Dark Reading is part of the Informa Tech Division of Informa PLC



Security Intelligence Starts With Detecting The Weird

As companies try to make sense of ever more information about what is happening on their networks, detecting anomalies becomes harder, and more important

Companies need to get more focused in their attempts to detect anomalous behavior on their networks that may indicate a breach, because attackers are quickly adapting to defensive technologies and becoming stealthier, a recent report says.

In its 2012 Mid-Year Trend and Risk Report, IBM noted that attackers are getting more creative -- by necessity -- in getting around a target's defenses. Companies with a hardened perimeter have seen attackers try to breach a partner's systems in hopes of gaining easier access. Businesses that rely on signature-based security will face custom malware. And firms looking for communications to known botnet controllers may miss more surreptitious communications using, for example, DNS.
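The DNS point deserves a concrete check. Watching for connections to known controllers finds nothing when the command channel rides on ordinary DNS lookups, so the detection has to come from how the queries look rather than where they go. The following is an added example, not code from the article or from IBM: it profiles a constructed query log per client and registered domain, counting distinct names and measuring the entropy of the labels in front of the domain. The hostnames (ws-17, ws-23, ws-41), the domains, and the sha256 hex labels used to stand in for encoded data chunks are all constructed; the thresholds are illustrative starting points to tune against your own traffic.

```python
import hashlib
import math
from collections import defaultdict

# Constructed DNS query log, (client, queried name); not real traffic.
QUERIES = [
    ("ws-17", "www.example.com"), ("ws-17", "mail.example.com"),
    ("ws-17", "www.example.com"), ("ws-17", "login.example.com"),
    ("ws-17", "cdn.example.net"),
]
# A CDN with numbered hosts: many distinct names, but predictable ones.
QUERIES += [("ws-23", f"img{i}.cdn-example.net") for i in range(1, 13)]
# A host pushing data out through DNS: every query carries a chunk of encoded
# data as a long, high-entropy label. sha256 hex stands in for the encoded chunks.
QUERIES += [("ws-41", hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:32] + ".example.org")
            for i in range(12)]


def registered_domain(name):
    """Last two labels. Naive: production code should consult the public suffix list."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def shannon_entropy(text):
    """Bits per character of the observed label text; uniformly random hex tends to 4."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def profile(queries):
    """Per (client, registered domain): distinct names, mean label length, and the
    entropy of everything the client put in front of the registered domain."""
    names = defaultdict(set)
    for client, name in queries:
        names[(client, registered_domain(name))].add(name.lower())
    out = {}
    for (client, domain), seen in names.items():
        subs = [n[:-len(domain) - 1] if n != domain else "" for n in seen]
        out[(client, domain)] = {
            "names": len(seen),
            "mean_len": sum(map(len, subs)) / len(subs),
            "entropy": shannon_entropy("".join(subs)),
        }
    return out


def suspicious(queries, min_names=8, min_entropy=3.2):
    """Flag (client, domain) pairs that look like a covert channel rather than a busy CDN."""
    return sorted(key for key, p in profile(queries).items()
                  if p["names"] >= min_names and p["entropy"] >= min_entropy)


if __name__ == "__main__":
    for key, p in sorted(profile(QUERIES).items()):
        print(key, {k: round(v, 2) for k, v in p.items()})
    print("suspicious:", suspicious(QUERIES))
```

The CDN client is the important negative case: it queries as many distinct names as the tunnelling host, so a count alone would flag it, but its labels are low-entropy and short. Requiring both signals keeps that false positive out while the high-entropy, fixed-length labels from ws-41 still trip the check.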

These sorts of tactics mean that companies need to have a better handle on the state of their networks, and what "weird" behaviors are happening, says Robert Freeman, research and development manager for IBM's X-Force.

"It's not necessarily about seeing that machines are talking at weird times of the day," he says. "A lot is about seeing weird activity within your network, where machines are talking to the wrong systems, moving large amounts of traffic."

Take the recently reported VOHO campaign: The cyberespionage attack used compromised websites frequented by targeted companies to infect the victims. Nearly 1,000 companies and organizations had machines infected by the attack, which installed a variant of the Gh0st remote access Trojan (RAT) on compromised machines. With custom-compressed malware and infection starting at a legitimate site, the attack easily evaded firms' perimeter defenses. Early detection therefore depends on companies understanding their normal network traffic patterns well enough to notice when a machine departs from them.

[ After a major breach, the University of Nebraska used logs from all of its databases, applications, networks, and security tools to piece together a picture of the attack within 48 hours. See Lessons In Campus Cybersecurity. ]

Detecting such campaigns requires that companies go beyond just focusing on coarse network patterns, says Tim Van Der Horst, a malware researcher with network- and Web-security provider Blue Coat Systems.

"The more granular that you can get, the better," he says. "You can look at the network as a whole and detect anomalies. It is better if you can look and see what individual users are doing and what individual devices are doing."

Anomaly detection depends on establishing a good baseline of network activity. If the model is too strict, even slight changes in employee behavior will set off an alert; if the anomaly detection system (ADS) tolerates too much misbehavior, companies will miss attacks. Tuning it is a feedback loop: a company learns from the alerts it gets and tweaks its systems accordingly, IBM's Freeman says.

"In reality, it is something of an ongoing process, where anomalies are not superficial things, such as connecting to IRC at 1 a.m.," he says. "It is seeing the entirety of the network."
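To make the baseline and threshold trade-off concrete, here is an added example (not code from the article, IBM, or Blue Coat) that builds a per-device baseline from constructed daily traffic summaries and scores new days against it. It uses the median and median absolute deviation (MAD) rather than mean and standard deviation, so a single extreme day does not drag the baseline along with it, and it keeps a per-device set of known destinations so that "talking to the wrong systems" is checked as well as volume. The hostnames, volumes, destination names and the 203.0.113.9 address are all constructed; the threshold k is the knob the feedback loop in the text is about.

```python
import statistics
from collections import defaultdict

# Constructed per-host, per-day summaries (illustrative, not real traffic):
# (host, megabytes sent, set of systems the host talked to).
BASELINE = [
    ("ws-17", 42, {"fs01", "mail", "proxy"}),
    ("ws-17", 48, {"fs01", "mail", "proxy", "dc01"}),
    ("ws-17", 51, {"fs01", "proxy"}),
    ("ws-17", 39, {"mail", "proxy", "dc01"}),
    ("ws-17", 55, {"fs01", "mail", "proxy"}),
    ("ws-17", 47, {"fs01", "proxy", "dc01"}),
    ("ws-17", 44, {"fs01", "mail", "proxy"}),
    ("db-02", 800, {"app01", "app02", "backup"}),
    ("db-02", 820, {"app01", "app02", "backup"}),
    ("db-02", 790, {"app01", "app02"}),
    ("db-02", 810, {"app01", "app02", "backup"}),
    ("db-02", 805, {"app01", "app02", "backup"}),
    ("db-02", 815, {"app01", "app02", "backup"}),
    ("db-02", 795, {"app01", "app02"}),
]
# Day 8: the workstation pushes 900 MB to a host it has never spoken to, while the
# database server does what it does every day.
EXFIL_DAY = [
    ("ws-17", 900, {"fs01", "proxy", "203.0.113.9"}),
    ("db-02", 810, {"app01", "app02", "backup"}),
]
# Day 9: a software update roughly doubles the workstation's usual volume. Benign.
UPDATE_DAY = [("ws-17", 70, {"fs01", "mail", "proxy", "dc01"})]


def build_baseline(records):
    """Per host: median volume, scaled MAD (a robust stand-in for sigma), known destinations."""
    volumes, dests = defaultdict(list), defaultdict(set)
    for host, mb, seen in records:
        volumes[host].append(mb)
        dests[host] |= seen
    model = {}
    for host, vals in volumes.items():
        med = statistics.median(vals)
        mad = statistics.median(abs(v - med) for v in vals) * 1.4826
        model[host] = (med, max(mad, 1.0), dests[host])  # floor protects flat baselines
    return model


def detect(model, observed, k):
    """Alert when a host exceeds its own median by more than k robust sigmas,
    or contacts a destination absent from its baseline."""
    alerts = []
    for host, mb, seen in observed:
        if host not in model:
            alerts.append((host, "no_baseline", mb))
            continue
        med, sigma, known = model[host]
        score = (mb - med) / sigma
        if score > k:
            alerts.append((host, "volume", round(score, 1)))
        new = seen - known
        if new:
            alerts.append((host, "new_destination", sorted(new)))
    return alerts


def flat_threshold(observed, limit_mb):
    """The network-wide alternative: one limit for every host, regardless of its role."""
    return [(host, "volume", mb) for host, mb, _ in observed if mb > limit_mb]


if __name__ == "__main__":
    model = build_baseline(BASELINE)
    for k in (3, 5):
        print(f"k={k} exfil day:  ", detect(model, EXFIL_DAY, k))
        print(f"k={k} update day: ", detect(model, UPDATE_DAY, k))
    print("flat 500 MB limit on exfil day:", flat_threshold(EXFIL_DAY, 500))
```

Running it shows the two failure modes from the text: with k=3 the benign update day alerts (it sits almost four robust sigmas above the workstation's median), while with k=5 it stays quiet and the 900 MB day still fires, together with the new-destination alert that does not depend on any threshold. The flat network-wide limit fires on the database server every day, which is the coarse-pattern problem Van Der Horst describes; the per-device baseline does not, because 810 MB is normal for that host.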

In its Mid-Year report, IBM recommends that companies heavily monitor privileged users and access to sensitive data. Detecting and blocking strange transfers of large amounts of data can also prevent some attackers from exfiltrating information. Finally, companies should monitor and block access from countries where they don't do business. To help better inform defenses, businesses should collect additional data, say, from a threat intelligence service and store network flows for later analysis.
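Two of those recommendations, the geography rule and the large-transfer rule, hide a practitioner's caveat: a transfer limit checked one flow at a time misses an attacker who splits the data into chunks that each stay under it. The example below is added here and is not IBM's code or the article's; it applies a country allow-list per flow and then sums bytes per source/destination pair over a sliding window so that chunked transfers add up. The flow records, the GEO table that stands in for a GeoIP lookup, the "XX" country code (meaning somewhere the company does no business), the 10.0.0.0/8 internal range and the limits are all constructed.

```python
import ipaddress
from collections import defaultdict

INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]
BUSINESS_COUNTRIES = {"US", "GB"}        # where this hypothetical company operates
WINDOW_SECONDS = 3600
LIMIT_BYTES = 500_000_000                # per source/destination pair per window

# Stand-in for a GeoIP lookup; constructed, a real deployment queries a GeoIP database.
GEO = {"203.0.113.9": "XX", "198.51.100.7": "US", "192.0.2.44": "GB"}

# Constructed flow records: (epoch seconds, source, destination, bytes).
FLOWS = (
    # ten 60 MB chunks, one a minute, to a US address: no single flow is large
    [(t, "10.1.2.17", "198.51.100.7", 60_000_000) for t in range(0, 600, 60)]
    + [(100, "10.1.2.17", "203.0.113.9", 5_000_000)]     # small flow to an unexpected country
    + [(200, "10.1.2.30", "192.0.2.44", 700_000_000)]    # one obviously large transfer
    + [(300, "10.1.2.30", "10.2.0.5", 1_000_000_000)]    # internal traffic: not an exfil question
)


def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL)


def evaluate(flows):
    """Geography rule per flow, then the volume rule per (src, dst) pair over a
    sliding window so that a transfer split into chunks is still seen whole."""
    decisions, history = [], defaultdict(list)
    for t, src, dst, nbytes in sorted(flows):
        if is_internal(dst):
            continue
        country = GEO.get(dst)
        if country not in BUSINESS_COUNTRIES:       # unknown location fails closed
            decisions.append(("block", "geo", src, dst, country))
            continue
        recent = history[(src, dst)]
        recent.append((t, nbytes))
        while recent and recent[0][0] < t - WINDOW_SECONDS:
            recent.pop(0)                            # age out flows beyond the window
        total = sum(b for _, b in recent)
        if total > LIMIT_BYTES:
            decisions.append(("alert", "volume", src, dst, total))
            recent.clear()                           # one alert per burst, not one per chunk
    return decisions


def per_flow_only(flows):
    """The naive version: the same limit checked against each flow in isolation."""
    return [(src, dst, b) for _, src, dst, b in sorted(flows)
            if not is_internal(dst) and b > LIMIT_BYTES]


if __name__ == "__main__":
    for d in evaluate(FLOWS):
        print(d)
    print("per-flow check sees only:", per_flow_only(FLOWS))
```

The windowed version raises the 700 MB transfer and, a few minutes later, the chunked 60 MB stream once it crosses the limit in aggregate; the per-flow version sees only the first. Whether an unknown geolocation should block, as here, or merely alert is a policy choice; blocking is the safer default for a network that should only ever talk to a short list of countries, but it will break the first time the GeoIP data is stale.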

"Where all this is heading is probably toward big data analytic engines that are going to consume information from anomaly detection engines and other sources, and produce more than what SIEM [security information and event management] provides or IDS [intrusion detection system] provides," Freeman says. "Really we are at the beginning, the initial stages, of where this goes."
