Effective Behavior-based Defense

By CyberArk Labs

Analytics are a tricky business, no matter what purpose they’re applied to, let alone for use to stop a cyber-attack in progress. Take behavioral analytics, for example. What’s simply odd and what’s a threat? And if you’re creating security profiles based on behavior, can’t the bad guys simply game the models you’re monitoring for?

First, let’s tackle what distinguishes a behavioral threat. The Night Dragon attacks were coordinated, covert and targeted cyber-attacks conducted in 2009 against global oil, energy, and petrochemical companies. Once the bad guys infiltrated the network of target companies, they went about their business, extracting information. When investigated, it appeared the malicious network traffic occurred on weekdays from 9:00 a.m. to 5:00 p.m. Beijing-time, well outside the normal working hours of these companies. And based on the volume of traffic it was highly likely to be more than simply a late night for the IT department. Clearly this was much more than ‘odd’ network access behavior.

The recently reported Energetic Bear attack on similar energy sector companies around the world in 2011 took this a step further (see our earlier post for details). In this attack, forensics found the timing data related to malware build hours, and command and control monitoring activity was consistently between 8:00 a.m. to 6:00 p.m. Moscow-time. Again, repeated activity outside of a company’s normal working patterns was indicative of an attack.

It hasn’t taken long for the bad guys to figure out that ‘active hours’ are being monitored as a general course of defense. Such an example is the 2013 cyber-attack against retail PoS installations. In one high-profile attack, the bad guys designed malware to only exfiltrate data between 10:00 a.m. and 6:00 p.m. local time, so as to disguise themselves in regular working-hours traffic.

It would seem that yes, the bad guys can game this defense quite easily once they know what activity is being monitored. However, the beauty of behavioral analytics is that it is nearly impossible to game the system once you layer models on top of each other, creating many baselines and compound dependencies within those individual models. And since behavioral analytics are based on actual usage data and rather than list-based rule-sets, the number and character of what models become a baseline alerting structure are virtually limitless.

Tuesday, we unveiled CyberArk Privileged Threat Analytics 2.0 – a behavior-based analytics solution designed to help organizations to rapidly identify and respond to in-progress attacks.  Click here for more information. You can also watch a video introduction to CyberArk Privileged Threat Analytics.