Chuck Leaver – Narrow Indicators Of Compromise Make Comprehensive Endpoint Monitoring Difficult

Presented By Chuck Leaver And Written By Dr Al Hartmann Of Ziften Inc.


The Breadth Of The Indication – Broad Versus Narrow

A thorough report of a cyber attack will generally include indicators of compromise (IoCs). Typically these are narrow in scope: they reference a specific attack group, as observed in a particular attack on one organization over a limited period of time. Such narrow indicators are concrete artifacts of an observed attack that may constitute proof of compromise on their own. For that attack they are highly specific, but often at the cost of low sensitivity to similar attacks that use different artifacts.

In short, narrow indicators offer very limited scope, which is why they exist by the billions in ever-growing databases of malware signatures, suspicious network addresses, malicious registry keys, file and packet content snippets, file paths, intrusion detection rules and so on. Ziften's continuous endpoint monitoring service aggregates several of these third-party databases and threat feeds into the Ziften Knowledge Cloud to take advantage of known-artifact detection. These detection elements can be applied in real time as well as retrospectively. Retrospective application is necessary because of the short-lived nature of these artifacts: attackers continually change and conceal the details of their attacks to frustrate this narrow IoC detection approach. This is why a continuous monitoring service should archive monitoring results for a long period of time (relative to industry-reported attacker dwell times), to provide a sufficient lookback horizon.

Narrow IoCs have significant detection value, but they are largely ineffective at detecting new attacks by skilled adversaries. New attack code can be pre-tested against common enterprise security products in lab environments to confirm that no recognizable artifacts are reused. Security products that operate purely as black/white classifiers, i.e. that issue a single verdict of malicious or benign, suffer from this weakness; the approach is very easily evaded. The protected organization is likely to be thoroughly compromised for months or years before any recognizable artifacts can be identified (after intensive investigation) for that specific attack instance.

In contrast to the ease with which attack artifacts can be obscured by common attacker toolkits, the particular tactics and techniques, the modus operandi, used by attackers have persisted over many years. Common techniques such as weaponized websites and documents, new service installation, vulnerability exploitation, module injection, modification of sensitive directories and registry areas, newly created scheduled tasks, memory and disk corruption, credential compromise, malicious scripting and many others are broadly shared. Proper use of system logging and monitoring can detect a great deal of this attack activity when combined with security analytics that focus on the highest-risk observations. This removes the attacker's opportunity to pre-test the evasiveness of malicious code, since the quantification of risk is not black and white but nuanced shades of gray. In particular, endpoint risk is variable and relative across any network and user environment and time period, and that environment (and its temporal dynamics) cannot be reproduced in a lab. The basic attacker concealment methodology is foiled.
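As an added illustration of the two detection styles contrasted in the last two paragraphs (example code written for this page, not code from Ziften or the original post), the following Python script first runs a narrow hash-based IoC match retrospectively over an archived event history with a configurable lookback horizon, and then scores the same hosts by the behavioural techniques named above (new service installation, Run-key modification, scheduled task creation, execution from a temp directory), weighting each technique by how rare it is across the environment so that the score is relative rather than a black/white verdict. The event format, the technique weights, the hostnames and the hash values are all constructed for this example.

```python
"""Narrow IoC matching versus behavioural technique scoring over archived endpoint events."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed archive of endpoint events (not real telemetry). One event per line:
# "<iso timestamp> <host> <event type> key=value ...". Hashes are placeholders.
ARCHIVE = [
    "2024-03-01T09:00:00 ws-01 process_start sha256=CONSTRUCTED_HASH_A path=C:\\Windows\\System32\\notepad.exe",
    "2024-03-01T09:01:10 ws-01 process_start sha256=CONSTRUCTED_HASH_B path=C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe",
    "2024-03-01T09:01:15 ws-01 service_install name=WinSvcHelper path=C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe",
    "2024-03-01T09:01:20 ws-01 registry_set key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "2024-03-01T09:02:00 ws-01 scheduled_task name=Updater",
    # Second intrusion, same technique chain but the binary was rebuilt, so the hash differs.
    "2024-03-15T10:00:00 ws-02 process_start sha256=CONSTRUCTED_HASH_C path=C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe",
    "2024-03-15T10:00:05 ws-02 service_install name=SvcHelper2 path=C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe",
    "2024-03-15T10:00:10 ws-02 registry_set key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    # Benign activity: a scheduled task that many hosts in the environment create.
    "2024-03-20T11:00:00 ws-03 process_start sha256=CONSTRUCTED_HASH_A path=C:\\Windows\\System32\\notepad.exe",
    "2024-03-20T11:05:00 ws-03 scheduled_task name=OneDriveSync",
    "2024-03-22T08:00:00 ws-04 scheduled_task name=OneDriveSync",
]

# Narrow IoC feed (constructed): only the hash recovered from the first, already-analysed attack.
IOC_HASHES = {"CONSTRUCTED_HASH_B"}

# Behavioural technique weights (constructed for this example, not a published scale).
WEIGHTS = {
    "new_service": 3.0,
    "run_key_persistence": 2.0,
    "exec_from_temp": 1.5,
    "new_scheduled_task": 1.0,
}


def parse_event(line):
    """Parse one archived line into a dict with parsed timestamp plus key=value fields."""
    ts, host, etype, rest = line.split(" ", 3)
    event = {"ts": datetime.fromisoformat(ts), "host": host, "type": etype}
    for kv in rest.split(" "):
        key, _, value = kv.partition("=")
        event[key] = value
    return event


def retrospective_ioc_matches(events, ioc_hashes, now, lookback_days):
    """Narrow detection: exact hash hits within the archived lookback window."""
    horizon = now - timedelta(days=lookback_days)
    return [e for e in events if e["ts"] >= horizon and e.get("sha256") in ioc_hashes]


def technique_of(event):
    """Map a raw event onto one of the broad techniques, or None if it matches none."""
    if event["type"] == "service_install":
        return "new_service"
    if event["type"] == "registry_set" and event.get("key", "").endswith("\\Run"):
        return "run_key_persistence"
    if event["type"] == "scheduled_task":
        return "new_scheduled_task"
    if event["type"] == "process_start" and "\\Temp\\" in event.get("path", ""):
        return "exec_from_temp"
    return None


def host_risk_scores(events):
    """Broad detection: per-host score, each technique weighted by its rarity across hosts.

    rarity = (number of hosts) / (hosts exhibiting the technique), so behaviour common to
    the whole environment contributes little and unusual behaviour contributes a lot.
    Returns a list of (host, score) sorted from highest to lowest risk.
    """
    hosts = {e["host"] for e in events}
    techniques_by_host = defaultdict(set)
    for e in events:
        technique = technique_of(e)
        if technique:
            techniques_by_host[e["host"]].add(technique)
    prevalence = Counter(t for techs in techniques_by_host.values() for t in techs)
    scores = []
    for host in hosts:
        score = 0.0
        for technique in techniques_by_host.get(host, ()):
            rarity = len(hosts) / prevalence[technique]
            score += WEIGHTS[technique] * rarity
        scores.append((host, round(score, 2)))
    return sorted(scores, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    events = [parse_event(line) for line in ARCHIVE]
    now = datetime(2024, 3, 31)
    # A 90-day horizon still finds the known hash; a 10-day horizon has already lost it.
    print("IoC hits, 90-day lookback:", [e["host"] for e in retrospective_ioc_matches(events, IOC_HASHES, now, 90)])
    print("IoC hits, 10-day lookback:", [e["host"] for e in retrospective_ioc_matches(events, IOC_HASHES, now, 10)])
    # The rebuilt binary on ws-02 never matches the feed, yet its behaviour ranks it near the top.
    print("Behavioural ranking:", host_risk_scores(events))
```

With the constructed archive, the hash feed finds the first intrusion only while the lookback horizon still covers it, and never finds the second one because the binary was rebuilt; the behavioural ranking places both compromised hosts far above the hosts whose only activity is the environment-wide scheduled task.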

In future posts we will examine Ziften endpoint threat analysis in more detail, as well as the crucial relationship between endpoint security and endpoint management. “You cannot protect what you don’t manage, you cannot manage what you do not measure, you cannot measure what you do not track.” Organizations get breached because they have less oversight and control of their endpoint environment than the attackers have. Watch for future posts…