Jul 31, 2013, 11:30 am EST
By Stephen Newman, Vice President of Products, Damballa
Detecting malicious network behavior isn’t as straightforward as it used to be. Organizations can no longer rely on their signature-based antivirus and intrusion detection systems to detect and remediate malware and botnets entering the network. Malware and botnets have evolved, rendering our defenses and controls ineffective and exposing an organization to the business risk of a breach. It is time to adopt a new set of best practices.
Today’s advanced threats change as they propagate, making it difficult to generate a signature by which to detect them. However, they make use of the very infrastructure that they infiltrate. By understanding the kill chain – the systematic process attackers use to carry out an attack or campaign – and performing network-based threat discovery, you can rapidly identify advanced hidden infections under a threat actor’s control.
Introduction to the Kill Chain
The kill chain consists of six phases:
- Reconnaissance – The attacker profiles and collects information about the target, including the organization’s structure, basic security controls, etc.
- Weaponization – The attacker prepares malicious code to exploit a vulnerability on a target device and creates malware that will be dropped onto the exploited device.
- Delivery – The attacker creates a campaign to entice the targeted user to perform an action, such as clicking on a link or visiting a web page that exploits a software vulnerability on the device.
- Exploitation – The exploit code is executed on the target device, enabling the attacker to download the initial “dropper” malware and providing the attacker control. This can be a multi-stage process wherein the dropper obtains control of the device and then downloads additional malicious code designed to perform data exfiltration or damage to the target network.
- Command-and-Control – The compromised (infected) device contacts its control network to receive further instructions or retrieve additional malicious code.
- Exfiltration – Data is removed from the network while attempting to avoid detection.
Understanding Network-based Threat Discovery
The final three phases of the kill chain – exploitation, command-and-control, and data exfiltration – take place over the network. During the process of carrying out these phases, attackers leave a trail of clues that can lead right to an infected system. This is where network-based threat discovery comes in. Hidden infections can be identified by profiling a device’s network communication as they persist (i.e. analyzing the clues left behind) and asking how, when, what, where and who.
How/When – Behavior Analysis
By profiling the behavior of each device on your network, you can differentiate between human-based activity and automated software-based activity, like that of malware communicating to an attacker. You can listen to each device’s Internet-bound communication attempts to detect automated communications, such as temporal-based anomalies (when), domain fluxing activity (how), or non-benign peer-to-peer attempts (how).
What – Content Analysis
The communications themselves during the exploitation and command-and-control phases can also be evidence of an infection. Signature-less identification and real-time analysis of files being transferred to and from a device while it is on the corporate network can indicate potential infections and provide clues as to ‘what’ infection is present. You can capture a copy of these files and run them in a virtual environment to see if their behavior is malicious. Analyzing the request header may also uncover clues as to the malware family to which the communication belongs.
Where/Who – Threat Intelligence and Attribution
Command-and-control activity can be revealed by profiling where a device is communicating on the Internet. Blacklists and cyber intelligence information sharing have limited value in this regard, as command-and-control destinations change frequently and attackers hack legitimate sites. This results in a lot of noise and false positive alerts. Therefore, it is important to consider the destinations the device is communicating to, and their relationships to malware families and the attacker, keeping in mind that attackers do not restrict themselves to one type of malware or malicious destination. You can pinpoint a hidden infection by comparing the ‘where’ and ‘who’ a device is communicating to with the ‘how’ and ‘when’ the communication persists over time.
Putting the Clues Together
The goal of network-based threat discovery is to shorten the time between a compromise (infection) and detection. Evidence attributed to any one of the five key questions above is not enough to detect an infection. But if you can answer and corroborate two or more of the questions, then you can build a case to discover a previously hidden infection.
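The corroboration rule above can be sketched over DNS events, as an added example that is not from the original article or any Damballa product. The event tuples, the intelligence list and every threshold are constructed assumptions, and only the ‘when’, ‘how’ and ‘where/who’ questions are covered (content analysis is left out).

```python
import math
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed sample events: (epoch seconds, device, queried domain, DNS rcode).
FLUX = ["qzkvhwpxjt", "mbxrtqlzvn", "wjkdpzqhxv", "xvqnzkjwtr", "pzlkqwvxhm", "tkzvwqjxpn"]
EVENTS = (
    [(1000 + 300 * i, "10.0.0.5", "updates.example.net", "NOERROR") for i in range(8)]
    + [(1010 + 7 * i, "10.0.0.5", f"{name}.example", "NXDOMAIN") for i, name in enumerate(FLUX)]
    + [(t, "10.0.0.9", "news.example.org", "NOERROR") for t in (1000, 1042, 1900, 2011, 3400)]
    + [(1500, "10.0.0.9", "updates.example.net", "NOERROR")]
)
INTEL = {"updates.example.net"}  # constructed list of destinations tied to a malware family

def entropy(label):
    """Shannon entropy in bits per character; random-looking names score high."""
    return -sum(c / len(label) * math.log2(c / len(label)) for c in Counter(label).values())

def is_periodic(times, min_events=5, max_cv=0.1):
    """'When': near-constant gaps between requests point to automation, not a person."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    return len(gaps) >= min_events - 1 and pstdev(gaps) <= max_cv * mean(gaps)

def is_fluxing(failed, min_failures=5, min_entropy=3.0):
    """'How': many failed lookups of random-looking names point to domain fluxing."""
    return sum(entropy(d.split(".")[0]) >= min_entropy for d in failed) >= min_failures

def evidence(events, intel=INTEL):
    """Map each device to the set of questions that have supporting evidence."""
    times, failed, found = defaultdict(list), defaultdict(set), defaultdict(set)
    for ts, dev, dom, rcode in events:
        found[dev]  # report every device, even one with no evidence
        if rcode == "NXDOMAIN":
            failed[dev].add(dom)
        else:
            times[(dev, dom)].append(ts)
    for (dev, dom), seen in times.items():
        if is_periodic(sorted(seen)):
            found[dev].add("when")
        if dom in intel:
            found[dev].add("where/who")
    for dev, names in failed.items():
        if is_fluxing(names):
            found[dev].add("how")
    return dict(found)

def suspects(events, needed=2):
    """Flag a device only when at least `needed` questions corroborate each other."""
    return sorted(dev for dev, qs in evidence(events).items() if len(qs) >= needed)
```

On the constructed data, 10.0.0.9 touches the listed destination once and is not flagged, while 10.0.0.5 is flagged because periodic contact, fluxing lookups and the intelligence match all line up.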
Furthermore, given the dynamic nature of today’s advanced threats, it is important that the questions of how, when, what, where and who of network traffic are answered and corroborated in real time. Solutions that only alert on evidence from a single point in time are not sufficient. Attackers change their tactics throughout the kill chain, and you must adapt accordingly.
Few organizations have the ability to build the tools or staff the resources that can answer these questions about their network traffic, and do so in real time. But that is not necessary. A provider with a full deep packet inspection engine and a framework that allows new detection techniques to be added to ask the relevant questions of network traffic (how, when, what, where, who) can help. Consider partnering with a provider who can deliver evidence of an infection to you in a useful manner and enable you to be agile in responding to the discovery of new infections.
As attackers evolve and advance their techniques, traditional best practices for detecting malicious network behavior become less and less relevant. It is time that we evolve our methods for detecting advanced malware and botnets. IT security teams need to adopt new best practices based on network-based threat discovery. By partnering with a provider who can help them answer the relevant questions about their network traffic, IT security teams can once again close the gap between detection and infection, reducing business risk by removing the infection before it becomes a breach.
Stephen Newman is the Vice President of Products at Damballa and can be contacted at firstname.lastname@example.org