Chuck Leaver – The Top 5 Suspicious Endpoint Behaviours To Watch For

Written By Dr Al Hartmann And Presented By Ziften CEO Chuck Leaver


Conventional security software applications are unlikely to detect attacks that are targeted to a specific organization. The attack code will more than likely be remixed to evade recognized malware signatures, while fresh command and control infrastructure will be stood up to evade recognized blacklisted network contacts. Preventing these fresh, specific attacks needs protectors to identify more generic attack characteristics than can be found in endless lists of known Indicators of Compromise (IoC’s) from previously evaluated attacks.

Unless you have a time machine to obtain IoC’s from the future, understood IoC’s won’t aid with new attacks. For that, you have to be alert to suspicious habits of users or endpoints that could be indicative of ongoing attack activity. These suspicion-arousing habits won’t be as definitive as a malware signature match or IP blacklist hit, so they will need analyst triage to verify. Insisting upon conviction certainty prior to raising notifications implies that fresh attacks will successfully evade your automated defenses. It would be equivalent to a parent overlooking suspicious child behavior without question till they get a call from the cops. You do not desire that call from the FBI that your enterprise has been breached when due expert attention to suspect behaviors would have supplied early detection.

Security analytics of observed user and endpoint habits seeks to recognize attributes of possible attack activity. Here we highlight a few of those suspect behaviors by way of general description. These suspect behaviors function as cyber attack tripwires, informing defenders to prospective attacks in progress.

Anomalous Login Activity

Users and organizational units display learnable login activity patterns that can be examined for anomalous departures. Abnormalities can be either spatial, i.e. anomalous with respect to peers, or temporal, i.e. anomalous with respect to that user/endpoint’s earlier login pattern. Remote logins can be examined for remote IP address and geolocation, and login entropy can be measured and compared. Non-administrative users logging into numerous systems can be observed and reported, as it differs from anticipated patterns.

Anomalous Work Routines

Working outside typical work hours or outside established patterns of work activity can be suspect or indicative of insider risk activity or jeopardized credentials. Again, abnormalities may be either spatial or temporal in nature. The work active process mix can also be evaluated for adherence to developed workgroup activity patterns. Workloads might vary somewhat, but tend to be relatively constant across engineering departments or accounting departments or marketing departments, and so on. Workload activity patterns can be machine learned and analytical divergence tests applied to spot behavioral abnormalities.

Anomalous Application Attributes

Common applications display relatively constant attributes in their image metadata and in their active procedure profiles. Significant departures from these observed activity norms can be indicative of application compromise, such as code injection. Whitelisted applications may be utilized by malware scripts in unusual methods, such as ransomware employing system tools to eliminate volume shadow copies to stymie healing, or malware staging thieved data to disk, prior to exfiltration, with considerable disk resource demand.

Anomalous Network Activity

Common applications show fairly constant network activity patterns that can be learned and identified. Unusual levels of network activity by uncommon applications are suspect because of that alone, as is unusual port activity or port scanning. Network activity at uncommon times or with uncommon consistency (perhaps beaconing) or unusual resource demand are also worthy of attention. Ignored network activity (user not present) ought to always have a possible description or be reported, specifically if observed in considerable volume.

Anomalous System Fault Behavior

Anomalous fault habits could be a sign of a vulnerable or unveiled system or of malware that is repeatedly reattempting some malfunctioning operation. This could be observed as applications crashing or hanging, as service failures, or as system crashes. Compliance faults are likewise worth noting, such as not running mandated security or backup agents, or consistent faulting by those agents (causing a fault-restart-fault cycle).

When trying to find Endpoint Detection and Response services, do not have a feeling of complacency even if you have a big library of recognized IOCs. The most efficient solutions will cover these top five generic attack qualities plus a whole lot more.


No Responses Yet to “Chuck Leaver – The Top 5 Suspicious Endpoint Behaviours To Watch For”

Leave a Reply