9/28/2012
11:30 PM

Security Intelligence Starts With Detecting The Weird

As companies try to make sense of the growing amount of information on their networks, anomaly detection becomes harder, but also more important

Companies need to get more focused in their attempts to detect anomalous behavior on their networks that may indicate a breach because attackers are quickly adapting to defensive technologies and becoming more stealthy, states a recent report.

In its 2012 Mid-Year Trend and Risk Report, IBM noted that attackers are getting more creative -- by necessity -- in getting around a target's defenses. Companies with a hardened perimeter have seen attackers try to breach a partner's systems in hopes of gaining easier access. Businesses that rely on signature-based security will face custom malware. And firms looking for communications to known botnet controllers may miss more surreptitious communications using, for example, DNS.

These sorts of tactics mean that companies need to have a better handle on the state of their networks, and what "weird" behaviors are happening, says Robert Freeman, research and development manager for IBM's X-Force.

"It's not necessarily about seeing that machines are talking at weird times of the day," he says. "A lot is about seeing weird activity within your network, where machines are talking to the wrong systems, moving large amounts of traffic."

Take the recently reported VOHO campaign: The cyberespionage attack used compromised websites frequented by targeted companies to infect the victims. Nearly 1,000 companies and organizations had machines infected by the attack, which installed a variant of the Gh0st remote access Trojan (RAT) on compromised machines. With custom-compressed malware and infection starting at a legitimate site, the attack easily evaded firms' perimeter defenses. Early detection would then require that companies have a good understanding of their network traffic patterns.

[ After a major breach, the University of Nebraska used logs from all of its databases, applications, networks, and security tools to piece together a picture of the attack within 48 hours. See Lessons In Campus Cybersecurity. ]

Detecting such campaigns requires that companies go beyond just focusing on coarse network patterns, says Tim Van Der Horst, a malware researcher with network- and Web-security provider Blue Coat Systems.

"The more granular that you can get, the better," he says. "You can look at the network as a whole and detect anomalies. It is better if you can look and see what individual users are doing and what individual devices are doing."

Anomaly detection depends on establishing a good baseline of network activity. If the model is too strict, then even slight changes in employee behavior will set off an alert. But if the anomaly detection system (ADS) tolerates too much misbehavior, then companies will miss attacks. It's a typical feedback loop, in which a company needs to learn from its alerts and tune its systems, IBM's Freeman says.

"In reality, it is something of an ongoing process, where anomalies are no superficial things, such as connecting to IRC at 1 a.m.," he says. "It is seeing the entirety of the network."

In its Mid-Year report, IBM recommends that companies heavily monitor privileged users and access to sensitive data. Detecting and blocking strange transfers of large amounts of data can also prevent some attackers from exfiltrating information. Finally, companies should monitor and block access from countries where they don't do business. To help better inform defenses, businesses should collect additional data, say, from a threat intelligence service and store network flows for later analysis.
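The baseline-and-tolerance tradeoff Freeman describes, and the report's advice to watch for unusually large transfers and to keep network flows around for analysis, can be made concrete with a small detector. The following is an added example written for this page, not code from IBM, Blue Coat, or Dark Reading: it learns each host's normal daily outbound volume and usual destinations from five days of constructed flow records, then checks a sixth day, flagging volume above the host's mean plus k standard deviations and any destination the host has never talked to. The host names, destinations, byte counts and the 203.0.113.7 address are all constructed sample values.

```python
"""Per-host baseline and threshold anomaly detector over constructed flow
records. Added illustration for this article; not code from IBM, Blue Coat
or Dark Reading. All hosts, destinations and byte counts are constructed."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (day, source host, destination, bytes sent).
# Days 1-5 are the learning period; day 6 is the day being checked.
FLOWS = [
    (1, "ws-01", "fileserver.corp", 600), (1, "ws-01", "mail.corp", 400),
    (2, "ws-01", "fileserver.corp", 700), (2, "ws-01", "mail.corp", 400),
    (3, "ws-01", "fileserver.corp", 500), (3, "ws-01", "mail.corp", 400),
    (4, "ws-01", "fileserver.corp", 650), (4, "ws-01", "mail.corp", 400),
    (5, "ws-01", "fileserver.corp", 550), (5, "ws-01", "mail.corp", 400),
    (1, "ws-02", "fileserver.corp", 2000),
    (2, "ws-02", "intranet.corp", 2500),
    (3, "ws-02", "fileserver.corp", 1500),
    (4, "ws-02", "intranet.corp", 2200),
    (5, "ws-02", "fileserver.corp", 1800),
    # Day 6: ws-02 is a little busier than usual (ordinary variation);
    # ws-01 pushes a large volume to an address it has never contacted.
    # 203.0.113.7 is a documentation-range address used as a constructed value.
    (6, "ws-02", "intranet.corp", 2600),
    (6, "ws-01", "fileserver.corp", 620),
    (6, "ws-01", "203.0.113.7", 50_000_000),
]

LEARN_DAYS = {1, 2, 3, 4, 5}


def daily_totals(flows, days):
    """Map host -> day -> total bytes sent, restricted to the given days."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, _dst, nbytes in flows:
        if day in days:
            totals[host][day] += nbytes
    return totals


def build_baseline(flows, learn_days):
    """Per host: mean and standard deviation of daily bytes sent over the
    learning period (days with no traffic count as zero), plus the set of
    destinations the host was seen talking to."""
    totals = daily_totals(flows, learn_days)
    dsts = defaultdict(set)
    for day, host, dst, _nbytes in flows:
        if day in learn_days:
            dsts[host].add(dst)
    baseline = {}
    for host, per_day in totals.items():
        values = [per_day.get(d, 0) for d in sorted(learn_days)]
        baseline[host] = {"mean": mean(values), "stdev": pstdev(values),
                          "dsts": dsts[host]}
    return baseline


def detect(flows, baseline, day, k):
    """Return alerts as (host, kind, detail) tuples for one day.

    k is the strictness knob: how many standard deviations above a host's
    mean daily volume are tolerated before a 'volume' alert fires. A small k
    flags ordinary variation; a large k lets more slip through."""
    alerts = []
    totals = daily_totals(flows, {day})
    for host, per_day in sorted(totals.items()):
        profile = baseline.get(host)
        if profile is None:
            alerts.append((host, "unknown-host", "no baseline for this host"))
            continue
        observed = per_day[day]
        limit = profile["mean"] + k * profile["stdev"]
        if observed > limit:
            alerts.append((host, "volume",
                           f"{observed} bytes sent > limit {limit:.0f}"))
    # A destination never seen in the learning period is reported regardless
    # of volume: "talking to the wrong systems" is its own signal.
    for d, host, dst, _nbytes in flows:
        if d == day and host in baseline and dst not in baseline[host]["dsts"]:
            alerts.append((host, "new-destination", dst))
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(FLOWS, LEARN_DAYS)
    for k in (1, 3):
        print(f"k={k}:")
        for host, kind, detail in detect(FLOWS, baseline, 6, k):
            print(f"  {host:6} {kind:16} {detail}")
```

Running it with k=1 flags ws-02's slightly busier day alongside the real outlier; with k=3 the ws-02 alert disappears while ws-01's large transfer to a new destination is still reported twice, once for volume and once for the unfamiliar destination. That is the tuning loop in miniature: the tolerance is adjusted against the alerts the baseline produces, and the flow records have to be retained for the baseline to exist at all.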

"Where all this is heading is probably toward big data analytic engines that are going to consume information from anomaly detection engines and other sources, and produce more than what SIEM [security information and event management] provides or IDS [intrusion detection system] provides," Freeman says. "Really we are at the beginning, the initial stages, of where this goes."
