Reliable Endpoint Monitoring Is Not Possible With Narrow Indicators Of Compromise – Chuck Leaver

Presented By Chuck Leaver And Written By Dr Al Hartmann Of Ziften Inc.

 

The Breadth Of The Indicator – Broad Versus Narrow

A thorough report of a cyber attack will normally supply information of indicators of compromise. Frequently these are narrow in their scope, referencing a specific attack group as viewed in a specific attack on an organization for a restricted amount of time. Typically these slim indicators are specific artifacts of an observed attack that could constitute specific evidence of compromise on their own. For the particular attack it means that they have high uniqueness, however frequently at the cost of low sensitivity to similar attacks with various artifacts.

Essentially, narrow indicators offer really minimal scope, and it is the factor that they exist by the billions in enormous databases that are continually expanding of malware signatures, network addresses that are suspicious, harmful registry keys, file and packet content snippets, filepaths and invasion detection guidelines and so on. The continuous endpoint monitoring system provided by Ziften aggregates some of these third party databases and risk feeds into the Ziften Knowledge Cloud, to take advantage of understood artifact detection. These detection elements can be used in real time in addition to retrospectively. Retrospective application is essential given the short-term qualities of these artifacts as hackers continually render obscure the info about their cyber attacks to annoy this slim IoC detection approach. This is the reason that a continuous monitoring service should archive monitoring results for a long period of time (in relation to industry reported normal hacker dwell times), to provide an enough lookback horizon.

Slim IoC’s have substantial detection worth however they are largely inefficient in the detection of new cyber attacks by proficient hackers. New attack code can be pre tested against typical business security solutions in laboratory environments to confirm non-reuse of artifacts that are noticeable. Security products that operate simply as black/white classifiers experience this weak point, i.e. by offering an explicit determination of destructive or benign. This method is very easily averted. The defended company is likely to be completely hacked for months or years before any detectable artifacts can be recognized (after extensive examination) for the specific attack instance.

In contrast to the convenience with which cyber attack artifacts can be obscured by typical hacker toolkits, the particular methods and strategies – the modus operandi – used by hackers have actually endured over numerous decades. Common methods such as weaponized websites and docs, brand-new service setup, vulnerability exploitation, module injection, delicate folder and pc registry area adjustment, new set up tasks, memory and drive corruption, credentials compromise, harmful scripting and many others are broadly typical. The proper usage of system logging and monitoring can detect a great deal of this characteristic attack activity, when appropriately combined with security analytics to concentrate on the highest hazard observations. This entirely removes the chance for hackers to pre test the evasiveness of their destructive code, considering that the quantification of threats is not black and white, however nuanced shades of gray. In particular, all endpoint risk is varying and relative, across any network/ user environment and period of time, and that environment (and its temporal dynamics) can not be replicated in any laboratory environment. The basic hacker concealment methodology is foiled.

In future posts we will analyze Ziften endpoint risk analysis in more detail, along with the important relationship between endpoint security and endpoint management. “You can’t protect what you do not manage, you can’t manage what you do not measure, you can’t measure what you do not track.” Organizations get breached due to the fact that they have less oversight and control of their endpoint environment than the cyber attackers have. Look out for future posts…

Leave a Reply

Your email address will not be published. Required fields are marked *