Analyze This: How IP Addresses Can Save the Day


By CyberArk Labs

Everyone in the security business is talking about analytics – threat intelligence, big data, mining, etc. Clearly, sifting through huge amounts of data has significant value for understanding the complex nature of IT infrastructure and advanced cyber threats. The serious challenge is deciding which data matters and what should move to the top of the pile. As our recent 2014 Global Advanced Threat Landscape survey showed, Snowden and retail/POS breaches influence security strategies the most, and the common factor in these attacks is the exploitation of privileged accounts.

Pinpointing malicious privileged account activity should therefore be at the top of the list, given the role these credentials play in every advanced attack. The challenge is doing it in real time, early enough to stop an attack in progress. A behavior-based approach makes this much easier. As an example, let’s look at privileged account activity correlated with the location of the IP address it comes from.

It’s well established that attackers seek out privileged credentials as a means to move through a network – either hopping from user to machine credentials or escalating to more powerful ones. While the attacker may blend into the normal workflows associated with a set of hijacked accounts, the IP address they connect from can be a giant red flag. Day-to-day operations may require a sysadmin to access servers and databases many times throughout the day. IP location tells us whether that sysadmin is working from his usual office or has somehow logged in from Russia. The caveat is that geolocation is coarse: an attacker operating from a compromised internal workstation, or through a VPN into the corporate range, looks local, which is why the source IP should be baselined per account and per device, not just per country.

Similarly, every network has normal connectivity behavior that, once modeled, can be used to detect an attack. For example, patterns emerge showing that a given privileged account is always used from one particular workstation to reach a particular server, and never from any other device. A source IP that breaks that pattern indicates a possible attack. This is what happened in the 2011 RSA attack, where it was one of the indicators that something was wrong.

Another way to use correlation is segmentation and changes in IP address behavior. It’s common to have a range of IP addresses accessing a set of servers, with one or two of them dedicated to a single server. If one of those dedicated addresses suddenly starts connecting to all the servers, something may be wrong.
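The three baselines described above (account-to-location, account-to-source-device, and source-IP-to-destination-set) can be learned from ordinary login records and checked on each new event. The following is an added example written for this page, not CyberArk’s code: the log format, the IP ranges, the static geolocation table and the fan-out threshold are all hypothetical and constructed for illustration; a real deployment would feed it from VPN, jump-host or Windows security logs and a GeoIP database.

```python
"""Baseline-and-deviate detection for privileged-account logins.

Added example, not CyberArk's code. The log format, IP ranges, geolocation
table and thresholds below are hypothetical and constructed for illustration.
"""
from collections import defaultdict
import ipaddress

# Hypothetical geolocation table keyed by CIDR. A real deployment would use a
# GeoIP database instead of this static map. 203.0.113.0/24 is an RFC 5737
# documentation range, used here as a stand-in for a foreign source.
GEO_TABLE = {
    "10.10.0.0/16": "HQ-Boston",
    "10.20.0.0/16": "DC-Ashburn",
    "203.0.113.0/24": "RU-Moscow",
}
GEO_NETS = [(ipaddress.ip_network(cidr), loc) for cidr, loc in GEO_TABLE.items()]

FANOUT_THRESHOLD = 2  # hypothetical: new servers per source IP before alerting

# Constructed sample logs: "timestamp account src_ip dst_host" per line.
BASELINE_LOG = """
2014-05-01T08:02 admin_jdoe 10.10.5.21 db01
2014-05-01T09:15 admin_jdoe 10.10.5.21 app01
2014-05-01T10:40 svc_backup 10.20.7.9 db01
2014-05-02T08:11 admin_jdoe 10.10.5.21 db01
2014-05-02T11:05 svc_backup 10.20.7.9 db01
"""
NEW_LOG = """
2014-05-03T02:47 admin_jdoe 203.0.113.45 db01
2014-05-03T09:30 admin_jdoe 10.10.5.88 app01
2014-05-03T09:41 svc_backup 10.20.7.9 app01
2014-05-03T09:42 svc_backup 10.20.7.9 web01
2014-05-03T10:00 admin_jdoe 10.10.5.21 db01
"""


def geolocate(ip: str) -> str:
    """Map a source IP to a coarse location label, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for net, loc in GEO_NETS:
        if addr in net:
            return loc
    return "unknown"


def parse(log: str):
    """Parse the constructed log lines into (ts, account, src_ip, dst_host)."""
    return [tuple(line.split()) for line in log.strip().splitlines()]


def build_baseline(events):
    """Learn where each account logs in from (location and device) and which
    servers each source IP normally reaches."""
    acct_locations = defaultdict(set)
    acct_sources = defaultdict(set)
    src_destinations = defaultdict(set)
    for _, account, src, dst in events:
        acct_locations[account].add(geolocate(src))
        acct_sources[account].add(src)
        src_destinations[src].add(dst)
    return acct_locations, acct_sources, src_destinations


def detect(baseline, events):
    """Return (ts, rule, subject, detail) alerts for deviations from baseline."""
    acct_locations, acct_sources, src_destinations = baseline
    alerts = []
    new_dsts = defaultdict(set)  # per source IP: servers not seen in baseline
    for ts, account, src, dst in events:
        loc = geolocate(src)
        if account in acct_locations and loc not in acct_locations[account]:
            # The "logged in from Russia" case: known account, unseen location.
            alerts.append((ts, "new-location", account, f"{src} ({loc})"))
        elif account in acct_sources and src not in acct_sources[account]:
            # Same location, but a workstation this account never used before.
            alerts.append((ts, "new-source-device", account, src))
        if src in src_destinations and dst not in src_destinations[src]:
            new_dsts[src].add(dst)
    # A normally dedicated source IP fanning out to several new servers.
    for src, dsts in new_dsts.items():
        if len(dsts) >= FANOUT_THRESHOLD:
            alerts.append(("-", "fan-out", src, ",".join(sorted(dsts))))
    return alerts


def run_example():
    """Learn from BASELINE_LOG, then check NEW_LOG against it."""
    baseline = build_baseline(parse(BASELINE_LOG))
    return detect(baseline, parse(NEW_LOG))


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

Run against the constructed logs, this produces three alerts: admin_jdoe seen from the Moscow range, admin_jdoe seen from a second workstation in the normal office range, and the backup host 10.20.7.9 reaching two servers it had never touched. The location check is evaluated first so a foreign login is not double-reported as a new device, and the fan-out rule only fires once a source IP has crossed the threshold, so a single new destination (a legitimate migration, say) does not page anyone on its own.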

The beauty of a behavior-based approach to identifying in-progress attacks is that once you layer models on top of each other, you create many baselines and compound dependencies: an attacker now has to match the expected location, the expected device and the expected set of destinations all at once, which is nearly impossible to game.