12 INDICATORS OF COMPROMISE

12 Indicators of Compromise

Human Behavior
• Alert Visibility
• Return on Intelligence
• Social Engineering

Machine Behavior
• Autonomous System Behavior
• Policy Violations
• Botnet C&C Traffic

Volumetric Behavior
• DDoS Noise Reduction
• Unusual Inbound Traffic
• Unusual Outbound Traffic

Anomalous Behavior
• Geographic Anomalies
• Protocol Anomalies
• Long-Term Trending

Using security analytics to identify patterns of network behaviors that indicate an active network attack
As a security analyst, much of your day-to-day operational work involves tracking perimeter defense alerts, responding to end-point alerts, and running down user reports of suspicious activity. While these tasks are important, you know that there’s probably malicious activity on your network beyond the alerts. So how do you find it?
Perimeter defense tools identify the identifiable—events they are already aware of and looking for—but these known-knowns are not the whole story. There are unknown-unknowns that perimeter defenses miss that you must find to fully secure your network. Security analytics can guide you directly to the malicious behavior you knew existed, but could never see.
Security analytics use fused disparate network data, from IPS/IDS alerts and malware notifications to flow and application metadata, to identify patterns of behavior that are indicative of network compromise. They quickly and (in many cases) automatically identify and classify these malicious behaviors so that you can move fast to remediate infected and misconfigured systems or thwart an ongoing attack missed by the perimeter.
In this paper we look at the four categories of malicious behavior that concern organizations the most. It is important to understand these behaviors, what they are, and why they are dangerous. When the presence of any of these behaviors becomes evident using security analytics, they become Indicators of Compromise (IOCs), something discussed throughout the industry including Dark Reading.

Understanding these 12 IOCs is critical to identifying network breaches. In the first half of 2014, the security researchers at 21CT will release analytics that you can use to both identify these 12 Indicators of Compromise before they damage your business and, in some cases, prevent the compromise from happening. We will highlight newly published IOCs in our monthly newsletter with links to learn more about the IOCs as well as download the analytics.
The 12 Indicators
Human Behavior
Human behavior as used here includes known-known and social engineering behaviors. The known-knowns provide context and visualization around perimeter defense alerts and threat feed blacklists, while social engineering IOCs identify patterns of behavior that deviate from human norms, indicating potential points of exploitation.
Why Alert Visibility?
The context surrounding an alert (alert visibility) is important information that security organizations need for a more complete understanding of the activity on their networks. What happened immediately before and after the alerted event? What hosts were the affected systems talking to? What was taken? Security analytics help you find answers to these kinds of questions.
Increasing Alert Visibility Using Security Analytics
An alert from your anti-malware device that a host on your network has communicated with a new botnet command and control server identifies a known bad host on your network that you can open a ticket on to remediate the host. As a security analyst, you need to remediate that host, but you also want to know if the alert indicates a larger infiltration than just the one host. How was the host infected? How long has it been infected? Who communicated internally with the now infected host? Was it a file download? Using security analytics, you can get answers to these questions for a fuller understanding of the scope of the attack so you can mitigate all affected systems. Security analytics do this by fusing secondary data sources from devices such as next-generation firewalls or application metadata sensors with other network data to transform alerts into indicators of compromise, intelligence that leads to faster and more complete mitigation of a compromise.
With security analytics you can:
• Accelerate mitigation of a compromise by extending your perimeter defense to find missed breaches
• Increase operational insight by identifying patterns of previously hidden behavior
• Avoid catastrophic damage to your network by quickly identifying breaches and accelerating your mitigation
• Enable faster, easier, and more repeatable analysis by turning your experience and creativity into executable analytics
• Sigh with relief when you discover your network is more secure
Return on Intelligence
Why Return on Intelligence?
Most security organizations subscribe to various threat feeds that deliver monthly, weekly, or even daily updates on known bad domains, IP addresses, MD5 sums, or email addresses. These threat feeds are a potentially rich source of intelligence, but gaining operational value from them is often difficult and time-consuming. Their varying formats are not easily manipulated or searchable, and you can’t scan through them and quickly understand what is important to you and your organization. With security analytics you can leverage the full benefit of this powerful intelligence to gain visibility into the unknown-unknowns.
Enhancing Return on Intelligence Using Security Analytics
One way to utilize the information in threat feeds would be to take a text dump of NetFlow records and write a shell script to grep the text file for blacklisted IPs that have been communicated with. Another way would be to grep Bro sensor logs for the MD5s that may come in from a threat feed. However, with attackers continually changing IP addresses, even if you can utilize the information in the threat feed, you still won’t discover additional instances of an attack from IP addresses not yet known to be bad. Security analytics provide the context you need to truly understand the behavior of your network. With security analytics and threat feeds you can:
• Identify connections between internal hosts and known bad external IP addresses
• Identify additional hosts that downloaded the same file as those connecting to the known bad IP addresses
• Identify additional IP addresses now known to be bad
• Reduce time-to-detection and mitigation by utilizing the intelligence you care about in the threat feed

With an easy way to gain actionable intelligence from the threat feeds you already subscribe to, you significantly improve their value and can now enhance your security posture even more by subscribing to additional threat feeds.
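As an added example (not 21CT's code or analytics), the following Python carries the threat-feed use out over constructed flow and file-download records: first the direct matches a grep would find, then the pivot to the additional hosts and IPs listed above. Feed values, hosts and hashes are all constructed.

```python
"""Added example, not 21CT's code: match a threat feed against constructed
flow and file-download records, then pivot from the direct matches to hosts
and IPs the feed does not list. All data below is constructed."""
from collections import defaultdict

# Constructed threat feed (IPs and MD5 sums only; values are placeholders).
THREAT_FEED = {
    "ips": {"203.0.113.7"},
    "md5s": {"ffeeddccbbaa99887766554433221100"},
}

# Constructed NetFlow-style records: (src, dst, dst_port, bytes).
FLOWS = [
    ("10.0.0.5", "203.0.113.7", 443, 5120),
    ("10.0.0.5", "198.51.100.20", 80, 2048),
    ("10.0.0.9", "192.0.2.44", 443, 900),
    ("10.0.0.12", "198.51.100.20", 80, 2048),
    ("10.0.0.12", "203.0.113.7", 443, 4096),
    ("10.0.0.31", "198.51.100.77", 80, 2048),
]

# Constructed Bro-style file records: (downloading host, md5, serving ip).
FILES = [
    ("10.0.0.5", "00112233445566778899aabbccddeeff", "198.51.100.20"),
    ("10.0.0.9", "ffeeddccbbaa99887766554433221100", "192.0.2.44"),
    ("10.0.0.12", "00112233445566778899aabbccddeeff", "198.51.100.20"),
    ("10.0.0.31", "00112233445566778899aabbccddeeff", "198.51.100.77"),
    ("10.0.0.40", "123456789abcdef0123456789abcdef0", "192.0.2.10"),
]


def direct_matches(flows, files, feed):
    """Hosts the feed identifies directly: a flow to a listed IP or a
    download whose MD5 is listed. This is all the grep approach finds."""
    hosts = {src for src, dst, _, _ in flows if dst in feed["ips"]}
    hosts |= {host for host, md5, _ in files if md5 in feed["md5s"]}
    return hosts


def pivot(flows, files, feed):
    """Extend the direct matches: every file a direct host downloaded is
    suspect, every other host holding that file is suspect, and every IP
    that served a suspect file is now known to be bad."""
    direct = direct_matches(flows, files, feed)
    by_md5 = defaultdict(set)     # md5 -> hosts that downloaded it
    served_by = defaultdict(set)  # md5 -> ips that served it
    for host, md5, src_ip in files:
        by_md5[md5].add(host)
        served_by[md5].add(src_ip)
    suspect_md5s = {md5 for host, md5, _ in files if host in direct}
    additional = set().union(*(by_md5[m] for m in suspect_md5s)) - direct
    new_bad_ips = set().union(*(served_by[m] for m in suspect_md5s))
    new_bad_ips -= feed["ips"]
    return {
        "direct_hosts": direct,
        "additional_hosts": additional,
        "suspect_md5s": suspect_md5s,
        "new_bad_ips": new_bad_ips,
    }


if __name__ == "__main__":
    for key, value in pivot(FLOWS, FILES, THREAT_FEED).items():
        print(f"{key}: {sorted(value)}")
```

The grep approach stops at the three direct hosts; the pivot adds the host that fetched the same file from a server the feed never listed, and three IPs to feed back into the blacklist.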
Why Social Engineering?
According to Verizon’s 2013 Data Breach Investigations Report, nearly a third of all breaches in 2012 involved social engineering. And because social engineering often uses common low-tech methods like emails and phone calls, these attacks can be some of the most difficult to protect against. Humans are naturally trusting of each other, especially when the appropriate context exists. That said, even social engineering leaves traces in your network that you can identify using security analytics.
Mitigating the Effects of Social Engineering Using Security Analytics
An employee receives a phone call from a malicious actor who warns of a computer compromise requiring immediate action in order to prevent catastrophe. While the phone call is in progress, at the direction of the caller, the employee visits a website that has never been accessed by anyone in the corporate network and downloads a malware-infected PDF with the pricing of the phantom services the scammer is trying to sell.
Since this phone call came into an office desk phone, you have access to the SIP logs and can see that the employee answered the phone call. That host has now been compromised. Using security analytics, you can identify a pattern of the attack: an incoming phone number (and related information such as geographic location), an MD5 sum of the PDF file, and the web domain where the download occurred. You can then use this pattern to search for similar activity elsewhere on the network. In seconds, you can identify the threat and take steps to mitigate it by setting up alerts, blocking domains and phone numbers, and—importantly—creating an alert to flag the MD5 sum even if the attacker changes phone numbers and domains. Furthermore, you can notify employees of the attack pattern to mitigate the front-end risk vector: the human. Using security analytics, you can quickly mitigate the effects of the breach and increase your defense against the same attack in the future... or sigh with relief when you discover that it was a one-off attempt.
Machine Behavior
Machine behavior encompasses all the network traffic and activity automatically generated by a computer beyond the user’s control or that violates corporate policy whether explicit or implied.
Autonomous System Behavior
Why Autonomous System Behavior?
In the Human Behavior category, we discussed network activity triggered by some explicit human action (by either the attacker or an unsuspecting employee). But computers also do things autonomously behind the scenes without explicit user interaction such as email retrieval, instant messaging alerts, and OS updates. While autonomous system behavior is essential to a user’s normal day-to-day activity, it can also mask potentially malicious behavior. With security analytics you can quickly filter out normal autonomous system behavior to help you zero in on the abnormal behavior that may indicate a compromise, so remediation is quicker and more complete.
Identifying Autonomous System Behavior Using Security Analytics
When employees arrive at work and turn on their computers, a flurry of network connections flow from their machines as they download email and sign on to the corporate instant messaging server. A handful of HTTP requests may then go out as employees pull up their personal email or check industry news sites. They may also launch business applications like revision control repositories, financial applications, or other databases.
These applications normally exhibit predictable behavior. With web-based traffic, for example, most web pages download pages, images, and scripts of varying sizes. When a host issues HTTP requests to widely different domains but they all return HTTP pages of the same size, that’s a good indicator of suspicious behavior. A host issuing bursts of HTTP requests is also suspicious. Even more interesting for the security analyst is multiple autonomous system behaviors on a host within a short time. Combinations of indicators are a powerful window into malicious behavior. The graph pattern matching capabilities of security analytics help you identify these combinations of behaviors that are telltale indicators of compromise, helping you to gain operational insight into this previously hidden behavior on your network.
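As an added example (not 21CT's code), the two checks described above, identical response sizes across unrelated domains and bursts of requests, run over constructed HTTP metadata, with the combination of both flagged separately. Thresholds are assumptions, not values from the paper.

```python
"""Added example, not 21CT's code: autonomous-behaviour checks over
constructed HTTP metadata records. Thresholds are assumptions."""
from collections import defaultdict

# Constructed HTTP metadata: (timestamp_s, src_host, domain, response_bytes).
HTTP_LOG = [
    # 10.0.0.5: normal browsing, varied domains and sizes, spread over time
    (0, "10.0.0.5", "news.example", 48211),
    (35, "10.0.0.5", "cdn.example", 10433),
    (90, "10.0.0.5", "mail.example", 7120),
    (400, "10.0.0.5", "news.example", 51902),
    # 10.0.0.22: six unrelated domains all answering with the same size,
    # inside a ten-second window
    (100, "10.0.0.22", "a1.example", 312),
    (101, "10.0.0.22", "b2.example", 312),
    (103, "10.0.0.22", "c3.example", 312),
    (104, "10.0.0.22", "d4.example", 312),
    (106, "10.0.0.22", "e5.example", 312),
    (108, "10.0.0.22", "f6.example", 312),
    # 10.0.0.30: burst only (an updater fetching many parts from one domain)
    (200, "10.0.0.30", "updates.example", 1001),
    (201, "10.0.0.30", "updates.example", 2002),
    (201, "10.0.0.30", "updates.example", 3003),
    (202, "10.0.0.30", "updates.example", 4004),
    (203, "10.0.0.30", "updates.example", 5005),
    (204, "10.0.0.30", "updates.example", 6006),
]


def same_size_many_domains(log, min_domains=4):
    """Hosts that received identically sized responses from at least
    min_domains different domains."""
    seen = defaultdict(lambda: defaultdict(set))  # host -> size -> domains
    for _, host, domain, size in log:
        seen[host][size].add(domain)
    return {h for h, sizes in seen.items()
            if any(len(d) >= min_domains for d in sizes.values())}


def request_bursts(log, window=10, min_requests=5):
    """Hosts that issued at least min_requests requests inside any
    window-second sliding window."""
    times = defaultdict(list)
    for ts, host, _, _ in log:
        times[host].append(ts)
    flagged = set()
    for host, ts_list in times.items():
        ts_list.sort()
        start = 0
        for end, t in enumerate(ts_list):
            while t - ts_list[start] > window:
                start += 1
            if end - start + 1 >= min_requests:
                flagged.add(host)
                break
    return flagged


def combined_indicators(log):
    """Hosts showing both autonomous indicators; the burst-only updater and
    the ordinary browser drop out, the same-size-from-many-domains host stays."""
    return same_size_many_domains(log) & request_bursts(log)
```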
Why Policy Violations?
While a host may not be violating explicit company policy, it might be violating a well-understood, implied policy. Either way, the result is the same: behavior outside the expected norm. These policies exist to establish a specific baseline that a deviation from would indicate (at best) a misconfigured system or (at worst) a compromised system. Security analytics enable you to quickly distinguish compromised systems from misconfigurations and benign policy violations, dramatically reducing
Identifying Policy Violations Using Security Analytics
Internal network clients rarely need to communicate directly with other clients on the network. Most of their activity passes through application servers like instant messaging, email, source code repositories, financial applications, or other enterprise-level business systems. Worm propagation, however, spreads primarily through host-to-host communication. Visualizing host-to-host communication, therefore, would provide insight into a worm that was trying to spread throughout the network. Escalated or de-escalated privileged access to corporate data is another example of a policy violation that could indicate a compromise. If the CEO, for example, accesses the source code repository unexpectedly, in most companies this suggests a network breach with data exfiltration as the end goal. Similarly, sudden access to the corporate finance system by an engineer would suggest a possible breach with intent to steal corporate financial information. By fusing the data from these disparate systems with other network data, security analytics can detect combinations of these policy violations that are significant indicators of compromise, enabling you to find and mitigate network breaches before serious damage can be inflicted.
Botnet C&C Traffic
Why Botnet C&C Traffic?
The presence of botnet command and control (C&C) traffic represents one of the more obvious indicators of compromise. If C&C traffic is present on your network, you almost certainly have infected hosts, whether they’re acting as C&C servers or, more likely, bots that may be stealing corporate information or acting as drones in DDoS attacks. Security analytics can help you identify C&C traffic and stop it before it causes additional damage.
Detecting Botnet C&C Traffic Using Security Analytics
Typical web browsing produces web pages compiled from many different page elements from many different hosts and paths as the browser downloads images, scripts, and HTML files, and the resulting page is generally static once compiling is complete. Users do not usually refresh a webpage at regular intervals of, say, every 120 seconds. Frequent, regular refreshes that request only one or two paths on the same host more likely indicate a compromised host calling back to the C&C server to give status updates and listen for new commands. The Zeus botnet, for example, almost always calls out to the same host and pulls only a single URI path. Security analytics can help you quickly identify this behavior and discover compromised hosts on your network before they can inflict serious damage.
Figure 4: Visual depiction of a security analytic to detect a single URI
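As an added example (not 21CT's analytic), a scoring function for the single-URI callback pattern: for each client/server pair it measures how regular the inter-request intervals are and how many distinct paths are requested. The 120-second interval follows the text; the client, server names and thresholds are constructed assumptions.

```python
"""Added example, not 21CT's code: score each (client, server) pair for
regular, single-path callbacks over constructed HTTP request records."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed records: (timestamp_s, client, server_host, uri_path).
REQUESTS = []
# Infected client: one path, every 120 s with a little jitter.
for i, jitter in enumerate([0, 1, -1, 2, 0, -2, 1, 0]):
    REQUESTS.append((i * 120 + jitter, "10.0.0.17", "cc.example", "/gate.php"))
# Normal browsing client: many paths, irregular timing.
for ts, path in [(5, "/"), (9, "/style.css"), (9, "/logo.png"), (240, "/news"),
                 (241, "/img/1.png"), (600, "/about"), (604, "/contact"),
                 (1200, "/")]:
    REQUESTS.append((ts, "10.0.0.8", "www.example", path))


def beacon_score(requests, min_requests=6, max_cv=0.1, max_paths=2):
    """Return {(client, server): (mean_interval, cv, path_count)} for pairs
    whose inter-request intervals are regular (coefficient of variation at
    most max_cv) and that touch at most max_paths distinct URI paths."""
    groups = defaultdict(list)
    for ts, client, server, path in requests:
        groups[(client, server)].append((ts, path))
    hits = {}
    for pair, items in groups.items():
        if len(items) < min_requests:
            continue  # too few requests to judge regularity
        items.sort()
        ts = [t for t, _ in items]
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # all requests at the same instant: not a beacon
        cv = pstdev(gaps) / avg
        paths = {p for _, p in items}
        if cv <= max_cv and len(paths) <= max_paths:
            hits[pair] = (round(avg, 1), round(cv, 3), len(paths))
    return hits


if __name__ == "__main__":
    for (client, server), (avg, cv, n) in beacon_score(REQUESTS).items():
        print(f"{client} -> {server}: every {avg}s (cv {cv}), {n} path(s)")
```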
Volumetric Behavior
Volumetric behavior revolves around the amount of traffic being generated by network activity. Significantly higher than normal volumes of network activity could indicate an incoming DDoS attack, compromised hosts exfiltrating data from your network, or simply a legitimate transfer of large files to a trusted customer or partner. As a security analyst, you need to be able to identify an abnormally high volume of network traffic and quickly determine if it is benign or malicious.
DDoS Noise Reduction
Why DDoS Noise Reduction?
Distributed denial-of-service (DDoS) attacks have garnered much attention in recent years as major corporations have suffered very public attacks. While most of the attention is focused on website downtime and resource unavailability, many DDoS attacks are now used as a smokescreen for penetration or exfiltration. As the DDoS attack is happening, security organizations scramble to deploy their best people to fix or mitigate the effects of the attack, while the attackers are busy with their true objective: gaining access to intellectual property and other sensitive corporate information. Using security analytics with all your disparate network data fused and visualized in a single solution, you can quickly filter out the noise to detect and mitigate the stealth attacks, as well as the obvious and noisy ones.
Reducing DDoS Noise Using Security Analytics
A DDoS attack can be a highly visible indicator of compromise, yet it also may be masking the true intent of the attacker. Understanding the type of DDoS attack that you are investigating is very important in being able to properly reduce the noise so that the normal underlying behavior can be analyzed. When analyzing large datasets, time can be a useful filter to reduce the amount of data that you need to scan. For example, you could look at new inbound connections over only the past 60 minutes rather than over the past 24 hours. This is a useful technique, but during DDoS attacks new inbound connections may be happening orders of magnitude more than during a regular time interval. For example, Slowloris is an HTTP-based attack where bogus HTTP headers are fed from the attacker to the subject HTTP server. These bogus headers are sent in large time intervals where a single request could potentially take hours or even days to complete. When tens or hundreds of thousands of these connections build up over time, the HTTP server is rendered inaccessible because of resource exhaustion. With security analytics you can quickly filter these types of connections out of the larger dataset so that you don’t see millions of bogus connections but can instead focus on the connections that might be trying to deliver server-side exploits. This allows you to truly see infiltration attempts without being distracted by a large volume of otherwise meaningless Slowloris connections.
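As an added example (not 21CT's code), the noise-reduction step above over a constructed connection log: Slowloris-style connections are long-lived, carry almost no request bytes and never complete, so they can be split off, leaving the few connections that merit a look. Thresholds and the record layout are assumptions.

```python
"""Added example, not 21CT's code: filter Slowloris-style connections out of
a constructed connection log so the residue can be analysed."""
from collections import Counter

# Constructed connection records: (src, dst_port, duration_s, bytes_in, completed).
CONNS = (
    # thousands of slow, incomplete requests from fifty attack sources
    [("203.0.113.%d" % (i % 50), 80, 3600 + i, 40 + (i % 7), False)
     for i in range(3000)]
    # ordinary page loads: short, complete, a normal-sized request
    + [("192.0.2.%d" % (i % 20), 80, 2 + (i % 5), 900 + i, True)
       for i in range(40)]
    # one short connection carrying an unusually large request body
    + [("198.51.100.23", 80, 4, 48000, True)]
)


def is_slowloris_like(conn, min_duration=300, max_bytes=256):
    """Long-lived, nearly silent and never completed: the Slowloris shape."""
    _, _, duration, bytes_in, completed = conn
    return duration >= min_duration and bytes_in <= max_bytes and not completed


def reduce_noise(conns):
    """Split connections into DDoS noise and the residue worth analysing."""
    noise = [c for c in conns if is_slowloris_like(c)]
    residue = [c for c in conns if not is_slowloris_like(c)]
    return noise, residue


def large_requests(conns, min_bytes=16384):
    """Connections in the residue whose request is large enough to deserve
    inspection for server-side exploitation attempts."""
    return [c for c in conns if c[3] >= min_bytes]


def noise_sources(noise):
    """Count of noise connections per source, for blocking at the perimeter."""
    return Counter(src for src, *_ in noise)


if __name__ == "__main__":
    noise, residue = reduce_noise(CONNS)
    print(f"{len(noise)} noise connections from {len(noise_sources(noise))} sources")
    print(f"{len(residue)} remain; large requests: {large_requests(residue)}")
```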
Unusual Inbound Traffic
Why Unusual Inbound Traffic?
Most companies should normally receive very little inbound traffic to their corporate networks. Most companies have websites, but they aren’t typically hosted on the internal corporate network. Most are hosted in the cloud or by a third-party provider so there would be no inbound traffic on the corporate network to the corporate web site. Other than VPN connections and requests to the corporate DNS servers, inbound traffic to the corporate network is very rare and is therefore a strong indicator of compromise. Security analytics can help you quickly separate the good traffic from the bad and remediate the cause sooner and mitigate its impact on your business.
Detecting Unusual Inbound Traffic Using Security Analytics
Inbound SSH connections to externally exposed internal hosts are a strong indicator of compromise, particularly if there is a pattern to the connections. When an SSH brute force attack happens, an analyst would see lots of invalid SSH attempts, followed by a successful one. This could indicate that an external attacker has gained SSH access to an internal host. Inbound connections to ephemeral ports are another indicator of compromise. If there is inbound traffic expected, that traffic will be destined for well-known ports in the sub-1023 range. Inbound traffic for other ports likely indicates attempts to compromise the network or to at least try to gauge the security and openness of the corporate network to gain access. With security analytics, you can quickly and easily detect these types of network behavior patterns, leading to faster mitigation and prevention of large-scale data exfiltration.
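As an added example (not 21CT's analytic), the two inbound patterns above, a run of failed SSH logins followed by a success, and inbound connections to ports above the well-known range, detected over constructed sshd log lines and constructed inbound flow records. The log lines mimic OpenSSH's syslog format; the allowlisted ports and thresholds are assumptions.

```python
"""Added example, not 21CT's code: SSH brute-force-then-success and
inbound-to-ephemeral-port checks over constructed data."""
import re
from collections import defaultdict

# Constructed sshd log lines in OpenSSH syslog style.
AUTH_LOG = """\
Mar  3 02:14:01 bastion sshd[4101]: Failed password for invalid user admin from 198.51.100.9 port 51022 ssh2
Mar  3 02:14:03 bastion sshd[4101]: Failed password for invalid user admin from 198.51.100.9 port 51023 ssh2
Mar  3 02:14:05 bastion sshd[4102]: Failed password for root from 198.51.100.9 port 51024 ssh2
Mar  3 02:14:07 bastion sshd[4103]: Failed password for root from 198.51.100.9 port 51025 ssh2
Mar  3 02:14:09 bastion sshd[4104]: Accepted password for root from 198.51.100.9 port 51026 ssh2
Mar  3 08:30:11 bastion sshd[4200]: Accepted publickey for deploy from 10.0.0.50 port 40110 ssh2
Mar  3 09:01:45 bastion sshd[4210]: Failed password for alice from 192.0.2.88 port 39011 ssh2
Mar  3 09:01:52 bastion sshd[4211]: Accepted password for alice from 192.0.2.88 port 39012 ssh2
"""

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")


def brute_force_then_success(auth_log, min_failures=3):
    """Source IPs with at least min_failures failed logins followed by a
    successful one; returns {ip: (failure_count, user_logged_in)}.
    A single typo followed by a success (192.0.2.88) is not flagged."""
    failures = defaultdict(int)
    hits = {}
    for line in auth_log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ip = m.group("ip")
        if m.group("result") == "Failed":
            failures[ip] += 1
        elif failures[ip] >= min_failures:
            hits[ip] = (failures[ip], m.group("user"))
    return hits


# Constructed inbound flows: (external src, internal dst, dst_port).
INBOUND = [
    ("198.51.100.9", "10.0.0.50", 22),
    ("192.0.2.15", "10.0.0.2", 53),
    ("192.0.2.15", "10.0.0.2", 1194),      # assumed VPN port, allowlisted
    ("203.0.113.66", "10.0.0.77", 4444),
    ("203.0.113.66", "10.0.0.77", 49152),
]


def inbound_to_ephemeral_ports(flows, allowed=frozenset({22, 53, 1194})):
    """Inbound connections to ports above 1023 that are not on the
    allowlist; returns {(src, dst): sorted ports}."""
    hits = defaultdict(set)
    for src, dst, port in flows:
        if port > 1023 and port not in allowed:
            hits[(src, dst)].add(port)
    return {pair: sorted(ports) for pair, ports in hits.items()}
```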
Unusual Outbound Traffic
Why Unusual Outbound Traffic?
Unusual outbound traffic is an even more likely indicator of compromise than inbound traffic because it could represent actual data loss and theft. There are very few reasons that anyone on the corporate network should be uploading gigabytes worth of traffic externally. While there are exceptions, this outbound behavior would be a strong indication of compromise and behavior that security analytics can help you detect.
Detecting Unusual Outbound Traffic Using Security Analytics
RAR archives are the preferred archive and compression format for external attackers such as APT1. A spike in the numbers of outbound RAR archives can be a very telling sign. Abnormal database traffic can also be indicative of compromise. If an internal database receives a read request followed by large outbound requests, this may indicate a SQL injection attack where an external user is dumping a large table such as usernames and password hashes. This attack vector has been used to gain access to major corporations’ customer information. Other types of outbound traffic are also pretty unusual. SSH connections that transfer large amounts of data, SCP connections sending data out of the corporate network, and, like with unusual inbound traffic, unusual outbound traffic to ephemeral ports could also indicate compromise and data exfiltration. Using security analytics, you could quickly identify the exfiltration of an unusual number of RAR archives or large amounts of outbound traffic, enabling you to quickly stop an active data exfiltration.
Anomalous Behavior
Anomalous behavior is network traffic or activity that deviates from an established baseline or does not conform to standard protocol behavior.
Why Geographic Anomalies?
Many organizations do business with a limited subset of the world or have employees only in certain countries. The presence of geographic anomalies—traffic from unexpected locations—in network traffic can help to indicate compromise from foreign nations. The most convenient part about geographic anomalies is that they are easier to baseline than other kinds of traffic. Here, too, security analytics, when run on your full range of fused network data, can identify traffic to and from specific geographic locations or traffic not from a specific geographic location, depending on what is typical on your network.
Understanding Geographic Anomalies Using Security Analytics
If a company is based solely in the United States, there is little reason why anyone from a foreign country should try to access the corporate network. This traffic would be a red flag.
countries that you wouldn’t expect, this too would indicate some kind of compromise. Geographic anomalies are one of the easier indicators to keep the pulse of because so many perimeter devices have geolocation functionality built in. With security analytics, you can take this information and fuse it with other network data to provide the remaining context to more fully understand the behavior of anomalous geographic traffic on your network.
Why Protocol Anomalies?
All network protocols have distinct behaviors, many of which are well documented either through the IETF’s RFC process or simply from industry standardization. Deviations from these distinct behaviors could be an indicator of compromise, but also could simply indicate a misconfiguration of some kind. Using security analytics you can more easily detect deviations and sort out the suspicious behavior from simple misconfigurations or benign violations.
Identifying Protocol Anomalies Using Security Analytics
A typical host in an enterprise uses DHCP to retrieve an IP address along with other necessary information like default gateway, netmask, and DNS servers. The use of external DNS servers is rare on corporate networks. A corporate host using an external DNS server indicates at best a grossly misconfigured endpoint and at worst an infected host waiting to unleash havoc in your network.
Similarly, HTTP traffic can display behavior that, while valid, is still anomalous. There are likely many different hosts on the corporate network that talk to the same external host. Google.com, Yahoo.com, and Gmail.com are all hosts that many different hosts may talk to on a daily basis as users engage in normal web surfing. While lots of different hosts communicating with a host is not necessarily an indicator of compromise, when every host uses the same user-agent string, a compromise likely exists. Since there will usually be tens if not hundreds of different user agent strings as users surf with different browsers, different service packs, and different versions of the same browser, many different hosts all communicating with the same external server on a single user-agent is a strong indicator of compromise. Using the pattern searching capabilities of security analytics, you can identify this anomalous behavior so you can investigate its root cause and mitigate the behavior quickly to avoid further damage to your network.
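As an added example (not 21CT's analytic), both protocol-anomaly checks from this section over constructed records: hosts resolving names through a DNS server outside the corporate resolver set, and external servers that many internal hosts contact with exactly one user-agent string. The resolver addresses, hosts and thresholds are assumptions.

```python
"""Added example, not 21CT's code: external-DNS and single-user-agent
checks over constructed flow and HTTP metadata records."""
from collections import defaultdict

CORPORATE_RESOLVERS = {"10.0.0.2", "10.0.0.3"}   # assumed internal DNS servers

# Constructed flows: (src, dst, dst_port, protocol).
FLOWS = [
    ("10.0.0.5", "10.0.0.2", 53, "udp"),
    ("10.0.0.9", "10.0.0.3", 53, "udp"),
    ("10.0.0.14", "203.0.113.53", 53, "udp"),   # DNS to an external resolver
    ("10.0.0.14", "203.0.113.53", 53, "tcp"),
    ("10.0.0.5", "198.51.100.80", 443, "tcp"),
]

# Constructed HTTP metadata: (src, server_host, user_agent).
HTTP = [
    ("10.0.0.5", "www.example", "Mozilla/5.0 (Windows NT 6.1) Firefox/26.0"),
    ("10.0.0.9", "www.example", "Mozilla/5.0 (Windows NT 6.1) Chrome/32.0"),
    ("10.0.0.14", "www.example", "Mozilla/5.0 (Macintosh) Safari/537.71"),
    ("10.0.0.21", "www.example", "Mozilla/5.0 (Windows NT 5.1) MSIE 8.0"),
    ("10.0.0.5", "drop.example", "Mozilla/4.0 (compatible; MSIE 6.0)"),
    ("10.0.0.9", "drop.example", "Mozilla/4.0 (compatible; MSIE 6.0)"),
    ("10.0.0.14", "drop.example", "Mozilla/4.0 (compatible; MSIE 6.0)"),
    ("10.0.0.21", "drop.example", "Mozilla/4.0 (compatible; MSIE 6.0)"),
    ("10.0.0.33", "drop.example", "Mozilla/4.0 (compatible; MSIE 6.0)"),
]


def external_dns_clients(flows, resolvers):
    """Hosts sending DNS (port 53) to a server outside the corporate set;
    returns {host: sorted external servers}."""
    hits = defaultdict(set)
    for src, dst, port, _ in flows:
        if port == 53 and dst not in resolvers:
            hits[src].add(dst)
    return {host: sorted(servers) for host, servers in hits.items()}


def single_user_agent_servers(http, min_hosts=4):
    """External servers contacted by at least min_hosts distinct internal
    hosts that all present exactly one user-agent string; a popular site
    seen through many different browsers is not flagged.
    Returns {server: (host_count, user_agent)}."""
    hosts = defaultdict(set)
    agents = defaultdict(set)
    for src, server, ua in http:
        hosts[server].add(src)
        agents[server].add(ua)
    return {s: (len(hosts[s]), next(iter(agents[s])))
            for s in hosts if len(hosts[s]) >= min_hosts and len(agents[s]) == 1}
```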
Why Long-Term Trending?
Long-term trending can help to identify anomalies occurring on a network. The key is establishing an accurate baseline. Luckily, the human mind is naturally good at establishing norms and spotting deviations from them, which is why long-term trending is so powerful.
At 21CT we create investigative analytics products for the way users think, look, and find. Our innovative products and services are used to detect and neutralize healthcare fraud, target and eradicate network security attacks, and more. 21CT solutions shed light on the intelligence hidden within your data. Reward your curiosity at 21ct.com.
6011 W. Courtyard Drive, Building 5, Suite 300, Austin, TX 78730
Long-term Trending Using Security Analytics
Establishing an appropriate baseline represents a difficult challenge for many organizations. Companies that are growing at a rapid pace will likely see a corresponding increase in their network traffic. Also, the implementation of new applications makes previously established baselines obsolete. Many trending advocates go with the high-level aggregate traffic view, but many times baselining specific protocols is actually the path that could yield more fruit. Another way to look at baselining traffic is directionality. For example, even if your company is growing, the unusual inbound traffic volume likely would not change. Thus, it becomes easier to baseline that traffic and use security analytics to identify the outliers. A core benefit of security analytics is their flexibility in allowing you to turn your experience and creativity into an executable analytic, making the process of baselining easier and more repeatable.
While not technically an indicator of compromise, time is a lens through which to view the previous indicators of compromise. Take for example the policy violations indicator of compromise. If a CEO accesses the source code repository, it may not really be unusual if that access happens during the lunch hour and the CEO happens to have a technical background and is just perusing the code out of curiosity. But if that same CEO accesses the repository at 2:00 am, that is a likely indicator of compromise. Adding the dimension of time to the other indicators of compromise adds another investigative element that can yield real actionable insight.
Increase Your Operational Awareness with Security Analytics
Security analytics and visualization can help you quickly and effectively identify and eliminate common network behaviors that may indicate a network compromise in ways that perimeter defenses—which identify only events they know about—cannot. This gives your organization much greater insight into the activity on your network, leading to faster remediation and a more resilient network security posture.
During the first half of 2014, the security researchers at 21CT will regularly publish new IOC use cases and security analytics available for you to download to help your organization increase operational awareness of your network.