Malicious Actors are Hiding in Plain Sight

Most everyone is familiar with the series of books called “Where’s Waldo” by Martin Handford. The books contain pages and pages of pictures of people similarly dressed, with the title character, Waldo mixed in and challenging the reader to find him in the crowd. This is very synonymous with the challenges facing information security teams in identifying potential malicious actors that have infiltrated their networks among all user and services authorized activity.

There are two main types of logins used on modern information systems and networks to access and process information. Each type creates traffic and generates huge amounts of logs on every action taken.

• Users: A living, breathing individual (also known as a ‘carbon life-form’) who authenticates to a computer and gains access to information and resources based on their access rights or roles.
• Services: An automated process or application that is authenticated and processes information or makes connections to other services via API calls.

Managing Log Data

There are also numerous and various types of devices and operating systems connected to the network generating tons of log activity. These are devices that create the network itself (routers, firewalls, switches, servers, etc.) as well as IoT smart devices (cameras, security, environmental controls, medical devices, etc.) along with user workstations. By default, most keep logs locally on the device and most recycle or overwrite the log files due to the volume of log data being created. One technique used by malicious actors is to delete the local logs to cover their tracks.

If you don’t have a centralized log management solution, finding malicious activity is substantially harder. With a disparate collection of a very limited set of log data that cannot be easily correlated, it is difficult to find patterns of activities that would indicate bad things happening on the network.

All networks should implement a Security Information and Event Management (SIEM) system. This system will centrally collect and securely maintain logs from all critical devices in the environment. That data is parsed into useable data elements, including event date, time, source IP, destination IP, and other details that allow for correlation of activities across multiple devices.

Once log data is centralized, depending upon your network size, you may be collecting millions of events per day. How can one find logs of Waldo trying to gain access to systems and sensitive information in the vast ocean of log data? Especially since Waldo has become smarter and is using common tools like PowerShell to gain information about the network landscape? Rules or Directives and ingestion of public sourced Indicators of Compromise (IoC) will help automate the process but does not eliminate the need for Threat Hunting exercises.

Threat Hunting

Threat Hunting is a process of proactively performing queries on the log repositories identifying anomalies or activities that appear malicious (e.g. attempts to obtain credentials to move across the network). Upon gaining access to a network, most malicious actors will quietly run standard commands or applications that will provide them with information about users, domains, and systems. This is called “Living off the Land” and trying to blend in with expected normal activities. They used to download and run their own suite of tools (e.g. Nmap, John the Ripper, Metasploit, etc.), which is activity easily discovered. These actors may exist on a network for a long period of time – days, months, and sometimes years without detection. It is these Advanced Persistent Threats (APTs) that the hunter is looking for to cut them off before any significant damage is done. This makes Threat Hunting an essential exercise and must be performed by qualified personnel on a regular basis.

Being able to fully comprehend what is going on in your network is fundamental to a secure environment and is a key requirement in most compliance programs. Implementing a SIEM tool to capture critical log data and being able to analyze it by doing daily threat hunting is crucial to detection of malicious activity. Early detection will minimize any damage done by unauthorized access. On the other hand, collecting and reviewing your logs after a compromise event is just forensic data to determine how much damage was done.

If you’d like more information or to discuss your organization’s cyber security needs, please contact us at Connect@CompliancePoint.com.