Written By Dr Al Hartmann And Presented By Ziften CEO Chuck Leaver
Standard security software is not likely to identify attacks that are targeted to a particular company. The attack code will more than likely be remixed to evade known malware signatures, while fresh command and control infrastructure will be stood up to avert recognized blacklisted network contacts. Resisting these fresh, targeted attacks requires defenders to spot more generic attack attributes than can be discovered in unlimited lists of known Indicators of Compromise (IoC’s) from formerly examined attacks.
Unless you have a time machine to obtain IoC’s from the future, known IoC’s won’t assist with new attacks. For that, you need to look out for suspicious behaviors of users or endpoints that could be indicative of ongoing attack activity. These suspicion-arousing habits won’t be as definitive as a malware signature match or IP blacklist hit, so they will need analyst triage to verify. Insisting upon conviction certainty prior to raising notifications indicates that new attacks will successfully avert your automatic defenses. It would be equivalent to a parent neglecting suspicious child habits without question until they get a call from the authorities. You don’t desire that call from the FBI that your business has been breached when due analyst attention to suspicious behaviors would have offered early detection.
Security analytics of observed user and endpoint habits seeks to determine attributes of prospective attack activity. Here we highlight some of those suspect behaviors by way of general description. These suspect habits operate as cyber attack tripwires, signaling defenders to possible attacks in progress.
Anomalous Login Activity
Users and organizational units show learnable login activity patterns that can be examined for anomalous departures. Anomalies can be either spatial, i.e. anomalous with respect to peers, or temporal, i.e. anomalous with respect to that user/endpoint’s earlier login pattern. Remote logins can be analyzed for remote IP address and geolocation, and login entropy can be measured and compared. Non-administrative users logging into multiple systems can be observed and reported, as it differs from anticipated patterns.
Anomalous Work Practices
Working outside typical work hours or outside established patterns of work activity can be suspicious or a sign of insider risk activity or compromised credentials. Once again, anomalies might be either spatial or temporal in nature. The workload active procedure mix can likewise be examined for adherence to developed workgroup activity patterns. Work loads may differ a bit, however tend to be fairly consistent across engineering departments or accounting departments or marketing departments, etc. Work activity patterns can be machine learned and analytical divergence tests applied to identify behavioral anomalies.
Anomalous Application Attributes
Common applications display relatively constant characteristics in their image metadata and in their active process profiles. Significant departures from these observed activity norms can be a sign of application compromise, such as code injection. Whitelisted applications may be used by malware scripts in unlikely methods, such as ransomware utilizing system tools to remove volume shadow copies to stymie healing, or malware staging thieved data to disk, prior to exfiltration, with significant disk resource demand.
Anomalous Network Activity
Typical applications display reasonably consistent network activity patterns that can be learned and defined. Unusual levels of network activity by unusual applications are suspect because of that alone, as is unusual port activity or port scanning. Network activity at unusual times or with uncommon regularity (potentially beaconing) or uncommon resource demand are also worthwhile of attention. Ignored network activity (user not present) ought to always have a plausible description or be reported, specifically if observed in considerable volume.
Anomalous System Fault Behavior
Anomalous fault behavior could be a sign of a vulnerable or disclosed system or of malware that is consistently reattempting some failed operation. This could be observed as applications crashing or hanging, as service failures, or as system crashes. Compliance faults are also worth noting, such as not running mandated security or backup agents, or consistent faulting by those agents (resulting in a fault-restart-fault cycle).
When trying to find Endpoint Detection and Response software, don’t have a feeling of complacency just because you have a huge library of recognized IOCs. The most effective solutions will cover these top five generic attack qualities plus a whole lot more.