Identifying evasive threats hiding inside the network

There is no greater security risk to an organization than a threat actor that knows how to operate under the radar.

Malicious insiders and external cybercriminals are getting savvier. They are better at blending in without tripping any alerts. They skip over tools and techniques that trigger standard security systems. How can a company tell them apart from the noise created by legitimate logins to the network that day?

The answer lies in context. It is not enough to monitor and log activity throughout the network – organizations need to be able to combine multiple sources of data to spot the subtle signs of a stealthy attacker at work.

Evasive manoeuvres

The reason context is so important is that advanced attackers can use a variety of tactics and tools to counter established security measures. Attackers will also commonly route their communications through HTTPS and DNS, making it extremely easy to hide. An average user produces up to 20,000 DNS queries a day, which creates a mind-boggling amount of data to analyze to have any chance of detecting something – especially if the communications themselves have no overtly malicious content.

Without any context to enrich this data, analysts will spend too long going through logs to determine if an alert is a genuine threat, or a false alarm.

Additionally, activity such as logging into a valid device during business hours, focusing on data in mailboxes and extracting only a small amount of data at a time, will all create little impression. Creating shadow accounts with more privileges and granting and removing permissions as needed will also help them to keep a low profile.

How can evasive threat actors be caught?

Even the most skilled and meticulous intruders cannot entirely mask their presence within a network. The most important factor in detecting them is developing a thorough understanding of the organization’s people, processes and technology.

Key actions for detecting hidden threat actors include:

Identifying sensitive data and file access: The first step is to define where your sensitive data is, prioritizing Personally Identifiable Information (PII) and other data governed by regulatory requirements, as well as its ‘owners’ and the accounts it can be accessed by. Any data no longer actively used should be archived to reduce any unnecessary threat vectors.

Managing user permissions: There should be a clear view of all the accounts on the system, including normal users as well as service and privileged accounts, and the permissions and access capabilities they possess. Monitoring permission changes can be a goldmine of valuable information for spotting suspicious behavior. A least privilege approach should be used to ensure all users can only access files essential for their job role: information access should be determined on a ‘need to know’ basis.

Monitoring key systems: It is essential to have visibility of the many systems that can be exploited by attackers. With Windows Active Directory for example, the company should know information such as account types and server types, privileges, groups, peers, and the difference between personal devices and public workstations.

Initiating high-value user profiling: Correlating user activity to specific devices will help to detect subtle signs of an intruder logging into different machines but not doing anything overtly malicious. Understanding the difference between how public and personal devices are used will also help to reduce noise and false positives.

Correlation is key

The most important step is to correlate all this data. The signs of an evasive intruder will often be too subtle if data sets are viewed in isolation, and many patterns of suspicious behavior are only apparent with a unified view. Considering the vast amounts of data flowing through an organization on any given day, this can only be achieved with an automated approach powered by machine learning.

Armed with a thorough understanding of what normal behavior looks like and a unified view of all activity on the network, organizations will be able to make high value correlations that identify some of the most elusive signs of malicious activity. For example, a user accessing a VPN and then logging into another employee’s device will not trigger a standard security system. But such behavior would be very unusual for a legitimate user and is a clear sign someone has had their credentials phished.

With sufficient data, organizations can go beyond individual users and build peer relationships into their behavioral analytics. This will allow them to quickly spot a user that is displaying unusual file activity compared to their peers, significantly reducing incident response times. Once organizations can reliably detect these signs, even the most evasive attackers will have few places left to hide inside the network.