Written By Jesse Sampson And Presented By Charles Leaver CEO Ziften


In the first post on edit distance, we looked at hunting for malicious executables with edit distance (i.e., how many single-character edits it takes to turn one text string into another). Now let’s look at how edit distance can be used to hunt for malicious domains, and how we can build edit distance features that combine with other domain name features to pinpoint suspicious activity.

Case Study Background

What are bad actors up to with malicious domains? It might simply be using a near spelling of a common domain name to trick careless users into viewing ads or picking up adware. Legitimate sites are gradually catching on to this technique, usually called typo-squatting.

Other malicious domains are the product of domain generation algorithms, which can be used for all kinds of nefarious purposes, such as evading countermeasures that block known compromised sites, or overwhelming domain name servers in a distributed denial-of-service attack. Older variants use randomly generated strings, while more advanced ones add tricks like injecting common words, which confuses defenders further.

Edit distance can help with both use cases; here we will find out how. First, we exclude common domain names, since these are usually safe. A list of common domain names also provides a baseline for spotting anomalies. One good source is Quantcast. For this discussion we stick to registered domains and avoid subdomains (e.g. ziften.com, not www.ziften.com).

After data cleaning, we compare each candidate domain (input data observed in the wild by Ziften) to its potential neighbors in the same top-level domain (the last part of a domain name: classically .com, .org, and so on, though today it can be almost anything). The basic task is to find the nearest neighbor in terms of edit distance. By finding domains that are one edit away from their nearest neighbor, we can easily spot typo-ed domains. By finding domains far from their nearest neighbor (the normalized edit distance we introduced in Part 1 is useful here), we can also find anomalous domains in the edit distance space.

What were the Results?

Let’s look at how these results appear in practice. Be careful when browsing to these domains, since they may contain malicious content!

Here are a few potential typos. Typo-squatters target popular domains, since there are more chances that someone will visit them. Many of these are flagged as suspect by our threat feed partners, but there are some false positives too, with charming names like “wikipedal”.


Here are some strange-looking domains that are far from their nearest neighbors.


So now we have produced two useful edit distance metrics for hunting. Not only that, we have three features to potentially add to a machine-learning model: rank of the nearest neighbor, distance from the nearest neighbor, and an edit-distance-1-from-neighbor flag, indicating a risk of typo shenanigans. Other features that could pair well with these include other lexical features such as word and n-gram distributions, entropy, and string length, and network features such as the number of failed DNS requests.

Simplified Code that you can Experiment with

Here is a simplified version of the code to play with! It was built on HP Vertica, but this SQL should run on most modern databases. Note that the Vertica editDistance function may differ in other implementations (e.g. levenshtein in Postgres or UTL_MATCH.EDIT_DISTANCE in Oracle).
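As an added example (Python rather than the post’s Vertica SQL, and not the post’s own code), the procedure described above end to end: exclude domains on a common-domain list, find each remaining candidate’s nearest neighbor by edit distance within the same top-level domain, and derive the three features named above plus the Part 1 normalized distance. The common-domain list is a constructed stand-in for a Quantcast-style list, and the 0.6 “far” threshold is an assumed value.

```python
# Added example, not the post's Vertica SQL: edit-distance nearest-neighbour
# hunting over registered domains, compared only within the same TLD.
def edit_distance(a, b):
    """Levenshtein distance: fewest single-character inserts, deletes or substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def split_domain(domain):
    """'wikipedal.org' -> ('wikipedal', 'org'); registered domains only, no subdomains."""
    name, _, tld = domain.lower().rpartition(".")
    return name, tld

# Constructed stand-in for a Quantcast-style list of common domains, most popular
# first, so the list position doubles as the neighbour's popularity rank.
COMMON_DOMAINS = ["google.com", "youtube.com", "wikipedia.org",
                  "amazon.com", "reddit.com", "ziften.com"]

def neighbor_features(candidate, common=COMMON_DOMAINS):
    """The post's three features (neighbour rank, distance to it, edit-distance-1 flag)
    plus the Part 1 normalised distance; None if no common domain shares the TLD."""
    name, tld = split_domain(candidate)
    best = None
    for rank, dom in enumerate(common, 1):
        cname, ctld = split_domain(dom)
        if ctld != tld:
            continue  # only compare within the same top-level domain
        d = edit_distance(name, cname)
        if best is None or d < best["distance"]:
            best = {"neighbor": dom, "rank": rank, "distance": d, "typo": d == 1,
                    "normalized": d / max(len(name), len(cname))}
    return best

def hunt(candidates, common=COMMON_DOMAINS, far=0.6):
    """Drop domains on the common list; label the rest 'typo' (one edit from the
    nearest neighbour), 'anomalous' (normalised distance >= far, an assumed cutoff) or 'other'."""
    known = {c.lower() for c in common}
    labels = {}
    for cand in candidates:
        if cand.lower() in known:
            continue  # common domains are excluded as usually safe
        f = neighbor_features(cand, common)
        labels[cand] = ("no_neighbor" if f is None else "typo" if f["typo"]
                        else "anomalous" if f["normalized"] >= far else "other")
    return labels
```

Candidates whose TLD has no entry on the common list get no neighbor at all, which is worth tracking separately rather than treating as “far”.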


Written by Charles Leaver Ziften CEO


If your enterprise computing environment is not properly managed, there is no way it can be truly secure. And you can’t effectively manage those complex enterprise systems unless there is confidence that they are secure.

Some may call this a chicken-and-egg situation, where you do not know where to start. Should you start with security? Or should you start with systems management? That’s the wrong way to think about it. Think of it instead like Reese’s Peanut Butter Cups: it’s not chocolate first. It’s not peanut butter first. Rather, both are mixed together and treated as a single delicious treat.

Many organizations, I would argue most organizations, are structured with an IT management team reporting to a CIO, and a security management team reporting to a CISO. The CIO team and the CISO team do not know each other, talk to each other only when absolutely necessary, have separate budgets, certainly have different priorities, read different reports, and use different management platforms. On a day-to-day basis, what counts as a task, an issue, or an alert for one team flies completely under the other team’s radar.

That’s bad, because both the IT and security teams have to make assumptions. The IT team assumes that all assets are secure unless someone tells them otherwise. For instance, they assume that devices and applications have not been compromised, that users have not escalated their privileges, and so on. Similarly, the security team assumes that the servers, desktops, and mobile devices are working properly, that operating systems and applications are up to date, that patches have been applied, and so on.

Since the CIO and CISO teams aren’t talking to each other, don’t understand each other’s roles and goals, and aren’t using the same tools, those assumptions may not be valid.

And again, you cannot have a secure environment unless that environment is properly managed, and you can’t manage that environment unless it’s secure. Or, to put it another way: an environment that is not secure makes anything you do in the IT organization suspect and irrelevant, and means you cannot know whether the information you are seeing is accurate or manipulated. It may all be fake news.

How to Bridge the IT / Security Gap

How to bridge that gap? It sounds easy but can be hard: make sure there is an umbrella covering both the IT and security teams. Both IT and security report to the same person or structure somewhere. It might be the CIO, it might be the CFO, it might be the CEO. For the sake of argument here, let’s say it’s the CFO.

If the business doesn’t have a secure environment and there’s a breach, the value of the brand and the business can be reduced to zero. Likewise, if the users, devices, infrastructure, applications, and data aren’t managed well, the business can’t operate effectively, and the value drops. As we have discussed, if it’s not properly managed it cannot be secured, and if it’s not secured it cannot be well managed.

The fiduciary duty of senior executives (like the CFO) is to protect the value of company assets, which means making sure IT and security talk to each other, understand each other’s concerns, and, where possible, can see the same reports and data, filtered and displayed to be meaningful to their particular areas of responsibility.

That’s the thinking we adopted in the design of our Zenith platform. It’s not a security management tool with IT capabilities, and it’s not an IT management tool with security capabilities. No, it’s a Peanut Butter Cup, built equally around chocolate and peanut butter. To be less confectionery about it, Zenith is an umbrella that gives IT teams what they need to do their jobs, and gives security teams what they need as well, without coverage gaps that could undermine assumptions about the state of enterprise security and IT management.

We have to make sure that our enterprise IT infrastructure is built on a secure foundation, and also that our security is implemented on a well-managed base of hardware, infrastructure, software applications, and users. We can’t operate at peak performance, and with full fiduciary responsibility, otherwise.

Written By Roark Pollock And Presented By Charles Leaver Ziften CEO


A study recently completed by Gallup found that 43% of employed US citizens worked remotely for some of their work time in 2016. Gallup, which has been surveying telecommuting trends in the USA for nearly a decade, continues to see more employees working outside of traditional offices, and more of them doing so for more days of the week. And, of course, the number of connected devices the average employee uses has increased as well, which helps encourage the convenience of, and preference for, working away from the office.

This mobility undoubtedly produces better workers, and one hopes more productive employees, but the issues these trends present for both security and systems operations teams should not be dismissed. IT systems management, IT asset discovery, and threat detection and response functions all benefit from real-time and historical visibility into device, application, network connection, and user activity. And to be truly effective, endpoint visibility and monitoring should work no matter where the user and device are operating, be it on the network (local), off the network but connected (remote), or disconnected (offline). Current remote working trends are increasingly leaving security and operations teams blind to potential issues and threats.

The mainstreaming of these trends makes it much harder for IT and security teams to restrict what was once considered higher-risk user behavior, for example working from a coffee shop. But that ship has sailed, and today systems management and security teams need to be able to adequately track user, device, application, and network activity, identify anomalies and inappropriate actions, and enforce the proper action or fixes regardless of whether an endpoint is locally connected, remotely connected, or disconnected.

In addition, the fact that many employees now regularly access cloud-based assets and applications, and have backup USB or network-attached storage (NAS) drives at home, further magnifies the need for endpoint visibility. Endpoint controls often offer the only record of remote activity, which no longer necessarily terminates in the organization’s network. Offline activity is the most severe example of the need for continuous endpoint monitoring. Clearly, network controls or network monitoring are of negligible use when a device is operating offline. Installing a proper endpoint agent is critical to ensure the capture of all important security and system data.

As an example of the kinds of offline activity that can be identified, a customer was recently able to track, flag, and report unusual behavior on a corporate laptop. A senior executive transferred large amounts of endpoint data to an unapproved USB stick while the device was offline. Because the endpoint agent was able to collect this behavioral data during the offline period, the customer was able to see this unusual action and follow up appropriately. Continuing to monitor device, application, and user behavior even when the endpoint was disconnected gave the customer visibility they had never had before.

Does your organization have continuous monitoring and visibility when employee endpoints are on an island? If so, how do you achieve it?

Written By Roark Pollock And Presented By Ziften CEO Charles Leaver


If you are a student of history you will notice many examples of extreme unintended consequences when new technology has been introduced. It often surprises people that new technologies can serve nefarious purposes in addition to the positive ones for which they are brought to market, but it happens very regularly.

For example, train robbers using dynamite (“You think you used enough dynamite there, Butch?”) or spammers using email. More recently, the use of SSL to hide malware from security controls has become more common, because the legitimate use of SSL has made this technique more effective.

Because new technology is frequently co-opted by bad actors, we have no reason to think this will not be true of the new generation of machine-learning tools that have reached the market.

To what degree will these tools be misused? There are likely a number of ways in which hackers could use machine learning to their advantage. At a minimum, malware writers will test their new malware against the new class of advanced threat protection products in an effort to modify their code so that it is less likely to be flagged as malicious. The effectiveness of protective security controls always has a half-life due to adversarial learning. An understanding of machine learning defenses will help attackers become more proactive in reducing the effectiveness of machine-learning-based defenses. An example would be an attacker flooding a network with fake traffic with the intention of “poisoning” the machine learning model being built from that traffic. The attacker’s goal would be to trick the defender’s machine learning tool into misclassifying traffic, or to generate such a high rate of false positives that defenders would dial back the fidelity of their alerts.

Machine learning will likely also be used as an attack tool by attackers. For example, some researchers predict that attackers will use machine learning techniques to sharpen their social engineering attacks (e.g., spear phishing). The automation of the effort it takes to customize a social engineering attack is especially troubling given the effectiveness of spear phishing. The ability to automate mass customization of these attacks is a powerful economic incentive for hackers to adopt the techniques.

Expect breaches of this type that deliver ransomware payloads to rise dramatically in 2017.

The need to automate tasks is a major driver of investment decisions for both attackers and defenders. Machine learning promises to automate detection and response and increase operational tempo. While the technology will increasingly become a standard part of defense-in-depth strategies, it is not a silver bullet. It should be understood that hackers are actively working on evasion methods around machine-learning-based detection solutions while also using machine learning for their own attack purposes. This arms race will require defenders to increasingly achieve incident response at machine speed, further exacerbating the need for automated incident response capabilities.