Presented By Charles Leaver And Written By Dr Al Hartmann Of Ziften Inc.
The Breadth Of The Indicator – Broad Versus Narrow
A thorough report on a cyber attack will generally include indicators of compromise. Frequently these are narrow in scope, referencing a particular attack group as observed in a specific attack on one organization over a limited period. Such narrow indicators are typically specific artifacts of an observed attack that could, by themselves, constitute proof of compromise. For that attack they have high specificity, but usually at the cost of low sensitivity to comparable attacks that use different artifacts.
In essence, narrow indicators have very limited scope, which is why they exist by the billions in ever-growing databases of malware signatures, suspicious network addresses, malicious registry keys, file and packet content snippets, file paths, intrusion detection rules and so on. Ziften's continuous endpoint monitoring solution aggregates a number of these third-party databases and threat feeds into the Ziften Knowledge Cloud, to benefit from detection of known artifacts. These detection elements can be applied both in real time and retrospectively. Retrospective application is essential given the short-lived nature of these artifacts, since attackers continually alter or hide the details of their attacks to frustrate this narrow IoC detection method. This is why a continuous monitoring system needs to archive monitoring results for a long period (relative to industry-reported typical attacker dwell times), to provide a sufficient lookback horizon.
Narrow IoCs have substantial detection value, but they are largely ineffective at detecting new attacks by skilled adversaries. New attack code can be pre-tested against common enterprise security products in a lab environment to confirm that no detectable artifacts are reused. Security solutions that operate purely as black/white classifiers, i.e. by delivering a definite verdict of malicious or benign, suffer from this weakness and are easily evaded. The targeted organization is likely to be thoroughly compromised for months or years before any detectable artifacts can be identified (after intensive investigation) for that specific attack instance.
In contrast to the ease with which attack artifacts can be obscured by ordinary hacker toolkits, the particular tactics and techniques, the modus operandi, used by attackers have persisted over several decades. Common techniques such as weaponized websites and documents, new service installation, vulnerability exploitation, module injection, modification of sensitive directories and registry areas, new scheduled tasks, memory and disk corruption, credential compromise, malicious scripting and many others are broadly shared. Proper use of system logging and monitoring can uncover much of this attack activity when paired with security analytics that concentrate on the highest-risk observations. This removes the attacker's opportunity to pre-test the evasiveness of malicious code, because the quantification of risk is not black and white but nuanced shades of gray. In particular, all endpoint risk is variable and relative, across any network/user environment and period of time, and that environment (and its temporal characteristics) cannot be duplicated in any laboratory. The attacker's essential concealment approach is foiled.
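The contrast between the two preceding sections, narrow artifact matching over an archived lookback window versus graded scoring of long-lived attacker behaviours, can be made concrete in a small detector. The code below is an added illustration written for this post; it is not Ziften's code and does not reflect how the Ziften Knowledge Cloud is implemented. The indicator values, the technique weights, the host names and the event log are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed narrow indicators (placeholder values, not from any real feed).
NARROW_IOCS = {
    "sha256": {"0" * 63 + "1"},                      # placeholder file hash
    "ipv4": {"198.51.100.23"},                       # RFC 5737 documentation address
    "registry": {r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\svchost_upd"},
}

# Assumed weights for attacker techniques named in the post; the numbers are
# illustrative, not a published scoring scheme.
TTP_WEIGHTS = {
    "service_installed": 4,
    "scheduled_task_created": 3,
    "module_injected": 6,
    "run_key_modified": 3,
    "script_interpreter_spawned": 1,
    "credential_store_read": 7,
}


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str                        # a TTP_WEIGHTS key, or a raw artifact sighting
    details: dict = field(default_factory=dict)


NOW = datetime(2024, 1, 1)           # constructed "current time" for the example

# Constructed endpoint telemetry.
EVENTS = [
    # host-a: an artifact matching a narrow IoC, but observed 40 days ago
    Event(NOW - timedelta(days=40), "host-a", "file_seen", {"sha256": "0" * 63 + "1"}),
    # host-b: no known artifacts, but a cluster of attacker behaviours this week
    Event(NOW - timedelta(days=2), "host-b", "service_installed", {"name": "WinUpd"}),
    Event(NOW - timedelta(days=2), "host-b", "scheduled_task_created", {"name": "Sync"}),
    Event(NOW - timedelta(days=1), "host-b", "credential_store_read", {"proc": "rundll32.exe"}),
    # host-c: an administrator running a script, in isolation
    Event(NOW - timedelta(days=3), "host-c", "script_interpreter_spawned", {"proc": "powershell.exe"}),
]


def match_narrow(events, iocs, now, lookback_days):
    """Exact-artifact matching, applied retrospectively over an archived window.
    A hit is a definite verdict, but only inside the lookback horizon."""
    horizon = now - timedelta(days=lookback_days)
    hits = []
    for e in events:
        if e.ts < horizon:
            continue                 # archive too short: the artifact is never seen
        d = e.details
        if (d.get("sha256") in iocs["sha256"]
                or d.get("remote_ip") in iocs["ipv4"]
                or d.get("key") in iocs["registry"]):
            hits.append(e)
    return hits


def score_behaviour(events, now, window_days):
    """Aggregate weighted technique observations per host over a window.
    No single event is decisive; the score accumulates."""
    horizon = now - timedelta(days=window_days)
    scores = {}
    for e in events:
        scores.setdefault(e.host, 0)
        if e.ts >= horizon and e.kind in TTP_WEIGHTS:
            scores[e.host] += TTP_WEIGHTS[e.kind]
    return scores


def rank_hosts(scores):
    """Express each host's score relative to the monitored population: the
    output is a graded ordering (host, score, share), not a malicious/benign
    verdict, so there is no fixed threshold for an attacker to pre-test against."""
    total = sum(scores.values()) or 1
    return sorted(((h, s, s / total) for h, s in scores.items()), key=lambda r: -r[1])


if __name__ == "__main__":
    print("narrow, 30-day lookback:", [e.host for e in match_narrow(EVENTS, NARROW_IOCS, NOW, 30)])
    print("narrow, 90-day lookback:", [e.host for e in match_narrow(EVENTS, NARROW_IOCS, NOW, 90)])
    print("behavioural ranking, 7-day window:", rank_hosts(score_behaviour(EVENTS, NOW, 7)))
```

Run as-is, the 30-day lookback misses the host-a artifact while the 90-day lookback finds it, which is the archive-depth point made above; host-b, which reuses no known artifact at all, nonetheless tops the behavioural ranking because service installation, a new scheduled task and a credential-store read cluster within one week.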
In future posts we will examine Ziften endpoint threat analysis in more detail, as well as the crucial relationship between endpoint security and endpoint management. “You can’t protect what you don’t manage, you cannot manage what you do not measure, you cannot measure what you don’t track.” Organizations get breached because they have less oversight and control of their endpoint environment than the cyber attackers have. Keep an eye out for future posts…