Volume-based Use Cases for Detecting Malicious Activity
When it comes to security operations, there are many use cases we can apply and many ways to monitor data. One useful type is behavioral analytics that watches network activity for large changes in the volume of a particular activity. Fairly quickly, systems using machine learning can baseline what is normal and expected behavior for various functions, and we can then look for anomalies outside that norm. Here are three examples that demonstrate the value of volume-based alerting.
Malware Beaconing
Once malware successfully compromises a system, it must call back to a command and control (C2) point to receive instructions or additional malware. In many cases the malware acts as a beacon, sending packets to the C2 host until it gets a response. Often the reply is not immediate. In fact, I have seen malware send packets to the C2 for a few days to a week without a response, though this is not common. Because these beacons are usually very small, it may be difficult for your security tools to identify and block the activity. Looking for a significant, unexpected increase in the volume and frequency of outbound communications that receive no response, directed at an IP address or domain the host has not previously communicated with, is a useful approach to identifying a malware infection.
Data Exfiltration
Another way to look at volumetric alerts is to focus less on the number of packets spiking between two hosts and more on the amount of data leaving the network, especially to random locales on the internet. Sometimes, when hackers steal data off a network, they aggregate it in one or more files on the network, then compress those files and extract them through email, file-sharing sites, or simply FTP or similar protocols. Depending on the amount of data being stolen and the normal behavior of the infected machine, monitoring for spikes in the amount of data leaving a particular machine that fall outside its normal behavior is a useful approach to detecting data theft.
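The two checks described above (one-way beacons to a never-before-seen destination, and a per-host outbound volume spike against a learned baseline) as an added example; this is illustrative code written for this post, not Security On-Demand's ThreatWatch logic, and it runs over constructed flow records with RFC 5737 documentation addresses rather than real telemetry.

```python
# Added example (not the original post's code): two volume-based checks over
# constructed flow records shaped as (day, src, dst, bytes_out, bytes_in).
from collections import defaultdict
from statistics import mean, pstdev

BASELINE_DAYS = range(1, 8)   # seven days used to learn "normal" per host
TODAY = 8

# Constructed sample flows: a normal week, then a day with one bulk upload to a
# never-seen host (10.0.0.5) and 40 tiny one-way beacons (10.0.0.7).
FLOWS = []
for day in BASELINE_DAYS:
    FLOWS += [(day, "10.0.0.5", "203.0.113.10", 50_000, 200_000)] * 3
    FLOWS += [(day, "10.0.0.7", "203.0.113.10", 40_000, 150_000)] * 3
FLOWS += [(TODAY, "10.0.0.5", "203.0.113.10", 50_000, 200_000)] * 3
FLOWS += [(TODAY, "10.0.0.5", "198.51.100.9", 900_000_000, 1_000)]
FLOWS += [(TODAY, "10.0.0.7", "203.0.113.10", 40_000, 150_000)] * 3
FLOWS += [(TODAY, "10.0.0.7", "198.51.100.44", 300, 0)] * 40

def daily_outbound(flows):
    """Total bytes_out per (src, day)."""
    totals = defaultdict(int)
    for day, src, _dst, out, _in in flows:
        totals[(src, day)] += out
    return totals

def exfil_alerts(flows, baseline_days, day, sigmas=3.0, min_increase=0.5):
    """Hosts whose outbound bytes on `day` beat their baseline by more than `sigmas`
    stdevs and by at least `min_increase` of the mean (floor for flat, stdev-0 baselines)."""
    totals = daily_outbound(flows)
    alerts = []
    for host in sorted({f[1] for f in flows}):
        history = [totals.get((host, d), 0) for d in baseline_days]
        mu, sd = mean(history), pstdev(history)
        today = totals.get((host, day), 0)
        if today > mu + max(sigmas * sd, min_increase * mu):
            alerts.append((host, today, round(mu)))
    return alerts

def beacon_alerts(flows, baseline_days, day, min_flows=20):
    """(src, dst) pairs on `day` with many outbound flows, zero response bytes,
    and no contact between the pair anywhere in the baseline window."""
    known = {(s, d) for dy, s, d, *_ in flows if dy in baseline_days}
    stats = defaultdict(lambda: [0, 0])           # pair -> [flow count, bytes_in]
    for dy, s, d, _out, inn in flows:
        if dy == day:
            stats[(s, d)][0] += 1
            stats[(s, d)][1] += inn
    return [(s, d, n) for (s, d), (n, inn) in stats.items()
            if n >= min_flows and inn == 0 and (s, d) not in known]
```

Calling `exfil_alerts(FLOWS, BASELINE_DAYS, TODAY)` flags only 10.0.0.5 (the beaconing host's extra 12 KB stays under the relative floor), while `beacon_alerts(FLOWS, BASELINE_DAYS, TODAY)` flags only the 10.0.0.7 to 198.51.100.44 pair.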
Communication with Foreign Sites
While, generally speaking, I am of the opinion that focusing on and blocking foreign sites is of questionable value, considering that a majority of attacks occur from U.S. infrastructure being used as hop points for an attack, in many cases there is little to no reason for some businesses to communicate with countries like Russia, Iran, and perhaps even China. So, looking for a spike in volume for outbound traffic to (or inbound, allowed traffic from) such countries can help you narrow down your search for unauthorized, anomalous, or even malicious activity occurring on your network. This is especially true if you see a spike in activity involving protocols or ports that are non-standard (e.g. not port 80 or 443).
Just this past week, I was hunting on behalf of a client and saw a glut of allowed outbound traffic over a protocol that is only supposed to be used within a local area network and should never be seen traversing the global internet. The traffic was being sent to Russia. We were able to work with the client to mitigate the leak and further secure their environment.
These are just a few simple ideas to help get you started with expanding the effectiveness of your analytics and alerting. Volumetric alerting can go far deeper and become far more specific, limited only by our own imagination and understanding. We have seen significant value for our customers as we continually design and implement new volumetric use cases.
If you are interested in learning more about alerting and hunting strategies, please check out our recent blog post about strategies for Identifying Anomalous Protocol Activity and our Introduction to Behavioral Analytics.
About Security On-Demand
Security On-Demand (SOD) provides full-spectrum threat management and advanced cyber threat detection services for hundreds of businesses and government agencies globally. SOD’s patented, behavioral-analytics ThreatWatch technology enables the detection of advanced threats to protect brand value and reduce the risk and mitigate the impact of a data breach. SOD is headquartered in San Diego, CA with international R&D offices and a Security Operation Center in Warsaw, Poland.