Reverse Deception: Organized Cyber Threat Counter-Exploitation
Authors: Sean Bodmer
What kind of malware is it detecting?
You can trend this data. Are only droppers, adware, cookies, and so on being detected? If so, then what is not being detected?
Digital Forensics
Many client-based solutions provide host-based digital forensics. These come in hardware and software forms. They monitor system activities, such as hard drive activity, processes, memory monitors, hooking functions, VMs, sandboxes, and more.
These tools are only as good as the operating system’s security policy, as they can be detected and disabled just as quickly as antivirus solutions. However, they do play an important part in the defense-in-depth strategy.
At times, these systems can capture the information you need to identify a specific threat. You can develop patterns and behaviors exhibited during the crime if these tools haven’t been disabled.
Things to Think About
Here are some tips on how you could use your digital forensics system as a force multiplier:
How can you best use this technology?
The best use of this technology is a hardware-based solution that resides outside the operating system and monitors hardware components. A great example is Tribble by Grand Idea Studios (www.grandideastudio.com/portfolio/tribble/). Another is Copilot by Komoku (www.microsoft.com/security/portal/komoku/), which was bought by Microsoft, and its functionality was added to the Microsoft line of security products.
How can you hide your digital forensics processes from the host itself?
This requires an out-of-band connection to the functionality of the forensics platform itself.
How does your digital forensics solution work for you?
What is the value of its data? Also, how often does your forensics team become bogged down with opportunistic threats versus collecting persistent threat information in near real time?
Security Management Tools
Security management tools have the largest market share. These include asset management tools, file monitoring, and corporate-based security solutions that monitor each client via a running agent.
These solutions have been receiving less and less attention over the past five or six years, but are still in use today. They are similar to other security agents you have running on your system (such as antivirus agents), but their value is in notifying you when unapproved applications or packages are installed. They can also monitor attempts to alter specific files and perform regular integrity checking of known “benign” files for any changes that would imply alteration by unapproved actions.
In order for these tools to function properly, they must run with escalated or administrative privileges. While this provides the tool with the greatest ability to monitor the state of your systems, it also has a downside. If an attacker determined how to compromise the agent, or compromise the server to which it reports, the persistent threat just created another avenue of approach into your system. However, these tools can play a part in the attribution game and should not be overlooked as a tool to increase the security posture of your systems.
Things to Think About
Here are some tips on how you could use your security management platform as a force multiplier:
What are some of the most important things to know about your host?
What is currently installed? What was recently installed, and did that application lead to the disabling of the security monitor? Were there any changes made to system files? If so, which ones? (This can lead to identifying the threat’s level of intelligence.)
Are heartbeats set up for your monitors?
They should be. Heartbeats generate noise in logs and network detection systems, and rather than tuning the IDS and intrusion prevention system (IPS) for this traffic or managing the logs properly, administrators generally disable the feature, giving up the earliest sign that an agent has stopped reporting.
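The two checks described above, file integrity monitoring of known-good files and watching for agents that stop sending heartbeats, as an added example that is not from the book. The file names, host names and heartbeat log format are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timedelta

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def build_baseline(paths):  # hash each file while the host is known good
    return {p: sha256_file(p) for p in paths}

def check_integrity(baseline):
    """Re-hash baselined files; return (modified, missing) file names."""
    modified, missing = [], []
    for path, digest in baseline.items():
        if not os.path.exists(path):
            missing.append(os.path.basename(path))
        elif sha256_file(path) != digest:
            modified.append(os.path.basename(path))
    return sorted(modified), sorted(missing)

def silent_agents(log_text, now_iso, max_silence_minutes):
    """Hosts whose newest '<ISO time> <host> agent HEARTBEAT' line is too old."""
    now, last_seen = datetime.fromisoformat(now_iso), {}
    for line in log_text.splitlines():
        ts, host = line.split()[:2]
        last_seen[host] = max(datetime.fromisoformat(ts), last_seen.get(host, datetime.min))
    limit = timedelta(minutes=max_silence_minutes)
    return sorted(h for h, t in last_seen.items() if now - t > limit)

# Constructed sample log (hypothetical agent format): ws-017 stops reporting after 10:00.
HEARTBEAT_LOG = """\
2013-01-15T10:00:00 ws-042 agent HEARTBEAT
2013-01-15T10:00:00 ws-017 agent HEARTBEAT
2013-01-15T10:05:00 ws-042 agent HEARTBEAT
2013-01-15T10:10:00 ws-042 agent HEARTBEAT
"""

def demo_integrity():  # baseline three constructed files, alter one, delete one
    with tempfile.TemporaryDirectory() as d:
        paths = [os.path.join(d, n) for n in ("hosts", "sshd_config", "agent.conf")]
        for p in paths:
            open(p, "w").close()
        baseline = build_baseline(paths)
        with open(paths[1], "a") as f:
            f.write("PermitRootLogin yes\n")  # an unapproved change
        os.remove(paths[2])                   # agent config removed
        return check_integrity(baseline)
```

In practice the baseline digests must be stored off the host (on the management server), since an agent that can be disabled can also have its local baseline rewritten.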
What level of privileges do your users have?
Ensure your users do not have administrative privileges and cannot elevate their own account permissions. An account that has been elevated should be one of the initial indicators of unauthorized activity.
What are you monitoring with your security agent?
There are many styles of employee handbooks. You should ensure that your employees understand and sign an employee agreement that states work computers are for work and work only, and any other use is subject to company scrutiny.
Network-Based Tools
Network-based tools are the more interesting of the two security focus areas and the most actionable. Over the past decade, crimeware has evolved into a kind of tsunami that just bears down on anyone connected to the Internet every day.
Two types of network-based tools are useful:
Firewalls