
Tag: Indicators of Attack (IoA)

The threat hunter's guide to securing the enterprise

It’s time to face facts: Attackers are stealthy enough to evade your monitoring systems.
If you’re sitting back waiting for alarms to go off, there’s a good chance you’re already hosed. Despite spending more than $75 billion on security products and services, enterprises are frequently compromised, highly sensitive data is stolen, and the fallout can be devastating. Worse, enterprises don’t discover they’ve been breached for weeks to months after initial compromise, taking between 120 to 200 days on average to even detect an attack.

That’s a six-month head start on reconnaissance and exploitation -- more time on your network than most of your recent hires. Needless to say, existing approaches to threat detection aren’t working.
It’s time to strap on your threat hunting gear and proactively look for malicious activity in your environment. Here’s a plan to track down threats.

Hunt in your own backyard

Threat hunting, or cyberhunting, is a set of technologies and techniques that can help you find bad actors before they cause too much damage to your environment.

Although threat hunting can involve both manual and machine-assisted techniques, the emphasis is on investigators looking at all the pieces in context and uncovering relationships, says David Bianco, a security technologist at Sqrrl Data. Security automation can help collect data from network and endpoint segments, and machine learning can speed up analysis, but in the end, it’s up to you to assemble a series of diverse threat hunting activities into a comprehensive process for sleuthing out your adversaries, says Kris Lovejoy, president and CEO of Acuity Solutions and former general manager of IBM Security Services. “Threat hunting is a defensive process, not an offensive one,” Lovejoy adds. While a successful hunt requires you to think like a hacker, that doesn’t mean you should be tracing attacks back to the originating machine, immersing yourself in Dark Web forums, or engaging in questionable practices to uncover potential issues.

That may be the case for investigators and hunters from the U.S. Department of Defense or the Federal Bureau of Investigation, but cyberhunting is purely defensive in the enterprise. You hunt by forming hypotheses about how an attacker can get into your network, then you look for evidence within your environment to prove or disprove those hypotheses.

Build a baseline of knowledge

Assessing security risk is a central facet of threat hunting, and the process can be split into three phases.

First, you must understand the threats most likely to target your organization, whether they be persistent adversaries, particular sets of malware, or a certain type of attack.
Second, you must identify your vulnerabilities, such as unpatched software or processes susceptible to human error.

Third, you must assess the impact a successful threat may have in targeting your vulnerabilities. Once you can calculate these risks, you can then prioritize your threat hunting activities to target them. “If I’m a bank and I know that criminals are likely to go after my database to get at accounts, I need to protect that database first,” Lovejoy says. Before you can start hunting, you need to understand the environment you are hunting in.

This goes back to basic IT administration, such as having a clear picture of the number of systems, what software and which version is running, and who has access to each one.

The network architecture, patch management process, and kind of defenses you have in place are all critical pieces of information in understanding your threat landscape.
IT teams need to know the weaknesses to identify potential points of entry. Here, adopting an adversary mindset is key in determining your attackers' moves. Your attackers’ motivations may vary wildly, but they often have similar goals and frequently share similar techniques.

An adversary intent on cybercrime will typically behave differently from one focused on economic espionage or sabotage, for example. Threat intelligence is one way to receive information about the kind of attacks hitting similar-sized organizations in the same industry.
If a number of competitors have been under attack by a gang using a Flash exploit, it makes sense to prioritize investigating potential Flash-based attacks over other types. Knowing that exploit kits and other types of malware are all pushing the same dropper payload is helpful. It’s also essential to ascertain what might interest an attacker most about your organization right now.

This could be a new product your organization is working on or rumors about a potential acquisition. When you know what might trigger interest from potential attackers, you can better predict what techniques they will use and how they will traverse your network to get what they want.

Map the kill chain

A few years back, Lockheed Martin put forth the “cyber kill chain,” which divides targeted attacks into seven distinct phases: reconnaissance, weaponization, delivery, exploit, installation, command and control, and action.

Attackers typically move through each step, from initial compromise to theft, getting the lay of your environment well before exfiltrating any data.

A targeted attack takes time to develop; detecting the breach and blocking the attack as soon as possible will minimize damage. “Cyberhunters assume that something has been exploited, and their job is to find the threat before they can actually cause an impact,” Acuity’s Lovejoy says. During reconnaissance, criminals collect information about potential targets and avenues of attack. In the case of an acquisition, an attacker will collect information about executives and assistants who could potentially be working on the deal.

Based on the information gathered, the criminals develop a course of action, such as creating a phishing campaign. A successful hunt involves examining each phase of the kill chain and assessing specific tactics and techniques attackers may employ.

That may involve mining social media postings to determine whether anyone working on a possible acquisition may have identified themselves as working on the deal and creating a list of employees who may be potentially targeted by a phishing email.
If you believe phishing is the likely entry point of a targeted attack, then you can make assumptions about what the attack scenario will look like along each phase of the kill chain.

Actively hunt for threats

Your assumptions and hypotheses about potential attacks provide places to start your hunt.
Successful hunting involves examining a specific segment of your network without trying to see everything that may go wrong.
It’s about closely scrutinizing an endpoint for specific indicators of attack rather than getting a bird’s-eye view of system security. Most threat intelligence efforts focus on indicators of compromise that don’t help with cyberhunting.

These indicators tend to be cheap, fragile, and inexpensive for adversaries to change.

Consider domain names or the name of the weaponized Word document carrying the payload.
It is trivial for attackers to generate new domain names and to change the messaging in an email accompanying an attack file to bypass security filters.
Instead, hunters should focus on patterns of attack, Lovejoy recommends. For example, you should look out for attempts to open a remote desktop session to create new admin accounts within Active Directory.
It doesn’t matter what the new accounts are called -- you should be searching for unexplained accounts. It’s trivial for an attacker to change the domain of a command-and-control server, but far more expensive to give up using a Flash exploit delivered via a malicious advertisement to remotely execute code and open a backdoor on the compromised machine. Look for attackers using legitimate tools such as PowerShell and WMI.
See where account credentials are being used. Patterns of attack reveal more about attackers than indicators of compromise because they are relevant for a longer period of time. Next-generation firewalls, anomaly detection platforms, and logs all provide a wealth of information, as do threat intelligence platforms and network threat detection systems.
In many cases, there is a silo effect, with information locked within each system, making it difficult for defenders to see all the related pieces.
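As an added illustration of the “patterns of attack” point above (this is not code from the article or from any vendor it quotes), the following Python runs that logic over constructed Windows Security log records: it matches a remote desktop logon followed, in the same logon session, by account creation and admin-group membership, and separately lists created accounts that no provisioning record explains. Event IDs 4624, 4720 and 4732 are real Windows Security IDs; the hosts, user names, times and simplified field names are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log records. Fields are a simplified rendering of the real
# events: 4624 = logon (logon_type 10 = RemoteInteractive/RDP), 4720 = user
# account created, 4732 = member added to a local group. Hosts, users and
# times are invented; real 4732 events carry a SID rather than a name.
SAMPLE_EVENTS = [
    {"time": "2016-03-01T02:10:05", "host": "FS01", "event_id": 4624, "logon_type": 10,
     "subject": "svc_backup", "logon_id": "0x3e7a1"},
    {"time": "2016-03-01T02:12:40", "host": "FS01", "event_id": 4720,
     "subject": "svc_backup", "logon_id": "0x3e7a1", "target": "helpdesk2"},
    {"time": "2016-03-01T02:13:02", "host": "FS01", "event_id": 4732,
     "subject": "svc_backup", "logon_id": "0x3e7a1", "target": "helpdesk2",
     "group": "Administrators"},
    # Benign: a console logon on the DC that creates a ticketed new-hire account.
    {"time": "2016-03-01T09:00:00", "host": "DC01", "event_id": 4624, "logon_type": 2,
     "subject": "jsmith", "logon_id": "0x51b20"},
    {"time": "2016-03-01T09:05:00", "host": "DC01", "event_id": 4720,
     "subject": "jsmith", "logon_id": "0x51b20", "target": "new.hire"},
]


def _t(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S")


def find_rdp_admin_creation(events, window_minutes=60):
    """One finding per logon session in which an RDP logon (4624, type 10) is
    followed within the window by creating an account (4720) and adding that
    account to Administrators (4732). The account name is irrelevant; only the
    sequence of behaviours is matched, which is what makes this an IoA."""
    sessions = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        sessions[(ev["host"], ev["logon_id"])].append(ev)

    findings = []
    for (host, logon_id), evs in sessions.items():
        rdp = next((e for e in evs if e["event_id"] == 4624 and e.get("logon_type") == 10), None)
        if rdp is None:
            continue
        deadline = _t(rdp["time"]) + timedelta(minutes=window_minutes)
        created = {e["target"] for e in evs if e["event_id"] == 4720 and _t(e["time"]) <= deadline}
        for e in evs:
            if (e["event_id"] == 4732 and e.get("group") == "Administrators"
                    and e["target"] in created and _t(e["time"]) <= deadline):
                findings.append({
                    "host": host, "logon_id": logon_id, "subject": e["subject"],
                    "new_admin": e["target"],
                    "seconds_after_logon": int((_t(e["time"]) - _t(rdp["time"])).total_seconds()),
                })
    return findings


def unexplained_accounts(events, approved):
    """Accounts created (4720) that provisioning records do not account for.
    'approved' is the set of names that change tickets explain (assumed input)."""
    return sorted({e["target"] for e in events if e["event_id"] == 4720} - set(approved))


if __name__ == "__main__":
    for f in find_rdp_admin_creation(SAMPLE_EVENTS):
        print("RDP session created admin account:", f)
    print("Unexplained accounts:", unexplained_accounts(SAMPLE_EVENTS, {"new.hire"}))
```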

Threat hunting forces defenders to break out of the tendency to consider systems in isolation. When a process touches different segments and systems, hunters must pay attention to how they relate to each other.

Build up security response

Once you find signs of a breach, threat hunters should step aside to let traditional incident response teams take over.

The hunter’s job is to make guesses as to where the attackers may be within the network, but they aren’t necessarily those with the expertise to block attackers.
Incident response will be in charge of mitigating the attack and remediating issues. It may be tempting to create specialized hunt teams because they pinpoint problem areas and find the attacks, but that shouldn’t be at the expense of basic IT administration, network monitoring, and defense-in-depth strategy.

Cyberhunting starts with the assumption “I have been breached” and looks for evidence to support that assumption, and dedicated incident response and forensics kick in when that evidence has been found and the damage has to be contained.

They are very distinct skill sets, and both are necessary.

Defenders need all of these elements to work together.

Stop the cancer

Threat hunting isn’t a new concept, and many organizations have already adopted some form of the practice as part of their overall security plan.
In a recent SANS Institute survey, 86 percent of IT professionals said they had implemented threat hunting processes in their organizations and 75 percent claimed threat hunting had reduced their attack surface. As with every other aspect of information security, there’s a time and place for cyberhunting.

Enterprises should look at the Hunting Maturity Model developed by Sqrrl Data’s Bianco to judge if they are ready to begin hunting.

The model defines maturity based on three factors: the quality of data collected, the tools available for accessing and analyzing that data, and the skills of those performing the analysis.

A skilled enough analyst with high-quality data can compensate for deficiencies in the toolset, but for the most part, organizations should focus on all three factors. “In order to get anywhere, you must first know where you are and where you want to be,” Bianco wrote in a blog post outlining the model. Enterprises need to reduce the breach detection gap -- more than half a year to discover a breach is unacceptable.
Start with the assumption that attackers are already present and keep looking until either the compromise has been found, or there’s conclusive proof that your environment hasn’t been compromised. Think of the enterprise as a biological system that has been infected, and threat hunting as a way to discover how far the infection has spread and what kind of damage it is causing. “Threat hunting is catching cancer in the early stages, before it metastasizes and kills you,” Lovejoy says.

Related articles

'Nobody cares about your heart-rate'

CrowdStrike's Mike Sentonas talks IoT security with El Reg

With CrowdStrike kicking off its Australian office, the company's freshly-minted VP of technology strategy, Michael Sentonas, took time out for a chat to Vulture South. We started the discussion looking at security in the Internet of Things market, where Sentonas says “I look at it and say 'what a disaster'.” The industry, he says, is hell-bent on “coming up with weird and wonderful ideas, and building it without expertise. Nobody's thinking about the security, and nobody's thinking about the life cycle.” When you combine cheap products with a short life cycle, he explained, “the cost models don't exist to update them”. On the other hand, he said, IoT security hype has the effect of directing attention in the wrong direction. “The sky's not always falling,” he said. “There's a lot of technology that's really useful and done really well.”

Since the IoT endpoints are already frequently too small and stupid to run security, he said, it will fall to the endpoints that act as the bridge between (for example) a sensor network and the Internet. That fits with CrowdStrike's pitch, because even sophisticated endpoints are having trouble keeping up with how quickly new threats develop. “Endpoints no longer have enough power to keep networks secure”, he said – and of course, there's a lot of hosts that are outside the network. That's a good reason to move security into the cloud, going beyond the early approach of taking a physical product (like a firewall), virtualising it and running it in the cloud. The kinds of things he has in mind, for example, is to run access control from the cloud, wherever possible; and use the cloud to make decisions about how a device is behaving. Vulture South notes that it's a lot easier to make those decisions about (for example) a thermostat than for a PC.

Sentonas agreed that it's easy to know how a thermostat should be talking to the network, but expects that “we'll have more challenges with the control devices – the PC connecting the thermostat to the Internet is the thing an attacker will target”. This, again, highlights the misdirection of “hack-of-the-day”-style Internet of Things security stories. “Nobody cares if your treadmill says you hit a heart-rate of 150 bpm this morning.” The real target is elsewhere: “The app has credentials, and those credentials are installed on an Android device with no security”, he explained. That, rather than the treadmill, is where he reckons the company's cloud-based security pitch comes into play.

In general, he said, “the biggest thing people are looking for is to replace approaches that aren't working.” The arms race of discovering malware and pushing out new signatures isn't enough, he says, and “indicators of compromise” are “just another way of talking about signatures.” “You can't stop 100 per cent of breach attempts. There will always be situations where there's a silent failure, or where there's no malware used at all”. Indicators of attack, rather than looking for malware, is how he says CrowdStrike is trying to deal with threats: “look for what the adversary is doing, rather than the tools they're using.”

Big data security analytics still immature, say security experts

While big data security analytics promises to deliver great insights in the battle against cyber threats, the concept and the tools are still immature, according to a panel of security experts. The US Computer Emergency Response Team (US-CERT) has yet to achieve its vision for big data security analytics, said Peter Fonash, CTO for the cyber security office at the US Department of Homeland Security. “We are still working towards our vision of a cyber threat 'weather map' that is predictive,” he told the Global Cyber Security Innovation Summit in London. An important goal for big data analytics is to enable organisations to identify unknown indicators of attack, and uncover things like when compromised credentials are being used to bypass defences. At the recent Nato summit in Wales, CERT-UK was able to mine social media data to support operations to maintain cyber security at the event. “However, handling unstructured data and combining it with structured data to arrive at an accurate assessment is one of the big challenges,” said Neil Cassidy, deputy director for operations in the UK's national Computer Emergency Response Team (CERT-UK). “At the Nato conference, it was challenging to establish what claims were true and which were false to know what was actually happening,” he said.

Combining data from multiple sources

But suppliers said big data security analytics is already delivering value by enabling organisations to analyse data from previously disconnected security data sources. “Attackers are exploiting the fact that security data is in silos,” said Feris Rifai, CEO of analytics firm Bay Dynamics. “Security analytics is not only about big data repositories, it is also about collecting together lots of small bits of data from point solutions to make better decisions,” he said. Rifai said the need for big data security analytics has never been greater because IT security professionals spend most of their time on discovery. “By looking at the intersections between data from multiple sources, security professionals can more quickly identify what they need to prioritise,” he said. Most organisations, however, are still tending to store data and forget about it, rather than running multiple queries against it, which is key, said Peter LaMontagne, CEO at another analytics firm, Novetta Solutions. But Fonash said many firms lack people with the right skills in running queries across multiple data sources. “Another common challenge is how to disseminate information in real time or near real time and in a machine-readable format for process automation,” he said.

Identifying useful threat intelligence data

To overcome some of these challenges, Cassidy said CERT-UK is looking at a structured language for cyber threat intelligence information called Structured Threat Information eXpression (Stix). “Getting information out is a challenge, but we believe Stix could be key to enabling different CERTs to share information at speed and scale,” he said. CERT-UK is working with counterparts in the US and Australia to find ways of getting information to defenders quickly in a format that is useful. “But there are several issues around automatically ingesting information, including how to ensure that recipients can trust information sources,” said Cassidy. A common challenge for US-CERT, said Fonash, is navigating internal politics to get complete datasets from various government agencies. For all organisations, it remains a challenge to identify the most relevant or useful threat intelligence feeds. “Linking a threat to an IP address, for example, is not necessarily useful, as that IP address could represent hundreds of thousands of machines or users,” said Cassidy.

But few organisations have a mature understanding of big data security analytics, and fewer still are actively using it as part of their cyber security strategy in the UK, Cassidy told Computer Weekly. For big data security analytics to be successful, he said, organisations first need to have a clear idea of exactly what they want to get out of it. “Only once you know what you want to achieve can you begin evaluating which are the most relevant technologies and feeds,” said Cassidy.

NSA Sifted Crash Dump Data in Search of App Vulnerabilities: Report

Data culled from application crashes, used by developers to track down bugs, were reportedly used by the National Security Agency to pinpoint vulnerabilities and target attacks. A key tool in hunting down and fixing application bugs has reportedly been used by the National Security Agency as a way to remotely find vulnerable software within companies and organizations targeted by the U.S. spy agency. The tool, known as Dr. Watson and developed by Microsoft, records information about the state of a Windows system when an application crashes.

The service sends the crash information to Microsoft and has helped the software maker and third-party application developers eradicate many flaws that caused program instability. Yet the data has also been secretly collected by the National Security Agency using a distributed system of network taps as a way to remotely detect software vulnerabilities, according to a report published in Der Spiegel on Dec. 29. By combining its ability to sift through large amounts of data and the fact that the crash reports are unencrypted, it’s entirely possible that the National Security Agency could collect information on the software vulnerabilities inside specific networks or companies, Alex Watson, director of research for security firm Websense, told eWEEK. “Your typical organization generates enough reports that over a period of time you can create a blueprint of what the vulnerable applications are on the network,” he said. The NSA’s capability to dig into the application crashes of organizations worldwide comes out of a report in Der Spiegel documenting the NSA’s Office of Tailored Access Operations, a cyber-operations group inside the agency which finds ways to get at the hard-to-reach information that the spy agency deems essential to its mission. The report, co-authored by digital rights activist and security researcher Jacob Appelbaum, outlined the catalog of capabilities offered by the TAO, including so-called “implants”—hardware devices and software programs designed to be secreted in computer systems or networks for surveillance purposes. The ability to collect information produced by the crash-reporting tool known as Dr. Watson gives the NSA and other potential attackers the ability to collect information on systems to which they have no access, Websense’s Watson said. 
In a detailed analysis of what information is provided by the tool, Websense warned that the data, while valuable, present a very real potential of data leakage because much of the information is uploaded without encryption. “Applications that report this information without encrypting data risk leaking information at multiple points,” Watson wrote in the analysis. “This includes any upstream proxies, firewalls and ISPs that are in between the corporate network and the destination as well as the application developer and their partner organizations.” Microsoft is not the only company to collect crash dumps.

Apple’s Mac OS X has a similar facility for sending information back to the company to improve the quality of software. While companies may be threatened by the risk of data leakage presented by the spy agency’s alleged collection of crash dumps, the information can be valuable in detecting advanced attackers, says Websense’s Watson.

Attempts at exploiting software flaws often lead to program crashes.

This enables target organizations to determine whether a crash was caused by suspicious activities and allows them to set up defenses against attackers, he said. “These reports have been used to date to understand application crashes, but I think there is tremendous opportunity to use them to find indicators of attack activity,” he said.