Detect Campaigns - Not Attack Traffic

Wesley Belleman
May 16 · 3 min read

In 2011, Rohan Amin and two of his colleagues at Lockheed Martin released a paper on the intrusion kill chain. Today, he is the Chief Information Officer for JP Morgan Chase, but this accomplishment pales in comparison with the impact of the intrusion kill chain. The kill chain, now often called the “cyber kill chain” propagated into every cyber professional’s toolkit and morphed into the famous, widely used MITRE ATT&CK Matrix. The idea is intuitive, but clever. An attacker needs to chain together a series of actions in order to successfully execute an attack on your network. If you can disrupt any of these actions quickly enough, the attacker will fail.

Security operations centers all over the world are clinging to the MITRE ATT&CK Matrix as a means to detect and disrupt their adversaries. SOC engineers go through each of the fourteen steps in the kill chain and create signatures for each attack technique. They push these signatures to their various network and endpoint sensors and follow up on the activity when a signature is matched. It works great... until it doesn't.

All detection signatures are imperfect. Those writing the signatures work hard to make sure that they accurately capture malicious activity. The authors are not the problem — the technique is. Any signature has a certain sensitivity and a certain specificity, and the two trade off against each other: a security engineer can write a signature with higher sensitivity, lowering false negatives, but that also raises false positives. Engineers must expand their toolkit in order to improve both sensitivity and specificity at once.

Engineers must use data hydration to solve this issue. As campaigns progress, a security operations system should collect information related to a campaign into a data object. The import of data into these objects is called data hydration. The engineer must determine how best to generate these objects; one might start with network flows. If the engineer has any influence over system development, keys can persist through the lifecycle of an interaction. For example, the web server can generate a key when communicating with the client browser; the web server then adds that key to the database request which populates fields in the delivered web page. This way, if the attacker is pivoting to the database through the web server, security operators will see these connected actions in a single object.

The use of data objects also enables correlation across multiple sensors. In the above example, network, host, and service sensors will all log the connection from the user to the web server and also from the web server to the database. The security operations system should import these disparate log entries into a single object which characterizes the interaction. The correlation of logs across multiple domains comprises the detection piece of extended detection and response (XDR).

Although no scheme will perfectly compile campaigns into a data object, data hydration will create visibility across multiple steps of the cyber kill chain. The security operations system may then adjust risk scores based on detection of a campaign. This architecture focuses your analysts on addressing true threats rather than closing out false positives.
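The three preceding paragraphs describe one procedure: mint a key at the web tier, forward it to the database request, fold every sensor's records that carry the key into one interaction object, and raise that object's risk score when it shows evidence from more than one kill-chain stage. The following is an added example of that procedure, not code from the original post or from any product; the record layouts, sensor names, signature names and risk weights are assumptions constructed for illustration.

```python
"""Data hydration: fold records from several sensors into one object per
interaction, keyed on a request key the web tier minted and forwarded to the
database tier, then raise the object's risk when it spans kill-chain stages.

Added example, not code from the original post. Record formats, signature
names and weights are assumptions constructed for illustration."""
import secrets
from dataclasses import dataclass, field


def mint_key() -> str:
    """Web tier generates a per-request key when a client connection arrives."""
    return secrets.token_hex(4)


def tag_db_request(rk: str, sql: str) -> dict:
    """Web tier attaches the same key to the database request it issues, so the
    database-side sensor logs it next to the query (assumed wire format)."""
    return {"rk": rk, "sql": sql}


# Constructed sample records from four sensor types (not real sensor output).
# Interaction 7f3a: client -> web01 -> database, every tier carrying rk=7f3a.
# Interaction 9c01: a second client that only touched the web tier.
# The last record carries no key and cannot be tied to an interaction.
SAMPLE_LOGS = [
    {"sensor": "netflow", "src": "203.0.113.5", "dst": "10.0.1.10", "dport": 443, "rk": "7f3a"},
    {"sensor": "webserver", "client": "203.0.113.5", "path": "/search", "rk": "7f3a", "sig": "sqli_probe"},
    {"sensor": "host", "hostname": "web01", "proc": "httpd", "rk": "7f3a"},
    {"sensor": "netflow", "src": "10.0.1.10", "dst": "10.0.2.20", "dport": 5432, "rk": "7f3a"},
    {"sensor": "dbproxy", "db": "orders", "rk": "7f3a", "sig": "bulk_row_read"},
    {"sensor": "netflow", "src": "198.51.100.7", "dst": "10.0.1.10", "dport": 443, "rk": "9c01"},
    {"sensor": "webserver", "client": "198.51.100.7", "path": "/search", "rk": "9c01", "sig": "sqli_probe"},
    {"sensor": "netflow", "src": "10.0.3.3", "dst": "10.0.1.10", "dport": 22},
]

# Assumed signature weights and the kill-chain stage each signature evidences.
SIGNATURE_WEIGHTS = {
    "sqli_probe": (20, "exploitation"),
    "bulk_row_read": (40, "actions_on_objectives"),
}


@dataclass
class Interaction:
    key: str
    events: list = field(default_factory=list)
    sensors: set = field(default_factory=set)
    stages: set = field(default_factory=set)
    risk: int = 0


def hydrate(logs: list) -> dict:
    """Group records by request key into Interaction objects and score them."""
    objs: dict = {}
    for rec in logs:
        rk = rec.get("rk")
        if rk is None:
            continue  # no key: leave for coarser correlation (e.g. by flow tuple)
        obj = objs.setdefault(rk, Interaction(key=rk))
        obj.events.append(rec)
        obj.sensors.add(rec["sensor"])
        sig = rec.get("sig")
        if sig in SIGNATURE_WEIGHTS:
            weight, stage = SIGNATURE_WEIGHTS[sig]
            obj.risk += weight
            obj.stages.add(stage)
    for obj in objs.values():
        # Campaign bonus: matches from more than one kill-chain stage inside the
        # same interaction are far less likely to be a lone false positive.
        if len(obj.stages) > 1:
            obj.risk *= 2
    return objs


def prioritize(objs: dict) -> list:
    """Return interaction keys ordered by descending risk for analyst triage."""
    return [o.key for o in sorted(objs.values(), key=lambda o: o.risk, reverse=True)]


if __name__ == "__main__":
    hydrated = hydrate(SAMPLE_LOGS)
    for key in prioritize(hydrated):
        o = hydrated[key]
        print(key, o.risk, sorted(o.sensors), sorted(o.stages))
```

With these inputs the fully hydrated interaction (7f3a) scores 120 because its web-tier and database-tier matches land in two different stages, while the lone web-tier match (9c01) stays at 20; the analyst queue therefore leads with the multi-stage object. The keyless record is deliberately left out of every object rather than guessed into one, which is where a coarser correlator (flow tuple, host, time window) would take over.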

Nerd For Tech

From Confusion to Clarification

Nerd For Tech

NFT is an Educational Media House. Our mission is to bring the invaluable knowledge and experiences of experts from all over the world to the novice. To know more about us, visit https://www.nerdfortech.org/. Don’t forget to check out Ask-NFT, a mentorship ecosystem we’ve started

Written by Wesley Belleman

I write about computer science, computer security, and cyber policy.
