Part 2: Continuous Endpoint Monitoring for Indicators of Compromise — Carbanak APT

by Al Hartmann

February 25, 2015


Part 2 in a series of 3

The Unreasonable Effectiveness of Continuous Endpoint Monitoring

There is nothing wrong with attempting to convict and block malicious software before it can compromise an endpoint. Unfortunately, this technique is largely ineffective against targeted attacks whose operators carefully devise and pretest their evasions. The basic problem is that the attack is human-directed by skilled attackers, while endpoint defense is automated by endpoint security suites relying largely on traditional antivirus technology. Human intelligence is more flexible and creative than machine intelligence and will always eventually adapt to and defeat an automated defense. This is the cyber-security version of the Turing test, where a machine defense is trying to rise to the intellectual level of a skilled human hacker. At least here in the 21st century, machine learning and artificial intelligence are not up to the task of fully automating cyber defense; the cyber attacker inevitably triumphs, while the victims lament and count their losses. Only in science fiction do thinking machines overpower humans and take over the planet. Don’t subscribe to the cyber fiction that some autonomous security software will outwit a human hacker foe and save your organization.

The only way to stop a determined human cyber attacker is with a determined human cyber defender. But to engage your IT Security Operations Center (SOC) staff effectively, they must have visibility into endpoint and network operations. Traditional endpoint AV products don’t provide visibility; rather, they are architected to remain silent unless they are making a conviction and quarantining malware. This traditional approach leaves the endpoints opaque to SOC staff, and attackers rely on this endpoint opacity to conceal their activities. The opacity extends forwards and backwards in time—your staff don’t know what was running across your endpoint population in the past, what is running now, or what to expect in the future. When diligent SOC staff turn up clues that require forensic lookback to trace attacker tracks, your AV solution is not there to help. Because it failed to act at the time, it also failed to record events at the time, and you are completely in the dark.

By contrast, continuous endpoint monitoring is always at work: it provides real-time visibility into how the endpoint population is operating now, it provides forensic lookback so that new evidence of attack can be acted upon and earlier signs uncovered, and it baselines normal operating patterns so that the SOC knows what to expect and can flag what is abnormal in the future. Continuous endpoint monitoring provides not just visibility but informed visibility, applying behavioral analytics to identify activities that don’t appear normal. These analytics continuously aggregate and rank the abnormalities so that the most tellingly suspicious ones are always surfaced to SOC staff, via the enterprise SIEM infrastructure, for attention and resolution. Continuous endpoint monitoring is there to amplify and scale human intelligence, not to supplant it.

Continuous endpoint monitoring is a lot like the old Sesame Street game of “One of these things is not like the other.”

Even a child can play this game. It is very simple, since most items (termed high prevalence) are similar, but one or a few (termed low prevalence) stand out as dissimilar. The collection of dissimilar actions taken by hackers has been largely consistent over decades of hacking history. When such actions are pointed out by continuous endpoint monitoring security analytics, it doesn’t require a cyber-genius to recognize something unusual or suspicious. SOC staff can usually do rapid triage on these, quickly determining a yes/no/maybe response that distinguishes unusual but known-good activities from bad activities, or from activities that require further monitoring and deeper forensic investigation to clear.
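The prevalence analytic described in the two paragraphs above (baseline the population, then surface the low-prevalence items to the SIEM) is easy to see in code. The following is an added example written for this page; it is not code from the original post or from any monitoring product. The endpoint inventory is constructed: eight hypothetical workstations report (host, image path, hash) observations, and the 20% prevalence threshold, the field names in the SIEM records and the reason labels are all assumptions of the example. Two deliberately odd items are planted in the current sweep: a binary named svchost.exe running from a user Temp folder, and a System32 svchost.exe whose hash differs from the one on every other host.

```python
"""Prevalence-based surfacing of abnormal endpoint items for SOC triage.

Added example for this page, not code from the original post or any product.
All hosts, paths and hash values below are constructed sample data.
"""
from collections import defaultdict

# --- Constructed inventory (hypothetical hosts; hashes truncated for brevity) ---
HOSTS = [f"ws{n:02d}" for n in range(1, 9)]          # ws01 .. ws08
SYS32_SVCHOST = r"C:\Windows\System32\svchost.exe"
EXPLORER = r"C:\Windows\explorer.exe"
AGENT = r"C:\Program Files\Acme\agent.exe"           # hypothetical line-of-business tool
TEMP_SVCHOST = r"C:\Users\bob\AppData\Local\Temp\svchost.exe"

# Baseline sweep: what "normal" looked like across the population.
BASELINE = (
    [(h, SYS32_SVCHOST, "aaaa") for h in HOSTS]      # on every host
    + [(h, EXPLORER, "cccc") for h in HOSTS]         # on every host
    + [(h, AGENT, "dddd") for h in HOSTS[:3]]        # on 3 of 8 hosts (mid prevalence)
)

# Current sweep: the baseline plus two planted anomalies.
CURRENT = BASELINE + [
    ("ws05", TEMP_SVCHOST, "ffff"),   # well-known name, wrong location
    ("ws03", SYS32_SVCHOST, "bbbb"),  # right location, hash unlike the rest
]


def prevalence(observations):
    """Map each (image_path, hash) to the fraction of hosts it was seen on."""
    hosts = {host for host, _, _ in observations}
    seen = defaultdict(set)
    for host, image, digest in observations:
        seen[(image, digest)].add(host)
    return {key: len(on_hosts) / len(hosts) for key, on_hosts in seen.items()}


def low_prevalence(observations, max_fraction=0.2):
    """(key, fraction) pairs at or below the threshold, rarest first."""
    rare = [(k, f) for k, f in prevalence(observations).items() if f <= max_fraction]
    return sorted(rare, key=lambda kf: kf[1])


def baseline_delta(baseline, current):
    """Keys present in the current sweep that never appeared in the baseline."""
    return sorted(set(prevalence(current)) - set(prevalence(baseline)))


def siem_events(baseline, current, max_fraction=0.2):
    """Build ranked, SIEM-ready records for the low-prevalence items.

    Each record carries the hosts to triage and the reasons it was surfaced:
    low_prevalence, new_since_baseline and, when the same image path runs with
    more than one hash across the population, hash_differs_from_population.
    """
    hosts_by_key = defaultdict(set)
    for host, image, digest in current:
        hosts_by_key[(image, digest)].add(host)
    hashes_by_image = defaultdict(set)
    for image, digest in hosts_by_key:
        hashes_by_image[image].add(digest)
    new_keys = set(baseline_delta(baseline, current))

    events = []
    for (image, digest), fraction in low_prevalence(current, max_fraction):
        reasons = ["low_prevalence"]
        if (image, digest) in new_keys:
            reasons.append("new_since_baseline")
        if len(hashes_by_image[image]) > 1:
            reasons.append("hash_differs_from_population")
        events.append({
            "image": image,
            "sha256": digest,
            "prevalence": fraction,
            "hosts": sorted(hosts_by_key[(image, digest)]),
            "reasons": reasons,
        })
    return events


if __name__ == "__main__":
    for event in siem_events(BASELINE, CURRENT):
        print(f"{event['prevalence']:.3f}  {event['image']}  {event['sha256']}  "
              f"hosts={event['hosts']}  reasons={event['reasons']}")
```

The 3-of-8 agent.exe sits above the threshold and is never raised, which is the point of the approach: the SOC sees only the handful of items that are unlike the rest, each tagged with why, and decides yes/no/maybe on those rather than on the whole inventory.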

Attackers cannot pretest their attack code against this defense strategy: it has both a non-deterministic risk analytics component (which surfaces suspect activity via the SIEM) and a non-deterministic human component (which performs alert triage at the SOC). Depending on the endpoint population mix, current activities, and SOC staff experience, latent attack activity may or may not be recognized. That is the nature of cyber warfare; there are no guarantees in warfare, but your SOC warfighters are better armed with continuous endpoint monitoring visibility and analytics, an unreasonably effective combination.

The indicators of compromise listed by the technical reports on the Anunak/Carbanak APT are good examples and will be covered in the third installment of this blog.