You Need To Look For These 5 Top User Endpoint Activities – Charles Leaver

October 1, 2015

Written By Dr Al Hartmann And Presented By Ziften CEO Charles Leaver

Traditional security software is unlikely to detect attacks that are targeted at a specific company. The attack code will most likely be remixed to evade known malware signatures, while fresh command-and-control infrastructure will be stood up to evade blacklisted network contacts. Defending against these fresh, targeted attacks requires defenders to spot more generic attack characteristics than can be found in endless lists of known Indicators of Compromise (IoCs) from previously analyzed attacks.

Unless you have a time machine to recover IoCs from the future, known IoCs won’t help with new attacks. For that, you need to watch for suspicious behaviors of users or endpoints that could be indicative of ongoing attack activity. These suspicion-arousing behaviors won’t be as conclusive as a malware signature match or IP blacklist hit, so they will need expert triage to validate. Insisting on certainty of conviction before raising alerts means that fresh attacks will successfully evade your automated defenses. It would be equivalent to a parent ignoring suspicious child behavior without question until they receive a call from the authorities. You don’t want that call from the FBI telling you that your business has been breached when due expert attention to suspicious behaviors would have provided early detection.

Security analytics of observed user and endpoint behaviors seeks to identify attributes of potential attack activity. Here we highlight some of those suspect behaviors by way of general description. These suspect behaviors function as cyber attack tripwires, alerting defenders to potential attacks in progress.

Anomalous Login Activity

Users and organizational units exhibit learnable login activity patterns that can be examined for anomalous departures. Anomalies can be either spatial, i.e. anomalous with respect to peers, or temporal, i.e. anomalous with respect to that user/endpoint’s earlier login pattern. Remote logins can be analyzed for remote IP address and geolocation, and login entropy can be determined and compared. Non-administrative users logging into several systems can be observed and reported, as it differs from expected patterns.
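The spatial and temporal comparison described above can be sketched as follows. This is an added example, not code from the original article: the host names, user names, login data and the z-score threshold of 3 are all constructed assumptions, and entropy over the set of destination hosts is one possible reading of "login entropy".

```python
import math
from collections import Counter
from statistics import mean, pstdev

def login_entropy(hosts):
    """Shannon entropy (bits) of the hosts one user logged into in a window."""
    counts = Counter(hosts)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())

def zscore(value, baseline):
    """Standard score of `value` against a baseline sample."""
    mu, sigma = mean(baseline), pstdev(baseline)
    if sigma == 0:
        return 0.0 if value == mu else math.copysign(math.inf, value - mu)
    return (value - mu) / sigma

def assess(user, today, history, threshold=3.0):
    """Return which baselines today's logins for `user` depart from."""
    h = login_entropy(today[user])
    reasons = []
    # Temporal: compare with the same user's earlier daily entropies.
    if zscore(h, [login_entropy(day) for day in history[user]]) > threshold:
        reasons.append("temporal")
    # Spatial: compare with peers in the same organizational unit, same day.
    peers = [login_entropy(v) for u, v in today.items() if u != user]
    if zscore(h, peers) > threshold:
        reasons.append("spatial")
    return reasons

# Constructed sample data: non-admin users in one organizational unit.
HISTORY = {
    "alice": [["ws-a", "ws-a", "file01"], ["ws-a", "file01"],
              ["ws-a", "ws-a", "ws-a", "file01"]],
    "bob": [["ws-b", "file01"], ["ws-b", "ws-b", "file01"],
            ["ws-b", "file01", "file01"]],
}
TODAY = {
    "alice": ["ws-a", "file01", "db01", "db02", "hr01", "web01", "dc01", "bk01"],
    "bob": ["ws-b", "file01"],
    "carol": ["ws-c", "ws-c", "file01"],
    "dave": ["ws-d", "mail01", "file01"],
}

if __name__ == "__main__":
    for name in ("alice", "bob"):
        print(name, assess(name, TODAY, HISTORY))
```

A hit on both baselines is still only a tripwire for triage: a help-desk rotation or a migration day produces the same signal.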

Anomalous Work Routines

Working outside typical work hours or outside recognized patterns of work activity can be suspect or indicative of insider threat activity or compromised credentials. Again, anomalies may be either spatial or temporal in nature. The mix of active work processes can likewise be analyzed for adherence to established workgroup activity patterns. Workloads may vary somewhat, but tend to be fairly constant across engineering departments, accounting departments, marketing departments, etc. Work activity patterns can be machine learned and statistical divergence tests applied to spot behavioral anomalies.
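One way to apply a divergence test to the workgroup process mix, as an added example that is not from the original article. The article does not name a divergence measure; Jensen-Shannon divergence is chosen here as an assumption, and the process names, counts and the 0.3 threshold are constructed for illustration.

```python
import math
from collections import Counter

def distribution(events, vocab):
    """Relative frequency of each process name in `vocab` among `events`."""
    counts = Counter(events)
    total = sum(counts[p] for p in vocab) or 1
    return [counts[p] / total for p in vocab]

def js_divergence(p, q):
    """Jensen-Shannon divergence in bits: 0 = identical mixes, 1 = disjoint."""
    m = [(a + b) / 2 for a, b in zip(p, q)]

    def kl(x, y):
        return sum(a * math.log2(a / b) for a, b in zip(x, y) if a > 0)

    return (kl(p, m) + kl(q, m)) / 2

def divergent_users(group_events, threshold=0.3):
    """Users whose process mix diverges from the rest of their workgroup."""
    vocab = sorted({proc for ev in group_events.values() for proc in ev})
    flagged = {}
    for user, events in group_events.items():
        # Baseline is the pooled activity of everyone else (leave-one-out).
        rest = [p for u, ev in group_events.items() if u != user for p in ev]
        d = js_divergence(distribution(events, vocab),
                          distribution(rest, vocab))
        if d > threshold:
            flagged[user] = round(d, 3)
    return flagged

# Constructed sample: process launches observed for an accounting workgroup.
ACCOUNTING = {
    "ann": ["excel.exe"] * 6 + ["outlook.exe"] * 3 + ["chrome.exe"],
    "ben": ["excel.exe"] * 5 + ["outlook.exe"] * 4 + ["chrome.exe"],
    "cat": ["excel.exe"] * 6 + ["outlook.exe"] * 2 + ["chrome.exe"] * 2,
    "dan": ["powershell.exe"] * 5 + ["net.exe"] * 3
           + ["excel.exe", "outlook.exe"],
}

if __name__ == "__main__":
    print(divergent_users(ACCOUNTING))
```

In a small group the outlier also contaminates everyone else's baseline, so the threshold has to be tuned per workgroup size.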

Anomalous Application Characteristics

Common applications display relatively constant attributes in their image metadata and in their active process profiles. Significant departures from these observed activity norms can be indicative of application compromise, such as code injection. Whitelisted applications may be used by malware scripts in unusual ways, such as ransomware using system tools to delete volume shadow copies to stymie recovery, or malware staging stolen data to disk, prior to exfiltration, with significant disk resource demand.

Anomalous Network Activity

Common applications exhibit relatively consistent network activity patterns that can be learned and defined. Unusual levels of network activity by unusual applications are suspect for that reason alone, as is unusual port activity or port scanning. Network activity at unusual times, with unusual regularity (possibly beaconing) or with unusual resource demand is likewise worthy of attention. Unattended network activity (user not present) should always have a plausible explanation or be reported, particularly if observed in significant volume.
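The regularity check for possible beaconing, combined with the user-not-present signal, can be sketched like this. It is an added example, not from the original article: the connection records, process names, documentation-range IP addresses and the thresholds (at least 6 events, coefficient of variation of at most 0.1) are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

def beacon_candidates(conns, min_events=6, max_cv=0.1):
    """Flag (process, destination) pairs with unusually regular spacing.

    conns: iterable of (epoch_seconds, process, destination, user_present).
    Returns {(process, destination): {"period", "cv", "unattended"}}.
    """
    series = defaultdict(list)
    for ts, proc, dest, present in conns:
        series[(proc, dest)].append((ts, present))
    out = {}
    for key, events in series.items():
        if len(events) < min_events:
            continue  # too few samples to judge regularity
        events.sort()
        times = [t for t, _ in events]
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue
        # Coefficient of variation: spread of the gaps relative to their mean.
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            absent = sum(1 for _, present in events if not present)
            out[key] = {"period": round(avg), "cv": round(cv, 3),
                        "unattended": absent / len(events)}
    return out

# Constructed sample: one near-periodic talker and one bursty browser.
BEACON = [0, 301, 598, 902, 1199, 1503, 1800, 2098]
BROWSE = [10, 25, 400, 410, 1500, 1530, 2900]
CONNS = (
    [(t, "updater.exe", "203.0.113.10", i < 2) for i, t in enumerate(BEACON)]
    + [(t, "chrome.exe", "198.51.100.7", True) for t in BROWSE]
)

if __name__ == "__main__":
    for pair, stats in beacon_candidates(CONNS).items():
        print(pair, stats)
```

Legitimate pollers such as update checkers are just as regular, so a hit needs the "plausible explanation" test from the paragraph above before it is escalated.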

Anomalous System Fault Behavior

Anomalous fault behavior could be indicative of a vulnerable or exposed system, or of malware that is repeatedly reattempting some failing operation. This could be observed as applications crashing or hanging, as service failures, or as system crashes. Compliance faults are also worth noting, such as not running mandated security or backup agents, or constant faulting by those agents (leading to a fault-restart-fault cycle).

When looking for Endpoint Detection and Response solutions, do not become complacent even if you have a large library of known IoCs. The most effective solutions will cover these top five generic attack attributes plus a great deal more.

 
