In many ways, bring your own device may as well be bring your own infection. Nobody can deny the productivity benefits of allowing employees to use their personally owned devices for business, but BYOD also presents a security risk, and the traditional approach to security – platform-specific policies – has largely failed to protect the network from infected mobile devices. As a result, IT organizations face a significant challenge: How do you protect the network from an endpoint you have little or no visibility into, and which you have little or no control over?
The answer isn’t as complicated as one would expect. Attackers use a systematic process in the course of carrying out an attack campaign. This process is known as the kill chain. As attackers move from one phase of the kill chain to another, they leave behind clues about their activity. IT organizations can use this information to uncover hidden infections in what is known as network-based threat discovery.
Network-based threat discovery begins with an understanding of the kill chain:
* Reconnaissance – The attacker profiles the target and collects information such as the organization’s structure and basic security controls.
* Weaponization – The attacker prepares malicious code to exploit a vulnerability on a target device and creates malware that will be dropped onto the device after it is exploited.
* Delivery – The attacker creates a campaign to entice the targeted user to perform an action, such as clicking on a link or visiting a web page, which exploits a software vulnerability on the device.
* Exploitation – Exploit code is executed on the target device, enabling the attacker to download the initial dropper malware and providing the attacker control.
* Command-and-control – In this phase the compromised device contacts its control network to receive further instructions or retrieve additional malicious code.
* Exfiltration – Data is removed from the network.
Applying network-based threat discovery
By profiling a device’s network communications during the exploitation, command-and-control and data exfiltration phases, and asking how, when, what, where and who, IT organizations can uncover hidden infections. Evidence attributed to any one of these questions is not sufficient to identify an infection. However, if two or more questions are answered and corroborated, a case can be built to discover a previously hidden infection.
How and When?
Behavior analysis can be used to answer how and when. By profiling the behavior of individual devices, IT organizations can differentiate between human-based activity and that of automated software. Listening to the device’s Internet-bound communication attempts enables the discovery of automated communications such as temporal-based anomalies (when), domain fluxing activity (how), or non-benign peer-to-peer attempts (how).
What?
The content of communications during the exploitation and command-and-control phases can serve as evidence of an infection. When a device is on the corporate network, signature-less identification and real-time analysis of the files transferred to or from a device can indicate potential infections and provide clues as to what infection is present.
Where and Who?
Profiling where a device is communicating on the Internet can reveal command-and-control activity. By comparing the where and who a device is communicating with the how and when the communication occurs, IT organizations can pinpoint a hidden infection. However, beware the amount of noise and false positives that blacklists can generate, and consider the relationships of shady Internet destinations to malware families and to the attacker, as threat actors are not limited to one type of malware or one malicious destination.
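One way to turn the how, when and where/who checks above, together with the rule that a single answered question is not sufficient evidence, into detection logic is shown below. This is an added example, not code from the original article or from Damballa's products. The DNS and flow log lines, domain names, addresses and the reputation list are constructed sample data, and the thresholds (three failed lookups, 3 bits of label entropy, four connections, 10% interval variation) are illustrative assumptions rather than published figures. The "what" question (file content analysis) is not covered here.

```python
"""Network-based threat discovery over constructed DNS and flow logs.

Added example (not part of the original article or any vendor product).
Each detector answers one of the article's questions for a device; a
device is reported only when two or more distinct questions have evidence.
All log lines, names, addresses and thresholds are constructed/assumed.
"""
import math
from collections import defaultdict
from statistics import mean, pstdev

# Constructed DNS log: "<epoch> <device> <query name> <rcode>"
DNS_LOG = """\
1000 10.1.1.5 mail.example.com NOERROR
1002 10.1.1.5 kq7zx2p9d1.info NXDOMAIN
1003 10.1.1.5 m3vb8rt0wl.info NXDOMAIN
1004 10.1.1.5 zp4hy6nc1q.info NXDOMAIN
1005 10.1.1.5 x8wq2dk7fj.biz NXDOMAIN
1010 10.1.1.7 www.example.org NOERROR
1020 10.1.1.7 cdn.example.net NOERROR
1030 10.1.1.7 typo.exmaple.com NXDOMAIN
"""

# Constructed flow log: "<epoch> <device> <destination ip> <destination port>"
FLOW_LOG = """\
1000 10.1.1.5 198.51.100.44 443
1300 10.1.1.5 198.51.100.44 443
1600 10.1.1.5 198.51.100.44 443
1900 10.1.1.5 198.51.100.44 443
2200 10.1.1.5 198.51.100.44 443
1005 10.1.1.7 198.51.100.20 443
1047 10.1.1.7 198.51.100.20 443
1310 10.1.1.7 203.0.113.9 80
1900 10.1.1.7 198.51.100.20 443
"""

# Constructed reputation list (stands in for a noisy blacklist feed).
BAD_DESTINATIONS = {"203.0.113.9"}


def shannon_entropy(s: str) -> float:
    """Bits per character; algorithmically generated labels score high."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0


def parse_dns(text):
    rows = []
    for line in text.strip().splitlines():
        ts, dev, qname, rcode = line.split()
        rows.append((int(ts), dev, qname, rcode))
    return rows


def parse_flows(text):
    rows = []
    for line in text.strip().splitlines():
        ts, dev, dst, port = line.split()
        rows.append((int(ts), dev, dst, int(port)))
    return rows


def detect_domain_fluxing(dns_rows, min_nx=3, min_entropy=3.0):
    """HOW: many failed lookups of high-entropy names suggest domain fluxing."""
    nx = defaultdict(list)
    for _, dev, qname, rcode in dns_rows:
        if rcode == "NXDOMAIN":
            labels = qname.split(".")
            # Second-level label; a simplification (no public suffix list).
            nx[dev].append(shannon_entropy(labels[-2] if len(labels) > 1 else labels[0]))
    return {dev: f"{len(e)} NXDOMAIN lookups, mean label entropy {mean(e):.2f} bits"
            for dev, e in nx.items() if len(e) >= min_nx and mean(e) >= min_entropy}


def detect_beaconing(flow_rows, min_conns=4, max_cv=0.1):
    """WHEN: near-constant intervals to one destination look machine-driven."""
    times = defaultdict(list)
    for ts, dev, dst, port in flow_rows:
        times[(dev, dst, port)].append(ts)
    found = {}
    for (dev, dst, port), ts_list in times.items():
        if len(ts_list) < min_conns:
            continue
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        cv = pstdev(gaps) / mean(gaps) if mean(gaps) > 0 else float("inf")
        if cv <= max_cv:
            found[dev] = f"{len(ts_list)} connections to {dst}:{port} every ~{mean(gaps):.0f}s"
    return found


def detect_bad_destinations(flow_rows, bad):
    """WHERE/WHO: contact with a listed destination; noisy on its own."""
    return {dev: f"contacted listed destination {dst}"
            for _, dev, dst, _ in flow_rows if dst in bad}


def corroborate(dns_text, flow_text, bad, min_questions=2):
    """Report a device only when two or more questions are answered."""
    dns_rows, flow_rows = parse_dns(dns_text), parse_flows(flow_text)
    evidence = defaultdict(dict)
    for question, hits in (("how", detect_domain_fluxing(dns_rows)),
                           ("when", detect_beaconing(flow_rows)),
                           ("where", detect_bad_destinations(flow_rows, bad))):
        for dev, detail in hits.items():
            evidence[dev][question] = detail
    return {dev: qs for dev, qs in evidence.items() if len(qs) >= min_questions}


if __name__ == "__main__":
    for dev, qs in corroborate(DNS_LOG, FLOW_LOG, BAD_DESTINATIONS).items():
        print(dev)
        for question, detail in qs.items():
            print(f"  {question}: {detail}")
```

In the constructed data, 10.1.1.5 is reported because the how (failed lookups of high-entropy names) and when (connections every 300 seconds to one address) evidence corroborate each other, even though its destination appears on no list. 10.1.1.7 touches a listed address once but shows no behavioural evidence, so the single where/who hit is treated as the kind of blacklist noise the text warns about and the device is not reported.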
Putting the information together
Today’s advanced threats are dynamic. Therefore, answers to the questions how, when, what, where and who must be gathered from the network in real time. In addition, information-gathering techniques must adapt to the attacker’s changing targets, algorithms, domains and everything else they use in the kill chain.
Few organizations have the ability to build tools themselves that meet these requirements. Organizations may want to consider a solution that can gather the pertinent answers to how, when, what, where and who in real time, as well as assess those answers to corroborate evidence and discover advanced threat infections. With the proper solution – one that has a full deep-packet inspection engine and a framework that allows new detection techniques to be added as threats evolve – IT organizations can achieve the goal of shortening the time between a compromise (infection) and detection.
Brian Foster is the CTO of Damballa (www.damballa.com).
Edited by Stefania Viscusi