In this security insight brief, 21CT researchers look at the malicious network behaviors that concern organizations the most, and how to use security analytics to find them before damage is done. Understanding these 12 indicators of compromise is critical to identifying a network breach.
Insight Brief: Security Analytics to Identify the 12 Indicators of Compromise
1. THE 12 INDICATORS OF COMPROMISE
12 Indicators of Compromise
Human Behavior
• Alert Visibility
• Return on Intelligence
• Social Engineering
Machine Behavior
• Autonomous System Behavior
• Policy Violations
• Botnet C&C Traffic
Volumetric Behavior
• DDoS Noise Reduction
• Unusual Inbound Traffic
• Unusual Outbound Traffic
Anomalous Behavior
• Geographic Anomalies
• Protocol Anomalies
• Long-Term Trending
Using security analytics to identify patterns of network behaviors that indicate an active network attack
As a security analyst, much of your day-to-day operational work involves tracking perimeter defense alerts, responding to end-point alerts, and running down user reports of suspicious activity. While these tasks are important, you know that there’s probably malicious activity on your network beyond the alerts. So how do you find it?
Perimeter defense tools identify the identifiable—events they are already aware of and looking for—but these known-knowns are not the whole story. There are unknown-unknowns that perimeter defenses miss that you must find to fully secure your network. Security analytics can guide you directly to the malicious behavior you knew existed, but could never see.
Security analytics fuse disparate network data, from IPS/IDS alerts and malware notifications to flow and application metadata, to identify patterns of behavior that are indicative of network compromise. They quickly and (in many cases) automatically identify and classify these malicious behaviors so that you can move fast to remediate infected and misconfigured systems or thwart an ongoing attack missed by the perimeter.
In this paper we look at the four categories of malicious behavior that concern organizations the most. It is important to understand these behaviors, what they are, and why they are dangerous. When the presence of any of these behaviors becomes evident using security analytics, they become Indicators of Compromise (IOCs), a topic discussed throughout the industry, including in Dark Reading. Understanding these 12 IOCs is critical to identifying network breaches.
In the first half of 2014, the security researchers at 21CT will release analytics that you can use to both identify these 12 Indicators of Compromise before they damage your business and, in some cases, prevent the compromise from happening. We will highlight newly published IOCs in our monthly newsletter with links to learn more about the IOCs as well as download the analytics.
The 12 Indicators of Compromise
Human Behavior
Human behavior as used here includes known-known and social engineering behaviors. The known-knowns provide context and visualization around perimeter defense alerts and threat feed blacklists, while social engineering IOCs identify patterns of behavior that deviate from human norms, indicating potential points of exploitation.
Alert Visibility
Why Alert Visibility?
The context surrounding an alert (alert visibility) is important information that security organizations need for a more complete understanding of the activity on their networks. What happened immediately before and after the alerted event? What hosts were the affected systems talking to? What was taken? Security analytics help you find answers to these kinds of questions.
Increasing Alert Visibility Using Security Analytics
An alert from your anti-malware device that a host on your network has communicated with a new botnet command and control server identifies a known bad host on your network, and you can open a ticket to remediate that host. As a security analyst, you need to remediate that host, but you also want to know whether the alert indicates a larger infiltration than just the one host. How was the host infected? How long has it been infected? Who communicated internally with the now infected host? Was it a file download? Using security analytics, you can get answers to these questions for a fuller understanding of the scope of the attack so you can mitigate all affected systems. Security analytics do this by fusing secondary data sources from devices such as next-generation firewalls or application metadata sensors with other network data to transform alerts into indicators of compromise, intelligence that leads to faster and more complete mitigation of a compromise.
Using security analytics you can:
• Accelerate mitigation of a compromise by extending your perimeter defense to find missed breaches
• Increase operational insight by identifying patterns of previously hidden malicious behaviors
• Avoid catastrophic damage to your network by quickly identifying suspicious behavior and accelerating your investigation and mitigation
• Enable faster, easier, and more repeatable investigations by transforming your experience and creativity into executable analytics
• Sigh with relief when you discover your network is more secure
Figure 1: Visualization of the context surrounding an alert
Return on Intelligence
Why Return on Intelligence?
Most security organizations subscribe to various threat feeds that deliver monthly, weekly, or even daily updates on known bad domains, IP addresses, MD5 sums, or email addresses. These threat feeds are a potentially rich source of intelligence, but gaining operational value from them is often difficult and time-consuming. Their varying formats are not easily manipulated or searchable, and you can’t scan through them and quickly understand what is important to you and your organization. With security analytics you can leverage the full benefit of this powerful intelligence to gain visibility into the unknown-unknowns.
Enhancing Return on Intelligence Using Security Analytics
One way to utilize the information in threat feeds would be to take a text dump of NetFlow records and write a shell script to grep the text file for blacklisted IPs that have been communicated with. Another way would be to grep Bro sensor logs for the MD5s that come in from a threat feed. However, with attackers continually changing IP addresses, even if you can utilize the information in the threat feed, you still won’t discover additional instances of an attack from IP addresses not yet known to be bad. Security analytics provide the context you need to truly understand the behavior of your network. With security analytics and threat feeds you can:
• Identify connections between internal hosts and known bad external IP addresses
• Identify additional hosts that downloaded the same file as those connecting to the known bad IP addresses
• Identify additional IP addresses now known to be bad
• Reduce time-to-detection and mitigation by utilizing the intelligence you care about in the threat feed
With an easy way to gain actionable intelligence from the threat feeds you already subscribe to, you significantly improve their value and can now enhance your security posture even more by subscribing to additional threat feeds.
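The three-step pivot listed above (feed hits, shared downloads, newly suspect IPs) as an added example; this is not code from the 21CT brief or its analytics, and the internal range, flow records, download records, feed entries and hashes are all constructed placeholders:

```python
# Constructed threat feed: two "known bad" external IPs (documentation ranges, not real indicators).
THREAT_FEED_IPS = {"203.0.113.9", "198.51.100.77"}

# Constructed NetFlow-style records: (src_ip, dst_ip, dst_port, bytes).
# 10.0.0.0/8 is assumed to be the internal network in this example.
FLOWS = [
    ("10.1.1.5", "203.0.113.9", 80, 4200),      # internal host talks to a feed IP
    ("10.1.1.5", "192.0.2.44", 443, 1800),
    ("10.1.1.8", "192.0.2.44", 443, 900),
    ("10.1.2.3", "192.0.2.10", 80, 7000),
    ("10.1.2.3", "198.51.100.77", 80, 4200),    # internal host talks to a feed IP
    ("10.1.3.7", "192.0.2.44", 443, 1500),
    ("10.1.3.7", "192.0.2.99", 80, 3100),       # destination never seen from a clean host
]

# Constructed file-download records (like a Bro files.log): (downloading_host, md5).
# The hashes are placeholders, not real samples.
DOWNLOADS = [
    ("10.1.1.5", "md5-placeholder-A"),
    ("10.1.2.3", "md5-placeholder-B"),
    ("10.1.3.7", "md5-placeholder-A"),   # same file as a host that hit the feed
    ("10.1.1.8", "md5-placeholder-C"),
]


def is_internal(ip):
    """Assumed internal range for this example."""
    return ip.startswith("10.")


def pivot_on_threat_feed(flows, downloads, feed_ips):
    """Feed hits -> files they downloaded -> other hosts with those files -> new suspect IPs."""
    # Step 1: internal hosts that connected to a feed-listed IP.
    feed_hits = {src for src, dst, _, _ in flows if dst in feed_ips}
    # Step 2: files those hosts downloaded, then every other host holding the same file.
    bad_md5s = {md5 for host, md5 in downloads if host in feed_hits}
    shared_hosts = {host for host, md5 in downloads
                    if md5 in bad_md5s and host not in feed_hits}
    # Step 3: external IPs the newly suspected hosts talked to. Destinations that
    # clean hosts also use are dropped so shared services are not flagged.
    clean_hosts = {src for src, _, _, _ in flows} - feed_hits - shared_hosts
    clean_dsts = {dst for src, dst, _, _ in flows if src in clean_hosts}
    new_suspect_ips = {dst for src, dst, _, _ in flows
                       if src in shared_hosts and not is_internal(dst)
                       and dst not in feed_ips and dst not in clean_dsts}
    return {"feed_hits": feed_hits, "bad_md5s": bad_md5s,
            "shared_hosts": shared_hosts, "new_suspect_ips": new_suspect_ips}


if __name__ == "__main__":
    for key, value in pivot_on_threat_feed(FLOWS, DOWNLOADS, THREAT_FEED_IPS).items():
        print(f"{key}: {sorted(value)}")
```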
Social Engineering
Why Social Engineering?
According to Verizon’s 2013 Data Breach Investigations Report, nearly a third of all breaches in 2012 involved social engineering. And because social engineering often uses common low-tech methods like emails and phone calls, these attacks can be some of the most difficult to protect against. Humans are naturally trusting of each other, especially when the appropriate context exists. That said, even social engineering leaves traces in your network that you can identify using security analytics.
Mitigating the Effects of Social Engineering Using Security Analytics
An employee receives a phone call from a malicious actor who warns of a computer compromise requiring immediate action in order to prevent catastrophe. While the phone call is in progress, at the direction of the caller, the employee visits a website that has never been accessed by anyone in the corporate network and downloads a malware-infected PDF with the pricing of the phantom services the scammer is trying to sell.
Since this phone call came into an office desk phone, you have access to the SIP logs and can see that the employee answered the phone call. That host has now been compromised. Using security analytics, you can identify a pattern of the attack: an incoming phone number (and related information such as geographic location), an MD5 sum of the PDF file, and the web domain where the download occurred. You can then use this pattern to search for similar activity elsewhere on the network. In seconds, you can identify the threat and take steps to mitigate it by setting up alerts, blocking domains and phone numbers, and—importantly—creating an alert to flag the MD5 sum even if the attacker changes phone numbers and domains. Furthermore, you can notify employees of the attack pattern to mitigate the front-end risk vector: the human. Using security analytics, you can quickly mitigate the effects of the breach and increase your defense against the same attack in the future... or sigh with relief when you discover that it was a one-off attempt.
Machine Behavior
Machine behavior encompasses all the network traffic and activity automatically generated by a computer beyond the user’s control, or that violates corporate policy, whether explicit or implied.
Autonomous System Behavior
Why Autonomous System Behavior?
In the Human Behavior category, we discussed network activity triggered by some explicit human action (by either the attacker or an unsuspecting employee). But computers also do things autonomously behind the scenes without explicit user interaction, such as email retrieval, instant messaging alerts, and OS updates. While autonomous system behavior is essential to a user’s normal day-to-day activity, it can also mask potentially malicious behavior. With security analytics you can quickly filter out normal autonomous system behavior to help you zero in on the abnormal behavior that may indicate a compromise, so remediation is quicker and more complete.
Identifying Autonomous System Behavior Using Security Analytics
When employees arrive at work and turn on their computers, a flurry of network connections flow from their machines as they download email and sign on to the corporate instant messaging server. A handful of HTTP requests may then go out as employees pull up their personal email or check industry news sites. They may also launch business applications like revision control repositories, financial applications, or other databases.
These applications normally exhibit predictable behavior. With web-based traffic, for example, most web pages are assembled from pages, images, and scripts of varying sizes. When a host issues HTTP requests to widely different domains but they’re all returning the same sized HTTP pages, for example, that’s a good indicator of suspicious behavior. A host issuing bursts of HTTP requests is also suspicious. Even more interesting for the security analyst is multiple autonomous system behaviors on a host within a short time. Combinations of indicators are a powerful window into malicious behavior. The graph pattern matching capabilities of security analytics help you identify these combinations of behaviors that are telltale indicators of compromise, helping you to gain operational insight into this previously hidden behavior on your network.
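The two HTTP indicators named above (one response size across many unrelated domains, and bursts of requests) and their combination, as an added example over constructed HTTP metadata records; this is not the brief's own analytic, and the thresholds are assumptions you would tune against your own baseline:

```python
from collections import defaultdict

# Constructed HTTP metadata records: (epoch_seconds, client, domain, response_bytes).
HTTP_RECORDS = [
    # 10.1.1.5: human browsing, a few domains, response sizes all over the place
    (1000, "10.1.1.5", "news.example", 48213),
    (1003, "10.1.1.5", "cdn.example", 9120),
    (1010, "10.1.1.5", "mail.example", 22048),
    (1400, "10.1.1.5", "news.example", 50311),
    # 10.1.2.9: six unrelated domains hit within 4 seconds, every reply exactly 512 bytes
    (2000, "10.1.2.9", "a-site.example", 512),
    (2001, "10.1.2.9", "b-shop.example", 512),
    (2001, "10.1.2.9", "c-blog.example", 512),
    (2002, "10.1.2.9", "d-news.example", 512),
    (2003, "10.1.2.9", "e-cdn.example", 512),
    (2004, "10.1.2.9", "f-api.example", 512),
]


def find_autonomous_http_behaviour(records, min_domains=5, burst_count=5, burst_window=10):
    """Return {client: set_of_flags} for clients whose HTTP use looks machine-driven."""
    by_client = defaultdict(list)
    for ts, client, domain, size in records:
        by_client[client].append((ts, domain, size))

    flagged = {}
    for client, reqs in by_client.items():
        flags = set()
        domains = {d for _, d, _ in reqs}
        sizes = {s for _, _, s in reqs}
        # Indicator 1: many different domains but a single response size.
        if len(domains) >= min_domains and len(sizes) == 1:
            flags.add("uniform_size_across_domains")
        # Indicator 2: burst_count requests inside a burst_window-second sliding window.
        times = sorted(t for t, _, _ in reqs)
        for i in range(len(times) - burst_count + 1):
            if times[i + burst_count - 1] - times[i] <= burst_window:
                flags.add("request_burst")
                break
        # Two or more indicators on one host is the combination the text calls out.
        if len(flags) >= 2:
            flags.add("combined_indicators")
        if flags:
            flagged[client] = flags
    return flagged


if __name__ == "__main__":
    for client, flags in find_autonomous_http_behaviour(HTTP_RECORDS).items():
        print(client, sorted(flags))
```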
Policy Violations
Why Policy Violations?
While a host may not be violating explicit company policy, it might be violating a well-understood, implied policy. Either way, the result is the same: behavior outside the expected norm. These policies exist to establish a specific baseline, and a deviation from it would indicate (at best) a misconfigured system or (at worst) a compromised system. Security analytics enable you to quickly distinguish compromised systems from misconfigurations and benign policy violations, dramatically reducing business-critical time to detection and mitigation.
Figure 2: Conceptualization of graph pattern matching
Figure 3: Visualization of policy violation behavior patterns
Identifying Policy Violations Using Security Analytics
Internal network clients rarely need to communicate directly with other clients on the network. Most of their activity passes through application servers like instant messaging, email, source code repositories, financial applications, or other enterprise-level business systems. Worm propagation, however, spreads primarily through host-to-host communication. Visualizing host-to-host communication, therefore, would provide insight into a worm that was trying to spread throughout the network. Escalated or de-escalated privileged access to corporate data is another example of policy violations that could indicate a compromise. If the CEO, for example, accesses the source code repository unexpectedly, in most companies this suggests a network breach with data exfiltration as the end goal. Similarly, sudden access to corporate finance systems by an engineer would suggest a possible breach with intent to steal corporate financial information. By fusing the data from these disparate systems with other network data, security analytics can detect combinations of these policy violations that are significant indicators of compromise, enabling you to find and mitigate network breaches before serious damage can be inflicted.
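The client-to-client fan-out check described above, as an added example (not the brief's analytic) over constructed flow records; the internal range, the server allow-list and the peer threshold are assumptions for this illustration:

```python
from collections import defaultdict

# Constructed: the application servers clients are expected to talk to (mail, IM, source repo).
KNOWN_SERVERS = {"10.0.0.10", "10.0.0.11", "10.0.0.12"}

# Constructed flow records: (src_ip, dst_ip, dst_port). 10.0.0.0/8 is assumed internal.
FLOWS = [
    ("10.1.1.5", "10.0.0.10", 25), ("10.1.1.5", "10.0.0.11", 5222),
    ("10.1.1.8", "10.0.0.12", 443), ("10.1.1.8", "10.1.1.5", 445),     # one peer: probably a file share
    ("10.1.2.3", "10.0.0.10", 25),
    ("10.1.2.3", "10.1.1.5", 445), ("10.1.2.3", "10.1.1.8", 445),      # 10.1.2.3 sweeps its neighbours
    ("10.1.2.3", "10.1.1.9", 445), ("10.1.2.3", "10.1.1.10", 445),
    ("10.1.2.3", "10.1.1.11", 445),
    ("10.1.2.3", "198.51.100.7", 443),                                  # external, not client-to-client
]


def is_internal(ip):
    """Assumed internal range for this example."""
    return ip.startswith("10.")


def client_to_client_fanout(flows, servers, min_peers=3):
    """Internal hosts contacting at least min_peers other internal non-server hosts."""
    peers = defaultdict(set)
    ports = defaultdict(set)
    for src, dst, port in flows:
        # Only direct client-to-client traffic counts; server traffic is the expected path.
        if is_internal(src) and is_internal(dst) and dst not in servers and src not in servers:
            peers[src].add(dst)
            ports[src].add(port)
    return {src: {"peers": len(p), "ports": sorted(ports[src])}
            for src, p in peers.items() if len(p) >= min_peers}


if __name__ == "__main__":
    print(client_to_client_fanout(FLOWS, KNOWN_SERVERS))
```

A single peer contact (10.1.1.8 above) stays below the threshold; one host touching many neighbours on the same port is the worm-like pattern the text describes.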
Botnet C&C Traffic
Why Botnet C&C Traffic?
The presence of botnet command and control (C&C) traffic represents one of the more obvious indicators of compromise. If C&C traffic is present on your network, you almost certainly have infected hosts, whether they’re acting as C&C servers or, more likely, bots that may be stealing corporate information or acting as drones in DDoS attacks. Security analytics can help you identify C&C traffic and stop it before it causes additional damage.
Detecting Botnet C&C Traffic Using Security Analytics
Typical web browsing produces web pages compiled from many different page elements from many different hosts and paths as the browser downloads images, scripts, and HTML files, and the resulting page is generally static once compiling is complete. Users do not usually refresh a webpage at regular intervals of, say, every 120 seconds. Frequent and regular page refreshes and requests of only one or two paths to the same host more likely indicate a compromised host calling back to the C&C server to give status updates and listen for new commands. The Zeus botnet, for example, almost always calls out to the same host and pulls only a single URI path. Security analytics can help you quickly identify this behavior and discover compromised hosts on your network before they can inflict serious damage.
Figure 4: Visual depiction of a security analytic to detect a single URI
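The single-URI, regular-interval call-back pattern described above, as an added example (not the brief's analytic) over constructed HTTP request records; it flags a client/host pair that polls one or two paths at a steady period, measured as a low coefficient of variation of the inter-request gaps, with thresholds that are assumptions:

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed HTTP request records: (epoch_seconds, client, server_host, uri_path).
HTTP_REQUESTS = [
    # 10.1.1.5 reads a news site: many paths, irregular timing
    (100, "10.1.1.5", "news.example", "/"),
    (104, "10.1.1.5", "news.example", "/style.css"),
    (105, "10.1.1.5", "news.example", "/logo.png"),
    (371, "10.1.1.5", "news.example", "/story/42"),
    (1890, "10.1.1.5", "news.example", "/story/77"),
    # 10.1.2.9 polls one path on one host roughly every 120 seconds
    (200, "10.1.2.9", "cnc.example", "/ping"),
    (320, "10.1.2.9", "cnc.example", "/ping"),
    (441, "10.1.2.9", "cnc.example", "/ping"),
    (560, "10.1.2.9", "cnc.example", "/ping"),
    (680, "10.1.2.9", "cnc.example", "/ping"),
]


def find_beacons(requests, min_requests=5, max_paths=2, max_cv=0.2):
    """Return {(client, host): details} for pairs that look like C&C check-ins."""
    by_pair = defaultdict(list)
    for ts, client, host, uri in requests:
        by_pair[(client, host)].append((ts, uri))

    beacons = {}
    for (client, host), reqs in by_pair.items():
        if len(reqs) < min_requests:
            continue
        paths = {u for _, u in reqs}
        if len(paths) > max_paths:          # real browsing pulls many paths
            continue
        times = sorted(t for t, _ in reqs)
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg             # 0 means perfectly periodic
        if cv <= max_cv:
            beacons[(client, host)] = {"period_s": round(avg, 1),
                                       "paths": sorted(paths), "cv": round(cv, 3)}
    return beacons


if __name__ == "__main__":
    for pair, info in find_beacons(HTTP_REQUESTS).items():
        print(pair, info)
```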
Volumetric Behavior
Volumetric behavior revolves around the amount of traffic being generated by network activity. Significantly higher than normal volumes of network activity could indicate an incoming DDoS attack, compromised hosts exfiltrating data from your network, or simply a legitimate transfer of large files to a trusted customer or partner. As a security analyst, you need to be able to identify an abnormally high volume of network traffic and quickly determine if it is benign or malicious.
DDoS Noise Reduction
Why DDoS Noise Reduction?
Distributed denial-of-service (DDoS) attacks have garnered much attention in recent years as major corporations have suffered very public attacks. While most of the attention is focused on website downtime and resource unavailability, many DDoS attacks are now used as a smokescreen for penetration or exfiltration. As the DDoS attack is happening, security organizations scramble to deploy their best people to fix or mitigate the effects of the attack, while the attackers are busy with their true objective: gaining access to intellectual property and other sensitive corporate information. Using security analytics with all your disparate network data fused and visualized in a single solution, you can quickly filter out the noise to detect and mitigate the stealth attacks, as well as the obvious and noisy ones.
Reducing DDoS Noise Using Security Analytics
A DDoS attack can be a highly visible indicator of compromise, yet it also may be masking the true intent of the attacker. Understanding the type of DDoS attack that you are investigating is very important in being able to properly reduce the noise so that the normal underlying behavior can be analyzed. When analyzing large datasets, time can be a useful filter to reduce the amount of data that you need to scan. For example, you could look at new inbound connections over only the past 60 minutes rather than over the past 24 hours. This is a useful technique, but during DDoS attacks new inbound connections may be arriving at a rate orders of magnitude higher than during a regular time interval.
For example, Slowloris is an HTTP-based attack where bogus HTTP headers are fed from the attacker to the target HTTP server. These bogus headers are sent at long intervals, so a single request can take hours or even days to complete. When tens or hundreds of thousands of these connections build up over time, the HTTP server is rendered inaccessible because of resource exhaustion. With security analytics you can quickly filter these types of connections out of the larger dataset so that you don’t see millions of bogus connections but can instead focus on the connections that might be trying to deliver server-side exploits. This allows you to truly see infiltration attempts without being distracted by a large volume of otherwise meaningless Slowloris connections.
Figure 5: Visual depiction of a security analytic for filtering Slowloris
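The Slowloris noise filter described above, as an added example (not the brief's analytic) over constructed connection records: long-lived connections that sent almost nothing and never completed a request are summarised and set aside, and the remainder is screened for short connections carrying unusually large client payloads; the field layout and thresholds are assumptions:

```python
# Constructed connection records (Bro conn.log-like):
# (src_ip, dst_port, duration_s, bytes_from_client, http_requests_completed)
CONNECTIONS = [
    ("198.51.100.2", 80, 0.4, 8200, 1),     # one fast request with a large body: worth a look
    ("192.0.2.7", 80, 1.2, 610, 3),         # ordinary page load
    ("192.0.2.8", 80, 950.0, 150000, 40),   # long but busy keep-alive session, not noise
]
# Constructed flood: 1000 half-open connections, long-lived, tiny, never completed.
for i in range(1000):
    CONNECTIONS.append((f"203.0.113.{i % 250 + 1}", 80, 3600.0 + i, 300 + i % 40, 0))


def is_slowloris_like(conn, min_duration=300.0, max_bytes=1024):
    """Long-lived, almost no data from the client, and no request ever completed."""
    _, _, duration, bytes_in, completed = conn
    return duration >= min_duration and bytes_in <= max_bytes and completed == 0


def reduce_ddos_noise(conns):
    """Split connections into a noise summary and the remainder worth analyst attention."""
    noise = [c for c in conns if is_slowloris_like(c)]
    remaining = [c for c in conns if not is_slowloris_like(c)]
    # The analyst sees "N connections from M sources", not N rows.
    summary = {"connections": len(noise), "sources": len({c[0] for c in noise})}
    return summary, remaining


def likely_exploit_attempts(conns, min_bytes=4096, max_duration=5.0):
    """Among non-noise connections, short ones that pushed a large client payload."""
    return [c for c in conns if c[3] >= min_bytes and c[2] <= max_duration]


if __name__ == "__main__":
    summary, remaining = reduce_ddos_noise(CONNECTIONS)
    print("noise:", summary)
    print("remaining:", len(remaining), "worth a look:", likely_exploit_attempts(remaining))
```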
Unusual Inbound Traffic
Why Unusual Inbound Traffic?
Most companies should normally receive very little inbound traffic to their corporate networks. Most companies have websites, but they aren’t typically hosted on the internal corporate network. Most are hosted in the cloud or by a third-party provider, so there would be no inbound traffic on the corporate network to the corporate web site. Other than VPN connections and requests to the corporate DNS servers, inbound traffic to the corporate network is very rare and is therefore a strong indicator of compromise. Security analytics can help you quickly separate the good traffic from the bad and remediate the cause sooner and mitigate its impact on your business.
Detecting Unusual Inbound Traffic Using Security Analytics
Inbound SSH connections to externally exposed internal hosts are a strong indicator of compromise, particularly if there is a pattern to the connections. When an SSH brute force attack happens, an analyst would see lots of invalid SSH attempts, followed by a successful one. This could indicate that an external attacker has gained SSH access to an internal host. Inbound connections to ephemeral ports are another indicator of compromise. If inbound traffic is expected, it will be destined for well-known ports in the sub-1023 range. Inbound traffic to other ports likely indicates attempts to compromise the network, or at least to gauge the security and openness of the corporate network in order to gain access. With security analytics, you can quickly and easily detect these types of network behavior patterns, leading to faster mitigation and prevention of large-scale data exfiltration.
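The "many failures, then a success" SSH pattern described above, as an added example (not the brief's analytic) run over constructed sshd log lines in the usual syslog wording; the hostnames, addresses, usernames and failure threshold are constructed for the illustration:

```python
import re
from collections import defaultdict

# Constructed sshd log excerpt. Addresses are documentation ranges, not real sources.
AUTH_LOG = """\
Jan 10 03:12:01 gw sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 10 03:12:03 gw sshd[1202]: Failed password for root from 203.0.113.5 port 51235 ssh2
Jan 10 03:12:05 gw sshd[1203]: Failed password for invalid user test from 203.0.113.5 port 51236 ssh2
Jan 10 03:12:09 gw sshd[1204]: Failed password for deploy from 203.0.113.5 port 51240 ssh2
Jan 10 03:12:14 gw sshd[1205]: Failed password for deploy from 203.0.113.5 port 51241 ssh2
Jan 10 03:12:20 gw sshd[1206]: Accepted password for deploy from 203.0.113.5 port 51250 ssh2
Jan 10 03:15:00 gw sshd[1210]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Jan 10 03:15:10 gw sshd[1211]: Accepted password for alice from 198.51.100.7 port 40002 ssh2
"""

# Matches both "Failed password for invalid user X from IP" and "Accepted password for X from IP".
LINE_RE = re.compile(
    r"sshd\[\d+\]: (Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port \d+")


def find_brute_force_logins(log_text, min_failures=3):
    """Successful logins from a source that had at least min_failures failures before it."""
    failures = defaultdict(int)     # source ip -> failed attempts so far
    tried = defaultdict(set)        # source ip -> usernames attempted
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        outcome, user, src = m.groups()
        if outcome == "Failed":
            failures[src] += 1
            tried[src].add(user)
        elif failures[src] >= min_failures:
            hits.append({"src": src, "user": user,
                         "failures_before": failures[src],
                         "usernames_tried": sorted(tried[src])})
    return hits


if __name__ == "__main__":
    for hit in find_brute_force_logins(AUTH_LOG):
        print(hit)
```

A user who mistypes a password once and then logs in (198.51.100.7 above) stays below the threshold; the source that cycled through several usernames before succeeding is reported with the full list it tried.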
Unusual Outbound Traffic
Why Unusual Outbound Traffic?
Unusual outbound traffic is an even more likely indicator of compromise than inbound traffic because it could represent actual data loss and theft. There are very few reasons that anyone on the corporate network should be uploading gigabytes worth of traffic externally. While there are exceptions, this outbound behavior would be a strong indication of compromise and behavior that security analytics can help you detect.
Figure 6: Visualization of an SSH brute force attack
Detecting Unusual Outbound Traffic Using Security Analytics
RAR archives are the preferred archive and compression format for external attackers such as APT1. A spike in the number of outbound RAR archives can be a very telling sign. Abnormal database traffic can also be indicative of compromise. If an internal database receives a read request followed by large outbound responses, this may indicate a SQL injection attack where an external user is dumping a large table such as usernames and password hashes. This attack vector has been used to gain access to major corporations’ customer information. Other types of outbound traffic are also pretty unusual. SSH connections that transfer large amounts of data, SCP connections sending data out of the corporate network, and, as with unusual inbound traffic, unusual outbound traffic to ephemeral ports could also indicate compromise and data exfiltration. Using security analytics, you could quickly identify the exfiltration of an unusual number of RAR archives or large amounts of outbound traffic, enabling you to quickly stop an active data exfiltration.
Anomalous Behavior
Anomalous behavior is network traffic or activity that deviates from an established baseline or does not conform to standard protocol behavior.
Geographic Anomalies
Why Geographic Anomalies?
Many organizations do business with a limited subset of the world or have employees only in certain countries. The presence of geographic anomalies—traffic from unexpected locations—in network traffic can help to indicate compromise from foreign nations. The most convenient part about geographic anomalies is that they are easier to baseline than other kinds of traffic. Here, too, security analytics, when run on your full range of fused network data, can identify traffic to and from specific geographic locations or traffic not from a specific geographic location, depending on what is typical on your network.
Understanding Geographic Anomalies Using Security Analytics
If a company is based solely in the United States, there is little reason why anyone from a foreign country should try to access the corporate network. This traffic would be a red flag that something unexpected was happening. Further, if internal resources were communicating with foreign countries that you wouldn’t expect, this too would indicate some kind of compromise. Geographic anomalies are one of the easier indicators to keep the pulse of because so many perimeter devices have geolocation functionality built in. With security analytics, you can take this information and fuse it with other network data to provide the remaining context to more fully understand the behavior of anomalous geographic traffic on your network.
Figure 7: Visual depiction of a security analytic for SSH filtration
Figure 8: Visualization of geolocation data on a network
Protocol Anomalies
Why Protocol Anomalies?
All network protocols have distinct behaviors, many of which are well documented either through the IETF’s RFC process or simply from industry standardization. Deviations from these distinct behaviors could be an indicator of compromise, but also could simply indicate a misconfiguration of some kind. Using security analytics you can more easily detect deviations and sort out the suspicious behavior from simple misconfigurations or benign violations.
Identifying Protocol Anomalies Using Security Analytics
A typical host in an enterprise uses DHCP to retrieve an IP address along with other necessary information like default gateway, netmask, and DNS servers. The use of external DNS servers is rare on corporate networks. A corporate host using an external DNS server indicates at best a grossly misconfigured endpoint and at worst an infected host waiting to unleash havoc in your network.
Similarly, HTTP traffic can display behavior that, while valid, is still anomalous. There are likely many different hosts on the corporate network that talk to the same external host. Google.com, Yahoo.com, and Gmail.com are all hosts that many different hosts may talk to on a daily basis as users engage in normal web surfing. While lots of different hosts communicating with a single external host is not necessarily an indicator of compromise, when every one of them uses the same user-agent string, a compromise likely exists. Since there will usually be tens if not hundreds of different user-agent strings as users surf with different browsers, different service packs, and different versions of the same browser, many different hosts all communicating with the same external server using a single user-agent is a strong indicator of compromise. Using the pattern searching capabilities of security analytics, you can identify this anomalous behavior so you can investigate its root cause and mitigate the behavior quickly to avoid further damage to your network.
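Both protocol anomalies above (a corporate host resolving through an external DNS server, and many hosts reaching one external server with a single user-agent string) as one added example over constructed flow and HTTP records; this is not the brief's analytic, and the corporate resolver list, the records and the client threshold are assumptions:

```python
from collections import defaultdict

# Constructed: the resolvers DHCP hands out on this network.
CORPORATE_DNS = {"10.0.0.53", "10.0.1.53"}

# Constructed flow records: (src_ip, dst_ip, dst_port).
DNS_FLOWS = [
    ("10.1.1.5", "10.0.0.53", 53),
    ("10.1.1.8", "10.0.1.53", 53),
    ("10.1.2.9", "203.0.113.53", 53),   # resolver nobody configured
    ("10.1.2.9", "10.0.0.53", 53),
    ("10.1.3.7", "203.0.113.80", 443),  # port 443, not a DNS query
]


def hosts_using_external_dns(flows, corporate_dns):
    """Internal hosts that sent DNS (port 53) to a resolver outside the corporate set."""
    return {src for src, dst, port in flows if port == 53 and dst not in corporate_dns}


# Constructed HTTP metadata: (client_ip, server_host, user_agent).
HTTP_RECORDS = [
    ("10.1.1.5", "www.google.com", "Mozilla/5.0 (Windows NT 6.1) Chrome/32.0"),
    ("10.1.1.8", "www.google.com", "Mozilla/5.0 (Windows NT 6.1; WOW64) Firefox/26.0"),
    ("10.1.2.9", "www.google.com", "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)"),
    ("10.1.3.7", "www.google.com", "Mozilla/5.0 (Macintosh) Safari/537.36"),
    ("10.1.1.5", "cdn-update.example", "Updater/1.0"),
    ("10.1.1.8", "cdn-update.example", "Updater/1.0"),
    ("10.1.2.9", "cdn-update.example", "Updater/1.0"),
    ("10.1.3.7", "cdn-update.example", "Updater/1.0"),
    ("10.1.4.2", "cdn-update.example", "Updater/1.0"),
]


def single_user_agent_servers(records, min_clients=4):
    """External servers contacted by many clients that all present one user-agent string."""
    clients = defaultdict(set)
    agents = defaultdict(set)
    for client, server, ua in records:
        clients[server].add(client)
        agents[server].add(ua)
    return {server: {"clients": len(clients[server]), "user_agent": next(iter(agents[server]))}
            for server in clients
            if len(clients[server]) >= min_clients and len(agents[server]) == 1}


if __name__ == "__main__":
    print("external DNS:", hosts_using_external_dns(DNS_FLOWS, CORPORATE_DNS))
    print("single-UA servers:", single_user_agent_servers(HTTP_RECORDS))
```

A popular site seen from four clients with four different browsers is left alone; the same four clients plus a fifth all announcing the identical agent to one server is what gets reported.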
Long-Term Trending
Why Long-Term Trending?
Long-term trending can help to identify anomalies occurring on a network. The key is establishing an accurate baseline. Luckily, the human mind is naturally good at establishing norms and spotting deviations, which is why long-term trending is so powerful.
Figure 9: Visual depiction of a security analytic for detecting user-agent patterns