Threat Intelligence is Dead

Chris McNab
AlphaSOC
Apr 27, 2018

Long live security analytics!

At AlphaSOC we process network traffic to uncover compromised systems without relying on threat intelligence or indicators of compromise (IOCs). The rationale is that emerging threats without signatures are far more dangerous to our customers than off-the-shelf Trojans that are already known to antivirus, content filters, and other tooling.

In this post, I describe the current state of affairs within many enterprises, and outline the way in which security teams are significantly improving the efficacy of their operations by increasing visibility and fidelity, and reducing unnecessary costs (e.g. hardware, software, API keys, and people).

The Status Quo

Incumbent vendors have maintained a status quo within the security market. Over recent years, CISOs have been forced to make multiple investments to operate an in-house security operations capability, including:

  • Security apparatus (network sensors, appliances, and alert sources)
  • Data aggregation and storage software (e.g. Splunk, Elasticsearch)
  • SIEM software (e.g. Splunk ES, IBM QRadar, AlienVault USM)
  • API keys for data enrichment (e.g. WHOIS, VirusTotal)
  • API keys for threat intelligence feeds (e.g. Anomali)
  • Hardware to support the data aggregation, storage, and processing
  • People to deploy, configure, maintain, and operate all of the above!

The flow of alert data from the security apparatus, through the SOC, and out to the orchestration and ticketing components is summarized below.

The SOC, as highlighted in orange, has a critical purpose: to provide a complete picture of the current threats posed, which are then dealt with (via the gray boxes to the right) to maintain the integrity of the environment.

Reliance on threat feeds and signatures however introduces gaps in visibility and erroneous alerts. Many anomalies simply cannot be identified using one-dimensional correlation with IOC lists, including:

  • DNS tunneling and data exfiltration
  • Phishing attacks using Unicode homoglyphs
  • Infected hosts using contemporary DGA algorithms
  • Infected hosts beaconing to unknown C2 destinations
  • Suspicious request clusters indicating infection (e.g. dynamic DNS traffic)

False positives are generated by products using both threat feeds and basic analytics tools (e.g. the Splunk Machine Learning Toolkit). Inaccurate DNS tunneling and DGA alerts, for example, are commonplace because advertisers and CDN operators increasingly use perplexing labels within their domains.

SIEM products lack the context and processing power to differentiate good from bad and provide an accurate picture of the threats posed to an environment.

Benchmarking your SOC

You can measure the efficacy of your SIEM and SOC with regard to flagging new C2 destinations, DGA traffic, DNS tunneling, and other threats, by using Network Flight Simulator to generate malicious network traffic, as below.

Increasing Visibility with Analytics

To fill the gaps in coverage and alert upon emerging threats and anomalies, security teams use the AlphaSOC Analytics Engine to process network traffic. Most users consume our cloud service which is run in a secure enclave, and we provide a Linux package for on-premise deployment to the others.

The engine exposes an API which receives and processes network telemetry from our Splunk apps or Network Flight Recorder, as demonstrated below.

NFR is a lightweight open-source utility that allows us to gather data from disk for processing (e.g. Bro IDS, Suricata, Microsoft DNS, or BIND logs) or monitor a network interface to run as a traditional sensor on a mirrored port.

The AlphaSOC Analytics Engine performs a lot of heavy lifting, e.g.

  • Analysis of individual labels within each FQDN to identify anomalies
  • Time series analysis to identify beaconing and suspicious patterns
  • Retrieval of WHOIS data for each domain
  • Retrieval of reputation data for each FQDN (e.g. VirusTotal scores)
  • Generation of threats based on analysis of the above elements

Known good (benign) and known bad (malicious) categories are assigned and corresponding alerts generated. The remaining unknown items are inspected further to identify suspicious traffic patterns, as demonstrated below.

Through gathering reputation data, querying WHOIS, and evaluating the domains and IP addresses that flow through the system, we suppress false positives and errors that have plagued SOC analysts in the past. Every high- and critical-severity issue we flag via the cloud service is manually reviewed to minimize errors and provide actionable alerts to users.

Threat Hunting Benefits

Within high-assurance environments that are largely quiet, the sensitivity of the analytics means that individual requests to odd destinations are flagged (e.g. a new request to a dynamic DNS provider domain). Teams can use this material to actively hunt threats starting from suspicious weak signals, as below.

Anomalies of particular interest may include:

  • Unknown dynamic DNS provider traffic
  • Traffic to new hosting provider and VPS domains
  • DNS requests with regular timing deltas (beaconing) to uncommon TLDs
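As an added illustration (not AlphaSOC's code and not from the original post), the following Python implements the last anomaly above, DNS requests with near-constant timing deltas to an uncommon TLD, over constructed DNS log lines; the log format, the common-TLD allowlist and the jitter threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample DNS log lines ("<ISO time> <client> <query>"); hypothetical
# format and data, not taken from the original post.
SAMPLE_DNS_LOG = """\
2018-04-27T10:00:00 10.1.2.3 www.example.com
2018-04-27T10:00:00 10.1.2.3 update.xk7a9.xyz
2018-04-27T10:05:00 10.1.2.3 update.xk7a9.xyz
2018-04-27T10:10:01 10.1.2.3 update.xk7a9.xyz
2018-04-27T10:14:59 10.1.2.3 update.xk7a9.xyz
2018-04-27T10:20:00 10.1.2.3 update.xk7a9.xyz
2018-04-27T10:03:17 10.1.2.4 cdn.example.net
2018-04-27T10:09:42 10.1.2.4 cdn.example.net
2018-04-27T10:10:05 10.1.2.4 cdn.example.net
2018-04-27T10:31:50 10.1.2.4 cdn.example.net
2018-04-27T10:48:00 10.1.2.4 cdn.example.net
"""

# Assumed allowlist of TLDs considered common; tune per environment.
COMMON_TLDS = {"com", "net", "org", "edu", "gov"}

def registered_domain(fqdn):
    """Last two labels of a query, e.g. a.b.example.com -> example.com."""
    return ".".join(fqdn.lower().rstrip(".").split(".")[-2:])

def find_beacons(log_text, min_requests=5, max_cv=0.1):
    """Map (client, domain) -> stats for pairs whose inter-request deltas are nearly
    constant (coefficient of variation <= max_cv) and whose TLD is not common."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        ts, client, query = line.split()
        times[(client, registered_domain(query))].append(datetime.fromisoformat(ts))
    beacons = {}
    for key, stamps in times.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(deltas)
        if avg == 0:        # duplicate timestamps only; nothing to measure
            continue
        cv = pstdev(deltas) / avg   # jitter relative to the mean interval
        tld = key[1].rsplit(".", 1)[-1]
        if cv <= max_cv and tld not in COMMON_TLDS:
            beacons[key] = {"interval_s": round(avg), "cv": round(cv, 3), "count": len(stamps)}
    return beacons
```

Calling `find_beacons(SAMPLE_DNS_LOG)` flags only the five-minute pattern from 10.1.2.3 to xk7a9.xyz; the irregular CDN traffic on a common TLD is left alone.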

Identifying Targeted Phishing Threats

Determined attackers (including red teams and state-sponsored actors) increasingly use homoglyphs and transpositions to set up domains used within phishing campaigns. Additional context allows us to identify a valid attack versus a typo or mistake on the user’s part.

AlphaSOC recently reported gitthub.io to GitHub upon finding traffic to the domain (which was live, with a Let’s Encrypt X.509 certificate) within a customer network, as below. We use the analytics engine to flag Unicode homoglyphs and other brand impersonation attacks.
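An added example, not AlphaSOC's engine or code from the post, of the typo, transposition and homoglyph checks described here, applied to a protected-brand list: the gitthub.io case above is a one-character insertion, while a Cyrillic "а" in paypal (raw or in its punycode form xn--pypal-4ve) is a homoglyph. The brand list, the look-alike table and the distance threshold are assumptions.

```python
import unicodedata

# Assumed brand list: brand label -> registered domains the brand legitimately owns.
PROTECTED = {"github": {"github.com", "github.io"}, "paypal": {"paypal.com"}}

# Small hand-picked look-alike table (assumed, far from exhaustive): Cyrillic a, e, o,
# p, c, x, Latin script g, dotless i, and the digits commonly swapped for o and l.
HOMOGLYPHS = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
              "\u0445": "x", "\u0261": "g", "\u0131": "i", "0": "o", "1": "l"}

def normalize_label(label):
    """Decode punycode, fold Unicode compatibility forms, then map look-alikes to ASCII."""
    if label.startswith("xn--"):
        label = label[4:].encode("ascii").decode("punycode")
    label = unicodedata.normalize("NFKC", label).lower()
    return "".join(HOMOGLYPHS.get(ch, ch) for ch in label)

def damerau_distance(a, b):
    """Optimal string alignment distance: substitution, insertion, deletion, transposition."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # adjacent transposition
    return d[len(a)][len(b)]

def classify_domain(fqdn, max_distance=1):
    """Return (brand, reason) when the registered domain impersonates a protected brand,
    or None for brand-owned domains and unrelated names."""
    labels = fqdn.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    registered, sld = ".".join(labels[-2:]), labels[-2]
    if any(registered in owned for owned in PROTECTED.values()):
        return None
    folded = normalize_label(sld)
    for brand in PROTECTED:
        if folded == brand:
            return (brand, "homoglyph" if sld != brand else "unowned-tld")
        if damerau_distance(folded, brand) <= max_distance:
            return (brand, "typo-or-transposition")
    return None
```

The check only looks at the second-level label, so a brand name buried in a deeper subdomain (brand.com.evil.example) needs a separate rule.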

Closing Remarks

Upon using Network Flight Simulator to measure the gaps in your visibility, you can in turn leverage security analytics to increase coverage and generate accurate alerts for triage and resolution.

The common use cases and coverage gaps that we fill include:

  • DNS tunneling and data exfiltration
  • Phishing attacks using homoglyphs (Unicode and others)
  • Infected hosts using contemporary DGA algorithms
  • Infected hosts beaconing to unknown C2 destinations
  • Suspicious traffic patterns indicating infection (e.g. dynamic DNS events)

As the integrity of a network improves through iteratively resolving the high-severity alerts, the security team can start to actively hunt threats by focusing on the remaining low-severity anomalies and weaker signals within the data.

Author of Network Security Assessment (O’Reilly Media) and co-founder of AlphaSOC, Inc.