Regardless of the motives of a hacker, the main component of damage is often associated with compromising, altering, or destroying critical information that is needed in order to run the business. It is an unfortunate reality, but organizations are going to get compromised.
In designing security, especially for the endpoint, robust measures are deployed to prevent compromise, layered with defenses to minimize the damage that is caused by a compromise, but ultimately, we need to be able to detect the compromise within a timely manner. Since, on average, organizations are often compromised for close to a year before being detected (according to the 2016 Verizon Data Breach Investigations Report), IT organizations have concluded that finding a compromised system is very difficult. Fortunately, that is not the case. Revealing compromised systems is straightforward when the right tools and processes are implemented. Too many organizations still fall into the trap of putting all of their security eggs in the prevention basket. So when that fails, they have scant resources dedicate toward detecting and tracking an exploit that is in progress.
When an endpoint becomes compromised, there are distinct differences in what activity a normal user performs and what activity an adversary would perform. By carefully monitoring, watching and tracking any changes in behavior, which include data access, applications, services and network activity, distinct differences can be detected to indicate that a compromise has occurred. This data can be derived from all of the disciplines discussed in this whitepaper.
From a host-based activity perspective, software can carefully monitor what is happening on the system and detect subtle differences in behavior. Critical areas to monitor on the host are files and applications that run when the system boots. One of the goals of an adversary is to maintain persistence, and this is achieved by running malicious code when the system starts. Since there is only a finite number of ways that programs can run during boot up, this is an easy area to monitor and track.
From a network perspective, a compromised system will often make a C2 (command & control) session back to the adversary so they can continue to monitor the system and cause additional harm. These connections are often fully encrypted and go to IP addresses that are not associated with legitimate or normal sites. Therefore, by carefully monitoring network connections including DNS lookups, suspicious activity can be detected. This general activity of looking for compromised systems is referred to as hunting. Threat hunting is the act of aggressively tracking and eliminating cyber adversaries as early as possible and is a key component of mitigating damage.
There is no such thing as an invisible adversary. Carefully monitoring and tracking the system can reduce the dwell time, or amount of time an adversary is on a system, reduced, helping to limit any damage.
To learn more about using behavioral analytics to protect your organization, view my on-demand webinar “3 Tips to Revealing Hidden Security Risks with Behavior Analytics.”
