Anomaly Behavior Analysis: Your PC is now Stoned!
Stoned was the first virus I encountered. It was created in 1987 and was still active in the early 1990s. It was detected by an antivirus program with an updated database that matched patterns against infected files. This simple pattern matching method helped keep our systems secure.
In the late 1990s, the first "network antivirus" was developed, known as the Intrusion Detection/Prevention System (IDS/IPS). This system allowed for the detection of hostile activity on a network by matching known attack signatures. It was an ideal complement to firewall perimeter security, with some firewalls even integrating IDS/IPS features into their offerings in the early 2000s.
Initially, this knowledge-based attack detection approach seemed simple: if it's known, it can be detected, and if not, it can't. However, as attacks became more sophisticated, this principle was challenged. For instance, a web attack signature could easily be bypassed by using, in the attack payload, an encoding method unrecognized by the IDS signature. Ouch!
But in parallel, other detection methods began to appear that were not necessarily based on pattern matching but on anomaly detection. Antiviruses introduced heuristic methods to combat polymorphic viruses; IDS/IPS implemented "pre-processors" to detect protocol manipulation; and firewalls did the same when they evolved into their stateful form. Although in theory it sounds very nice, in practice a significant number of false positives were generated. In other words, the overhead necessary to detect a real attack was still very high and, sadly, very ineffective.
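The following Python is an added illustration, not code from the original post: it shows why a byte-for-byte signature misses the same payload once it is URL-encoded, and how the "pre-processor" idea from the paragraph above (decode and case-fold before matching) restores detection. The signature list and the request lines are constructed for the example.

```python
from urllib.parse import unquote

# Constructed, deliberately simplified "signatures" for the example; real IDS rule
# sets are far richer, but the matching problem is the same.
SIGNATURES = ["union select", "../"]

# Constructed request lines: one plain, one URL-encoded with mixed case, one benign.
SAMPLE_REQUESTS = {
    "plain":   "GET /search?q=1 union select 2 HTTP/1.1",
    "encoded": "GET /search?q=1%20UNION%20SELECT%202 HTTP/1.1",
    "benign":  "GET /files?name=report.pdf HTTP/1.1",
}


def naive_match(request_line: str) -> bool:
    """Knowledge-based detection as in the early IDS era: raw substring search."""
    return any(sig in request_line for sig in SIGNATURES)


def normalize(request_line: str, max_rounds: int = 3) -> str:
    """Pre-processor step: percent-decode until the text stops changing (bounded to
    avoid pathological input) and case-fold, so the signature is compared against
    what the web server will actually interpret rather than against wire bytes."""
    current = request_line
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current.lower()


def preprocessed_match(request_line: str) -> bool:
    """Same signatures, applied after normalization."""
    return any(sig in normalize(request_line) for sig in SIGNATURES)


def compare(requests=SAMPLE_REQUESTS) -> dict:
    """Return {name: (naive_result, preprocessed_result)} for each sample request."""
    return {name: (naive_match(line), preprocessed_match(line))
            for name, line in requests.items()}


if __name__ == "__main__":
    for name, (naive, pre) in compare().items():
        print(f"{name:8s} naive={naive!s:5s} preprocessed={pre}")
```

The "encoded" request is the case the paragraph describes: the naive matcher reports nothing, the normalized matcher fires, and the benign request stays clean under both, which is the property a pre-processor has to preserve if it is not to add false positives of its own.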
In the early 2000s, the concept of honeypots began to gain popularity. In short, a honeypot is a program that impersonates a system to detect and engage with attackers performing reconnaissance. No one with good intentions has a reason to interact with a honeypot. The idea is simple: any interaction, no matter how small, is an anomaly that must be analyzed. For those who have to defend their systems, honeypots are an efficient solution because they generate events only when someone interacts with them, as opposed to generating false positives.
There are honeypots of different types: low interaction, high interaction, and even real systems waiting to be hacked. In many cases they are used to identify the Tactics, Techniques and Procedures (TTPs) of real adversaries in order to discover their modus operandi and, in many cases, give the attacker a first and last name.
I would like to make a special mention of Honeyd, a project by Niels Provos, which not only allowed one to "create" different flavors of mimicked operating systems but also allowed one to configure "routable" networks. A wonderful project that stopped being maintained in 2007.
As threats continue to evolve, attackers are constantly developing new tactics, techniques, and procedures (TTPs) to bypass traditional security measures. While some detection methods may be universally applicable, others may be specific to a particular company's unique way of working and interacting environment.
Moreover, it's essential to note that traditional security measures may not effectively detect all types of threats, such as the abuse of privileges and excessive consumption of sensitive information by employees with valid access.
These types of threats require new detection methods and solutions to address them:
Insider threats typically exhibit subtle behavior patterns that can go unnoticed, making it challenging to detect them through traditional security measures. For instance, instead of attempting an SQL injection or server-side request forgery (SSRF) attack, insiders may simply extract sensitive information through queries or other means, leading to data exfiltration.
Edward Snowden's case serves as a paradigmatic example of how a seemingly innocent insider can exploit their access to cause significant damage to an organization. Snowden did not use sophisticated attack techniques; he simply abused his granted permissions to extract and disclose classified information.
An example of this type of threat was "Operation Aurora" that was first reported at the beginning of 2010 and whose targets were companies such as Google, Adobe, Juniper Networks, Akamai, among many others. The attackers were in their networks for at least several months.
In conclusion, to address the increasingly complex nature of cyber attacks, it's crucial to implement new detection methods and solutions that can adapt to evolving threats. These methods may involve monitoring users' actions and detecting deviations from their normal behavior. This may help to identify unusual activity that could indicate a potential insider threat, without generating excessive false positives.
Behavioral analysis is one such promising technique that can help detect insider and advanced persistent threats, which are often difficult to detect through traditional security measures. This approach differs from the knowledge-based approach discussed earlier: we do not need a "well-known" attack signature to detect weird actions in progress.
The critical question for organizations is how to protect themselves from the growing threat of cyber attacks.
At MercadoLibre Inc. (Meli), we have developed a comprehensive cybersecurity model that includes four pillars of resilience, one of which is "Anomaly Behavior Analysis".
This approach involves analyzing the behavior of users and devices in our ecosystem to identify potential threats, including internal and sophisticated persistent threats.
By leveraging User and Entity Behavior Analytics (UEBA), we can detect anomalies that may be indicative of a potential security threat. This allows us to detect abnormal behavior patterns that may be missed by traditional security solutions, enabling us to respond proactively to emerging threats.
In short, this consists of establishing a baseline of behavior for each collaborator, each group of collaborators, each computer/server and each application, and from this detecting deviations from the expected behavior. Why does Romina consume this API when no one on her team does? Why does she consume 3x more than the rest? Why is she downloading so many files from the fileserver? Why access at such a time or from such a place?
The number of possible deviations is infinite. Something to note is that, from the attacker's perspective, there are fewer ways to "bypass" the controls: no type of encoding would serve to mask his behavior, and he does not know the expected standard behavior either. Whether his actions stand out depends on something pre-established, the behavior of others.
Ok, I agree. I need to detect anomalies. But how do I do it?
A short answer might be that I must have money to pay for commercial solutions to help me on this journey; or have skills that allow me to build them.
The reality is that commercial solutions, however focused on UEBA they may be, do not always allow us to adapt these principles to our reality. What solution do I apply to detect anomalies in an ecosystem of hundreds or thousands of APIs being consumed simultaneously by thousands of developers?
Sometimes building ad hoc solutions is necessary as part of a good defense strategy. Development skills are a must for a security engineer, not only to automate and scale security but also to build these types of solutions. Data science skills are increasingly needed in a modern security team; not because it is fashionable but because it is increasingly mandatory to find significant events in tons of data derived from multiple sources.
At Meli we apply these skills in various solutions. From the detection of DDoS or the detection of phishing to the consumption of information made by our collaborators and/or applications. In this last example, access control is not the last line of defense we have but the detection of unusual activity and/or abuse of a legitimately granted permission.
This is a central part of the Data Security (DS) strategy. Meli's DS team has data science skills that allow it to build "ad hoc" solutions for monitoring access to information. Its objective is to detect deviations in consumption and/or possible signs of exfiltration of information. This covers the consumption of databases, different types of storage, internal APIs, SaaS solutions and endpoints, among others. It is based on profiling the activity of each user according to their own behavior and according to the behavior of the group to which they belong.
The following figure graphically shows the detection of an anomaly when a user deviates from the group they belong to.
In this case, the detected anomaly was not the result of a port or vulnerability scan or the use of exploits. There were only allowed accesses and anomalous consumption. Neither more nor less than what an internal threat would do: hostile but not sophisticated.
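As an added example (not Temis, and not code from the original post), the following Python implements the three questions asked earlier in the text over a constructed access log: an API consumed by a user that no one else on her team consumes, consumption 3x above the peers' median, and access at an hour outside the window in which her peers are active. The user names, team, API paths and counts are invented for the illustration; the output is a list of findings of the kind a data-access anomaly detector would raise for a triage queue.

```python
from collections import defaultdict
from statistics import median

# Constructed sample log: (user, team, api, hour_of_day, request_count).
# Every name, team and path here is invented for the example.
SAMPLE_EVENTS = [
    ("romina", "payments", "/v1/orders", 9, 120),
    ("romina", "payments", "/v1/orders", 10, 110),
    ("romina", "payments", "/v1/customers/export", 3, 400),  # only she uses it, at 03:00
    ("lucas", "payments", "/v1/orders", 9, 40),
    ("lucas", "payments", "/v1/orders", 16, 35),
    ("ana", "payments", "/v1/orders", 10, 38),
    ("ana", "payments", "/v1/orders", 15, 42),
    ("diego", "payments", "/v1/orders", 11, 36),
    ("diego", "payments", "/v1/orders", 16, 39),
]


def build_profiles(events):
    """Aggregate raw events into the per-user and per-group baselines the text describes."""
    user_api_total = defaultdict(int)   # (user, api) -> total requests
    user_team = {}                      # user -> team
    team_api_users = defaultdict(set)   # (team, api) -> users on that team consuming the api
    user_hours = defaultdict(set)       # user -> set of hours with activity
    for user, team, api, hour, count in events:
        user_api_total[(user, api)] += count
        user_team[user] = team
        team_api_users[(team, api)].add(user)
        user_hours[user].add(hour)
    return user_api_total, user_team, team_api_users, user_hours


def detect_anomalies(events, ratio=3.0, min_peers=2):
    """Return (user, kind, detail) tuples for behaviour that deviates from the user's group.

    ratio: how many times the peers' median volume counts as a deviation (3x in the text).
    min_peers: volume comparisons need at least this many peers to be meaningful.
    """
    user_api_total, user_team, team_api_users, user_hours = build_profiles(events)
    findings = []

    # Check 1 and 2: APIs nobody else on the team uses, and volume far above peers.
    for (user, api), total in sorted(user_api_total.items()):
        peers = team_api_users[(user_team[user], api)] - {user}
        if not peers:
            findings.append((user, "api_not_used_by_peers", api))
            continue
        if len(peers) >= min_peers:
            peer_median = median(user_api_total[(p, api)] for p in peers)
            if total > ratio * peer_median:
                findings.append((user, "volume_above_peers",
                                 f"{api}: {total} vs median {peer_median}"))

    # Check 3: hours outside the window in which the rest of the team is active.
    for user, hours in sorted(user_hours.items()):
        peer_hours = set()
        for other, other_team in user_team.items():
            if other != user and other_team == user_team[user]:
                peer_hours |= user_hours[other]
        if not peer_hours:
            continue
        lo, hi = min(peer_hours), max(peer_hours)
        for hour in sorted(hours):
            if hour < lo or hour > hi:
                findings.append((user, "hour_outside_peer_window",
                                 f"{hour:02d}:00 outside {lo:02d}-{hi:02d}"))
    return findings


if __name__ == "__main__":
    for user, kind, detail in detect_anomalies(SAMPLE_EVENTS):
        print(f"{user}\t{kind}\t{detail}")
```

Two design points worth noting. The baseline for each user is the group, not the user alone, so a slow escalation over weeks is still measured against colleagues doing the same job rather than against a baseline the user has quietly shifted. And every check here works on allowed, authenticated accesses, which is exactly the case the paragraph above describes: nothing was scanned or exploited, only consumed.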
One of those solutions that allows us to do this user profiling is called Temis and it is a fundamental part of the strategy for detecting data access anomalies. Conceptually, the architecture that allows us to detect data access anomalies is as follows.
At Meli there are many teams that use this type of strategy to apply it in different domains. In security in particular, we believe that it is key to build solutions of this type to detect sophisticated and/or internal attacks.
Nvidia takes the same view and created the Morpheus project. It is an AI framework with a focus on security and based on the same principles that I mentioned: detect the non-obvious. The good news for those who were inspired by this post to start an initiative but don't know where to start is that this framework is available to be downloaded and used.
There are also other projects to take the first steps in the world of detecting subtle threats. One of them is Stratosphere, from the Cybersecurity group of the Center for Artificial Intelligence at the University of Prague. This project, focused on network anomalies, allows reading pcap files or integrating with the Suricata and Bro IDS.
Even in the commercial world there are many proposals available to apply to UEBA: Microsoft with its Sentinel SIEM, Splunk (one of the pioneers), Elasticsearch and many other commercial solutions.
In short, there are several alternatives to take the first steps in the world of anomaly detection. The detection paradigm that we are going to apply is in our hands. Whichever we choose, keep in mind that the threats, and their techniques, are rapidly evolving and increasingly subtle.
EOF
Keep hacking!
Keep it simple. Live, laugh, learn, love and share!
1 year: That is where the good stuff is! Statistical anomalies or outliers are indicative... a change in behavior or (Trinity, "A déjà vu is usually a glitch in the Matrix. It happens when they change something." - The Matrix (1999))
1 year: Thanks for writing this in a way that someone who is not even in cybersecurity could understand
1 year: Nice reference to the famous Stoned, I believe the most widespread boot sector virus. I programmed several (harmless) viruses back then, but never got to a boot sector one; it remained pending (actually, I broke my PC's boot sector with Stacker in a failed test). With some basic encryption you could fool the heuristic AVs (in general, they looked for suspicious use of Int 13h or 21h). A lot of water has passed under the bridge since then! :) Good article, hugs.
1 year: Great article, George!