It’s a well-documented fact that an organization may be under attack and not even know it, with malware spreading undetected across the network for days, weeks or even years.
With increasingly sophisticated, polymorphic malware hitting enterprise networks daily — either opportunistically or by intention — how can security staff on the front lines effectively combat these threats? We know it is no longer enough to simply detect and stop threats we already know about: now we’re looking for multiple needles in many haystacks to reveal stealthy campaigns in progress.
This would seem to be a losing battle, and, indeed, that’s how it is often portrayed. But the truth is that the signs of an attack are nearly always present; they’re just hard to see. All too often they’re only identified in hindsight because security personnel were either overwhelmed by alert fatigue or had no way of understanding that a seemingly innocuous request was actually malicious. But attacks are never truly hidden; they leave an indelible footprint we can follow to cut through the clutter of noise and expose what’s false and what’s real.
Network activity provides a lot of the clues required to piece together information for identifying attacks in progress, but to be effective at identifying them we need to truly understand the network and how it is being used. To leverage network activity effectively we need to create a model of the network that will provide us with security-relevant signals to potentially identify attacks. This model should be based not simply on connections between devices (which is a low-level abstraction that does not provide much insight), but on how the network is actually being used.
Devices within a network interact with each other through well-defined services and protocols; therefore, modeling the network as a medium that supports interaction between service providers and service consumers best captures how the network is being used. For example, a single-user laptop needing to download a file would first need to resolve a hostname via the DNS service by leveraging a DNS service provider, followed by consuming the HTTP service in downloading the file from an HTTP service provider (i.e. a web server).
This service-based model of the network provides a higher order abstraction that provides much more insight into how the network is being used by various permanent and ephemeral devices at any point in time. Changes in how certain security-relevant services are being either consumed by or provided to the network will yield clues to help identify attacks in progress.
Identifying attacks in progress
Another advantage of the service-based model is that services exist to satisfy a specific purpose, and the intent of the service can be leveraged by the network model to create security-relevant service categories. Three categories of services that play a huge role in identifying attacks in progress are:
1. Control, consisting of services such as RDP, SSH and VNC that are used to control or navigate to other devices in the network.
2. Data, consisting of services used for data transfer. These include (s)ftp, SMB, rsync, database services, and web application services such as Dropbox or Box.
3. Authentication, consisting of services that support authentication and authorization of users and devices within the environment. Examples include Kerberos, CHAP, and RADIUS.
Four key signs of an attack
Once we have a service model in place, we can begin to look for the following four key signs of an attack within that context:
1. Is a network resource behaving differently than is normal?
Let’s face it, most people (and therefore most network resources) pretty much do the same thing every day: arrive at work at around the same time, log in, check e-mail, connect to the file server, begin working. If any network resources start acting differently — for example, by providing new services, connecting to far more systems in the environment than usual, connecting from new locations, etc. — this can be a strong indicator of malicious behavior.
The trick, however, is to learn over time which behavioral shifts are actually normal for your environment: for instance, it’s normal for a system administrator to RDP into remote desktops frequently, but not for an admin assistant. The risk of false positives in this line of inquiry has prevented it from becoming a commonly used tool, although the growth of User Behavior Analysis and certain kinds of Network Traffic Analysis are beginning to solve this puzzle.
2. Are the types of attacks you are seeing escalating in sophistication?
Attacks are always pummeling enterprise networks, but the vast majority tend to be generic and ineffective, failing to penetrate the firewall, anti-virus, and other protections — just background noise, really. However, if there is an uptick in the level of sophistication of attacks that you are seeing, this could be a sign that your organization is being specifically targeted. Keep track of the types of attacks that generally hit your organization, and compare them over time. Having that knowledge will fast track your ability to recognize when the level of sophistication elevates.
3. Are users attempting to scan or control other systems they don’t normally access?
When endpoints or servers are compromised, attackers typically use those systems to scan your network for other available services and then attempt to connect to those services as they try to expand their footprint in your environment. You can look within your network’s “control flow” data — use of network protocols to access and control remote systems using SSH, RDP, VNC, and so forth — for signs of this kind of spread. If you find it, it will usually mean an attack is in progress.
4. Are resources transferring data in abnormal ways?
If a process is consuming a lot more data or sending a lot more data than usual, this could be a sign that something is wrong, particularly if that data is being transferred outside your network. Even worse, it could be on its way to known bad actors out on the internet. Within the “data flow” of your network lies a gold mine of information about who is pushing what data where, and you can leverage that to find bad behavior that might indicate a problem, for example, by leveraging threat intelligence sources to tell you whether outbound connections are destined for a known bad internet host.
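The service-based model described earlier (hosts as providers and consumers of categorized services) and three of the four checks above (a resource behaving differently, control-protocol spread to new systems, and abnormal outbound data transfer) as one added worked example in Python. This is not code from the original article. Everything in it is constructed for the illustration: the flow records, the port-to-service mapping, the 10.0.0.0/8 internal range, the 203.0.113.9 "known-bad" address standing in for a threat-intelligence feed, and the thresholds (two new control-protocol peers, ten times the daily outbound baseline), which are assumptions to tune per environment. Sign 2 (escalating sophistication) is a judgement made over attack history rather than flow data, so it is not modeled here.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed port-to-service mapping for the constructed flows below.
PORT_SERVICE = {22: "ssh", 3389: "rdp", 5900: "vnc", 445: "smb", 21: "ftp",
                88: "kerberos", 1812: "radius", 443: "https", 53: "dns"}

# Service -> security-relevant category, following the article's three categories.
SERVICE_CATEGORY = {"ssh": "control", "rdp": "control", "vnc": "control",
                    "smb": "data", "ftp": "data", "https": "data",
                    "kerberos": "auth", "radius": "auth"}

INTERNAL = ip_network("10.0.0.0/8")   # assumed address space of the environment
KNOWN_BAD = {"203.0.113.9"}           # constructed stand-in for a threat-intel list


def _daily_flows(day):
    """Constructed 'normal day' traffic: (day, src, dst, dst_port, bytes_sent)."""
    return [
        (day, "10.0.1.10", "10.0.2.6", 88, 2_000),        # assistant's laptop: Kerberos logon
        (day, "10.0.1.10", "10.0.2.5", 445, 50_000),      # ... file server share
        (day, "10.0.1.10", "198.51.100.7", 443, 20_000),  # ... web browsing
        (day, "10.0.1.20", "10.0.2.6", 88, 2_000),        # admin's laptop: Kerberos logon
        (day, "10.0.1.20", "10.0.2.5", 3389, 10_000),     # ... admin RDPs to the file server
        (day, "10.0.1.20", "10.0.2.7", 22, 5_000),        # ... admin SSHes to an app server
        (day, "10.0.1.20", "198.51.100.7", 443, 20_000),  # ... web browsing
    ]


BASELINE_FLOWS = [f for day in range(1, 6) for f in _daily_flows(day)]
# Day 6: the assistant's laptop suddenly RDPs to three servers and pushes
# 800 KB to an external host (constructed, to trigger signs 1, 3 and 4).
DAY6_FLOWS = _daily_flows(6) + [
    (6, "10.0.1.10", "10.0.2.7", 3389, 3_000),
    (6, "10.0.1.10", "10.0.2.8", 3389, 3_000),
    (6, "10.0.1.10", "10.0.2.9", 3389, 3_000),
    (6, "10.0.1.10", "203.0.113.9", 443, 800_000),
]


def build_model(flows):
    """Service-based model: who consumes and provides which service, plus outbound volume."""
    model = {
        "consumed": defaultdict(lambda: defaultdict(set)),        # host -> service -> providers used
        "provided": defaultdict(lambda: defaultdict(set)),        # host -> service -> consumers served
        "external_bytes": defaultdict(lambda: defaultdict(int)),  # host -> day -> bytes sent outside
    }
    for day, src, dst, port, nbytes in flows:
        service = PORT_SERVICE.get(port, f"tcp/{port}")
        model["consumed"][src][service].add(dst)
        model["provided"][dst][service].add(src)
        if ip_address(dst) not in INTERNAL:
            model["external_bytes"][src][day] += nbytes
    return model


def find_signs(baseline_flows, current_flows, fanout_min=2, volume_ratio=10):
    """Compare current flows against the baseline model; return (sign, host, detail) findings."""
    base, cur = build_model(baseline_flows), build_model(current_flows)
    base_days = max(len({f[0] for f in baseline_flows}), 1)
    findings = []

    # Sign 1: a host consumes or provides a service it never did during the baseline.
    for role in ("consumed", "provided"):
        for host, services in cur[role].items():
            if role == "provided" and ip_address(host) not in INTERNAL:
                continue  # new external providers are not a property of our network
            for svc in sorted(set(services) - set(base[role].get(host, {}))):
                cat = SERVICE_CATEGORY.get(svc, "other")
                findings.append(("sign1", host, f"newly {role} service {svc} ({cat})"))

    # Sign 3: control-protocol spread to systems the host never controlled before.
    for host, services in cur["consumed"].items():
        new_peers = set()
        for svc, peers in services.items():
            if SERVICE_CATEGORY.get(svc) == "control":
                new_peers |= peers - base["consumed"].get(host, {}).get(svc, set())
        if len(new_peers) >= fanout_min:
            findings.append(("sign3", host, f"control spread to {len(new_peers)} new hosts: {sorted(new_peers)}"))

    # Sign 4: outbound volume far above the host's daily baseline, or a known-bad destination.
    for host, per_day in cur["external_bytes"].items():
        today = sum(per_day.values())
        base_avg = sum(base["external_bytes"].get(host, {}).values()) / base_days
        if base_avg and today / base_avg >= volume_ratio:
            findings.append(("sign4", host, f"outbound {today} B vs baseline {base_avg:.0f} B/day"))
        elif not base_avg and today:
            findings.append(("sign4", host, f"first-seen outbound transfer of {today} B"))
    for _, src, dst, _, _ in current_flows:
        if dst in KNOWN_BAD:
            findings.append(("sign4", src, f"outbound connection to known-bad host {dst}"))
    return findings


if __name__ == "__main__":
    for sign, host, detail in find_signs(BASELINE_FLOWS, DAY6_FLOWS):
        print(f"{sign} {host}: {detail}")
```

Because the baseline is per host, the admin's daily RDP and SSH sessions never fire, while the same protocols from the assistant's laptop do, which is exactly the "normal for whom?" distinction the article draws; the fan-out and volume thresholds are the knobs that control the false-positive rate it warns about.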
Even with today’s more sophisticated threats, putting basic security practices in place can ward off the vast majority of attackers. Attention to simple foundational security protocols, such as keeping your software patched, would certainly have made a difference for the law firm Mossack Fonseca of Panama Papers fame, which reportedly fell victim due to well-known vulnerabilities in their outdated software systems. But as cyber criminals employ more advanced tactics, setting a baseline for normal network activity can greatly help in identifying anomalous behavior that could signal a threat.
Systems that take advantage of security analytics and machine learning to identify the behaviors of an attack are the future of our industry. At the same time, deploying such solutions requires a more proactive approach and a willingness to be more investigative. This kind of inquiry is in our DNA as security professionals, so it’s also a matter of asking the right questions to see what’s hidden in plain sight.