Chuck Leaver – Narrow Indicators Of Compromise Are Not Sufficient For Total Endpoint Monitoring

Presented By Chuck Leaver And Written By Dr Al Hartmann Of Ziften Inc.

The Breadth Of The Indicator – Broad Versus Narrow

A thorough report on a cyber attack will usually supply a list of indicators of compromise (IoCs). These are frequently narrow in scope: they reference a specific attack group as seen in a specific attack against one organization over a limited period of time. Typically these narrow indicators are particular artifacts of an observed attack that on their own constitute specific evidence of compromise. For that attack they have high specificity, but usually at the expense of low sensitivity to similar attacks that use different artifacts.

In short, narrow indicators have very limited scope, which is why they exist by the billions in constantly growing databases of malware signatures, suspicious network addresses, malicious registry keys, file and packet content snippets, file paths, intrusion detection rules and so on. Ziften's continuous endpoint monitoring solution aggregates a number of these third-party databases and threat feeds into the Ziften Knowledge Cloud to take advantage of known-artifact detection. These detection factors can be applied both in real time and retrospectively. Retrospective application matters because these artifacts are short-lived: attackers continually change the observable details of their attacks precisely to frustrate this narrow IoC detection method, so an indicator is often published only after the activity it describes has already been present for some time. This is why a continuous monitoring solution should archive monitoring results for a long period (long relative to industry-reported typical attacker dwell times), to provide an adequate lookback horizon.
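The following is an added example, not Ziften's code, of what "retrospective application" of narrow IoCs looks like in practice and why the lookback horizon matters. It walks a constructed archive of endpoint artifacts (hashes and remote IPs, with hostnames, dates and a threat feed all made up for illustration) and applies indicators that were published months after the artifacts were first seen. With a 30-day archive the earliest compromise is invisible; with a 200-day archive the original dropper and first beacon are found.

```python
"""Retrospective narrow-IoC matching over an endpoint event archive.

Added example (not Ziften's code): shows why the archive's lookback horizon
must exceed typical attacker dwell time. Hashes, IPs, hostnames, dates and
the threat feed are all constructed for illustration.
"""
from datetime import datetime, timedelta

# Constructed endpoint telemetry archive: one record per observed artifact.
ARCHIVE = [
    {"ts": datetime(2016, 1, 5), "host": "ws-017", "kind": "sha256",
     "value": "a3f1" * 16},                      # dropper first seen
    {"ts": datetime(2016, 1, 6), "host": "ws-017", "kind": "ip",
     "value": "203.0.113.44"},                  # first beacon (TEST-NET-3 address)
    {"ts": datetime(2016, 3, 20), "host": "ws-042", "kind": "ip",
     "value": "203.0.113.44"},                  # lateral spread, same address
    {"ts": datetime(2016, 4, 1), "host": "ws-042", "kind": "sha256",
     "value": "b7c2" * 16},                      # unrelated build tool
]

# Constructed threat feed: each indicator and the date it was published.
# Publication trails the first observation by roughly three months.
FEED = [
    {"kind": "sha256", "value": "a3f1" * 16, "published": datetime(2016, 4, 10)},
    {"kind": "ip", "value": "203.0.113.44", "published": datetime(2016, 4, 10)},
]

NOW = datetime(2016, 4, 15)   # constructed "today" for the examples below


def retrospective_matches(archive, feed, now, lookback_days):
    """Apply narrow IoCs to every archived event inside the lookback window.

    Returns matches sorted by time. gap_days is how long the artifact was
    visible before its indicator was published: the window a real-time-only
    approach would have missed entirely.
    """
    horizon = now - timedelta(days=lookback_days)
    indicators = {(i["kind"], i["value"]): i["published"] for i in feed}
    hits = []
    for ev in archive:
        if ev["ts"] < horizon:
            continue                         # aged out of the archive
        key = (ev["kind"], ev["value"])
        if key in indicators:
            gap = (indicators[key] - ev["ts"]).days
            hits.append({"ts": ev["ts"], "host": ev["host"],
                         "kind": ev["kind"], "gap_days": max(gap, 0)})
    return sorted(hits, key=lambda h: h["ts"])


def earliest_compromise(archive, feed, now, lookback_days):
    """Earliest matched event, or None if the window hides all of them."""
    hits = retrospective_matches(archive, feed, now, lookback_days)
    return hits[0]["ts"] if hits else None


if __name__ == "__main__":
    for days in (30, 200):
        hits = retrospective_matches(ARCHIVE, FEED, NOW, days)
        first = earliest_compromise(ARCHIVE, FEED, NOW, days)
        print(f"lookback {days:>3} days: {len(hits)} hit(s), earliest {first}")
        for h in hits:
            print(f"  {h['ts'].date()} {h['host']} {h['kind']} "
                  f"visible {h['gap_days']} days before the indicator was published")
```

Run as a script it reports one hit and an earliest compromise of 2016-03-20 for the 30-day window, versus three hits going back to 2016-01-05 for the 200-day window; the second host's infection would have been treated as the initial intrusion had the archive been short.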

Narrow IoCs have real detection value, but they are largely ineffective at detecting new attacks by skilled attackers. New attack code can be pre-tested against common enterprise security products in a lab environment to confirm that it reuses no detectable artifacts. Security products that work purely as black/white classifiers, delivering a definite verdict of malicious or benign, suffer from this weakness: that approach is very easily evaded. The targeted organization is then likely to be thoroughly compromised for months or years before any detectable artifacts can be identified (after extensive investigation) for that particular attack.

In contrast to the ease with which attack artifacts can be obscured by ordinary attacker toolkits, the particular methods and techniques, the modus operandi, used by attackers have persisted over many years. Common techniques such as weaponized websites and documents, new service installation, vulnerability exploitation, module injection, modification of sensitive folders and registry locations, newly scheduled tasks, memory and disk corruption, credential compromise, malicious scripting and many others are broadly shared. Proper system logging and monitoring can detect a great deal of this attack activity when it is combined with security analytics that prioritize the highest-risk observations. This removes the attacker's opportunity to pre-test the evasiveness of malicious code, because the quantification of risk is not black and white but nuanced shades of gray. In particular, all endpoint risk is variable and relative, across any given network and user environment and over time, and that environment (with its temporal characteristics) cannot be replicated in any lab. The basic attacker concealment approach is foiled.
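To make the "shades of gray, relative to the environment" point concrete, here is an added example, not Ziften's analytics, of a graded behavioural risk score. It takes a few of the durable techniques listed above (new service, scheduled task, an Office application spawning a script interpreter, access to the LSASS process) and scales each technique's weight by how rare the specific artifact is across the monitored fleet. The hostnames, process and service names, technique weights and the event log are all constructed; the weights in particular are illustrative, not calibrated values. Because the score depends on fleet-wide prevalence, an attacker cannot reproduce it in a lab: the same new service is a non-event when every host has it and a strong signal when one host has it.

```python
"""Graded, environment-relative endpoint risk scoring over constructed events.

Added example (not Ziften's code): weights a handful of durable attacker
techniques and scales each by the rarity of the observed artifact across
the fleet, so identical actions score differently in different environments.
Hostnames, process/service names, weights and the event log are constructed.
"""
from collections import Counter, defaultdict

# Constructed fleet telemetry: (host, technique, artifact). The artifact is
# the specific thing observed (service name, task name, parent->child pair)
# so rarity is computed per artifact rather than per technique.
EVENTS = [
    ("ws-001", "new_service", "CcmExec"),            # management agent, fleet-wide
    ("ws-002", "new_service", "CcmExec"),
    ("ws-003", "new_service", "CcmExec"),
    ("ws-004", "new_service", "CcmExec"),
    ("ws-005", "new_service", "CcmExec"),
    ("ws-003", "new_service", "wmiupdsvc"),          # one-off service on one host
    ("ws-003", "scheduled_task", "wmiupdsvc-sync"),
    ("ws-003", "office_spawns_script", "WINWORD.EXE->powershell.exe"),
    ("ws-003", "lsass_access", "powershell.exe"),
    ("ws-004", "office_spawns_script", "EXCEL.EXE->cscript.exe"),
    ("ws-002", "scheduled_task", "GoogleUpdateTaskMachineUA"),
    ("ws-005", "scheduled_task", "GoogleUpdateTaskMachineUA"),
]

# Constructed base weights: how much each technique raises concern on its own.
TECHNIQUE_WEIGHT = {
    "new_service": 2.0,
    "scheduled_task": 1.5,
    "office_spawns_script": 4.0,
    "lsass_access": 6.0,
}


def artifact_prevalence(events):
    """Fraction of monitored hosts on which each (technique, artifact) was seen."""
    hosts = {h for h, _, _ in events}
    seen_on = defaultdict(set)
    for host, technique, artifact in events:
        seen_on[(technique, artifact)].add(host)
    return {k: len(v) / len(hosts) for k, v in seen_on.items()}


def host_risk(events):
    """Graded risk per host: sum of technique weights scaled by artifact rarity.

    rarity = 1 - prevalence, so fleet-wide behaviour (prevalence 1.0)
    contributes nothing and a single-host artifact contributes most of its
    weight. Several rare techniques chained on one host compound.
    """
    prevalence = artifact_prevalence(events)
    scores = Counter()
    for host, technique, artifact in events:
        rarity = 1.0 - prevalence[(technique, artifact)]
        scores[host] += TECHNIQUE_WEIGHT[technique] * rarity
    return dict(scores)


def ranked_hosts(events):
    """Hosts ordered from highest to lowest risk, ties broken by name."""
    risk = host_risk(events)
    return sorted(risk, key=lambda h: (-risk[h], h))


if __name__ == "__main__":
    risk = host_risk(EVENTS)
    for host in ranked_hosts(EVENTS):
        print(f"{host}: {risk[host]:.2f}")
```

With this constructed fleet ws-003 ranks first with a score of 10.8 (four rare artifacts, including the Office-to-PowerShell chain and LSASS access), ws-004 second at 3.2 for a single rare Office-spawned script, the two hosts carrying a shared updater task score 0.9 each, and ws-001, whose only observation is the fleet-wide management service, scores 0. Nothing is declared "malicious" or "benign"; the analyst gets an ordered list, and the ordering shifts as the environment changes.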

In future posts we will examine Ziften endpoint risk analysis in more detail, as well as the important relationship between endpoint security and endpoint management. "You can't protect what you don't manage, you can't manage what you don't measure, you can't measure what you don't track." Organizations get breached because they have less oversight and control of their endpoint environment than the attackers have. Keep an eye out for future posts…

~leaverchuck1

