I am a big believer in empirical evidence and I’d like to share a recent hunting experience I had on an engineering shadow system (a system deployed at a customer site, but used for engineering field test). In my recent blog post, ‘Investigation at the speed of thought,’ I talked a little bit about ‘hunting’ for threats. Hunting allows a more proactive approach to identifying threats that may pose a significant business risk, using visualization of threat indicators over time to allow an analyst to establish patterns in activity that might otherwise have gone undetected.
Hunting is one of the use-cases for Arbor Security Analytics (SA) and I spend some of the more enjoyable parts of my week utilizing engineering shadow deployments of Arbor SA so that I can maintain some practical experience. If you have never seen or used Arbor SA, it is all about providing the analyst with the tools they need to speed up event triage, incident investigation and hunting. Arbor SA provides trending information on key metrics such as new attack types, new destinations of attack, new sources of attack etc., seen on a network. When I log in to a shadow system, this is where I usually start my journey.
Sometimes there is nothing to see, but occasionally there is.
On this particular occasion, I saw a new ATLAS Intelligence Feed event being flagged within the New Attacks data, indicating a Fake AV download for a particular host. ATLAS Intelligence Feed data is derived from research undertaken by ASERT and is very high-fidelity, and thus I usually take notice of these kinds of events. Arbor SA really comes into its own when you are trying to investigate something like this, as it has tremendously powerful filtering which facilitates investigation at the speed of thought.
In this instance, I narrowed my view of the data to only looking for this event, and then pivoted my filter around the source address carrying out the download (all in a few seconds). I then looked at the activity of the host in the week prior to the Fake AV download, and in the few days after and quickly identified a big change.
Immediately after the Fake AV download, I saw other events being detected for malware check-in. Arbor SA allows the user to drill all the way down to layer-7 metadata for detected events, and the metadata for this HTTP activity showed some very suspicious URLs being used. It was also apparent that an unusual HTTP User-Agent had started being generated by the host in some of its communications at this point, and again by looking at the metadata we could see other suspicious activity. A couple of hours after that the host started to communicate regularly with a known Botnet command & control, again flagged by a series of ATLAS events. We notified the host organization for the shadow deployment and they confirmed that one of their machines had been compromised, despite AV etc…
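The pivot described above (trigger event, then source host, then baseline week versus the days after) can be expressed as a small script over event records. This is an added example, not Arbor SA code or an Arbor SA API; the event fields, hosts, destinations and User-Agents are constructed for illustration.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# Constructed sample events (hypothetical, not Arbor SA data):
# timestamp, source host, destination, event label, HTTP User-Agent.
Event = namedtuple("Event", "ts src dst label ua")
EVENTS = [
    Event(datetime(2014, 3, 4, 9, 0), "10.0.0.5", "intranet.example", "web", "Mozilla/5.0"),
    Event(datetime(2014, 3, 5, 14, 2), "10.0.0.5", "cdn.example", "web", "Mozilla/5.0"),
    Event(datetime(2014, 3, 10, 11, 15), "10.0.0.5", "198.51.100.7", "fake-av-download", "Mozilla/5.0"),
    Event(datetime(2014, 3, 10, 11, 16), "10.0.0.5", "198.51.100.7", "malware-checkin", "Mozilla/4.0 (compatible; MSIE 6.0)"),
    Event(datetime(2014, 3, 10, 13, 30), "10.0.0.5", "203.0.113.9", "botnet-c2", "Mozilla/4.0 (compatible; MSIE 6.0)"),
    Event(datetime(2014, 3, 10, 12, 0), "10.0.0.6", "cdn.example", "web", "Mozilla/5.0"),
]

def pivot_on_host(events, trigger_label, before=timedelta(days=7), after=timedelta(days=3)):
    """Find each host's first trigger event, then contrast that host's activity in the
    window before the trigger with the window after it.  Returns, per flagged host,
    the trigger time, the destinations and User-Agents never seen in the baseline,
    and the post-trigger timeline in chronological order."""
    results = {}
    for trig in sorted(events, key=lambda e: e.ts):
        if trig.label != trigger_label or trig.src in results:
            continue
        host_events = [e for e in events if e.src == trig.src]
        baseline = [e for e in host_events if trig.ts - before <= e.ts < trig.ts]
        post = sorted((e for e in host_events if trig.ts <= e.ts <= trig.ts + after),
                      key=lambda e: e.ts)
        seen_dst = {e.dst for e in baseline}   # what the host normally talks to
        seen_ua = {e.ua for e in baseline}     # what the host normally looks like
        results[trig.src] = {
            "trigger_at": trig.ts,
            "new_destinations": sorted({e.dst for e in post} - seen_dst),
            "new_user_agents": sorted({e.ua for e in post} - seen_ua),
            "timeline": [(e.ts.isoformat(), e.label, e.dst) for e in post],
        }
    return results

if __name__ == "__main__":
    for host, r in pivot_on_host(EVENTS, "fake-av-download").items():
        print(host, r["trigger_at"], r["new_user_agents"], r["new_destinations"])
        for row in r["timeline"]:
            print("  ", *row)
```

A new User-Agent or destination appearing only after the trigger is the cue to drill into the layer-7 metadata for those flows, as the post does.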
The whole process of identifying the host, and tracking its activity through compromise took around 7 minutes – and this speed is the true value of Arbor SA from a business perspective. From a personal point of view, the whole process is hugely engaging if you are a security professional. Having the ability to quickly and easily explore data and follow hunches really can allow you to identify threats that would otherwise have gone undetected – and it’s fun!
The post Engaging Security appeared first on Arbor Insights - Our People, Products and Perspective.