When looking for Endpoint Detection and Response solutions, don't fall into complacency just because you have a large library of known IoCs. The most effective solutions will cover these five generic attack characteristics plus a whole lot more.