Written By Dr Al Hartmann And Presented By Ziften CEO Chuck Leaver
Traditional security software is unlikely to spot attacks that are targeted at a specific company. The attack code will most likely be remixed to evade known malware signatures, while fresh command and control infrastructure will be stood up to evade blacklisted network contacts. Defending against these fresh, targeted attacks requires defenders to identify more generic attack attributes than can be found in endless lists of known Indicators of Compromise (IoCs) from previously analyzed attacks.
Unless you have a time machine to obtain IoCs from the future, known IoCs will not help with new attacks. For that, you need to be alert to suspicious behaviors of users or endpoints that could be a sign of ongoing attack activity. These suspicion-arousing behaviors will not be as definitive as a malware signature match or IP blacklist hit, so they will need expert triage to confirm. Insisting upon conviction certainty before raising alerts means that fresh attacks will effectively evade your automated defenses. It would be equivalent to a parent disregarding suspicious kid behavior without question until they get a call from the cops. You do not want that call from the FBI telling you that your enterprise has been breached, when timely analyst focus on suspicious behaviors would have provided early detection.
Security analytics of observed user and endpoint behavior seeks to recognize characteristics of possible attack activity. Here we highlight a few of those suspect behaviors by way of general description. These suspect behaviors work as cyber attack tripwires, alerting defenders to potential attacks in progress.
Anomalous Login Activity
Users and organizational systems display learnable login activity patterns that can be evaluated for anomalous departures. Anomalies can be either spatial, i.e. anomalous with respect to peers, or temporal, i.e. anomalous with respect to that user's or endpoint's earlier login pattern. Remote logins can be analyzed for remote IP address and geolocation, and login entropy can be measured and compared. Non-administrative users logging into several systems can be observed and reported, since that departs from expected patterns.
Anomalous Work Routines
Working outside normal work hours or outside recognized patterns of work activity can be suspect, indicating insider threat activity or compromised credentials. Once again, anomalies might be either spatial or temporal in nature. The active process mix of a workload can also be examined for adherence to established workgroup activity patterns. Workloads might vary a bit, but tend to be reasonably consistent across engineering departments, accounting departments, marketing departments, etc. Workload activity patterns can be machine learned and statistical divergence tests applied to identify behavioral anomalies.
Anomalous Application Attributes
Typical applications exhibit relatively consistent attributes in their image metadata and in their active process profiles. Significant departures from these observed norms can be a sign of application compromise, such as code injection. Whitelisted applications might be used by malware scripts in unusual ways, such as ransomware using system tools to remove volume shadow copies to hinder recovery, or malware staging stolen data to disk prior to exfiltration, with substantial disk resource demand.
Anomalous Network Activity
Common applications exhibit fairly consistent network activity patterns that can be learned and recognized. Unusual levels of network activity by unusual applications are suspect on that basis alone, as is uncommon port activity or port scanning. Network activity at unusual times, with uncommon regularity (possibly beaconing), or with unusual resource demand is also worthy of attention. Unattended network activity (user not present) should always have a plausible explanation or be reported, especially if observed in considerable volume.
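The beaconing tripwire described above, as an added example that is not part of the original post: it runs over a constructed set of per-process connection records (the log format, process names, addresses and thresholds are all assumptions) and flags any process-to-destination series whose connection intervals are nearly constant, which is the regularity that distinguishes a beacon from ordinary user-driven traffic.

```python
"""Beaconing tripwire: flag process-to-destination connection series whose
inter-connection intervals are unusually regular (constructed example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed endpoint connection records: "timestamp process dest:port".
# svc_upd.exe connects every ~300 s; outlook.exe connects irregularly.
SAMPLE_LOG = """\
2024-03-01T09:00:00 outlook.exe 203.0.113.10:443
2024-03-01T09:00:00 svc_upd.exe 198.51.100.7:8443
2024-03-01T09:05:01 svc_upd.exe 198.51.100.7:8443
2024-03-01T09:10:00 svc_upd.exe 198.51.100.7:8443
2024-03-01T09:14:59 svc_upd.exe 198.51.100.7:8443
2024-03-01T09:20:00 svc_upd.exe 198.51.100.7:8443
2024-03-01T09:25:01 svc_upd.exe 198.51.100.7:8443
2024-03-01T09:03:12 outlook.exe 203.0.113.10:443
2024-03-01T09:11:40 outlook.exe 203.0.113.10:443
2024-03-01T09:12:05 outlook.exe 203.0.113.10:443
2024-03-01T09:31:50 outlook.exe 203.0.113.10:443
2024-03-01T09:58:03 outlook.exe 203.0.113.10:443
"""

def parse(log):
    """Group connection timestamps by (process, destination)."""
    series = defaultdict(list)
    for line in log.splitlines():
        ts, proc, dest = line.split()
        series[(proc, dest)].append(datetime.fromisoformat(ts))
    return series

def regularity(timestamps):
    """Return (mean gap in seconds, coefficient of variation), or None if too few samples."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 4:
        return None
    m = mean(gaps)
    return m, (pstdev(gaps) / m if m else 0.0)

def find_beacons(log, min_connections=5, max_cv=0.1):
    """Flag (process, dest) pairs with enough connections and near-constant gaps.
    max_cv is an assumed tuning threshold; a low CV means a steady interval."""
    hits = {}
    for key, stamps in parse(log).items():
        stats = regularity(stamps)
        if stats and len(stamps) >= min_connections and stats[1] <= max_cv:
            hits[key] = {"mean_interval_s": round(stats[0], 1), "cv": round(stats[1], 4)}
    return hits

if __name__ == "__main__":
    for (proc, dest), s in find_beacons(SAMPLE_LOG).items():
        print(f"possible beacon: {proc} -> {dest} every ~{s['mean_interval_s']}s (cv={s['cv']})")
```

Jittered beacons raise the coefficient of variation, so in practice the threshold is tuned per environment and combined with the other signals above (unusual application, unattended activity, volume) rather than used alone.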
Anomalous System Fault Behavior
Anomalous fault behavior could be a sign of a vulnerable or exposed system, or of malware repeatedly retrying some failed operation. This could be observed as applications crashing or hanging, as service failures, or as system crashes. Compliance faults are likewise worth noting, such as not running mandated security or backup agents, or constant faulting by those agents (leading to a fault-restart-fault cycle).
When evaluating Endpoint Detection and Response solutions, do not take false comfort in a big library of known IoCs. The most reliable solutions will cover these five generic attack attributes plus a great deal more.