By Wednesday morning at Black Hat, the traffic profile switched from compartmentalized, per-classroom monitoring to a more distributed and chaotic sea of general conference wireless. This meant a shift from mostly student laptop-generated traffic to about 90% of all Black Hat activity being generated by mobile devices.
Choosing how to monitor an environment like this, given no knowledge of the endpoints, a newly instantiated NOC network, and no concept of critical assets beyond the NOC walls, is a challenge. A network teeming with hackers of various intentions opens up an endless stream of shiny things and rabbit holes that could easily consume hundreds of analyst-hours per day without any fruitful findings. So, we have to organize and prioritize. And while there are many approaches we can and have implemented throughout our Black Hat adventure, one in particular is worth mentioning - extending beyond the well-worn concept of Indicators of Compromise into a model that delineates and correlates Indicators, Behaviors, and Enablers of Compromise.
The concept is simple, valuable, and best shown through a few examples from our recent NOC dashboard.
Black Hat NOC - RSA NetWitness Indicators of Compromise
It's not about changing the definition of an IOC. In the RSA NetWitness vernacular, an indicator is anything anomalous or malicious that our parsers, rules, and feeds detect within network traffic. The charts above break down those indicators by the service in which they were detected and by a timeline of the specific indicators. Some are higher fidelity than others, but any of them can be a valuable launching point for investigation, as they are intended to be the technical artifacts of compromise.
Black Hat NOC - RSA NetWitness Behaviors of Compromise
Behaviors of compromise are certainly related to indicators, but generally represent later stages of an attack. Examples include activity obfuscation, tool downloads, exfiltration, and any other characteristics of network traffic that tend to be seen as behaviors of an attacker rather than specific features of a single connection or file.
Black Hat NOC - RSA NetWitness Enablers of Compromise
And finally, enablers. Many of these point back at poor operational security, weak policies, and lax network hygiene: clear-text passwords, social engineering attempts, and data disclosure - all things that could push the door wide open for an attacker.
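One way to put this three-tier model into code, as an added example that is not part of the original post or of RSA NetWitness: each detection name is mapped to a tier, alerts are grouped per client, and clients are ranked by how many tiers they show and whether a behavior followed an indicator. The detection names, the `Alert` record and the sample alerts are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Tier of each detection name. The names are hypothetical labels for the kinds
# of detections the post describes, not RSA NetWitness rule or meta key names.
TIERS = {
    "indicator": {"known_bad_domain", "malicious_file_hash", "suspicious_user_agent"},
    "behavior": {"tool_download", "encoded_payload", "large_outbound_transfer"},
    "enabler": {"cleartext_password", "phishing_attempt", "sensitive_data_disclosure"},
}
TIER_OF = {name: tier for tier, names in TIERS.items() for name in names}

@dataclass(frozen=True)
class Alert:
    ts: int        # epoch seconds at which the detection fired
    client: str    # client address the detection was raised against
    name: str      # detection name, expected to be a key of TIER_OF

def triage(alerts):
    """Tag alerts by tier, group by client, rank clients by distinct tiers seen
    (0-3), then by 'progression': a behavior firing after an indicator, the
    later-stage ordering the post describes. Unknown names are skipped."""
    per_client = defaultdict(lambda: defaultdict(list))
    for a in sorted(alerts, key=lambda a: a.ts):
        tier = TIER_OF.get(a.name)
        if tier is not None:
            per_client[a.client][tier].append(a)
    ranked = []
    for client, tiers in per_client.items():
        first_indicator = tiers["indicator"][0].ts if tiers["indicator"] else None
        last_behavior = tiers["behavior"][-1].ts if tiers["behavior"] else None
        progression = (first_indicator is not None and last_behavior is not None
                       and last_behavior > first_indicator)
        summary = {"tiers": sorted(t for t in TIERS if tiers[t]),
                   "counts": {t: len(tiers[t]) for t in TIERS if tiers[t]},
                   "progression": progression}
        ranked.append((client, summary))
    return sorted(ranked, key=lambda r: (-len(r[1]["tiers"]), not r[1]["progression"], r[0]))

# Constructed sample alerts for three clients; not real Black Hat NOC data.
SAMPLE_ALERTS = [
    Alert(100, "10.0.0.5", "cleartext_password"),       # enabler
    Alert(200, "10.0.0.5", "known_bad_domain"),          # indicator
    Alert(300, "10.0.0.5", "tool_download"),             # behavior, after the indicator
    Alert(50, "10.0.0.7", "large_outbound_transfer"),    # behavior before any indicator
    Alert(400, "10.0.0.7", "known_bad_domain"),
    Alert(150, "10.0.0.9", "suspicious_user_agent"),
    Alert(160, "10.0.0.9", "not_a_known_detection"),     # unknown name, skipped
]
```

Calling `triage(SAMPLE_ALERTS)` ranks 10.0.0.5 first (all three tiers, behavior after indicator), then 10.0.0.7, then 10.0.0.9, which is the order an analyst would want to work through them.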
Using this simple re-organization makes the data much more readable, especially when you need to dive into terabytes of captured traffic. It gives the analyst a way to explore the various potential attack stages in a more "human friendly" way. For the human analyst, this results in a much more efficient use of time. And for the Black Hat NOC analyst (still human after seven days in Las Vegas!), this results in the ability to maintain a more concise level of visibility and understanding of the hacktivities.