The ultimate goal of any security monitoring program or Security Operations Center (SOC) team is to automate threat detection, to detect threats earlier in the attack lifecycle, and to stop threat actors from achieving their objectives of disrupting the business or stealing its IP or money. "Automating threat detection" sounds simple enough, but how can it be achieved? It can be accomplished by having the right data and by understanding and profiling attacker TTPs (Tactics, Techniques and Procedures).
Take the case of an attacker using a Command and Control (CC) server to further compromise a target system. In this case, the attacker will implement a series of TTPs to establish communication and take control of the target system. In many cases, organizations detect CC activity only when it is too late, well after the attacker has taken action and impacted the organization negatively.
What if you could automate detection so that CC exploits are detected earlier in the attack lifecycle, just as the attacker is trying to gain a foothold? How can this be done? It goes back to having access to the right data, understanding and profiling attacker TTPs, and detecting anomalies using UEBA. A series of attacker actions and a combination of anomalous activities by users and entities could be leading indicators of a CC exploit, which will require further investigation and counter-strike to stop the attacker.
Let's take a look at some leading indicators and activities that individually are modest indicators of CC activity, but taken together form a much clearer picture:
- Beaconing - Periodic traffic to a URL at specific intervals or specific times of day
- Communication with Rare Domains - Domains visited by only a few hosts in the organization
- Rare User Agents - Software used by a small number of enterprise hosts that is generating HTTP traffic but is not a standard browser
- Missing Referrers - No previously visited site recorded in the HTTP Referer header, a sign that no one clicked a link in a browser to reach that website
- Domain Age - Domain being visited by an enterprise host is newly registered (WHOIS)
- Suspicious Domain - Blacklisted, only used by infected hosts, ...
The indicators listed above are just a few; there are others. Generally speaking, a security analyst will triage and identify the root cause of a CC exploit by confirming the above activities and indicators manually. But what if CC detection could be automated, so that the activity is detected as it is happening? A combination of the above activities in sequence over a period of time could signal that an exploit is being planned, and the SOC team will need to take immediate action to stop the threat actor from compromising the organization (affecting the confidentiality, integrity or availability of the organization's systems). By using machine learning, organizations can correlate data from the above indicators into a general risk score, all without manual input, tuning or signatures.
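As an added illustration (not code from the original post or from any RSA product), the Python below scores each host/domain pair on four of the indicators listed above, using fixed, assumed weights in place of a trained model. The proxy records, field layout, thresholds and weights are all constructed for the example; domain age and blacklist status need external lookups and are left out.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample proxy records: (epoch_seconds, host, domain, user_agent, referrer)
BROWSER = "Mozilla/5.0"
LOGS = [(t, "ws-17", "updates.example-cdn.test", "svc-agent/1.0", "") for t in range(0, 3600, 300)]
for i, h in enumerate(["ws-01", "ws-02", "ws-03", "ws-17"]):
    LOGS += [(t, h, "intranet.example.test", BROWSER, "https://portal.example.test/")
             for t in (40 + i * 7, 911 + i * 53, 2500 + i * 11, 3333 + i * 3)]

# Assumed weights: each indicator is modest alone, the sum is the risk score (0..1).
WEIGHTS = {"beaconing": 0.35, "rare_domain": 0.25, "rare_user_agent": 0.20, "missing_referrer": 0.20}

def is_beaconing(times, min_events=6, max_cv=0.1):
    """Periodic traffic: inter-arrival gaps have a low coefficient of variation."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    return len(times) >= min_events and mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_cv

def score_pairs(logs, rare_fraction=0.25):
    """Return {(host, domain): (risk_score, indicator_hits)} for every pair seen."""
    hosts = {r[1] for r in logs}
    domain_hosts, ua_hosts, pairs = defaultdict(set), defaultdict(set), defaultdict(list)
    for ts, host, domain, ua, ref in logs:
        domain_hosts[domain].add(host)   # how many hosts visit each domain
        ua_hosts[ua].add(host)           # how many hosts use each user agent
        pairs[(host, domain)].append((ts, ua, ref))
    results = {}
    for (host, domain), events in pairs.items():
        events.sort()
        hits = {
            "beaconing": is_beaconing([e[0] for e in events]),
            "rare_domain": len(domain_hosts[domain]) / len(hosts) <= rare_fraction,
            "rare_user_agent": all(len(ua_hosts[e[1]]) / len(hosts) <= rare_fraction for e in events),
            "missing_referrer": all(not e[2] for e in events),
        }
        results[(host, domain)] = (round(sum(WEIGHTS[k] for k, v in hits.items() if v), 2), hits)
    return results

if __name__ == "__main__":
    for pair, (score, hits) in sorted(score_pairs(LOGS).items(), key=lambda kv: -kv[1][0]):
        print(pair, score, [k for k, v in hits.items() if v])
```

Real beacons often add jitter, so the `max_cv` threshold and the minimum event count would need tuning against an organization's own proxy data.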
Automating the detection of CC activities early in the attack lifecycle is like achieving security Nirvana. SOC teams can take action before the attacker negatively impacts the business.
Category: RSA Fundamentals, Blog Post
Keywords: C2, Command and Control