Charles Leaver – A Reliable Endpoint Monitoring System Needs More Than Narrow Indicators Of Compromise

Presented By Charles Leaver And Written By Dr Al Hartmann Of Ziften Inc.


The Breadth Of The Indicator – Broad Versus Narrow

An extensive report of a cyber attack will typically offer details of indicators of compromise. Often these are slim in their scope, referencing a specific attack group as viewed in a particular attack on an organization for a limited period of time. Typically these narrow indicators are specific artifacts of an observed attack that could constitute particular evidence of compromise by themselves. For the attack it implies that they have high uniqueness, however often at the cost of low sensitivity to comparable attacks with different artifacts.

Essentially, slim indicators offer extremely restricted scope, and it is the factor that they exist by the billions in massive databases that are continually expanding of malware signatures, network addresses that are suspicious, malicious pc registry keys, file and packet content snippets, filepaths and intrusion detection guidelines and so on. The continuous endpoint monitoring solution provided by Ziften aggregates a few of these third party databases and threat feeds into the Ziften Knowledge Cloud, to take advantage of understood artifact detection. These detection elements can be used in real time in addition to retrospectively. Retrospective application is essential because of the short-term characteristics of these artifacts as hackers constantly render conceal the info about their cyber attacks to annoy this narrow IoC detection approach. This is the factor that a continuous monitoring solution must archive monitoring results for a long time (in relation to industry reported common attacker dwell times), to provide an enough lookback horizon.

Slim IoC’s have significant detection worth however they are mostly inefficient in the detection of brand-new cyber attacks by knowledgeable hackers. New attack code can be pre tested against common enterprise security solutions in laboratory environments to confirm non-reuse of artifacts that are detectable. Security solutions that operate merely as black/white classifiers suffer from this weak point, i.e. by supplying an explicit decision of destructive or benign. This approach is really easily averted. The defended organization is most likely to be completely attacked for months or years prior to any noticeable artifacts can be recognized (after extensive investigation) for the particular attack circumstances.

In contrast to the simplicity with which cyber attack artifacts can be obscured by normal hacker toolkits, the particular techniques and strategies – the modus operandi – used by attackers have been sustained over several decades. Typical strategies such as weaponized websites and docs, brand-new service installation, vulnerability exploitation, module injection, sensitive directory and registry area adjustment, new arranged tasks, memory and drive corruption, credentials compromise, malicious scripting and numerous others are broadly typical. The proper use of system logging and monitoring can detect a lot of this particular attack activity, when appropriately paired with security analytics to focus on the greatest threat observations. This entirely eliminates the opportunity for hackers to pre test the evasiveness of their destructive code, because the quantification of dangers is not black and white, but nuanced shades of gray. In particular, all endpoint danger is differing and relative, throughout any network/ user environment and time period, and that environment (and its temporal characteristics) can not be duplicated in any lab environment. The basic attacker concealment approach is foiled.

In future posts we will analyze Ziften endpoint risk analysis in more detail, along with the vital relationship between endpoint security and endpoint management. “You can’t protect what you don’t manage, you can’t manage what you do not measure, you can’t measure what you don’t track.” Organizations get breached due to the fact that they have less oversight and control of their endpoint environment than the cyber attackers have. Look out for future posts…


Leave a Reply

Your email address will not be published. Required fields are marked *