Endpoints Still Matter

Endpoint data can be the key to the clearest picture of a security breach.

I am privileged in my role with Interset that I get to spend time in the field with our customers—working with organizations’ cyber hunters to help them apply their vast experience and knowledge to security analytics. This is done hands-on with Interset installed and their own real-world data being ingested into analytics.

Interset supports a vast array of data sources that are ingested by our customers. Of the choices, most customers typically ingest three: authentication, web proxy data, and often a repo—either source code or enterprise document management. These logs provide a richness of behavioral content. You can see strange authentication patterns, websites never visited before, and data access that are anomalous. This often provides the needed detail to determine that malicious activity is underway. There are times, however, that if endpoint data were included (and sometimes only endpoint data), a much clearer picture of what is taken place could be achieved. Let me share with you two real-world examples of when this could have been beneficial.

Example #1: Enterprise SOC Investigating a Dismissed Employee

First, I know everyone has endpoint or agent fatigue. “You want to deploy another agent to my endpoint?” This is a common concern among security administrators. The good news is that Interset works with the endpoints you have already deployed. The existing endpoints can be mapped into Interset’s next-generation endpoint analytics, and once the endpoint models are mapped, they become part of analytics. This could have helped in the following two situations.

Working in a security operations center (SOC) for a large company recently, we had seen anomalous login activity for a user—let’s call him Chris. Interestingly, we could see the attempted use of a local admin account at the same time. What made this suspicious was that the local admin account being used was an exception to the corporate guidelines. The local account had been created to support a new type of drive array added to a large SQL instance. The account only had privileges to manage the array. Yet, we could see it failing to authenticate to other machines locally. These failures made sense since it was only on one machine. What we tried to understand was an attacker using the local account to breach other machines? We had the anomalous login activity for Chris and it appeared to take place on the machine a few minutes before the local account was used. What we wanted to know was, Was Chris the one trying out the local account? We suspected the failed login activity was coming from RunAs attempts by Chris using the local account. If we had endpoint logs, we could have seen if it was anomalous for Chris to use the RunAs command or other commands and if Chris or his peers had ever shown similar behavior. We could also have seen if other exploits were trying to be run like Mimikatz. The addition of endpoint data would certainly have helped provide additional clarity on what was taking place. Clearly, leveraging the endpoint in analytics with the other data sources would have given us the correlation between potential account misuse and attempted credential harvesting.

Example 1Figure 1: Leveraging endpoint data with other data sources enables a correlation between potential account misuse and attempted credential harvesting.

Example #2: Validating Interset Analytics with Red Team Attacks

In the second example, I was working with a blue team to validate the Interset technology in their environment. The red team had been attacking a series of simulated network segments for several days. These simulated segments and workstations did not have any endpoints deployed. We had access to web proxy and Active Directory. What we could see from web proxy were unusual agent strings being used in some of the connections. These strings were anomalous as they were never actually used. This was surfaced through a group of rare event models for this type of traffic. In addition, workstation risk scores grew as low-risk but frequent network activity was detected. We suspected this to be C2 traffic, and the low and slow part of the model family identified it as such. We could also see a large increase in traffic volumes to an external server. This appeared from the activity to be data exfiltration.   Example 2

Figure 2: Behavioral analytics with endpoint data can help identify attack tools and detect lateral movement and spawning of child processes to accelerate threat hunting.

From all of these anomalies, it was clear that malicious activity was taking place. We theorized that tools like metasploit were being used based on port activity and that more than likely some sort of python-based attack tool was being used. Here, endpoint data could have helped identify the attack tools being used, and identify if lateral movement was being seen between hosts. We suspected there was lateral movement based on the workstations that had the anomalous activity. Endpoint data would have helped to catch rare processes being run, as well as local workstations being utilized as attack points to other machines. There are model families in Interset’s analytics that look for spawning of child processes, known process behaving differently, file and network access, and other behavioral activity that would have provided additional clarity to our cyber hunt.

We can now understand that the use of an endpoint data source would have greatly increased the confidence we had in describing the attacks taking place. Without the endpoint data, additional investigative activity is required to get to the proper conclusions.  

So does this mean you must have endpoint as part of your deployment of Interset? No. What it does show is that the use of Interset with an endpoint can unlock additional behavioral indicators that could only be seen from an endpoint. It does mean that endpoint is a very important data source that should not be overlooked if available.

For more information about Interset’s analytics, be sure to check out our recent blogs on Interset’s upcoming model building capability and detecting fileless malware with endpoint UEBA.

Our team will also be showing live demos of our endpoint capabilities at Black Hat USA 2018 next week in Las Vegas. If you’re planning to attend the show, be sure to come by booth #L61 for a demo and rule-breaking giveaways!