How Endpoint Detection and Response gave rise to Threat Hunting

Rather than reactively responding to malware threats, our security analysts are actively engaging in Threat Hunting looking for new threats.

Panda Security, Sep 24, 2019

In the past, a signature-based cybersecurity solution could be relied on to protect your organization against malware, with updates being posted to you on a floppy disk each month. Signature-based solutions are very efficient and accurate at spotting known malware.

Signature detection was sufficient until polymorphic techniques (compression and encryption) increased the proliferation of malware, meaning signatures alone were no longer enough. With around 300,000 new malware samples being detected at PandaLabs every day, more was needed.

Heuristics (guessing whether a file looks like a variant of known malware) and local behavior analysis (sandboxing) are able to identify variants of known malware. However, these techniques are less accurate and more resource intensive on the local device.

Suspicious files need to be evaluated by IT staff to ensure no malicious files are allowed or, sometimes worse, a legitimate file is quarantined [false positive], potentially disabling the system. Anything not identified as malware or suspicious is allowed to run, despite being unclassified. This is a huge risk.

These traditional solutions struggle with unknown zero-day threats because of their isolated view of activity and limited local resources. This has led to another cybersecurity approach: the simple idea of 100% classification, where no process is allowed to run until it has been verified as goodware, a 100% attestation service.

All the unknowns are analyzed and classified prior to letting them run, and all suspicious files are actively classified as either malware, or goodware – all as a service. How does this happen?

Panda Security develops a new paradigm

Starting in 2010, Panda Security spent 5 years developing a system from the ground up to incorporate our knowledge of both malware and goodware, and harness the power of machine learning to classify all new executable files. This solution became Panda Adaptive Defense 360.

When we find a process that we don’t know, we send it (only once) to our labs to be classified. In the vast majority of cases (99.998%) this is an automated process at PandaLabs. For the small remainder, we have a team of security analysts who manually inspect and classify the file, creating rules for the continuous improvement of our automatic detections.

The value of this 100% attestation virtuous circle was confirmed by the Technical Director of PandaLabs, who stated, “File-based malware is under control”. So the risk of file-based malware infection is reduced to zero (well, almost; there is no such thing as 100% security).

This automatic classification has massively reduced the need for manual classification, so what are our experts at PandaLabs doing now?

File-based malware is just one of many attack vectors

When Panda Security started developing the technology to provide 100% classification, back in 2010, it also provided the contextual information needed to recognize and classify a vast array of potentially anomalous activities on endpoints (activities that evade traditional techniques), and to apply remediation actions or trigger alerts if they warranted further investigation.

This type of security solution was named Endpoint Detection and Response in 2013 and was recognized by leading analysts as one of the most significant advancements made by endpoint security vendors. To detect these types of attacks, you need complete visibility of every process occurring on each endpoint.

Video produced by Disruptive Live for Digital Transformation Expo

An active hunt for cyberthreats

Rather than responding reactively to malware threats, our security analysts are actively engaging in Threat Hunting. Using the knowledge gathered through our 30 years of industry experience, they look for new threats, running hypotheses against the data gathered through our EDR solution to check whether those hypotheses hold. Once proven, each new detection technique adds to the hundreds already in place in our automatic Threat Hunting & Investigation Service (THIS).

The automatic rules in THIS cover activity such as:

  • Brute force RDP attacks
  • PowerShell with obfuscated parameters
  • Active Directory interaction
  • Locally compiled programs
  • Documents with macros or internet links
  • Registry modification to run when Windows starts
  • Code injection into legitimate processes. An example of this was included in the most recent Microsoft Patch Tuesday, where Notepad was used to launch a command-line shell with System-level privileges.
  • Application and user profiling, detecting deviations in their execution context to spot anomalies (for example, this user on this machine has never executed this type of tool…)
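As an added illustration (this is not Panda's THIS code), three of the rule types listed above run over constructed endpoint process events: PowerShell with encoded or obfuscated parameters, a registry Run-key modification for persistence, and a user/host profiling deviation against a baseline. Users, hosts and command lines are constructed samples; the regular expressions are simplified hunting heuristics, not a complete rule set.

```python
import base64
import re
from collections import defaultdict
# Constructed sample telemetry (not real data): (user, host, process, command line).
HISTORY = [  # what these accounts have run before; used to build the baseline
    ("alice", "WS01", "winword.exe", "winword.exe /n report.docx"),
    ("alice", "WS01", "outlook.exe", "outlook.exe"),
    ("bob", "SRV02", "reg.exe", "reg query HKLM\\SYSTEM\\CurrentControlSet\\Services\\W32Time"),
]
ENCODED = base64.b64encode("Write-Host hunt".encode("utf-16-le")).decode()
EVENTS = [  # new activity to hunt through
    ("alice", "WS01", "winword.exe", "winword.exe /n memo.docx"),
    ("alice", "WS01", "powershell.exe", "powershell.exe -nop -w hidden -enc " + ENCODED),
    ("bob", "SRV02", "reg.exe",
     "reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v upd /d C:\\Users\\Public\\u.exe"),
]
TOOL_CATEGORY = {"powershell.exe": "scripting", "reg.exe": "registry-tool",
                 "winword.exe": "office", "outlook.exe": "office"}
# -e / -ec / -enc / -encodedcommand followed by a long base64 token.
PS_ENCODED = re.compile(r"(?i)(?:^|\s)-e[a-z]*\s+[A-Za-z0-9+/=]{20,}")
# A write to the per-user or per-machine Run / RunOnce autostart keys.
RUN_KEY = re.compile(r"(?i)\badd\b.*currentversion\\run(?:once)?\b")

def is_obfuscated_powershell(proc, cmd):
    """Encoded commands or heavy backtick/concatenation use hide the real script text."""
    return proc.lower() == "powershell.exe" and (
        bool(PS_ENCODED.search(cmd)) or cmd.count("`") + cmd.count("'+'") >= 5)

def build_baseline(history):
    """Per (user, host): the tool categories that account has already been seen running."""
    baseline = defaultdict(set)
    for user, host, proc, _ in history:
        baseline[(user, host)].add(TOOL_CATEGORY.get(proc.lower(), "other"))
    return baseline

def hunt(baseline, events):
    """Return (user, host, process, [rule names]) for every event that trips a rule."""
    findings = []
    for user, host, proc, cmd in events:
        hits = []
        if is_obfuscated_powershell(proc, cmd):
            hits.append("obfuscated-powershell")
        if RUN_KEY.search(cmd):
            hits.append("run-key-persistence")
        if TOOL_CATEGORY.get(proc.lower(), "other") not in baseline.get((user, host), set()):
            hits.append("profile-deviation")  # first time this user runs this tool type on this host
        if hits:
            findings.append((user, host, proc, hits))
    return findings
```

Calling `hunt(build_baseline(HISTORY), EVENTS)` flags alice's encoded PowerShell on both the obfuscation and the profiling rule, and bob's Run-key write on the persistence rule only, because bob's baseline already includes registry tooling.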

THIS issues alerts to our clients about any anomalous behavior, with support from our technical team on remediation and on increasing cyber-resilience.

If an attacker wants to get onto your network and has enough time and resources, they will eventually succeed. It’s not a matter of IF they can get onto your network but WHEN.

This can occur through numerous methods:

  • Unpatched vulnerabilities
  • Social engineering phishing attacks
  • RDP brute-force attacks
  • Wi-Fi – War-driving your company’s Wi-Fi network or a fake Wi-Fi spot in a coffee shop
  • Malicious USB stick plugged into the computer
  • Weaponised documents—macros or internet enabled content

Once the hacker has established a beachhead there are a number of objectives including:

  • Power—Privilege escalation
  • Persistence—establishing a backdoor for ongoing access
  • Exploration—Target identification
  • Movement—Laterally across network
  • Objective – Data/credential theft or data encryption [ransomware], destruction/denial of service, botnet or cryptomining.

As we have deprived the hacker of file-based malware, these objectives are pursued using Living-off-the-Land (LotL) techniques, in which the hacker uses legitimate software already installed (such as PowerShell and Active Directory) for their own malicious purposes.

Example:

  • Someone receives an email, and the recipient is fooled into “enabling content”, which in fact disables macro security.
  • Once they do that, a script is downloaded, which invokes PowerShell and the Mimikatz exploitation tool to obtain the credentials needed to search the network for their target, in this case data.
  • A search of the network found the required data, and two other legitimate tools, Socat and Tor, were used to transfer and exfiltrate it.
  • In this case, no vulnerability was exploited, no malicious URL was used, and no malicious files were on disk to scan.

Many organizations have a hard time dealing with these Living-off-the-Land attacks, because their traditional defenses are not capable of dealing with them. You need complete visibility, seeing each action in its context, to be able to identify these threats.
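The context the paragraph above calls for is, in practice, process lineage. The following added example (not Panda's code) reconstructs the parent-child chain of the LotL scenario from constructed process-start events and flags every script interpreter, credential or relay tool that has an Office application among its ancestors, while leaving an administrator's PowerShell launched from the desktop alone. Process ids and image names are constructed.

```python
# Constructed process-start events (not real telemetry): (pid, ppid, image name).
PROC_EVENTS = [
    (100, 1, "explorer.exe"),
    (200, 100, "outlook.exe"),
    (300, 200, "winword.exe"),      # attachment opened from the mail client
    (400, 300, "powershell.exe"),   # macro launches the script interpreter
    (500, 400, "mimikatz.exe"),     # credential theft
    (600, 400, "socat.exe"),        # data transfer
    (700, 600, "tor.exe"),          # exfiltration over the anonymity network
    (800, 100, "powershell.exe"),   # an admin opening PowerShell from the desktop: benign
]
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Image-name matching is illustrative only; renamed binaries need hash and behaviour checks.
ROLES = {"powershell.exe": "script-interpreter", "cmd.exe": "shell",
         "mimikatz.exe": "credential-access", "socat.exe": "data-relay",
         "tor.exe": "anonymizing-proxy"}

def lineage(parents, images, pid):
    """Walk ppid links upwards and return the image names root-first."""
    chain, seen = [], set()
    while pid in images and pid not in seen:   # stop at an unknown root or a pid cycle
        seen.add(pid)
        chain.append(images[pid])
        pid = parents[pid]
    return chain[::-1]

def office_spawned_tools(events):
    """Flag every script/shell/credential/relay tool with an Office app among its ancestors."""
    parents = {pid: ppid for pid, ppid, _ in events}
    images = {pid: img.lower() for pid, _, img in events}
    findings = []
    for pid, _, img in events:
        role = ROLES.get(img.lower())
        if role is None:
            continue
        chain = lineage(parents, images, pid)
        if any(ancestor in OFFICE for ancestor in chain[:-1]):
            findings.append((pid, role, " > ".join(chain)))
    return findings
```

No individual event in the chain is malicious on its own; the finding comes from the Office ancestor, which is exactly the context a file scan never sees.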

Recommendations

To keep your organization safe, there are certain vital measures that must be taken. The first is to patch all systems to close any vulnerability that could be used by attackers. The next step is to educate all users about the cyber-risks that the organization faces, and share protocols for dealing with any incident. Protecting personal data is a must in this day and age, given that stealing this vital asset is often one of cyberattackers’ key goals. Finally, all systems must be protected with EDR technology to ensure that all endpoints benefit from the most advanced cybersecurity.