What Red Canary Detects, Part II: Suspicious Activity

Keith McCammon


At the risk of oversimplifying the threats and threat actors that organizations face, I’m going to assume for purposes of this article that they fall into one of two broad categories: opportunistic and targeted.

Opportunistic Attacks

Opportunistic attackers land where they land and attempt to extract as much value from each victim as they can, in a ruthlessly efficient manner. They employ a “breadth-first” strategy: specialize in one easily monetized and automated objective (for example, obtaining banking credentials), then carpet bomb the Internet for potential victims. King among the opportunistic actors are botnet operators, who focus heavily on the distribution of ransomware and banking-related crimeware.

Infection is the endgame. Infect, persist, monetize.

A hallmark of opportunistic attacks is that malware infections, numerous as they may be, are shallow. Infections typically do not spread far beyond the initial victim, and when they do, they tend to spread in a highly automated fashion. In any event, the infection is the endgame. Infect, persist, monetize. It is absolutely possible for these actors to leverage this access to expand their footprint and exfiltrate high-value proprietary data from the target; however, this is not their modus operandi, because it is too slow and inefficient.

Targeted Attacks

Targeted attacks have distinctly different objectives. Victims do not appear by chance: they are chosen. There are a number of actor groups driven by varying motivations: some are state-sponsored, some are drawn from organized crime syndicates; some are motivated by long-term economic interests, some by more immediate financial gain.

Stealth is critical and introducing malware—or any new software—is a risk to be avoided.

The goal of a targeted attack often lies beyond the initial point of infection and the way to achieve the goal is to gain a foothold, expand that foothold and move toward the objective. Stealth is critical and introducing malware—or any new software—is a risk to be avoided. Get access by any available means, but acquire legitimate credentials as quickly as possible and move freely under the auspices of an internal user.

Detecting an attack that has progressed to this point is considerably more complex than finding a piece of malware, a suspicious email or an outbound network connection to a known bad domain or IP address. The defender is facing the proverbial “needle in a stack of needles” problem: the attacker has compromised at least one, possibly several internal accounts with varying levels of privilege and looks remarkably similar to an employee.

Actions that are commonly observed in later-stage attacks:

  • Enumeration of and accessing network file shares
  • Use of remote desktop tools
  • Data exfiltration via email
  • Use of native operating system tools to schedule recurring jobs
  • Use of administrative tools such as PowerShell, WMI and others to access resources remotely

Accurate detection of these actions when taken by a malicious actor requires not only low-level OS activity monitoring but also an understanding of what “normal” looks like in a given environment. A fun exercise is to append the phrase “excluding authorized use” to each of the above, and then ask whether the data collection and tooling in place today would allow the operations team to identify misuse (or general use) of these services.

Behind all of the firewalls, proxy servers, filtering devices and even Data Loss Prevention (DLP) tools, there lies an attack surface that cannot be minimized by erecting walls and turning off services. The same tools used by employees to make money for the company are the tools an attacker will (ab)use. An organization needs live endpoint visibility and an operations staff experienced in hunting to counter this threat.

Our approach to suspicious activity detection involves:

  1. Collecting process-level activity including file and registry modifications, module loads and network connections. We also receive the relationships between processes, the command line passed to start the process, and a copy of every process’s corresponding binary and its metadata.
  2. Endpoint data passes through our battery of behavioral detectors that flag command shells and command-line tools such as PowerShell, task scheduling tools, remote administration tools, tools for mounting remote file systems, etc.
  3. Analytics identify how these tools are used, including the process and user context in which we should expect to see them. We also do the easy thing: communicate with our customers, ask them questions, and ask them to validate our findings where we’re uncertain.
  4. Expected behaviors and usage patterns are codified and fed into our engine so that the most common and known-good instantiations of these tools are noted but not shown to our analysts.
  5. Our team of analysts eliminates the remaining false positives and notifies customers of any suspicious patterns of use.
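The following is an added illustration of steps 2 through 5 above (and of the “excluding authorized use” exercise from the list of later-stage actions); it is example code written for this article, not Red Canary’s engine. The process events, the detector image lists and the known-good baseline are all constructed assumptions standing in for what a real environment and customer validation would supply.

```python
from dataclasses import dataclass

# Constructed process-start telemetry (step 1 output); not real customer data.
@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    parent: str   # parent process image
    image: str    # process image
    cmdline: str

# Step 2: behavioral detectors keyed on the tool classes named in the post.
# Assumed image names; a production detector would also inspect the command line.
DETECTORS = {
    "shell_or_powershell": ("cmd.exe", "powershell.exe"),
    "task_scheduling": ("schtasks.exe", "at.exe"),
    "remote_admin": ("psexec.exe", "wmic.exe", "mstsc.exe"),
    "remote_share": ("net.exe",),
}

# Step 4: codified known-good usage as (user, parent, image) tuples.
# Constructed baseline; in practice this comes from analytics plus customer validation (step 3).
KNOWN_GOOD = {
    ("SVC_BACKUP", "backupagent.exe", "schtasks.exe"),
    ("IT_ADMIN", "explorer.exe", "mstsc.exe"),
}

def classify(ev: ProcessEvent) -> list[str]:
    """Return the detector names that fire on this event (empty list if none)."""
    img = ev.image.lower()
    return [name for name, images in DETECTORS.items() if img in images]

def triage(events: list[ProcessEvent]) -> list[tuple[ProcessEvent, list[str]]]:
    """Return only the events that reach an analyst (step 5), with their detector tags."""
    leads = []
    for ev in events:
        tags = classify(ev)
        if not tags:
            continue  # no detector fired; ordinary activity
        if (ev.user, ev.parent.lower(), ev.image.lower()) in KNOWN_GOOD:
            continue  # authorized use: noted, not shown (step 4)
        leads.append((ev, tags))
    return leads

SAMPLE = [  # constructed events: two authorized uses, two unexplained ones, one irrelevant
    ProcessEvent("ws01", "SVC_BACKUP", "backupagent.exe", "schtasks.exe", "schtasks /create /tn nightly /sc daily"),
    ProcessEvent("ws02", "jsmith", "winword.exe", "powershell.exe", "powershell -NoProfile -WindowStyle Hidden"),
    ProcessEvent("ws03", "jsmith", "cmd.exe", "net.exe", r"net use \\fileserver\finance"),
    ProcessEvent("ws04", "IT_ADMIN", "explorer.exe", "mstsc.exe", "mstsc /v:srv01"),
    ProcessEvent("ws05", "jsmith", "explorer.exe", "notepad.exe", "notepad"),
]
```

Running `triage(SAMPLE)` leaves two leads for the analyst: the PowerShell launched from a word processor and the share mount, while the backup service’s scheduled task and the administrator’s remote desktop session are suppressed as known good.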

Our service relies heavily on our engine and analysis platform that were built with these complex modeling and analysis cases in mind. Red Canary’s approach is very similar to the approach taken by security operations teams around the world, but there are shortages of both the tools and the people required to do this well. Assuming that one can find or train the people, that still leaves a massive gap in tooling that is geared towards the granular filtering and analysis required to identify this type of suspicious endpoint activity.

Make sure to read the last article in this series. It details the third category of our detection service, Unwanted Software.
