APTs, Advanced Persistent Threats, are the anti-script-kiddies approach to
penetrating an environment. Can static rule-based correlation catch these?
APT Attackers Love Correlation Environments
You remember that "False Sense of Security," the feeling that you are secure,
but in fact you're not...?
Attackers know that an attack is a process, it is not an event. And they use
this - and they use time - to their advantage. They use time scales that
static rule-based correlation simply cannot cope with.
If you want to correlate disparate events, you need to keep state information
on these events, and of course the longer you need to keep the state, the
more expensive it becomes, expensive in RAM, CPU, storage etc etc., to the
point where it is not affordable anymore.
Did you know that many/most static rule-based correlation engines cannot keep
state for more than a few mi... (more)
This week let's review why logs are such a popular and powerful tool when
performing forensics, and how to insure that investigators are working from a
clean stream of data.
Logs used in forensics have several distinct advantages.
First, logs can be used not only to solve the IT crime, but also as evidence
in a court of law, provided that they have been properly managed.
Second, logs are widely available. Logs have been around for the past 25
years and today all electronic equipments are capable of generating logs.
Third, best practices for log management are mature, all system adm... (more)
Performance Tolls - Why you cannot correlate 100% of your logs...?
Compounding the combinatory explosion in the number of static-based
correlation rules, it is impossible to correlate 100% of all your logs, it is
just too expensive and not practical. Read on...
A correlation engine works really hard, even when dealing with a limited set
Each scenario requires lots of rules and exceptions, and most of these rules
need to be interpreted further as dozen, if not hundred of simple checks and
tests. For example, you may want to flag loops with a simple rule such as "IP
During these past few weeks, we have looked at several reasons why a static
rule based correlation is not the "SOC in a Box", end-all be all that many
thought it was.
Indeed what to think about a "solution" that:
Can only address a very limited set of attack scenarios Requires meticulous
consideration on how to map out the few selected attack scenarios Doesn't
guarantee you to catch attacks in progress even when one of the few selected
scenario is taking place Obliges you to think of minute details to slightly
reduce false positives Yields hundreds and thousands of basic correlat... (more)
Catching fraud rings and stopping them before they cause damage is a
challenge. One reason for the challenge is that traditional methods of fraud
detection are either not geared to look for the right thing: in this case,
the rings created by shared identifiers. Standard instruments-such as a
deviation from normal purchasing patterns- use discrete data and not
connections. Discrete methods are useful for catching fraudsters acting
alone, but they fall short in their ability to detect rings. Further, many
such methods are prone to false positives, which creates undesired side