Faster Breach Detection, One Step at a Time

From Equifax to Yahoo to an unprecedented breach at the National Security Agency, the scope and sophistication of recent security breaches continues to grow—and so does the damage. Yet, data exfiltration remains extremely hard to detect, especially with any semblance of speed. On average, the median time for attackers to stay undetected from breach to discovery was 99 days (per Mandiant). In many of these recent breaches, hackers had free reign inside systems for weeks and sometimes even months, giving them ample time to identify and exfiltrate valuable and sensitive information including intellectual property, credit card and social security numbers completely undetected.

That’s unacceptable. The industry needs a better way to narrow the breach detection window to head off malicious network attacks and minimize data loss.

Security teams—with added pressure from leadership, boards and investors—are struggling to keep up, and justifiably so. While your logging systems hold a wealth of data that offers clues to when and where malicious activity might be happening, the sheer volume and velocity of that data makes it extremely hard to collect and analyze. When you’re drowning in tens of thousands of alerts generated by millions of log messages every day, it’s challenging to distinguish the critical from the nuisance.

In the face of innovative adversaries and threats that continue to evolve, it’s unrealistic to think that you can prevent every breach from happening. The challenge is sifting through data and log files quickly, in a way that yields actionable insights, and zeroing in on areas within your infrastructure where suspicious activity might be occurring. However, there are changes you can make to chip away at that exceedingly longtime gap between the breach and when it’s finally identified and investigated.

This isn’t about a complete overhaul of your security systems. Rather, the answer lies in discovering new ways to work smarter, not harder.

Shedding Alert Paralysis

This shift in approach isn’t just about implementing new or better security analysis technologies. To handle the pace and sophistication of new threats, it also involves a shift in approach and process for security teams. Already suffering from alert fatigue, it’s easy to want to throw up our hands in despair or to point fingers. That’s not going to help.

Frustration may be so great, and the task seemingly so large, that it leaves many security teams wondering if analyzing logs is a futile effort. Well, a pragmatic and incremental approach could be the way to get started. You don’t have to boil the ocean (at least, not yet!) by striving for 100 percent detection capabilities all at once. Don’t let “the perfect become the enemy of the good.” Map out the problem space, and get started with one source of logs in your infrastructure.

Many security experts suggest that if you have just one log source to analyze, start with your DNS logs, since they contain a tremendous amount of information regarding where on the internet your users and systems are visiting. Build a data platform that can hold even one day’s worth of DNS logs, and then put in place basic monitoring controls and detection mechanisms to identify activity likely to be associated with attacks and data breaches.

Know Abnormal, Find Evil

This requires a shift in tactics. Taking an approach popularized by the SANS institute in its Digital Forensics and Incident Response Program, “Know Abnormal … Find Evil” can get you started quickly and can pay dividends. Here’s a short list of ways to review your DNS logs each day.

  1. Compare each requested domain against a freely available list of say, the top 1 million domains (such as the Majestic list). In most organizations, it’s abnormal for users to visit such unusual sites, so activity associated with domains that are NOT on this list immediately identifies activity that might need investigation.
  2. Check the “age” of each requested domain using resources such as domain tools to see if any are very new (created in the past few days or weeks, for example). In most organizations, it’s abnormal for users to visit such recently created sites, and these young domains may be associated with temporary phishing sites, ransomware or malware botnet sites, so systems accessing these sites should be investigated.
  3. Create a baseline of the number of DNS requests generated by your infrastructure each day. If the number of requests is abnormal for a given day, it could represent some kind of abuse or exfiltration of data over the DNS protocol.
  4. Digging a bit deeper into the DNS protocol, use your data platform to monitor the number of distinct subdomains requested for each domain present in your DNS logs. You may need to filter out popular sites such as AWS and Dropbox. After doing so, any sites with an abnormally large number of distinct subdomains could be an indication of data exfiltration by encoding it and including it in the subdomain field of DNS requests, a technique sometimes called DNS tunneling. Systems involved in this type of activity should be investigated immediately.

Implementing these basic checks will take some work, but will likely increase your chances of detecting common attack and breach-related activity.

Better, Faster Automated Anomaly Detection

Today’s SIEM systems play an important role in monitoring security events, and with some amount of manual effort could be used to implement the basic DNS log analysis described above. However, you’ll get significant ongoing benefits by speeding and automating these checks. That may sound obvious, but automating these basic detection techniques may require you to augment your existing platform with technology that adds an analytics layer on top of your SIEM.

That’s where a practical application of machine learning comes in. In threat and breach detection, machine learning provides an arsenal of “algorithmic assistants” that help security teams automate the analysis of security-relevant log data by looking for potentially incriminating anomalies and patterns—but under the direction of human security experts.

Let’s take a closer look at how one of the detection techniques described above (Detecting DNS Tunneling) could be improved and automated with machine learning-based techniques.

Because DNS network traffic isn’t generally blocked by firewall policies it has become an attractive channel for sending unauthorized or malicious communication—essentially tunneling under an organization’s existing security defenses. There are many examples of malware, such as the Framework POS malware that use this technique to exfiltrate valuable data such as credit card numbers.

In this case, a security analysis tool with machine learning can be configured to analyze DNS logs and create a baseline of “normal” behavior. More specifically, the machine learning engine is instructed to create and maintain a baseline of the normal number of distinct subdomains per accessed domain. Once it learns the baseline, it automatically analyzes newly received DNS log data and flags abnormal behavior.

In other words, the security analyst doesn’t need to run queries, create “top 10” lists and try to remember if the number of subdomains at the top of the list is normal for that site. This is all handled automatically by the machine learning engine, freeing the analyst to start work on the next data source. Even better, the baseline models created by the machine learning engine do not need to keep the older data in the platform. So even if your platform retains only one day of DNS log data, your machine learning engine remembers the historical data, so that each day’s observations are compared against all the learned history.

Not all abnormal activity is malicious, but knowing what is abnormal helps security teams zero in on suspicious activity for further investigation. Essentially, it’s a faster, smarter way to identify the proverbial needle in a haystack.

Be Pragmatic: One Data Source at a Time, Detect, Automate

The examples above cover only one small part of today’s threat landscape and an organization’s attack surface, and are not intended to be a silver bullet to securing an enterprise. Rather, they offer a pragmatic approach to the cybersecurity version of putting one foot in front of the other. Data breaches will happen, but armed with the approach described above, and modern security analytics tools, security teams can limit their exposure, improve overall security coverage, and ultimately, close that breach detection window.

Mike Paquette

Avatar photo

Mike Paquette

Mike Paquette is Director of Product, Security Market at Elastic. Mike joined Elastic in 2016 from Prelert, where he was VP of Products for Prelert's machine learning technology. Starting his career as an ASIC designer, Mike has more than 30 years of technology product development experience, including executive roles with several startups in the areas of consumer apps, mobile app ecosystems, and Security Information and Event Management (SIEM). Previously, Mike held executive roles developing and bringing to market network intrusion prevention and DDoS defense solutions at Top Layer Security (acquired by Corero in 2011). He is co-author of a patent on DDoS defense.

mike-paquette has 1 posts and counting.See all posts by mike-paquette