Failsafe Endpoint Monitoring Is Not Possible With Narrow Indicators Of Compromise – Chuck Leaver

Presented By Charles Leaver And Written By Dr Al Hartmann Of Ziften Inc.


The Breadth Of The Indication – Broad Versus Narrow

A detailed report of a cyber attack will usually include indicators of compromise (IoCs). Typically these are narrow in scope, referencing a specific attack group as observed in a specific attack on one enterprise over a limited period. Such narrow indicators are specific artifacts of an observed attack that may constitute proof of compromise on their own. For that particular attack they offer high specificity, but often at the cost of low sensitivity to similar attacks that use different artifacts.

Because narrow indicators cover so little ground, they exist by the billions in ever-growing databases of malware signatures, suspicious network addresses, malicious registry keys, file and packet content snippets, file paths, intrusion detection rules and so on. The Ziften continuous endpoint monitoring service aggregates several of these third-party databases and threat feeds into the Ziften Knowledge Cloud to take advantage of known-artifact detection. These detection elements can be applied both in real time and retrospectively. Retrospective application matters because these artifacts are short-lived: attackers continuously re-obfuscate their attack tooling precisely to defeat this narrow IoC detection approach. This is why a continuous monitoring service must archive monitoring results for a long period (long relative to industry-reported attacker dwell times), to provide a sufficient lookback horizon.

Narrow IoCs have substantial detection value, but they are largely ineffective at detecting new attacks by proficient adversaries. New attack code can be pre-tested in a lab against common enterprise security products to confirm that no detectable artifacts are reused. Security solutions that operate purely as black/white classifiers, delivering an explicit verdict of malicious or benign, suffer from this weakness and are easily evaded. The targeted organization is likely to be thoroughly compromised for months or years before any detectable artifacts for that particular attack instance are identified (after extensive investigation).

In contrast to the ease with which attack artifacts can be obscured by common attacker toolkits, the characteristic techniques and tactics, the modus operandi, used by attackers have persisted over many years. Common techniques such as weaponized websites and documents, new service installation, vulnerability exploitation, module injection, modification of sensitive folders and registry areas, new scheduled tasks, memory and drive corruption, credential compromise, malicious scripting and many others are broadly shared. Proper use of system logging and monitoring can detect much of this characteristic attack activity when it is combined with security analytics that focus attention on the highest-risk observations. This removes the attacker's opportunity to pre-test the evasiveness of malicious code, because risk is not quantified as black or white but as nuanced shades of gray. In particular, all endpoint risk is variable and relative, across any network/user environment and time period, and that environment (and its temporal characteristics) cannot be replicated in a laboratory. The fundamental attacker concealment methodology is foiled.
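As an added illustration of the two preceding points (this is example code written for this page, not Ziften's software; every host name, hash, path, registry key and weight is constructed), the Python below contrasts a retrospective sweep of narrow IoCs over an archived telemetry set, whose outcome depends on the lookback horizon, with a relative, fleet-wide scoring of technique-level events (service installation, Run-key changes, scripting, module injection) that surfaces the same modus operandi even after the tooling has been rebuilt with fresh artifacts.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed endpoint telemetry archive (sample data for this example, not
# real monitoring output). Each record is one observed event on one host.
BASE = datetime(2015, 3, 1)
NOW = BASE + timedelta(days=100)          # when the retrospective sweep runs


def _ev(day, host, kind, **fields):
    return {"ts": BASE + timedelta(days=day), "host": host, "type": kind, **fields}


ARCHIVE = [
    # routine activity across the fleet
    _ev(0, "ws-01", "process_start", path=r"C:\Windows\System32\svchost.exe", sha256="hash-benign-a"),
    _ev(0, "ws-02", "process_start", path=r"C:\Windows\System32\svchost.exe", sha256="hash-benign-a"),
    _ev(10, "ws-02", "script_executed", interpreter="powershell.exe"),
    _ev(40, "ws-01", "service_installed", name="PrintHelperSvc"),
    # intrusion on ws-03 using tooling that a later public report describes
    _ev(5, "ws-03", "process_start", path=r"C:\Users\Public\svchost.exe", sha256="hash-iocreport-1"),
    _ev(5, "ws-03", "service_installed", name="UpdSvc"),
    _ev(6, "ws-03", "run_key_modified", key=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd"),
    _ev(6, "ws-03", "script_executed", interpreter="powershell.exe"),
    _ev(7, "ws-03", "module_injected", target="explorer.exe"),
    # same modus operandi on ws-04 with rebuilt tooling: new hash, new path
    _ev(90, "ws-04", "process_start", path=r"C:\ProgramData\Intel\ighelper.exe", sha256="hash-rebuilt-2"),
    _ev(90, "ws-04", "service_installed", name="SysHelper"),
    _ev(91, "ws-04", "run_key_modified", key=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\igh"),
    _ev(91, "ws-04", "script_executed", interpreter="powershell.exe"),
    _ev(92, "ws-04", "module_injected", target="explorer.exe"),
]

# Narrow IoCs as a report would publish them (hypothetical values).
NARROW_IOCS = {
    "sha256": {"hash-iocreport-1"},
    "path": {r"c:\users\public\svchost.exe"},   # compared case-insensitively
}


def match_narrow_iocs(archive, iocs, now, lookback_days):
    """Retrospectively apply narrow IoCs to every archived event inside the
    lookback horizon. Returns {host: [(indicator_type, value), ...]}."""
    horizon = now - timedelta(days=lookback_days)
    hits = defaultdict(list)
    for ev in archive:
        if not horizon <= ev["ts"] <= now:
            continue
        if ev.get("sha256") in iocs["sha256"]:
            hits[ev["host"]].append(("sha256", ev["sha256"]))
        if ev.get("path", "").lower() in iocs["path"]:
            hits[ev["host"]].append(("path", ev["path"]))
    return dict(hits)


# Technique-level event types and their weights (hypothetical values).
TECHNIQUE_WEIGHTS = {
    "service_installed": 3.0,
    "run_key_modified": 2.0,
    "script_executed": 1.0,
    "module_injected": 4.0,
}


def score_hosts(archive, weights):
    """Relative risk scoring: each host's count of a technique is compared with
    the fleet-wide mean, so identical activity scores differently in different
    environments and a fixed threshold cannot be tuned against in a lab."""
    hosts = {ev["host"] for ev in archive}
    counts = {h: defaultdict(int) for h in hosts}
    for ev in archive:
        if ev["type"] in weights:
            counts[ev["host"]][ev["type"]] += 1
    fleet_mean = {t: sum(counts[h][t] for h in hosts) / len(hosts) for t in weights}
    return {
        h: sum(w * max(0.0, counts[h][t] - fleet_mean[t]) for t, w in weights.items())
        for h in hosts
    }


def rank_hosts(scores):
    """Hosts ordered from highest to lowest risk (host name breaks ties)."""
    return [h for h, _ in sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))]


if __name__ == "__main__":
    for days in (30, 120):
        print(f"IoC sweep, {days}-day lookback:", match_narrow_iocs(ARCHIVE, NARROW_IOCS, NOW, days))
    scores = score_hosts(ARCHIVE, TECHNIQUE_WEIGHTS)
    for h in rank_hosts(scores):
        print(f"{h}: behavioural risk {scores[h]:.2f}")
```

With a 30-day lookback the sweep finds nothing, because the only host carrying the reported hash and path was compromised 95 days earlier; a 120-day archive surfaces it. The behavioural scoring ranks ws-04 level with ws-03 even though none of ws-04's artifacts appear in any indicator set, which is the point of monitoring techniques rather than artifacts. The fleet-relative baseline is deliberately simple; a production analytics layer would use per-environment history and time windows rather than a flat mean.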

In future posts we will examine Ziften endpoint threat analysis in greater detail, as well as the important relationship between endpoint security and endpoint management. “You cannot protect what you don’t manage, you can’t manage what you do not measure, you cannot measure what you don’t track.” Organizations get breached because they have less oversight and control of their endpoint environment than the attackers have. Look out for future posts…
