What to Watch For: Top 5 Suspicious User/Endpoint Behaviors
Attacks targeted to a specific enterprise are unlikely to be detected by traditional security software. The attack code will more than likely be remixed to evade known malware signatures, while fresh command and control infrastructure will be stood up to evade known blacklisted network contacts. Defending against these fresh, targeted attacks requires defenders to spot more generic attack characteristics than can be found in endless lists of known Indicators of Compromise (IoC’s) from previously analyzed attacks.
Unless you have a DeLorean time machine to retrieve IoC’s from the future, known IoC’s won’t help with fresh attacks. For that, you need to be alert to suspicious behaviors of users or endpoints that could be indicative of ongoing attack activity. These suspicion-arousing behaviors won’t be as definitive as a malware signature match or IP blacklist hit, so they will require analyst triage to confirm. Insisting upon conviction certainty before raising alerts means that fresh attacks will successfully evade your automated defenses. It would be equivalent to a parent ignoring suspicious child behavior without question until they receive a call from the police. You don’t want that call from the FBI that your enterprise has been breached when due analyst attention to suspect behaviors would have provided early detection.
Security analytics of observed user and endpoint behaviors seeks to identify characteristics of potential attack activity. Here we highlight some of those suspect behaviors by way of general description. These suspect behaviors function as cyber attack tripwires, alerting defenders to potential attacks in progress.
Anomalous Login Activity
Users and organizational units exhibit learnable login activity patterns that can be analyzed for anomalous departures. Anomalies can be either spatial, i.e. anomalous with respect to peers, or temporal, i.e. anomalous with respect to that user/endpoint’s earlier login pattern. Remote logins can be analyzed for remote IP address and geolocation, and login entropy can be measured and compared. Non-administrative users logging into multiple systems can be observed and reported, as it deviates from expected patterns.
Anomalous Work Habits
Working outside normal work hours or outside established patterns of work activity can be suspect or indicative of insider threat activity or compromised credentials. Again, anomalies may be either spatial or temporal in nature. The workload active process mix can also be analyzed for adherence to established workgroup activity patterns. Workloads may vary somewhat, but tend to be relatively consistent across engineering departments or accounting departments or marketing departments, etc. Workload activity patterns can be machine learned and statistical divergence tests applied to spot behavioral anomalies.
Anomalous Application Characteristics
Common applications exhibit relatively consistent characteristics in their image metadata and in their active process profiles. Significant departures from these observed activity norms can be indicative of application compromise, such as code injection. Whitelisted applications may be put to use by malware scripts in unlikely ways, such as ransomware employing system tools to remove volume shadow copies to stymie recovery, or malware staging stolen data to disk, prior to exfiltration, with significant disk resource demand.
Anomalous Network Activity
Common applications exhibit relatively consistent network activity patterns that can be learned and characterized. Unusual levels of network activity by uncommon applications are suspect for that reason alone, as is unusual port activity or port scanning. Network activity at unusual times or with unusual regularity (possibly beaconing) or unusual resource demand are also worthy of attention. Unattended network activity (user not present) should always have a plausible explanation or be reported, especially if observed in significant volume.
Anomalous System Fault Behavior
Anomalous fault behavior could be indicative of a vulnerable or exposed system or of malware that is repeatedly reattempting some failed operation. This could be observed as applications crashing or hanging, as service failures, or as system crashes. Compliance faults are also worth noting, such as not running mandated security or backup agents, or consistent faulting by those agents (leading to a fault-restart-fault cycle).
When looking for Endpoint Detection and Response solutions, don’t have a false sense of security just because you have a big library of known IOCs. The most effective solutions will cover these top 5 generic attack characteristics plus a whole lot more.