Happy New Year!
2020 was quite a year. I am, of course, speaking about the amazing examples of using AI to detect and prevent cyberattacks.
In all seriousness, despite the pandemic, I was pleased to see more live deployments and of AI in SOC environments. No longer just a theoretical vision, properly implemented AI can really detect patterns of attack that would otherwise go undetected through traditional means. Products like ArcSight Intelligence (previously known as Interset) can dramatically improve the efficiency of your human team, by automatically analyzing large volumes of security data and pinpoint the most suspicious areas. The AI in ArcSight Intelligence works by automatically learning normal behavior of all machines, processes and users in your environment, and then continuously and automatically looking for threatening combination of anomalous behaviors that are then surfaced to your SOC team for investigation. This technology effectively turns a large volume of data into a short list of high-quality leads.
ArcSight Intelligence generated a number of successful detections for our customers in 2020, and I wanted to highlight a few of them here.
Active attempts to crack the Linux shadow password file
The victim company is in the defense, space and military space.
ArcSight Intelligence detected processes being executed by a privileged Linux account that were unusual for that specific account, including the use of usermod, gpasswd and perl, followed by unusual use of telnet on the LDAP and POP3 ports, and surfaced this account and its behaviors for immediate investigation. Examination of the command line history confirmed that the user was cracking the shadow password file, and testing the login and email credentials using telnet.
After confirming by the security team that this was not activity from their red team, this was immediately escalated.
Privilege escalation on the domain controller with help from legumes
The victim company is a consultant firm for the military, with several hundred employees.
ArcSight Intelligence detected an unusual tool being executed on a regular account, which was subsequently identified as juicy-potato, followed by unusual login failures and an unusual successful connection to the domain controller for that victim account, ending with a successful privilege escalation to become the domain administrator. The security team confirmed that this was not red team activity, and immediately escalated.
Detecting malware attempting to setup a C2 channel with an anonymizing proxy
The victim company is a large software vendor with several hundred employees.
By analyzing endpoint data from all its employees, ArcSight Intelligence singled out one employee’s machine that was observed running winhost.exe (a typical malware artifact) in an unusual way, an unusual process known as lantern (an anonymizing proxy), followed by the routing of all network traffic through the anonymizing proxy. Also detected for this employee were multiple processes that were unusual for this user, which were the result of the malicious script: the use of find.exe to determine the machine’s configuration, and use of rdp.exe, crashrpt.exe and netsh.exe.
Subsequent investigation confirmed that this employee is not in R&D and that the detected behaviors were indeed all very unusual for this user’s machine. Further investigation confirmed the installation of the C2 software via a dropper.
Stopping an attack on the Splunk server before it is too late
The victim company is a high-tech software company with several hundred employees.
ArcSight Intelligence detected the launch of PowerShell on a systems account on a privileged server machine, which was running Splunk. While it is normal for developers and administrators at this company to use PowerShell, the AI surfaced the risk of this behavior because it had learned that it was extremely unusual for PowerShell to be executed on this machine, by this account.
Investigation showed that the PowerShell was used with obfuscated command line arguments to assemble files together and ultimately form a single *.exe. The security team was also able to confirm that this was not part of Splunk or expected behavior. Only the assembly and initial infection was evidenced; no detonation appeared to have happened, so knowledge of the final goal of the assembled executable is pending further investigation, along with determining how access to the system account credentials were obtained.
Finding cryptominers using anomaly detection
The victim company is a global internet retailer with thousands of distributed employees.
ArcSight Intelligence surfaced anomalous process behaviors on one employee’s machine, including an unusual process (which upon investigation was performing cryptomining operations) and, comically, the Intel thermal management program (which was aggressively trying to cool the machine down from the cryptominer’s CPU impact). Investigation of the raw events around the time frame highlighted by the analytics showed that the employee had downloaded a free Bitcoin wallet on their work machine, and the software had included an undisclosed cryptopminer within it.
The application was removed from the employee machine immediately.
Uncovering the sneakiest of insider threats stealing data
ArcSight Intelligence’s sweet spot is in insider threat and compromised accounts, because many times when an insider behaves differently compared to their past or compared others, it can be worth investigation. There were many data exfiltration attempts that our AI detected in 2020, but the most interesting example for me is the insider who was very technical and, in an attempt to defeat the standard rules-based detectors, used disk partitioning tools to obfuscate the files and mask his behaviors before trying to exfiltrate the information off his hard drive. However, even though all the tools he used snuck past standard security mechanisms, his behaviors were so unusual (unusual use of disk partitioning tools, for example) that it was immediately surfaced to the threat hunting team by ArcSight Intelligence.
Catching bad guys with math in 2021
2020 has taken everything that a SOC team already has to do and made it harder than ever before. Users are all working from home, computer environments are more diverse than ever before, and visibility into the network is no longer possible. And yet incidences like SolarWinds reminds us that adversaries don’t rest.
The good news, however, is that there are tools like AI and anomaly detection that can be very helpful to the SOC team. As a matter of fact, the "2020 State of Security Operations Report" reveals that "To Improve Detection of Advanced Threats" was the top reason for using AI. Environments may be unpredictable, but suspicious events associated with attacks are predictable. And, like adversaries, math doesn’t rest either. Properly implemented AI can be running 24/7 in your environment looking for clues to help your SOC and threat hunting team focus in high-risk areas more effectively. As hopefully my examples above highlight, this approach can be very powerful at helping 2021 a better year, at least from a security perspective, than 2020.
Have technical questions about Security Operations? Join our Community. Have technical questions about Security Operations? Visit the ArcSight User Discussion Forum. Keep up with the latest Tips & Info about Security Operations. Do you have an Idea or Product Enhancement Request about ArcSight? Submit it in the Idea Exchange. We’d love to hear your thoughts on this blog. Log in or register to comment below.