Charles Leaver – 5 Top User Endpoint Behaviors That You Need To Be Aware Of

Written By Dr Al Hartmann And Presented By Ziften CEO Charles Leaver

Standard security software is unlikely to detect attacks targeted at a specific company. The attack code will typically be remixed to evade known malware signatures, and fresh command-and-control infrastructure will be stood up to avoid blacklisted network contacts. Defending against these fresh, targeted attacks requires defenders to identify more generic attack characteristics than can be found in endless lists of known Indicators of Compromise (IoCs) from previously analyzed attacks.

Unless you have a time machine to retrieve IoCs from the future, known IoCs will not help with fresh attacks. For that, you have to watch for suspicious behaviors of users or endpoints that could indicate ongoing attack activity. These suspicion-arousing behaviors won't be as conclusive as a malware signature match or an IP blacklist hit, so they will require analyst triage to validate. Insisting on certainty before raising alerts means that new attacks will successfully evade your automated defenses. It would be like a parent ignoring a child's suspicious behavior until they get a call from the police. You do not want that call from the FBI telling you your enterprise has been breached when due analyst attention to suspect behaviors would have provided early detection.

Security analytics of observed user and endpoint behavior seeks to recognize attributes of potential attack activity. Here we highlight a few of those suspect behaviors in general terms. They function as cyber attack tripwires, alerting defenders to potential attacks in progress.

Anomalous Login Activity

Users and organizational units exhibit learnable login activity patterns that can be examined for anomalous departures. Anomalies can be either spatial, i.e. anomalous with respect to peers, or temporal, i.e. anomalous with respect to that user's or endpoint's earlier login pattern. Remote logins can be evaluated by remote IP address and geolocation, and login entropy can be computed and compared. Non-administrative users logging into numerous systems can be observed and reported, as this differs from expected patterns.
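As an added example (not code from the original post or from Ziften's product), the following Python checks constructed login records for the two anomaly types described above: temporal (a user logging in at an hour far from their own earlier pattern) and spatial (a non-admin user reaching far more distinct hosts than their peers). The sample records, thresholds and admin account list are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample login records (user, host, "YYYY-MM-DD HH:MM"); not real data.
SAMPLE_LOGINS = [
    ("alice", "ws-01", "2024-03-04 09:05"), ("alice", "ws-01", "2024-03-05 09:40"),
    ("alice", "ws-01", "2024-03-06 10:15"), ("alice", "ws-01", "2024-03-07 03:12"),
    ("bob", "ws-02", "2024-03-04 08:30"), ("bob", "ws-02", "2024-03-07 09:30"),
    ("carol", "ws-03", "2024-03-04 09:10"), ("carol", "srv-fs", "2024-03-05 14:00"),
    ("dave", "ws-04", "2024-03-04 09:00"), ("dave", "srv-db", "2024-03-07 02:10"),
    ("dave", "srv-fs", "2024-03-07 02:15"), ("dave", "srv-hr", "2024-03-07 02:20"),
    ("dave", "ws-01", "2024-03-07 02:25"), ("dave", "ws-02", "2024-03-07 02:30"),
]
ADMINS = {"backup-svc"}  # hypothetical admin accounts, excluded from peer comparison

def parse(records):
    return [(u, h, datetime.strptime(ts, "%Y-%m-%d %H:%M")) for u, h, ts in records]

def temporal_anomalies(records, review_date, tolerance_hours=2):
    """Flag logins on review_date (YYYY-MM-DD) whose hour is not within
    tolerance_hours of any hour the same user logged in at on earlier days."""
    review_day = datetime.strptime(review_date, "%Y-%m-%d").date()
    baseline = defaultdict(set)  # user -> login hours seen before the review day
    for user, _, ts in parse(records):
        if ts.date() < review_day:
            baseline[user].add(ts.hour)
    flagged = []
    for user, host, ts in parse(records):
        if ts.date() != review_day or not baseline[user]:
            continue  # no history yet: nothing to compare against
        if min(abs(ts.hour - h) for h in baseline[user]) > tolerance_hours:
            flagged.append((user, host, ts.strftime("%Y-%m-%d %H:%M")))
    return flagged

def spatial_anomalies(records, admins=ADMINS, k=2.0):
    """Flag non-admin users whose distinct-host count exceeds the mean plus
    k standard deviations of their peers' counts (leave-one-out comparison)."""
    hosts = defaultdict(set)
    for user, host, _ in parse(records):
        if user not in admins:
            hosts[user].add(host)
    counts = {u: len(h) for u, h in hosts.items()}
    flagged = []
    for user, n in counts.items():
        peers = [c for u, c in counts.items() if u != user]
        if len(peers) >= 2 and n > mean(peers) + k * pstdev(peers):
            flagged.append((user, n))
    return flagged
```

Both functions return candidates for analyst triage rather than verdicts; on real data the baseline window and the tolerance would be tuned per organizational unit.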

Anomalous Work Practices

Working outside typical work hours or outside established patterns of work activity can be suspect, a sign of insider threat activity or of compromised credentials. Again, anomalies may be either spatial or temporal in nature. The active process mix of the workload can likewise be examined for adherence to established workgroup activity patterns. Workloads may vary somewhat, but tend to be reasonably consistent across engineering departments, accounting departments, marketing departments, and so on. Work activity patterns can be machine learned and statistical divergence tests applied to find behavioral anomalies.

Anomalous Application Attributes

Common applications exhibit relatively consistent attributes in their image metadata and in their active process profiles. Significant departures from these observed norms can be a sign of application compromise, such as code injection. Whitelisted applications may be used by malware scripts in unusual ways, such as ransomware using system tools to delete volume shadow copies to stymie recovery, or malware staging stolen data to disk prior to exfiltration, with substantial disk resource demand.

Anomalous Network Activity

Typical applications exhibit reasonably consistent network activity patterns that can be learned and characterized. Unusual levels of network activity by unusual applications are suspect for that reason alone, as is unusual port activity or port scanning. Network activity at unusual times, with unusual regularity (possible beaconing), or with unusual resource demand is also worth attention. Unattended network activity (user not present) must always have a plausible explanation or be reported, particularly if observed in significant volume.

Anomalous System Fault Behavior

Anomalous fault behavior could indicate a vulnerable or exposed system, or malware that is repeatedly retrying some failed operation. This may be observed as applications crashing or hanging, as service failures, or as system crashes. Compliance faults are also worth noting, such as not running mandated security or backup agents, or persistent faulting by those agents (causing a fault-restart-fault cycle).

When evaluating Endpoint Detection and Response software, don't take false comfort in a huge library of known IoCs. The most effective products will cover these top five generic attack characteristics plus a whole lot more.