Written By Dr Al Hartmann And Presented By Ziften CEO Chuck Leaver
Traditional security software applications are unlikely to spot attacks that are targeted to a particular organization. The attack code will most likely be remixed to evade known malware signatures, while fresh command and control infrastructure will be stood up to avert recognized blacklisted network contacts. Resisting these fresh, specific attacks requires protectors to identify more generic attack attributes than can be discovered in unlimited lists of known Indicators of Compromise (IoC’s) from formerly evaluated attacks.
Unless you have a time device to retrieve IoC’s from the future, known IoC’s won’t help with new attacks. For that, you have to be alert to suspicious habits of users or endpoints that could be a sign of ongoing attack activity. These suspicion-arousing behaviors won’t be as definitive as a malware signature match or IP blacklist hit, so they will require expert triage to confirm. Insisting upon conviction certainty prior to raising alerts suggests that new attacks will successfully evade your automatic defenses. It would be equivalent to a mom or dad overlooking suspicious child behavior without question till they get a call from the cops. You don’t desire that call from the FBI that your enterprise has been breached when due analyst focus on suspect habits would have supplied early detection.
Security analytics of observed user and endpoint behaviors looks to recognize characteristics of possible attack activity. Here we highlight some of those suspect behaviors by way of general description. These suspect behaviors work as cyber attack tripwires, signaling protectors to prospective attacks in progress.
Anomalous Login Activity
Users and organizational units display learnable login activity patterns that can be evaluated for anomalous departures. Abnormalities can be either spatial, i.e. anomalous with respect to peers, or temporal, i.e. anomalous with respect to that user/endpoint’s earlier login pattern. Remote logins can be examined for remote IP address and geolocation, and login entropy can be determined and compared. Non-administrative users logging into numerous systems can be observed and reported, as it differs from anticipated patterns.
Anomalous Work Habits
Working outside typical work hours or outside established patterns of work activity can be suspicious or a sign of insider threat activity or jeopardized credentials. Again, abnormalities might be either spatial or temporal in nature. The workload active procedure mix can likewise be analyzed for adherence to established workgroup activity patterns. Workloads may vary a bit, but have the tendency to be relatively consistent across engineering departments or accounting departments or marketing departments, and so on. Workload activity patterns can be machine learned and analytical divergence tests applied to identify behavioral abnormalities.
Anomalous Application Characteristics
Typical applications display fairly consistent characteristics in their image metadata and in their active procedure profiles. Significant departures from these observed activity standards can be indicative of application compromise, such as code injection. Whitelisted applications might be used by malware scripts in unlikely methods, such as ransomware utilizing system tools to remove volume shadow copies to stymie healing, or malware staging thieved data to disk, prior to exfiltration, with significant disk resource need.
Anomalous Network Activity
Typical applications exhibit reasonably consistent network activity patterns that can be learned and defined. Uncommon levels of network activity by uncommon applications are suspect because of that alone, as is unusual port activity or port scanning. Network activity at unusual times or with uncommon regularity (possibly beaconing) or unusual resource demand are likewise worthwhile of attention. Ignored network activity (user not present) need to always have a plausible description or be reported, specifically if observed in significant volume.
Anomalous System Fault Habits
Anomalous fault habits could be indicative of a vulnerable or revealed system or of malware that is consistently reattempting some failed operation. This could be observed as applications crashing or hanging, as service failures, or as system crashes. Compliance faults are also worth keeping in mind, such as not running mandated security or backup agents, or constant faulting by those agents (resulting in a fault-restart-fault cycle).
When searching for Endpoint Detection and Response services, don’t have a false sense of security even if you have a big library of known IOCs. The most effective services will cover these leading 5 generic attack qualities plus a lot more.