Charles Leaver – The Reasons Why Narrow Indicators Of Compromise Are Not Sufficient For Total Endpoint Monitoring

Presented By Charles Leaver And Written By Dr Al Hartmann Of Ziften Inc.


The Breadth Of The Indicator – Broad Versus Narrow

An extensive report on a cyber attack will usually provide details of indicators of compromise. Frequently these are narrow in scope, referencing a specific attack group as observed in a particular attack on one enterprise over a limited time period. Usually these narrow indicators are specific artifacts of the observed attack that may, by themselves, constitute definite proof of compromise. For that attack they have high specificity, but frequently at the cost of low sensitivity to similar attacks that use different artifacts.

Basically, narrow indicators have very limited scope, which is why they exist by the billions in ever-expanding databases of malware signatures, suspicious network addresses, malicious registry keys, file and packet content snippets, file paths, intrusion detection rules and so on. Ziften's continuous endpoint monitoring solution aggregates some of these third-party databases and threat feeds into the Ziften Knowledge Cloud, to benefit from known-artifact detection. These detection elements can be applied in real time as well as retrospectively. Retrospective application is vital given the short-lived nature of these artifacts, since attackers constantly alter and conceal the details of their attacks to frustrate this narrow IoC detection technique. This is why a continuous monitoring solution must archive monitoring results for a long period (relative to industry-reported typical attacker dwell times) to provide a sufficient lookback horizon.

Narrow IoCs have significant detection value, but they are largely ineffective at detecting new attacks by skilled adversaries. New attack code can be pre-tested against common enterprise security products in a lab environment to confirm that it reuses no detectable artifacts. Security products that operate purely as black/white classifiers, i.e. that deliver an explicit verdict of malicious or benign, suffer from this weakness: the approach is very easily evaded. The protected organization is likely to be thoroughly compromised for months or years before any detectable artifacts for that particular attack instance are identified (after intensive investigation).

In contrast to the ease with which attack artifacts can be obscured by standard attacker toolkits, the characteristic techniques and tactics – the modus operandi – used by attackers have persisted over many years. Typical techniques such as weaponized websites and documents, new service installation, vulnerability exploitation, module injection, modification of sensitive folders and registry areas, new scheduled tasks, memory and disk corruption, credential compromise, malicious scripting and many others are broadly common. Proper system logging and monitoring can detect much of this characteristic attack activity when suitably paired with security analytics that focus attention on the highest-risk observations. This removes the attacker's opportunity to pre-test the evasiveness of malicious code, because the quantification of risk is not black and white but nuanced shades of gray. In particular, all endpoint risk is variable and relative across any network/user environment and time period, and that environment (and its temporal characteristics) cannot be duplicated in any lab. The attacker's essential concealment methodology is foiled.
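To make the contrast concrete, here is an added example (not Ziften's code) that runs both approaches over constructed endpoint telemetry: exact-artifact matching against a narrow IoC list, and a behavioral score that weights the technique families listed above by how rare each is across the monitored fleet. All hosts, hashes, paths, weights and the fleet size are constructed placeholders.

```python
from collections import defaultdict

# Constructed narrow IoCs from one previously analysed campaign (placeholders, not real indicators).
NARROW_IOCS = {"sha256:1111", r"C:\Users\Public\svch0st.exe"}

# Broad indicators: technique families named in the post, with constructed relative weights.
TECHNIQUE_WEIGHTS = {
    "new_service_install": 3,
    "new_scheduled_task": 2,
    "module_injection": 4,
    "office_spawns_script": 4,
    "registry_run_key_modified": 2,
}
FLEET_SIZE = 10  # monitored endpoints in this constructed environment

# Constructed telemetry: (host, technique, artifact). ws-07 runs a rebuilt implant whose hash
# and path differ from the published IoCs; ws-01..05 received a legitimate agent rollout.
EVENTS = [
    ("ws-01", "new_service_install", "sha256:aaaa"),
    ("ws-02", "new_service_install", "sha256:aaaa"),
    ("ws-03", "new_service_install", "sha256:aaaa"),
    ("ws-04", "new_service_install", "sha256:aaaa"),
    ("ws-05", "new_service_install", "sha256:aaaa"),
    ("ws-07", "new_service_install", "sha256:bbbb"),
    ("ws-07", "new_scheduled_task", r"C:\ProgramData\upd.exe"),
    ("ws-07", "module_injection", "sha256:bbbb"),
    ("ws-07", "office_spawns_script", "powershell.exe"),
    ("ws-09", "new_scheduled_task", "sha256:cccc"),
    ("ws-10", "registry_run_key_modified", r"C:\Users\Public\svch0st.exe"),
]


def narrow_hits(events, iocs):
    """Black/white matching: a host is flagged only if an exact artifact is on the list."""
    return {host for host, _, artifact in events if artifact in iocs}


def relative_risk(events, weights, fleet_size):
    """Score each host by technique weight scaled by rarity across the fleet: a technique seen
    on many hosts (a software rollout) is discounted, one seen on a single host is amplified."""
    hosts_with = defaultdict(set)
    for host, technique, _ in events:
        hosts_with[technique].add(host)
    scores = defaultdict(float)
    for technique, hosts in hosts_with.items():
        for host in hosts:
            scores[host] += weights[technique] * fleet_size / len(hosts)
    return {host: round(score, 2) for host, score in scores.items()}
```

The narrow list catches only ws-10, the host still carrying an old artifact, while the rebuilt implant on ws-07 produces no IoC hit yet ranks far above the rollout hosts on the relative score.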

In future posts we will examine Ziften endpoint risk analysis in greater detail, along with the vital relationship between endpoint security and endpoint management. “You can’t secure what you don’t manage, you cannot manage what you don’t measure, you can’t measure what you do not track.” Organizations get breached because they have less oversight and control of their endpoint environment than the attackers do. Watch for future posts…