Identify Malicious Activity
Learning Objectives
After completing this unit, you’ll be able to:
- Explain the difference between threat intelligence and threat hunting.
- List the tools threat intelligence analysts use to identify malicious activity.
- Describe how to detect malicious activity within and across the cyber kill chain.
- Explain how to detect and monitor fraudulent user behavior.
- Describe the importance of minimizing breach detection delay.
Threat Intelligence Versus Threat Hunting
New cyber risks and threats arise daily. As a threat intelligence analyst, you take an active role to prepare your organization to handle and survive these threats. A spacecraft on a voyage of discovery needs to be able to identify malicious activity, whether it be an incoming asteroid, a black hole, or an alien being. Likewise, as a threat intelligence analyst, you identify malicious activity, detecting threat actors who are targeting your organization or have breached your systems. Your goal is to help your organization be cyber resilient by identifying malicious activity and minimizing breach detection delay, just like an astronaut seeks to guide their spacecraft to safety by quickly identifying and resolving any issues.
As a threat intelligence analyst, the information you produce identifies attack trends, and improves your organization’s security posture. But there’s more to defending your organization than just identifying and investigating known threats.
Threat hunting is the process of actively looking for bad actors on the network, with the goal of reducing the time between when your protections fail and when you respond. Threat intelligence and threat hunting are two distinct but complementary disciplines. As a threat intelligence analyst you may only be responsible for detecting and investigating existing threats. Or you may also perform threat hunting to identify threats even when they have not yet been seen in the wild. The responsibilities of your role depend on the size and structure of the organization you work for, and on which services are outsourced.
Let’s take a closer look at the functions of threat hunting that may be part of your job as a threat intelligence analyst. Regardless of whether you perform these functions yourself or rely on another team or vendor, it’s beneficial to be aware of them.
Tools for Identifying Malicious Activity
How can you identify malicious activity as quickly as possible and respond effectively to minimize damage? Threat intelligence analysts use a variety of tools to identify suspicious behavior on the network and act as an early warning system.
Software Tool
|
Use
|
---|---|
Intrusion Detection System (IDS) |
Analyzes activity on the network to search for patterns and indicators of known threats, raises flags for suspicious activity, and sends alerts to the IT team. |
Endpoint Detection and Response (EDR) |
In addition to doing the same thing as an IDS, it also takes action to block the suspicious activity and prevent the attack. |
Security Incident and Event Management (SIEM) |
Manages the volume of signals and data and correlates the information for a centralized view of the IT infrastructure. It helps monitor, record, and analyze network activity to identify potential security incidents. |
User Behavior Analytics (UBA) |
Establishes a baseline of what “normal” looks like on a network and provides real-time monitoring of traffic and activity to detect any unusual activity, events, or trends. |
Identify Malicious Activity Using the Cyber Kill Chain
Threat intelligence analysts make use of models to help them respond to threats in a systematic way. Some examples include the MITRE ATT&CK and Diamond Model, and the cyber kill chain. Let’s take a closer look at the cyber kill chain, which traces an attack from the time the threat begins until the attacker extracts data from a compromised system. Each phase of the kill chain is an opportunity to stop a cyberattack in progress. Let’s take a look at each phase.
Phase
|
Description
|
Example
|
---|---|---|
Reconnaissance |
Attackers observe an organization from the outside-in to identify targets for the attack. |
Attackers collect information on intended targets by searching social media. |
Weaponization |
The threat actor develops malware or uses commodity malware designed to be opened (attachment) or followed (link) by the victim, using compelling information discovered during the reconnaissance phase. |
Embedding a malicious link in a PDF, adding zipped malicious attachments using spear phishing themes, malicious documents with specially crafted macros, and so on. |
Delivery |
Transmission of the weapon to the targeted environment. |
Delivery methods may include social engineering emails (spear phishing); watering hole attacks; exploiting vulnerable internet-exposed services, such as websites; or infecting USB removable media. |
Exploitation |
Attackers compromise the system, network, or users for a foothold. |
Actions that may indicate malicious activity at this stage include anomalous connections, suspicious code uploads or downloads, or deviations in user behaviors. For example, if a new account is added to a privileged group, or a user accesses a system they don’t typically touch, this may warrant further investigation. |
Installation |
Attackers install malware to allow them to access data or maintain persistence inside the environment. |
An attacker installs a backdoor on the victim system. |
Command and Control |
The compromised host communicates with an attacker-controlled external host for the purposes of data exfiltration, malware configurations, and compromise persistence. |
A compromised machine may include abnormal outbound activity, such as connections to or from known malicious IP addresses or domains. |
Actions on Objectives |
Depending on the attacker’s goal, this can take the form of extracting data out of a compromised system, tampering with data, uploading malicious files, or any other number of actions. |
One way to detect this is if you observe unusual amounts of data moving in or out of a system, or unusual connections. |
To help in the identification of malicious activity earlier in the cyber kill chain, threat intelligence analysts can prioritize alerts, and use a SIEM to aggregate and normalize events, and help prioritize alerts. They can map alerts to the stages of the cyber kill chain to help this prioritization process. For example, alerts mapped to later stages of the cyber kill chain should be associated with a higher priority because they indicate an attack in a more advanced stage.
Identify and Monitor Suspicious Users and Devices
You now understand a bit more how to use the cyber kill chain, to identify and respond to threats. But how exactly do you pinpoint suspicious user and device behavior? It all comes down to monitoring and investigating data, statistics, and activity patterns, similar to what you would do as a detective solving a crime. For example, you can look for attempts to bypass security controls, requests from insiders for clearance or higher-level access, or whether a user is accessing a workspace outside of normal working hours. All of these behaviors can indicate a potential threat.
To detect and monitor potential threats from devices and other entities across the network, you can look for unusual traffic, content, or use of technology. For example, an unusual network traffic spike during off-hours, using an unusual protocol, or data movement using unapproved applications such as personal webmail or web-based file managers can indicate a threat. Traffic going to an unauthorized geographic destination, such as a File Transfer Protocol (FTP) site in a high-risk country where your organization’s main competitor is located, can be another indication of something amiss.
If a user is accessing unauthorized harmful content, such as hate or pornography sites, or violating company policy by sharing internal, confidential information with external parties, this can indicate a potential threat and can expose the company to potential legal liabilities. Other things analysts look for include high volumes of unmonitored USB/mobile storage use, data exfiltration, inappropriate use of encryption, unusual offline activities, and high printing volumes off-hours. Each of these can serve as clues of malicious activity.
Minimize Breach Detection Delay
For many organizations who experienced data breaches, it can take over a month or more to discover they have been compromised. And the longer it takes an organization to detect a breach, the more potential harm an attacker can do.
The good news is there are tools that can help you as a threat intelligence analyst minimize breach detection delay and stop attacks faster. Automated investigation and response capabilities save time and effort correlating content, devices, and people at risk from threats in your organization. Analysts can use alerts from these tools to begin investigations. They can also help tune these tools by adding indicators and data provided by the security operations team. This allows analysts to jump in and help with active incidents.
Resources
-
PDF: Lockheed Martin: Seven Ways to Apply the Cyber Kill Chain with a Threat Intelligence Platform
-
External Site: National Institute of Standards and Technology (NIST): How to Detect a Cyber Attack Against Your Company
-
External Site: SANS Institute: ATT&CKing Threat Management: A Structured Methodology for Cyber Threat Analysis