Gaining the Upper Hand on Cyber Threats

Interset’s Model Builder changes your security posture from reactive to proactive.

We hear about it every day: another breach, another hack, another thing we need to worry about. The rate and variety of threats are always increasing, as are threat surfaces. It often seems as though we only just get a handle on what is happening when, suddenly, another threat pops up. How can we effectively protect ourselves against both current and emerging threats?

We do our best with the tools we have. We use security information and event management (SIEM) systems to centralize and normalize logs. We use rules, thresholds, and correlations to find threats. Yet it does not seem to be enough. The problem is that current methods cannot adapt quickly enough to the changes that attackers make every day. Nevertheless, we keep doing the same things: write more rules, change a threshold, and add yet another correlation. We are constantly on our back foot with attackers at an advantage, and we need to know ahead of time how to detect a threat. But attackers will never tell us what they are going to do next, so what can we do to get the upper hand?

We have to start by assuming a new threat stance. It is important to recognize that we need to move from reactive to proactive threat prevention. Instead of waiting for an attack and then creating rules to stop the next one, we should get ahead of the threat and look for zero-day attacks and unknown threats differently. What if we could start thinking about the attacks in terms of behaviors instead of Tools, Tactics, and Procedures (TTP)?

If we look back at past attacks and breaches that we have investigated, there are often similarities in the “unusual” behaviors of compromised users, machines, and resources. These changed behaviors would be the same regardless if the attack happened with a spear-phish, zero-day attack, or any method. When you think in terms of these behaviors, it becomes easier to identify an attack or breach sooner.

Using behavior as a foundation for spotting threats can significantly evolve our threat hunting. What if we could take a set of behaviors and bring them together to identify a new or emerging threat? Let’s look at ransomware and cryptojacking as examples.

With ransomware, the goal is to hold hostage the victim’s resources. Think about the behaviors we would see:

  • A higher volume of file accesses
  • A higher volume of writes
  • A process showing a greater number of file accesses
  • The user account accessing more files in an hour than before
  • A network connection to a location the machine has never connected to before
  • Time-of-day activity

With cryptojacking, the goal is to compromise the browser, load malicious code, or add a browser helper object to mine cryptocurrency. Again, envision the behaviors we might see:

  • A higher volume of CPU usage by the browser or script-processing engine
  • A higher memory usage
  • Rare site access
  • Human or machine traffic identification
  • Time-of-day activity

In each of the above, not once did we outline any TTP—never specified a port, never specified known good locations, never provided a threshold or a rule. Yet, Interset would have detected each and every one of those behaviors.

Does this imply that Interset knew these behaviors reflected ransomware or cryptojacking? No, but that doesn’t matter. Interset would have recommended these behaviors most likely as compromised account and data theft based on machine learning models associated with those behaviors. Interset won’t know what the next threat type is. What Interset will know is that there is a threat, thanks to the change in behaviors.

What if security teams could mix and match Interset’s 400+ machine learning models representing 10,000 or more man-hours of work to look for threats more effectively in their unique environments? New threat types could be created by security professionals in the field without relying on a company to release a threat type. New threats can be accounted for as they emerge or as they are anticipated, and current threats that are being iterated on by attackers can still be caught since behaviors, not TTP, are being identified.

As luck would have it, this capability is just around the corner. At RSA Conference 2018, Interset announced Model Builder, an upcoming tool in our security analytics platform that will give security teams the analytical building blocks to leverage our machine learning algorithms uniquely for their organizations—without the need for coding or data science expertise. Model Builder allows you to take those 400+ models and associate them in customized ways to find threats based on behavior. This feature will give threat hunters a powerful new advantage by significantly increasing threat detection and putting attackers on their back foot instead. 

It’s time for a new way of thinking about threats. Model Builder is an important step to allowing any security team transform its security posture to one of readiness and resilience.

To learn how Interset can help your security team become proactive, contact us.