Chapter 1
Network attacks and the data they affect
Matthew Morgan*, Joseph Sexton, Joshua Neil, Aleta Ricciardi and Joshua Theimer
In this chapter, we discuss techniques to improve the detection of intruders within a computer network. We begin with an understanding of the behaviours of intruders, the actions and steps they must take in order to gain access, and the actions they may take to realise their objectives and the constraints imposed on them by the systems and networks they target. Each of these actions leaves evidence in system logs and we show how to use the knowledge of the intruder behaviour to hone statistical analyses of these logs. By understanding the sequence and coincidence of an intruderās actions we improve the accuracy of detections. When compared against the historical activity within a network, these rare events, and even rarer sequences of events become highly suggestive. Our approach contrasts to the so-called signature-based detection, which examines activity against known attacks. One consequence is that signatures can only detect what has been seen before. Moreover, signatures are generally used to detect the initial system breach; they do not address the free-range activity of an intruder once successfully inside the target network (indeed, detecting malicious activity from insider threats is a particularly sensitive issue). Statistical analysis of system and network activity, informed by the knowledge of threat actors behaviour, addresses both these shortcomings.
1. Introduction
The dominant approach to commercial intrusion detection in computer networks is based on detecting signatures or indicators of previously uncovered and analysed attacks. Examples include file hashes, known-bad IP addresses and domains, and traffic characteristics of known Command and Control (C&C) protocol. When a signature is detected, it may be evidence of an ongoing intrusion, and typically warrants investigation.
Unfortunately, signature detection can be easily evaded: recompiling a malicious program with a minor modification will alter its hash, and changing C&C servers will circumvent the use of blacklists to identify known-bad IP addresses and domain names. These weaknesses have been known for many years by both attackers and defenders and recent years have witnessed a steep rise in the number of successful network intrusions.
Behaviour-based detection is a relatively new approach that uses statistical models to reflect normal behaviour, and alternative hypotheses can be formed that reflect attack behaviour when deviation from the model is evident. While the paradigm may be new in practice, the data-centric approach is not (e.g. Ref. 1 argued in 2013 that extensive network monitoring is the key to successful detection). This approach requires the analysis of data from a wide variety of sources. Statisticians have an important role to play in these developments. The magnitude of the dataa requires automated approaches to baselining activity, and careful calibration of anomaly scores to assess activity patterns extracted from data sets with widely varying distributions. In addition, it is critical that statistical approaches be guided by security expertise, to ensure that the methods employed are sensitive to real attacker methodology. Blind application of statistical methods without subject matter guidance is likely to fail.2, 3
This chapter captures both the attackerās and the defenderās perspective. In Section 2, we give a detailed description of the behaviours of attackers and provide some concrete examples. In Section 3, we describe the types of evidence these behaviours leave behind in system logs. Section 4 presents statistical analyses, emphasising ways to make the signal more prominent. Finally, in Section 5, we introduce the further complication of detecting insider threats and suggest ways to incorporate indicators of these type of attacks.
2. Behaviour of Attackers
To develop a behaviour-based approach to detecting attackers, it is important to understand the general characteristics of an attack. Hutchins4 examined targeted network intrusions, and identified the following seven steps, sometimes referred to as the attack chain or kill chain:
ā¢ Reconnaissance ā the attacker gains information about the target to identify potential sources of entry and intended data and systems to disrupt.
ā¢ Weaponisation ā the attacker prepares the means of exploit or malware.
ā¢ Delivery ā how the malware is launched.
ā¢ Exploitation ā the means by which the attacker actually gains entry.
ā¢ Installation ā the attacker establishes a base from which to execute.
ā¢ C&C ā the attacker establishes communication back to its own servers to receive stolen data or initiate actions from outside the target network.
ā¢ Actions ā achieving the specific objectives against the target network.
Because the first two steps typically occur outside the target network, we will focus on the last five steps.
An advanced persistent threat (APT)5 is characterised by the attacker maintaining access in the compromised network for a long period of time. As an example, consider a highly publicised attack campaign of late 2009, dubbed āOperation Aurora,ā that successfully targeted, among others, Google, Adobe, Juniper Networks, Rackspace, Yahoo and Symantec. According to Ref. 6, the attack targeted source code repositories within the companies, called software configuration management systems (SCM) (reconnaissance). The attacks typically started with spear-phishing emails (delivery) including a URL link. When the victim clicked on the link, a zero-day vulnerability (exploitation) in Internet Explorer resulted in malware (previously weaponised) being executed (installation) on the machine. The malware set up a backdoor into the compromised host, which then initiated a connection back to one of the attackerās servers (C&C). The attackers were then poised to carry out the main goal of their attack, accessing and exfiltrating code from the SCMs (action). Table 1 associates these steps with the evidence they left in system logs (we will discuss the evidence in greater detail in Section 3).b
Table 1.Operation Aurora attack chain.
Attack phase | Mechanism | Log visibility |
Delivery | Phishing w/URL | Email/Web |
Exploit | URL, website w/malicious JavaScript JS exploited zero-day Internet Explorer vulnerability Downloads trojan Roarur.dr | Behavioural malware detection |
Installation | Roarur.dr saves and executes %Application Data% \a.exe Downloads roarur.dll, and injects | Event logs New process |
| into svchost.exe, creating service and Reg.Key...\Services\RaS [.. 4 random char ..] | Registry modification New service |
C&C | RasMon backdoor connects back ex. 360.home[REMOVED].com | Web New domain traffic |
Actions | SCM poorly secured easily accessed by attackers | |
| Downloading entire source-code trees | High bandwidth outbound |
2.1. Understanding network security practices
In order to be truly effective, attackers need to understand the networks of the enterprises that they target. Often, the culture and business of an enterprise give hints about the network and resources supporting it, which in turn suggest vulnerabilities (in both technology and practices) likely to exist within the network. Conversely, an attacker must perform certain actions to progress through a network in order to install, establish C&C and achieve their objectives. Thus, understanding the confines of an attacker and the stages of an attack lifecycle further contextualise events seen in system logs; this context helps to prioritise security monitoring resources and identify that an attack is in progress.
While it is reasonable to assume that larger networks can leverage more sophisticated infrastructure and apply complex security measures in a thorough and consistent manner, the reality is much different. The pace of growth, both in the improvement of existing technology as well as new technology being added to replace manual or analog processes and machinery, has made the concept of consistent security service delivery impractical. Many corporations do not have the resources to keep up with the changes resulting in asset inventories that are incorrect and incomplete, patches that are not at recommended levels, non-hardened default configurations in production, and unapproved hardware and software existing in the environment. The current trend in the so-called āInternet of Thingsā is to provide network connectivity for all technology, often before even a cursory vulnerability assessment is conducted. This results in ad hoc security practices added onto the technology, rather than those services being built-in at the design phase. Cyber security is typically handled by a series of periodic projects based on budget surpluses or drastic events, rather than a holistic integration with the business.
Attackers continue to seek ways to exploit lack of resources, poor situational awareness and inadequate security postures. For instance, if an attacker is able to determine that an organisationās security department is understaffed, they may assume the network contains systems that have not been sufficiently hardened and will prioritise their activities to target vulnerabilities in default configurations of common services. Alternately, if an attacker believes that the administrators of the network are security-minded but that the organisation as a whole does not provide adequate security awareness training for its personnel, the attacker may focus their attention on low-level users as opposed to attempting to gain administrator privileges at the outset.
This ability to adapt is the main reason the scales are tipped in the attackerās favour. Cyber security has traditionally been a c...