Artificial Intelligence Meets Mission-Focused Adversary Detection · 2018-04-16 · Current...


Artificial Intelligence Meets Mission-Focused Adversary Detection

AUTHOR

Peiter Zatko
Advisor, Versive
linkedin.com/in/mudge-zatko-1aa6563

FOCUS ON THE THREATS THAT MATTER.


Current approaches to defending against cyber adversaries are failing to keep pace with threat actors, and the result is an environment of unbalanced advantage on the side of the attacker. Defending against cyber adversaries requires a new approach—one that considers the unique characteristics of adversary goals and behavior. By combining threat-hunting expertise with network visibility and artificial intelligence, we can uncover malicious campaigns in a way that is easy for a defender to implement and too costly for an adversary to bypass. This paper describes our Mission-Focused approach to advanced adversary detection and why we believe it will be transformational for corporations seeking to get the upper hand against sophisticated attackers.

EXECUTIVE SUMMARY

OUR SOLUTION HAS THREE MAJOR COMPONENTS.

MISSION FOCUS: Generate meaningful cases by contextualizing key behaviors across adversary campaign lifecycles.

VISIBILITY: Utilize multi-source intelligence from within existing environments, bringing data together from across the network.

ARTIFICIAL INTELLIGENCE: Dynamically adapt to each unique network environment over time, continually evolving to detect campaign-linked behavior from diverse data.


THE PROBLEM

The cybersecurity industry has repeatedly failed to prevent threat actors from gaining illicit access, exemplified by the six billion data records compromised via corporate network breaches in 2014,1 and the nearly 160 cyberattacks per week in 2015. These breaches represent an average cost of $1.9 million per breach, with a maximum documented cost of $65 million.2

Existing approaches don’t work for at least one of three reasons. First, they are focused on isolated events that occur at the perimeter, missing the part of the attack where the adversary is most vulnerable. Second, current approaches fail to put the many pieces together, ignoring the big picture of the attack and burying analysts in false positives. Finally, existing tactics aren’t dynamic, getting stale and increasingly ineffective over time. In this section, we’ll examine current problems in detail.

PERIMETERS AND ENDPOINTS—THE NEED FOR CONTEXT

Perimeter defense is important, but intrusion detection and endpoint protection have proven themselves to be insufficient alone. To avoid Intrusion Detection Systems (IDS) and existing siloed machine learning, a threat actor can deploy myriad tactics and techniques to render its actions invisible.3, 4, 5 Even with both an internal and external IDS deployed, threat actors are aware of—and can rely upon—human fallibility to strategically undermine the IDS. In 2013, for example, Target’s intrusion detection and endpoint systems successfully identified the threat actor’s initial intrusions into the network, but weekly alerts went ignored due to their sheer volume.6

Endpoint protection suffers from many of the same limitations. Endpoint protection is largely based on legacy signatures and trust scores that are easily defeated by sophisticated threat actors. More importantly, endpoint protection continues to look for attacks and other blunt indicators of exploitation without realizing that, once inside an organization, an adversary’s ability to further exploit without attacking is maximized. Malicious actors occupy the high ground: defenses are at a minimum within the network, and the ability to passively watch and learn allows the adversary to operate with considerable stealth and cunning. Indeed, with credentials and services available to the adversary, once inside, additional forced entry is unnecessary—rendering endpoint protection largely blind.

According to Verizon’s 2016 Cyber Data Breach study,7 out of 40 million malware records, 20,000 hashes were discovered in more than one target environment (only 0.05%). Further, 99% of the hashes were observed for 58 seconds. Even unsophisticated adversaries know to immediately collect legitimate credentials to gain access to internal resources. These practices bring into question why so much effort is spent looking for perimeter-attack signatures and endpoint-exploitation tools. To quote my friend, security evangelist Bruce Schneier, “modern cyber defensive mechanisms amount to more security theatre than an effective security posture.”8

IDS and endpoint protection have their place as pieces of the larger cybersecurity puzzle, but there are too many access vectors, and even modestly capable malicious actors can consistently avoid attack and exploitation detection. Ultimately, the strategic problem is that these tools focus too heavily on the wrong area of the network and are blind to the larger context of the adversary’s campaign.

MISSING THE FOREST FOR THE TREES

Existing approaches also fail because next-generation tools that focus beyond the perimeter generate decontextualized alerts, which Security Operations Center (SOC) analysts have to manually synthesize to understand if there’s a real threat. This takes time and expertise that SOC analysts often don’t have, and they end up missing the forest for the trees.

Why so many trees? Most next-generation tools, even ones that use machine learning, stop with anomaly detection. They assume that anything abnormal is, by definition, of interest. What this does not take into account is that network normalcy is very noisy. In addition, the campaign artifacts that these tools try to detect are non-essential to the attacker’s fundamental campaign mission, meaning that they are trivial and inexpensive for the adversary to alter or replace. In effect, this works well for many defensive tool providers, as their revenue model is often that of a subscription service. In that model, providers are financially incentivized to chase features that are very easy for an adversary to change—and, therefore, do change frequently.

In the best cases, these systems attempt to rank-order and produce alerts on top anomalies, but such ranked anomalies are typically isolated events, presented without the context of an adversary campaign. This brings into question the ranking system itself. It is certainly better than no visibility, but it leaves the SOC with a large-scale manual effort to somehow make sense out of all the alerts and understand what the actual threat may (or may not) be. The result is information overload. Sometimes as much as 25% of alerts are outright ignored. When every potential security event triggers an alert, and with no risk level or indication of relationship between the alerts provided, analysts are forced to make ill-informed snap judgments about what to ignore. By focusing only on isolated events, these existing tools create a tremendous number of false positives. Most of the tools use agents (software or hardware) that collect pre-defined data, often looking for failures rather than successes. Ironically, by using valid credentials inside an organization, the attacker seldom “fails”—and failures are, by definition, less interesting. Failure means the concerning event was prevented from proceeding.

It is also common practice for adversaries to purchase security products to learn how to avoid being caught and how to modify the data and hide in normal traffic. This is made easier by current solutions because they focus on single points of visibility (or single data sources). Detection based on a single data source is significantly easier to circumvent than correlated data from multiple sources. This ultimately leaves the SOC and its analysts outgunned and outmaneuvered by threat actors, heading half-blind into the breach.

The SOC analyst is then faced with a volume of alerts and false positives that means, at best, the analyst will miss some critical alerts. At worst, the analyst sees the alerts but mischaracterizes and chooses to ignore them. In any case, analysts must first perform the tedious task of manually building a threat case to gain insight into a potential attack. Only then can they take any remediation action.

The SOC and its analysts need, and should be asking for, a change. Network defenders must focus on an intimate understanding of threat-actor behavior and tradecraft inside a network, applying that domain expertise to discern, via singular events, threat actor campaign activity—and ultimately gain actionable insight. To the defenders’ advantage, they are already sitting on a wide range of data sources that can be used to identify ongoing adversary campaigns within their networks. Various independent kill-chain components narrow the field, and false positives approach zero as the probability of legitimate activity is multiplied away.

BECOMING STALE OVER TIME

Existing approaches lack dynamism as they fight an impossible timeline, rendering them stale the moment a current-generation tool is deployed. Malicious actors monitor the same forums, read the same reports, and attend the same conferences as network defenders; they are constantly adjusting their tactics. This state of play keeps adversaries one step ahead of network defenders.

Malicious actors are constantly probing and examining a target network in search of the most expeditious attack vector. Signature hashes and rules that are in place now may be out of date within hours as attackers modify their tools and infrastructure to avoid signature-based detection. Machine-learning-based systems are better positioned for keeping up in the face of malicious cyber actors; such systems can establish a sense of “network normal,” even though normal is very noisy, and begin, nearly immediately, to analyze network behavior and classify activity. A machine-learning system modifies its understanding over time, as the network evolves, growing and contracting with various business conditions. As the system is deployed over the data lake and not as an endpoint or deployed-sensor application, its ability to scale physically with the network and to understand network behavior during this scaling is essentially unlimited.

“McAfee Labs found that in 2016, 93% of organizations with some form of SOC were unable to respond to all of the relevant threats and alerts due to volume.”9

Despite these improvements, machine learning continues to follow an unhelpful path. Most existing solutions start from a rule- or signature-based tool and layer on machine learning, failing to change the fundamental nature of the results. If a defender was looking for decontextualized adversary tactics with signatures, they will still be looking for those same decontextualized adversary tactics with machine learning. It may be more useful, but it won’t be game-changing. The system needs to identify normal activity and abnormal activity, but to be truly effective, it needs to determine which components of the abnormal activity fit the multiple required adversary campaign stages. This last component has been missing until now.

THE SOLUTION

Our solution comprises three pieces, which we will examine in detail in this section. First, we explore the concept of Mission Focus, where we generate meaningful cases by contextualizing key behaviors across campaign lifecycles. With Mission Focus, we leverage our knowledge of how adversaries must interact with resources on the network and over time. When it comes to Visibility, we find subtle threats by synthesizing data from across a wide range of sources throughout the network and systems; analyzing the environment holistically makes it very difficult for adversaries to hide. Through Artificial Intelligence, dynamic adaptation in the evolving network environment provides critical insights, determining which activities are legitimate and which are truly anomalous and deserving of attention. Utilizing the framework of campaign stages, our AI focuses on sets of behaviors that adversaries must use, but which are statistically impossible for legitimate users and systems to accidentally perform in the course of normal operations. Here, machine learning augments the expert system, performing better than either human or machine could independently.

MISSION-FOCUSED THREAT HUNTING APPROACH

Categorizing and framing the adversary’s mission into five distinct stages is key to Mission-Focused Threat Hunting. While many stage-specific behaviors are based on long-standing tradecraft that can be modified to alter superficial signatures, the key purpose of each behavior is very resistant to change. This makes the behavior of the cyber adversary far more predictable “right of hack,”10 that is, after the initial malicious network access is established.

Mission Focus also removes the torrential volume of false positives, found in noisy network normalcy, that is commonly presented. SOC analysts can instead focus on areas where a threat actor’s activity is most exposed and predictable. While each individual activity may be found independently, Mission Focus provides the analyst with context, indicating when a chain of events is logical only as part of a malicious campaign.

Fortunately for threat hunters, campaign stages found to the right of hack are identifiable by examination of data from across the network and internal systems. By definition, activities to the right of hack take place within the target network and are therefore of significant interest. These behaviors do not represent fleeting initial access at the perimeter, nor are they threat intelligence prior to any campaign being launched. At the same time, right-of-hack should not be so far into the malicious campaign that it focuses on identifying internal data that is already being shared on underground or public markets. In the Mission-Focused approach, logs from network infrastructure (proxies, DNS servers, etc.), hosts, and servers are combined with repurposed nontraditional security data11 from already-deployed endpoint systems (with Netflow or Netflow-like data). With this broad base of intelligence, the SOC analyst builds a foundation for the discovery of a threat actor’s campaign—no matter how the actor tries to obfuscate any individual activity.

Understanding normal data flows across internal networks is surprisingly straightforward. There are obvious exceptions, but in general, clients consume and servers produce. Clients initiate communications and servers respond, with data flowing from the source to the sink. Similarly, clients tend to talk to servers instead of other clients; the neighbor-graphs showing the distribution of unique data sources in use by any particular system are nicely constrained. From these models arise deviations, or anomalies, and these anomalies (singular events contained within log data, for example) are mapped to the stages of an adversary campaign lifecycle. This approach—requiring multiple hosts and observing the activity of multiple required adversary stages—almost entirely eradicates false positives; no single host should exhibit all of the behaviors across the several stages indicative of a sophisticated threat actor’s campaign.

If anomalies successfully map to the staged structure of an adversary campaign, they are no longer anomalies, but evidence of a complete campaign lifecycle. Superficial features are replaced by strong indicators related to data accesses and movements. Only with astronomical odds would innocuous activities happen to trigger all of the rare independent variable values needed in the Mission-Focused framework.
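To make the case-building rule concrete, here is an added Python example (not code from the paper or from Versive) that links per-host anomalies through the hosts they touch, requires several campaign stages spread over several hosts, and multiplies the detectors' benign base rates to get the coincidence probability described above (the "multiplied away" idea from the earlier discussion of kill-chain components). Detector names, host names and base rates are constructed; a real deployment would estimate base rates from the network's own history.

```python
from collections import defaultdict
from dataclasses import dataclass
from math import prod

# Right-of-hack stages the approach relies on (Stages 1 and 2 are not required).
STAGES = ("recon", "collection", "exfil")


@dataclass(frozen=True)
class Anomaly:
    host: str         # host on which the anomalous behaviour was observed
    peer: str         # other host involved, so anomalies can be chained across hosts
    stage: str        # campaign stage the anomaly maps to
    detector: str     # measurement that flagged it (hypothetical detector names)
    base_rate: float  # fraction of benign host-days on which this detector fires


# Constructed sample: one day of anomalies from hypothetical detectors.
SAMPLE_ANOMALIES = [
    Anomaly("ws-17", "fs-02", "recon", "breadth_first_share_walk", 0.01),
    Anomaly("ws-17", "ws-23", "recon", "client_to_client_fanout", 0.02),
    Anomaly("fs-02", "ws-23", "collection", "bulk_read_to_client", 0.005),
    Anomaly("ws-23", "fs-02", "collection", "client_acting_as_sink", 0.01),
    Anomaly("ws-23", "203.0.113.7", "exfil", "large_outbound_to_rare_dst", 0.002),
    # An isolated oddity on an unrelated host: one stage only, so it never becomes a case.
    Anomaly("ws-40", "ws-41", "recon", "client_to_client_fanout", 0.02),
]


def link_hosts(anomalies):
    """Union-find over host/peer edges: hosts that touched each other form one group."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a in anomalies:
        parent[find(a.host)] = find(a.peer)
    groups = defaultdict(list)
    for a in anomalies:
        groups[find(a.host)].append(a)
    return list(groups.values())


def coincidence_probability(anomalies):
    """Chance that every distinct detector in the group fired on benign activity,
    treating detectors as independent: the product of their base rates."""
    rates = {a.detector: a.base_rate for a in anomalies}
    return prod(rates.values())


def build_cases(anomalies, min_stages=2, min_hosts=2, max_p=1e-4):
    """A case needs several campaign stages, spread over several hosts, whose
    combined benign probability is below max_p; anything less stays an anomaly."""
    cases = []
    for group in link_hosts(anomalies):
        stages = {a.stage for a in group}
        hosts = {a.host for a in group}
        p = coincidence_probability(group)
        if len(stages) >= min_stages and len(hosts) >= min_hosts and p <= max_p:
            cases.append({
                "hosts": sorted(hosts),
                "stages": sorted(stages, key=STAGES.index),
                "p_benign": p,
            })
    return cases


if __name__ == "__main__":
    for case in build_cases(SAMPLE_ANOMALIES):
        print(case)
```

Run stand-alone, the sample yields one case spanning ws-17, fs-02 and ws-23 with all three stages and a benign probability of 2e-11, while the lone fan-out on ws-40 stays an anomaly. The independence assumption is what makes the product a lower bound on surprise; correlated detectors (two measurements of the same flow) should share a base rate rather than be multiplied twice.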

STAGE 1: PLANNING

Though the malicious actor spends considerable time in Stage 1, most of this activity is either undetectable or not of value to a SOC team. Initial targeting occurs outside of the network and can come from any number of public or private sources, many of which never need to touch the target network itself. In the case of the 2013 Target hack, for example, it is believed that the threat actor spent months doing open-source research to identify both the third-party vendor responsible for Target’s HVAC systems and to get details on Target’s internal network infrastructure.12 Our approach does not rely upon Stage 1 indicators, though if present they can augment the odds against campaign-like behaviors being coincidental innocuous activities.13


STAGE 2: INITIAL ACCESS

The initial access vector is key for the entire operation, and thus considerable effort and expense will be put into engineering initial access. Here, a threat actor has a number of options. Quite often, they simply rely on a single human user executing a binary supplied in a phishing attack. Usually this does not even need a zero-day, as the permissions of the local user are generally enough to gain basic credentials for internal data services and other systems. On the other end of the spectrum is the throwing of valuable (zero-day) vulnerabilities at the network’s Internet-facing infrastructure, including web servers, proxy servers or firewalls, network infrastructure like routers, and other components.

Unfortunately, any time initial access fails, the threat actor can simply try again with a different vector. The defender seldom gains significant knowledge about the adversary, other than perhaps a general understanding of their skill level. Once the system is breached, evidence of the initial access is commonly removed. This means that not only do perimeter monitoring solutions need to find the proverbial needle in the haystack, but they have to do it very quickly, lest the needle be removed by the attacker. If a malicious actor is determined to gain illicit access, the sad reality is that they will do so irrespective of the IDS and endpoint protections deployed.

At least one in three cyber attacks succeed in breaching the network,14 and in 2016 Symantec found 430 million unique pieces of malware (a 36% increase from the year before).15 However, focusing defensive action on initial access as the indicator of an actor’s malicious activity seldom produces actionable information; these pieces of malware typically only reveal that Stage 2 has been reached, not the threat actor’s ultimate mission. Stage 2 does not play significantly into our approach.

STAGE 3: RIGHT-OF-HACK RECONNAISSANCE

Stage 3 is where a malicious actor has a foothold inside the target environment and must work to gain more knowledge. This behavior is typified by mapping, reconnaissance, and lateral movement; this is where “right of hack” begins. Regardless of how much an attacker learned during the initial planning stage, the actor is now faced with a network for which they initially lack total visibility and understanding.

Some network reconnaissance is required to build and improve the attacker’s understanding of the target network—to include what hardware and software comprises a typical host, where key data stores live, what (if any) endpoint protection is deployed, and other relevant information. Further, they do not want to miss the opportunity to find new treasure-troves of data and previously unknown systems. Such reconnaissance activity, which may include reaching out and scanning hosts and servers, scraping memory, going through local logs, sniffing network traffic, identifying high-value targets, and more, is required to determine where the valuable data is located and how the attacker may need to move laterally for access and acquisition.

[Figure: the five campaign stages (Planning, Access, Recon, Collection, Exfil), with the spans labeled “Traditional Focus” and “Versive Security Engine Focus”.]

For an example that is relatively common for adversary campaigns, consider the PATCHWORK APT.16 Fooled by a deception campaign, PATCHWORK was observed using an initial exploited host to scan mapped shared drives and log into cloud services that the attacker believed they had captured credentials for. Various network-data sources—including Netflow or Netflow-like data and internal DNS or internal proxy logs—captured significant parts of this activity based on measurements like abnormally large or unusual social circles (e.g., a single host connecting to high numbers of other hosts, clients connecting to other clients).

Measurements focusing on client-server schizophrenia (where a client’s activity and a server’s activity belie their status as a client or a server) can indicate devices acting out of character. Data source mapping activity conducted by a threat actor differs from activity conducted by a user enough that it can be highlighted by various log and network collection data. Users, browsing through a network data source, typically have a priori knowledge of their intended piece of data, taking a relatively direct depth-centric path to reach it (through a file hierarchy, for example). A threat actor’s behavior, lacking this a priori knowledge, will instead be characterized by a breadth-wise search pattern as they look to map and understand data sources to determine their value. Stage 3 can exhibit a more aggressive pattern of exploration, depending on the attacker’s resource and time constraints. A malicious actor is looking to achieve their operational goals in the shortest amount of time possible—while staying within their risk tolerance for revealing their presence.
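The depth-centric versus breadth-wise distinction above can be measured directly from file-share access logs. The following is an added example, not code from the paper: it profiles each principal by how far they descend a hierarchy against how many sibling entries they touch under a single parent. The log lines, principal names, paths and the ratio threshold are all constructed.

```python
"""Depth-centric vs breadth-wise data-source access.

Added example, not code from the paper: profiles each principal's file-share
accesses by how far they descend (depth) versus how many sibling entries they
touch under one parent (breadth). Log lines and thresholds are constructed.
"""
from collections import defaultdict
from posixpath import normpath

# Constructed access log: "<timestamp> <principal> <path>".
LOG = [
    "2018-04-10T09:12:01 alice /share/finance/2017/q4/report.xlsx",
    "2018-04-10T09:14:22 alice /share/finance/2017/q4/summary.docx",
    "2018-04-10T10:01:09 bob /share/eng/specs/v2/design.pdf",
    "2018-04-10T23:02:05 acct-7 /share/finance",
    "2018-04-10T23:02:06 acct-7 /share/hr",
    "2018-04-10T23:02:07 acct-7 /share/it",
    "2018-04-10T23:02:08 acct-7 /share/eng",
    "2018-04-10T23:02:09 acct-7 /share/legal",
    "2018-04-10T23:02:15 acct-7 /share/finance/2017",
    "2018-04-10T23:02:16 acct-7 /share/finance/2016",
    "2018-04-10T23:02:20 acct-7 /share/hr/payroll",
]


def parse_log(lines):
    """Group accessed paths by principal."""
    paths = defaultdict(list)
    for line in lines:
        _ts, principal, path = line.split(" ", 2)
        paths[principal].append(path)
    return paths


def access_profile(paths):
    """max_depth: deepest path component reached.
    max_branching: most distinct children touched under any single parent.
    breadth_ratio: branching / depth; above 1.0 the principal fans out across
    siblings faster than it descends, the breadth-wise mapping pattern."""
    children = defaultdict(set)
    max_depth = 0
    for p in paths:
        parts = normpath(p).strip("/").split("/")
        max_depth = max(max_depth, len(parts))
        for i in range(1, len(parts)):
            children["/" + "/".join(parts[:i])].add(parts[i])
    max_branching = max((len(c) for c in children.values()), default=0)
    ratio = round(max_branching / max_depth, 2) if max_depth else 0.0
    return {"max_depth": max_depth, "max_branching": max_branching,
            "breadth_ratio": ratio}


def profile_principals(lines):
    return {p: access_profile(paths) for p, paths in parse_log(lines).items()}


def breadth_wise(profiles, threshold=1.0):
    """Principals whose access pattern looks like mapping rather than use."""
    return sorted(p for p, prof in profiles.items()
                  if prof["breadth_ratio"] > threshold)


if __name__ == "__main__":
    profiles = profile_principals(LOG)
    for principal, prof in profiles.items():
        print(principal, prof)
    print("breadth-wise:", breadth_wise(profiles))
```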

Once an adversary’s understanding of the network has reached a sufficient level, the actor begins using some combination of captured credentials, exploits, and privilege escalations in order to move laterally through the network, aiming for high-value workstations and/or servers. Perhaps surprisingly, most security solutions perform poorly when it comes to identifying Stage 3. Normal monitoring solutions and network and system logs capture these activities quite nicely, but looking at this evidence in isolation leads back to the paradox of the false positive.

STAGE 4: COLLECTION AND STAGING

After an attacker has gained an understanding of the network and knowledge of the location of their actual target (primarily data stores on specific machines), they move laterally to a position where they can reach out and touch the target machine. Here, collection and staging begins. The actor will begin to collect data from the target machine and stage it on a different machine—one which has the requisite storage space, likely 24/7 availability (providing the actor flexibility in timing exfiltration of data from the target network), and lower likelihood of discovery by defenders.

Indicators and measurements of this activity are similar to those in Stage 3, primarily size of social circles (at the system level) and client and server behavior. Stage 4 expands on connection graphs in order to understand large-scale movement of data, which is likely to appear anomalous on the network. Also similar to Stage 3, collection for adversary purposes can manifest from too many disparate data sources, revealing a lack of the domain-specific interest and interactions typically seen in normal internal data accesses. Collection may originate at one machine or many, and may stage on one machine or many. Each successive hop outwards from the collection target (host or server) gets closer to the point at which it can be exfiltrated out of the target network to actor-controlled (external) infrastructure.

Multi-dimensional evidence of excessive Stage 4 activities combined with strong Stage 3 measurements is often enough to catch particular adversaries even when Stage 5 evidence is absent. This absence may be the result of out-of-band exfiltration, such as walking out hard drives and DVDs or performing a separate radio link “throw.” Even next-generation security solutions do very poorly at identifying this key component of adversary campaigns. To the best of our knowledge, our approach is the first commercial solution to tie together strong and weak indicators of Stages 3, 4, and 5.

STAGE 5: EXFILTRATION

Finally, the malicious actor must move the collected and staged data out of the network to their own infrastructure. Exfiltration will usually occur from one or a series of internal staging systems, and evidence of this activity can be captured in a variety of ways, including Netflow or Netflow-like data, proxy logs, etc. The method of data exfiltration used by the actor is nearly 100% determined by the configuration and security posture of the target network, and the actor may have to make a number of changes to enable exfiltration. This may include clandestinely enabling specific services (such as RDP) on the staging machines and/or modifying proxy or firewall settings to allow for previously-prohibited protocols (such as FTP). In the case of the 2013 Target breach, FTP was used to exfiltrate at least 11GB of data over approximately two weeks.[17] This activity further violates the notion that clients predominantly consume rather than produce, again revealing a client/server schizophrenia that is commonly observable within Stages 3, 4, and 5 of an adversary mission but which does not manifest in non-adversary roles. The protocol and path used for exfiltration depends on which services and pathways are permitted on the network, but no matter the path chosen, the movement of data at volume from inside to outside the network is measurable activity that can be detected and categorized.

THE STRENGTH OF THE MISSION-FOCUSED CAMPAIGN STAGE APPROACH

The application of this Mission-Focused framework to the detection of malicious actor activity on the network is a monumental shift in how adversaries are detected. Perimeter defense and endpoint protection are important, but ultimately insufficient. As perimeter defenses are defeated by an attacker, their behavior inside the target network will take on the patterns explained in Stages 3, 4, and 5. This predictable campaign behavior enables advanced analytics to surface potential campaign activity and then detect and understand the delta between current measurements and network normal. Even next-generation solutions fall short. Although they may find some important tells that indicate advanced adversaries operating in the environment, they stop short of putting the pieces together into a coherent narrative—a Threat Case [18]—that ensures a low false positive rate and enables analysts to focus on what’s most important.


CROSS-NETWORK VISIBILITY

Network and security administrators are interested in collecting and analyzing network data, and the growth of network IT and security requirements has driven the development of numerous tools that allow for its collection. When examined en masse, however, this data is heterogeneous and siloed across the network, often with haphazard access management. The result is limited visibility: tactically focused at best, but not strategic enough to detect larger trends and patterns. Security and IT applications are each working specific to their own types of data, limited in their visibility and configuration for ingestion and visualization.

To apply domain expertise and detect adversary campaign behavior internally, the solution must allow for the ingestion of a wide range of network data, security-focused and otherwise, for computation. This is most easily accomplished via the establishment of a data lake, a network location (on-premises or cloud-based) that aggregates all of the heterogeneous data into a single location. With this centrality of network data, a new security solution would be able to ingest and transform the data into a canonical format. The collective data could then be used to understand the network and establish network normal. With this baseline, anomalous behavior can be identified.

This is in stark contrast to the current security approaches we have described, where individual applications support their own application-specific data collection (e.g. endpoint applications) but fail to achieve a higher understanding of network activity. Endpoint protection, insofar as it protects a single endpoint, is neutralized as soon as the adversary deploys a tool that is unknown to the endpoint application—becoming invisible to its signature-based detection mechanism. Once this happens, the malicious actor is able to mitigate all endpoint protection on the network, because the application looks at, and is solely focused on, the specific data that it collects and understands. When we extrapolate to a higher level, the benefits become clear: security applications sitting above a data lake can ingest and understand not only network log data, but also other heterogeneous data, such as that sourced from other security applications. This global view allows for advanced analytics that can frame the entirety of the network and its activity.

Our solution is built in a way that enables siloed data to be brought together easily from across the network. Using Hadoop Distributed File System (HDFS) for data storage, Kafka pipelines for data ingestion into the common store, and Spark with Yarn for multi-tenant data processing, it is possible to get the cross-network visibility that is required for advanced adversary detection throughout campaign stages. Why is this level of visibility necessary? Because it’s easy for adversaries to modify data and evade single-source detection; what’s harder is modifying logs from across the network in a coordinated way that would evade a sophisticated system designed to understand all data in concert. Such evasion would require a deep understanding of the network being infiltrated—in addition to a great deal of time. Adversaries have a job to do, and this added vigilance takes valuable time that can make completing the mission more difficult, if not impossible.

ARTIFICIAL INTELLIGENCE FOR BETTER-THAN-EXPERT RESULTS

The application of machine learning allows for the detection of anomalous activity within the context of the campaign stages described above. The average corporate network is generally rife with heterogeneity: diverse hardware and software, technical personnel of varying degrees of competence, and users that engage in all sorts of odd-seeming computer behavior.

In essence, the modern corporate network is filled with “anomalies.” Knowing this, machine learning shouldn’t be blindly applied against the corporate network in search of simple anomalies; this would generate the same volume (or more) of false positives that such a methodology seeks to remedy. Instead of focusing on singular events with no context, we should interpret anomalies in terms of a malicious actor’s activities.

Machine learning’s application to cybersecurity is twofold. First, machine learning is able to rapidly process and understand log and other network data, building an understanding of what network normal looks like (and hence what is non-standard). Second, the application of machine learning allows for significant flexibility in the shift from signature/rule-based systems to a model- and learning-based system, focused on the threat actor’s mission. Such a model fits the large number of non-standard observations across the network into the five-stage campaign framework—the activities an adversary must conduct—in the areas where the defender is superiorly advantaged. This systematic correlation allows disparate events to be linked into a single narrative, or Threat Case (see footnote on previous page).

The Threat Case comprises the distillations of key findings, developed as the machine learning model ingests and contextualizes network data. Instead of being presented as distinct alerts, as in the current generation of cyber-defense tools, individual findings are correlated and woven together into a fully contextualized narrative. This Threat Case is then presented to the user as a complete picture of the sophisticated threat actor’s campaign inside the target network. Such information is immediately actionable, allowing network defenders a chance to both understand the threat and immediately begin mitigation. In addition, this model and its understanding of the network aren’t static; the model will learn the network’s behavior (and adjust to changes in it) over time. Unlike current approaches, there is no downloading of updated signatures or application of new YARA rules. This solution instead starts with an initial understanding of network normal, learns over time how to understand the network based on its unique structure and complexity, and then applies this ever-evolving understanding to its knowledge of network normal, the detection of anomalies, and the generation of coherent Threat Cases.

Our approach contrasts greatly with current generation protection systems where tools are installed, files must be updated for the tools to remain useful, and singular events are turned into alerts but present limited information with limited response options. Given the aforementioned increasing volume of malware and cyber attacks, the decreasing effectiveness of perimeter and endpoint protection, and the challenges faced by SOC analysts, corporate enterprises that continue down the current cyber-defensive path accept substantially higher risk than those moving to a holistic model.


REAL-WORLD EXAMPLE

To see how our model works in the real world, let’s examine the case of a large, multi-national financial institution using a platform that has instituted the Mission-Focused framework. This new approach allowed for the identification of malicious activity inside the network, which otherwise would likely have gone undetected.

The platform was ingesting a variety of logs (database, DNS, router, proxy) and data from an endpoint-detection system on a network consisting of approximately 200,000 hosts. With 60 days of data ingested, the platform identified a single host that was responsible for three terabytes of data transfer within the network (Stages 3 and 4) and more than ten terabytes that were exfiltrated out of the network (Stage 5). Of those ten exfiltrated terabytes, approximately five went to a domain that no other host in the network had connected to before. The single host responsible for this data transfer and exfiltration was highlighted to the institution, bringing to light network configurations and activity that had been previously unrecognized. Many other anomalous events around this Threat Case immediately transformed from unknown incidents, which typically have a high likelihood of being labeled false positives, into corroborating evidence—further contributing to the very damning overall picture being painted. Instead of presenting an extensive list of seemingly unrelated individual alerts from an IDS or a proxy server, a platform that pairs an understanding of cyberattack tradecraft with machine learning is capable of knitting together a series of network events into a single coherent Threat Case, which is then highlighted to network defenders.
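The Stage 3, 4 and 5 measurements described earlier (social circle size, large-scale internal data movement, client/server schizophrenia, outbound volume to a domain no other host has used) and their correlation into a single Threat Case, as in the financial-institution case above, can be sketched end to end over Netflow-like records. This is an added example, not code from the paper or the Versive Security Engine; the host names, domains, byte counts and the "k times the network-normal median" evidence rule are constructed assumptions.

```python
"""Tying Stage 3, 4 and 5 measurements into one Threat Case.

Added example, not code from the paper or the Versive Security Engine. The
Netflow-like records, host names, domains and the "k times the network-normal
median" rule are constructed; the shape mirrors the case in the text (one host
moving data internally, then out to a domain no other host has contacted).
"""
from collections import defaultdict
from statistics import median

# Constructed records: (src host, dst host or external domain,
#                       bytes src sent, bytes src received, dst is internal).
FLOWS = [
    ("ws-17", "fileserv-1", 20_000, 900_000_000, True),
    ("ws-17", "fileserv-2", 15_000, 700_000_000, True),
    ("ws-17", "ws-03", 10_000, 400_000_000, True),
    ("ws-17", "ws-08", 12_000, 300_000_000, True),
    ("ws-17", "ws-11", 9_000, 250_000_000, True),
    ("ws-17", "cdn.example.net", 50_000, 2_000_000, False),
    ("ws-17", "drop.example.org", 2_400_000_000, 100_000, False),
    ("ws-03", "fileserv-1", 5_000, 30_000_000, True),
    ("ws-03", "cdn.example.net", 40_000, 5_000_000, False),
    ("ws-08", "fileserv-1", 4_000, 20_000_000, True),
    ("ws-08", "cdn.example.net", 30_000, 4_000_000, False),
    ("ws-11", "fileserv-2", 6_000, 25_000_000, True),
    ("ws-11", "cdn.example.net", 35_000, 3_000_000, False),
]


def host_measurements(flows):
    """Per-host measurements plus the set of hosts seen contacting each domain."""
    m = defaultdict(lambda: {"peers": set(), "internal_bytes": 0, "ext_sent": 0,
                             "ext_recv": 0, "domain_bytes": defaultdict(int)})
    domain_hosts = defaultdict(set)
    for src, dst, sent, recv, internal in flows:
        h = m[src]
        if internal:
            h["peers"].add(dst)                  # Stage 3: size of social circle
            h["internal_bytes"] += sent + recv   # Stage 4: data moved inside
        else:
            h["ext_sent"] += sent                # Stage 5: data leaving the network
            h["ext_recv"] += recv
            h["domain_bytes"][dst] += sent
            domain_hosts[dst].add(src)
    return m, domain_hosts


def build_threat_cases(flows, k=3.0, min_stages=2):
    """Return {host: [(stage, finding, value), ...]} for hosts with evidence in
    at least min_stages stages. Network normal is the median across hosts; a
    measurement above k times that median counts as evidence."""
    m, domain_hosts = host_measurements(flows)
    normal = {"peers": median(len(h["peers"]) for h in m.values()),
              "internal_bytes": median(h["internal_bytes"] for h in m.values()),
              "ext_sent": median(h["ext_sent"] for h in m.values())}
    cases = {}
    for host, h in m.items():
        ev = []
        if len(h["peers"]) > k * normal["peers"]:
            ev.append((3, "social circle larger than network normal", len(h["peers"])))
        if h["internal_bytes"] > k * normal["internal_bytes"]:
            ev.append((4, "internal data movement above network normal", h["internal_bytes"]))
        if h["ext_sent"] > k * normal["ext_sent"]:
            ev.append((5, "outbound volume above network normal", h["ext_sent"]))
        total = h["ext_sent"] + h["ext_recv"]
        if total and h["ext_sent"] / total > 0.5:   # client producing, not consuming
            ev.append((5, "client/server schizophrenia", round(h["ext_sent"] / total, 3)))
        for d, b in sorted(h["domain_bytes"].items()):
            if domain_hosts[d] == {host}:           # no other host ever used it
                ev.append((5, f"only host contacting domain {d}", b))
        if len({stage for stage, _, _ in ev}) >= min_stages:
            cases[host] = ev
    return cases


if __name__ == "__main__":
    for host, evidence in build_threat_cases(FLOWS).items():
        print(f"Threat Case for {host}:")
        for stage, finding, value in evidence:
            print(f"  Stage {stage}: {finding} ({value:,})")
```

Hosts with evidence in only one stage (a single never-before-seen domain, say) never form a case on their own, which is the paper's point about submerging isolated anomalies.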


CONCLUSION

The sophisticated threat actor is well-resourced and patient, knows their target, and may be prepared to use their most advanced tools and tradecraft against your network. No amount of intrusion detection and endpoint protection will dissuade or prevent such an attacker from gaining access. Threat intelligence tells you what happened last week or what may (or may not) be coming in the future, but it doesn’t show what is happening right now within your environment, where the adversary is presently operating. Current defensive systems, which focus exclusively on the most dynamic elements of the threat actor’s attack (initial access vectors, exploits, and malware), are attempting to work with factors that are easily changed and disguised—a setup for failure.

A more secure path is to strategically focus on a threat actor’s core mission imperatives, which are based in predominantly static tradecraft: gain illicit access, perform reconnaissance and map the network, stage data for exfiltration, and then exfiltrate the data. Within the Mission-Focused framework, we apply machine learning to the network’s security and IT logs at a massive scale, submerging the false positives and benign alerts while surfacing and correlating signals that will expose the threat actor’s campaign. This shift in defensive posture will dramatically alter the state of play, at last giving network defenders the upper hand.


REFERENCES

1 http://www.gemalto.com/press/Pages/Gemalto-Releases-Findings-of-2014-Breach-Level-Index.aspx

2 http://www.heritage.org/cybersecurity/report/cyber-attacks-us-companies-november-2014

3 https://www.sans.org/security-resources/idfaq/how-does-an-attacker-evade-intrusion-detection-systems-with-session-splicing/2/21

4 http://cs.unc.edu/~fabian/course_papers/PtacekNewsham98.pdf; https://www.sans.org/security-resources/idfaq/how-does-an-attacker-evade-intrusion-detection-systems-with-session-splicing/2/21

5 https://www.sans.org/reading-room/whitepapers/detection/intrusion-detection-evasion-attackers-burglar-alarm-1284

6 http://www.darkreading.com/attacks-and-breaches/target-ignored-data-breach-alarms/d/d-id/1127712

7 http://www.verizonenterprise.com/verizon-insights-lab/dbir/

8 Security theater is the practice of investing in countermeasures intended to provide the feeling of improved security while doing little or nothing to achieve it, from Bruce Schneier’s 2003 book Beyond Fear: Thinking Sensibly about Security in an Uncertain World.

9 https://www.mcafee.com/us/resources/reports/rp-quarterly-threats-dec-2016.pdf

10 Right of Hack characterizes the focus on threat actor activity that occurs inside the target network, once the target has already been hacked.

11 By non-traditional security data, we are referring to data dealing with the permitted communications and data flows representing accesses between systems and data stores, not the traditional security logs focused on failed attempts and blocked accesses.

12 https://www.commerce.senate.gov/public/_cache/files/24d3c229-4f2f-405d-b8db-a3a67f183883/23E30AA955B-5C00FE57CFD709621592C.2014-0325-target-kill-chain-analysis.pdf

13 This can be necessary when only a small number of unique data sources are being processed within a target environment. This is not ideal, but has still shown the ability to reliably detect adversary campaigns within corporate environments that have gone unnoticed by current next-gen APT hunting solutions.

14 https://www.accenture.com/t20170406T052041__w__/us-en/_acnmedia/PDF-35/Accenture-Building-Confidence-Facing-Cybersecurity-Conundrum-Transcript.pdf#zoom=50

15 https://www.symantec.com/content/dam/symantec/docs/reports/istr-21-2016-en.pdf

16 https://s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling_Patchwork.pdf

17 https://www.commerce.senate.gov/public/_cache/files/24d3c229-4f2f-405d-b8db-a3a67f183883/23E30AA955B-5C00FE57CFD709621592C.2014-0325-target-kill-chain-analysis.pdf

18 A Threat Case, found exclusively in the Versive Security Engine, is a contextualized map of a potential adversary campaign in your network. These cases are highly accurate and always worthy of immediate investigation.