In part 1 of this two-part blog series, we took a look at how data analysis can be used to spot an attacker's "tell." An attacker will, at some point, give away their malicious movement, and a defender who has the right data and analytics, and knows what to look for, can identify that tell, either over a period of time or in real time. Today, let's look at specific types of covert channel activity, the symptoms they show, and the positive impact that utilizing data science has on detection.

Spotting covert channel activity covers two areas, looking at both inbound and outbound connections: detecting internal hosts with anomalous outbound communication patterns, and spotting those external hosts that are most likely to be compromised. Two common symptoms of covert channel activity are beaconing and suspicious domains. Beaconing is where an internal host periodically "phones home" to a command and control (C2) host controlled by the attacker, with the "phoning home" designed to look like normal web browsing traffic. Suspicious domains are where an attacker obfuscates the source of an attack by hiding among the millions of domains that the organization's users visit.

The problem is that neither of these symptoms is easy to spot using signatures or any hard-and-fast detective rules. However, most covert channel activity does leave behind clues, those "tells" we discussed, that, if detected, can help distinguish malicious from normal traffic. Determining whether an internal or external host is suspicious involves collecting and examining multiple pieces of data over extended time periods, detecting deviations from regular behaviors and creating a probability-weighted "risk score" based upon the results. This is where utilizing data science has a true, positive impact on detection.

First, let's take a look at beaconing.
At a high level, an internal host "beaconing" to a C2 host looks very much like any other HTTP traffic, say regularly polling a news site, but if one looks more carefully there are often clues that distinguish it from communication with normal hosts. Among others, these indicators include: the frequency and regularity of communications, bytes uploaded vs. downloaded, the use (or absence) of cookie and referrer strings, and URL lengths. By gathering and analyzing this data, over long time horizons and in real time, defenders can identify a beaconing host's tell.

Next, let's investigate suspicious domains. They can be tricky to spot, and identification generally relies upon inspecting the raw traffic going to and from those domains. For example, by identifying and analyzing the number of IP addresses associated with a domain, the number of domain name owners associated with a given address, the number of users hitting a domain relative to the complexity of its name, the content types of the traffic, and GETs vs. PUT/POSTs, suspicious domains begin to show themselves. Correlating across these indicators shines a light on a domain that is acting out of the ordinary, even if the tell is slight.

As any good poker player will note, every adversary has a tell. By definition, attackers are doing things that are outside the mainstream. At some point, they will look different than a legitimate user or process. The challenge is how to find them. The key is to utilize analytics that can evolve as the threats evolve, concentrating on the qualities of watching, understanding and taking action against threats. These analytics need to be both real time and across large data sets and long time horizons.

To understand how RSA's Advanced Security Operations Center's platform and services help defenders detect and respond to attackers' tells, check out our website.

The post Spotting an Attacker's "Tell" Through Data Analysis – Part 2 appeared first on Speaking of Security - The RSA Blog and Podcast.
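The beaconing tells (regular check-in interval, upload-heavy byte ratio, missing referrer, long URLs) and the suspicious-domain tells (IP count behind a name, name complexity relative to user count, content types, GET vs. POST mix) described above, turned into a probability-weighted risk score over proxy-log records. This is an added example written for this page; it is not code from the original post and not RSA's platform. The log records are constructed, and the features, weights and thresholds (`PERIODIC_CV`, `COMPLEX_ENTROPY`) are assumptions chosen for illustration, not values the post states.

```python
"""Scoring the beaconing and suspicious-domain tells over proxy-log records.

Added example (not the original post's code and not RSA's platform). The
records, the weights and the thresholds are constructed for illustration.
"""
import math
import statistics
from collections import defaultdict

FIELDS = ("ts", "user", "domain", "dst_ip", "method", "bytes_out", "bytes_in",
          "referrer", "content_type", "url_len")

# Assumed thresholds: inter-arrival jitter below this coefficient of variation
# counts as periodic; a name label with Shannon entropy above this counts as complex.
PERIODIC_CV = 0.2
COMPLEX_ENTROPY = 3.0


def _normal_browsing():
    """Constructed: alice reads a news site at irregular 5-15 min intervals, mostly downloading."""
    gaps = [300, 840, 420, 910, 600, 530, 780, 650, 360, 900]
    t, rows = 0, []
    for g in gaps:
        t += g
        rows.append((t, "alice", "news.example.com", "203.0.113.10", "GET",
                     420, 58000, "https://news.example.com/", "text/html", 38))
    return rows


def _beacon():
    """Constructed: bob's host checks in every 60 s (+-2 s) with no referrer, a long URL,
    more bytes out than in, POSTs, binary responses and a name that rotates over 3 IPs."""
    ips = ["198.51.100.7", "198.51.100.8", "198.51.100.9"]
    t, rows = 0, []
    for i, jitter in enumerate([0, 1, -1, 2, 0, -2, 1, 0, -1, 1]):
        t += 60 + jitter
        rows.append((t, "bob", "x7f3k9q2m4.example.net", ips[i % 3],
                     "POST" if i % 2 else "GET", 3200, 900, "",
                     "application/octet-stream", 142))
    return rows


RECORDS = [dict(zip(FIELDS, r)) for r in _normal_browsing() + _beacon()]


def shannon_entropy(s):
    """Bits per character; random-looking labels score higher than dictionary words."""
    counts = defaultdict(int)
    for c in s:
        counts[c] += 1
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def beacon_score(rows):
    """Risk score in [0, 1] for one (user, domain) pair from the beaconing tells."""
    rows = sorted(rows, key=lambda r: r["ts"])
    score = 0.0
    if len(rows) >= 5:  # need enough samples before judging periodicity
        gaps = [b["ts"] - a["ts"] for a, b in zip(rows, rows[1:])]
        cv = statistics.pstdev(gaps) / statistics.mean(gaps)  # 0 == perfectly regular
        score += 0.4 * max(0.0, 1.0 - cv / PERIODIC_CV)
    up = sum(r["bytes_out"] for r in rows)
    down = sum(r["bytes_in"] for r in rows)
    score += 0.3 * min(1.0, up / max(down, 1))                      # uploads outweigh downloads
    score += 0.2 * sum(1 for r in rows if not r["referrer"]) / len(rows)  # no referrer
    score += 0.1 * min(1.0, statistics.mean(r["url_len"] for r in rows) / 100)  # long URLs
    return round(score, 3)


def domain_score(rows):
    """Risk score in [0, 1] for one domain from the suspicious-domain tells."""
    domain = rows[0]["domain"]
    users = {r["user"] for r in rows}
    ips = {r["dst_ip"] for r in rows}
    score = 0.3 * min(1.0, (len(ips) - 1) / 2)                      # many IPs behind one name
    if shannon_entropy(domain.split(".")[0]) > COMPLEX_ENTROPY and len(users) <= 2:
        score += 0.3                                                 # complex name, few users
    score += 0.2 * sum(1 for r in rows if r["method"] in ("PUT", "POST")) / len(rows)
    binary = sum(1 for r in rows if not r["content_type"].startswith(("text/", "image/")))
    score += 0.2 * binary / len(rows)                                # non-web content coming back
    return round(score, 3)


def score_records(records):
    """Group records and return ({(user, domain): score}, {domain: score})."""
    by_pair, by_domain = defaultdict(list), defaultdict(list)
    for r in records:
        by_pair[(r["user"], r["domain"])].append(r)
        by_domain[r["domain"]].append(r)
    return ({k: beacon_score(v) for k, v in by_pair.items()},
            {k: domain_score(v) for k, v in by_domain.items()})


if __name__ == "__main__":
    hosts, domains = score_records(RECORDS)
    for k, v in sorted(hosts.items(), key=lambda kv: -kv[1]):
        print("host  ", k, v)
    for k, v in sorted(domains.items(), key=lambda kv: -kv[1]):
        print("domain", k, v)
```

Each tell contributes only part of the score, so a single legitimate quirk (a long URL on a news site, a CDN name with several IPs) does not by itself flag a host or domain; the beacon stands out because the tells line up. In practice the weights would be fitted against labelled traffic and the per-pair baselines kept over a long window, so a host's periodicity is judged against its own history rather than one fixed constant.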
