In the recent times we have seen how from Yahoo to Equifax the breaches even at the National Security Agency. The only thing that seems to be consistent is that the sophistication of these attacks are growing. Interestingly, the data exfiltration still remains a mystery as they are hard to be detected. The attacker still manages to remain undetected for a period of 99-days. In some case they remain undetected for months and years, and that gives them enough power to and time to leak out important or sensitive data, intellectual property, bank dtails and off course social security numbers.
This is something that sounds so strange, because going at this level, the industry needs to find new and better way to counter such attacks. The dire situation was to detect breaches and to push the malicious code in to the network to trash, and safeguard data loss.
Nevertheless, the security experts are under pressure to act and bring in methodologies to curb such malicious operations. Systems that carries mammoth of information and data should have a thing where it could react or alert when malicious activity happens. Again, when you look at the thousands of alerts that you get on a day, it becomes extremely difficult to understand which alert is critical.
Shedding Alert Paralysis
Too much alert at too much intervals isn’t helping to implement new and better security analysis. The pace at which the sophistication of threat is happening, which clearly means one needs to change the approach and process. Already perplexed with alert management, the best way to deal with it is to find ways that helps in the long run.
The problem is complex and may test your nerve, but that is not going to help you at large. Keeping a tab on the log to analyze may look futile task, but it could be a way to get started. It’s no rocket science involved to understand that to aim for 100 percent detection for the time being may not work, but you need to initiate. Chalk out the issues and get started with log source in your network.
Security experts believe that even you have one log source to keep a track, it’s a good sign. Start with DNS logs since it holds all the information about the visitors from where they visited. Keep a record of each day’s DNS logs, and then put in place monitoring control detection system to find the detection mechanism, that is associated with data breaches.
Know Abnormal, Find Evil
“Know Abnormal … Find Evil” a term coined by SANS institute in its Digital Forensics and Incident Response Program, can get you started quickly and can pay dividends. Here’s a short list of ways to review your DNS logs each day.
Compare each requested domain against a freely available list of say, the top 1 million domains (such as the Majestic list). In most organizations, it’s abnormal for users to visit such unusual sites, so activity associated with domains that are NOT on this list immediately identifies activity that might need investigation.
Check the “age” of each requested domain using resources such as domain tools to see if any are very new (created in the past few days or weeks, for example). In most organizations, it’s abnormal for users to visit such recently created sites, and these young domains may be associated with temporary phishing sites, ransomware or malware botnet sites, so systems accessing these sites should be investigated.
Create a baseline of the number of DNS requests generated by your infrastructure each day. If the number of requests is abnormal for a given day, it could represent some kind of abuse or exfiltration of data over the DNS protocol.
Digging a bit deeper into the DNS protocol, use your data platform to monitor the number of distinct subdomains requested for each domain present in your DNS logs. You may need to filter out popular sites such as AWS and Dropbox. After doing so, any sites with an abnormally large number of distinct subdomains could be an indication of data exfiltration by encoding it and including it in the subdomain field of DNS requests, a technique sometimes called DNS tunneling. Systems involved in this type of activity should be investigated immediately.
Better, Faster Automated Anomaly Detection
Today’s SIEM systems play an important role in monitoring security events, and with some amount of manual effort could be used to implement the basic DNS log analysis described above. However, you’ll get significant ongoing benefits by speeding and automating these checks. That may sound obvious, but automating these basic detection techniques may require you to augment your existing platform with technology that adds an analytics layer on top of your SIEM.
That’s where a practical application of machine learning comes in. In threat and breach detection, machine learning provides an arsenal of “algorithmic assistants” that help security teams automate the analysis of security-relevant log data by looking for potentially incriminating anomalies and patterns—but under the direction of human security experts.
Let’s take a closer look at how one of the detection techniques described above (Detecting DNS Tunneling) could be improved and automated with machine learning-based techniques.
Because DNS network traffic isn’t generally blocked by firewall policies it has become an attractive channel for sending unauthorized or malicious communication—essentially tunneling under an organization’s existing security defenses. There are many examples of malware, such as the Framework POS malware that use this technique to infiltrate valuable data such as credit card numbers.
The security analysis tools with machine learning tool can be configured to analyze DNS logs. It means the machine learning engine is instructed to create maintain a baseline of subdomain. Once it learns the baseline, it automatically analyzes newly received DNS log data and flags abnormal behavior.
One Data Source at a Time, Detect, Automate
The examples above cover only one small part of today’s threat landscape and an organization’s attack surface, and are not intended to be a silver bullet to securing an enterprise. Rather, they offer a pragmatic approach to the cybersecurity version of putting one foot in front of the other. Data breaches will happen, but armed with the approach described above, and modern security analytics tools, security teams can limit their exposure, improve overall security coverage, and ultimately, close that breach detection window.
Reference: Paquetteke, Mike (2017, December, 14). Faster Breach Detection, One Step at a Time