Threat analytics

Regardless of the motives of a hacker, the main component of damage is often associated with compromising, altering, or destroying critical information that is needed in order to run the business. It is an unfortunate reality, but organizations are going to get compromised. In designing security, especially for the endpoint, robust measures are deployed to prevent compromise, layered with defenses to minimize the damage caused by a compromise, but ultimately we need to be able to detect the compromise in a timely manner.

Since, on average, organizations are compromised for close to a year before the compromise is detected (according to the 2016 Verizon Data Breach Investigations Report), IT organizations have concluded that finding a compromised system is very difficult. Fortunately, that is not the case. Revealing compromised systems is straightforward when the right tools and processes are implemented. Too many organizations still fall into the trap of putting all of their security eggs in the prevention basket, so when prevention fails, they have scant resources dedicated toward detecting and tracking an exploit that is in progress.

When an endpoint becomes compromised, there are distinct differences between the activity a normal user performs and the activity an adversary performs. By carefully monitoring and tracking changes in behavior, including data access, applications, services and network activity, these differences can be detected to indicate that a compromise has occurred. This data can be derived from all of the disciplines discussed in this whitepaper. From a host-based activity perspective, software can carefully monitor what is happening on the system and detect subtle differences in behavior. Critical areas to monitor on the host are files and applications that run when the system boots.
One of the goals of an adversary is to maintain persistence, which is achieved by running malicious code when the system starts. Since there is only a finite number of ways that programs can run during boot-up, this is an easy area to monitor and track.

From a network perspective, a compromised system will often establish a C2 (command and control) session back to the adversary so they can continue to monitor the system and cause additional harm. These connections are often fully encrypted and go to IP addresses that are not associated with legitimate or normal sites. Therefore, by carefully monitoring network connections, including DNS lookups, suspicious activity can be detected.

This general activity of looking for compromised systems is referred to as hunting. Threat hunting is the act of aggressively tracking and eliminating cyber adversaries as early as possible and is a key component of mitigating damage. There is no such thing as an invisible adversary. Carefully monitoring and tracking the system can reduce the dwell time, the amount of time an adversary is on a system, helping to limit any damage.

To learn more about using behavioral analytics to protect your organization, view my on-demand webinar “3 Tips to Revealing Hidden Security Risks with Behavior Analytics.”
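As an added example (not from the whitepaper), the two host and network checks described above as a small Python baseline-and-diff hunt over constructed telemetry: it diffs the finite set of autostart entries against a known-good baseline, and flags connections to destinations outside the baseline, in particular repeated direct-to-IP connections made with no DNS lookup. Every path, hostname and address is a constructed sample, not a real indicator.

```python
from collections import Counter
from typing import Dict, List, Set
# Constructed known-good baseline (hypothetical paths and hosts, not real indicators).
BASELINE_AUTOSTART: Dict[str, str] = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive": r"C:\Program Files\OneDrive\OneDrive.exe",
    "/etc/systemd/system/sshd.service": "/usr/sbin/sshd -D",
}
BASELINE_DESTINATIONS: Set[str] = {"updates.example.com", "mail.example.com"}

def autostart_changes(current: Dict[str, str]) -> List[str]:
    """One finding per autostart entry that is new or whose command changed.
    Autostart locations are finite, so a full diff against the baseline is cheap."""
    findings = []
    for location, command in current.items():
        if location not in BASELINE_AUTOSTART:
            findings.append(f"NEW autostart {location} -> {command}")
        elif BASELINE_AUTOSTART[location] != command:
            findings.append(f"CHANGED autostart {location} -> {command}")
    return findings

def network_findings(events: List[dict], beacon_threshold: int = 3) -> List[str]:
    """Flag destinations absent from the baseline, and repeated connections to the
    same unknown destination (the periodic check-in pattern of a C2 session)."""
    findings = []
    unknown: Counter = Counter()
    for ev in events:
        dest = ev.get("dns_name") or ev["dst_ip"]
        if dest in BASELINE_DESTINATIONS:
            continue
        unknown[dest] += 1
        if ev.get("dns_name") is None:  # no DNS lookup preceded it: direct-to-IP traffic
            findings.append(f"UNKNOWN raw-IP connection {ev['src']} -> {ev['dst_ip']}:{ev['dport']}")
    for dest, count in unknown.items():
        if count >= beacon_threshold:
            findings.append(f"BEACON {count} connections to unknown destination {dest}")
    return findings

# Constructed sample telemetry: one added autostart entry, and a host connecting
# repeatedly, without any DNS lookup, to a TEST-NET address reserved for documentation.
SAMPLE_AUTOSTART = dict(BASELINE_AUTOSTART)
SAMPLE_AUTOSTART[r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"] = r"C:\Users\Public\updater.exe"
SAMPLE_EVENTS = [
    {"src": "10.0.0.5", "dst_ip": "198.51.100.2", "dport": 443, "dns_name": "updates.example.com"},
    {"src": "10.0.0.5", "dst_ip": "203.0.113.7", "dport": 443, "dns_name": None},
    {"src": "10.0.0.5", "dst_ip": "203.0.113.7", "dport": 443, "dns_name": None},
    {"src": "10.0.0.5", "dst_ip": "203.0.113.7", "dport": 443, "dns_name": None},
]
def run_hunt() -> List[str]:
    """Host plus network findings for one endpoint; an empty list means nothing suspicious."""
    return autostart_changes(SAMPLE_AUTOSTART) + network_findings(SAMPLE_EVENTS)
```

In practice the baseline is captured from a known-good build and the current values come from the host's autostart locations and its connection or DNS logs; the diff logic stays the same.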

Dr. Eric Cole

SANS Instructor

Dr. Cole is an industry-recognized security expert with over 20 years of hands-on experience. Dr. Cole has experience in information technology with a focus on helping customers focus on the right areas of security by building out a dynamic defense. Dr. Cole has a master's degree in computer science from NYIT and a doctorate from Pace University with a concentration in information security. He served as CTO of McAfee and Chief Scientist for Lockheed Martin. Dr. Cole is the author of several books, including Advanced Persistent Threat, Hackers Beware, Hiding in Plain Sight, Network Security Bible 2nd Edition, and Insider Threat. He is the inventor of over 20 patents and is a researcher, writer, and speaker. He is also a member of the Commission on Cyber Security for the 44th President and several executive advisory boards. Dr. Cole is the founder and an executive leader at Secure Anchor Consulting where he provides leading-edge cyber security consulting services, expert witness work, and leads research and development initiatives to advance the state-of-the-art in information systems security. Dr. Cole was the lone inductee into the InfoSec European Hall of Fame in 2014. Dr. Cole is actively involved with the SANS Technology Institute (STI) and is a SANS faculty Fellow and course author who works with students, teaches, and develops and maintains courseware.