It is a perennial problem that cyber-criminals are ahead of the security measures deployed against them. Your own data can be used effectively to hit the Achilles' heel of the attacker. As the sophistication of attacks grows with time, so must the traditional methods of security. Threat detection systems based on signatures, file checksums or blacklisted URLs are all passé.
So, what needs to be done?
Build A Strategy
It is important to understand the landscape where the security measure is being deployed. Clinging to the huge data stack an organization might have without understanding what is crucial and what is not is rather foolish; you would simply end up wasting resources on it. Whenever an attacker lands on a system, a pattern can be established that algorithmically follows all parts of the attack.
So, knowing the data, its nature, the industry landscape and the organization's priorities before starting is strongly recommended.
Playing with the data
The good news is that machines are very efficient recorders of time-stamped events and metadata about just about everything that has happened on the computer since it was first built. There is a plethora of information about files being created, modified and accessed, user accounts being created, logged in or used, when programs were executed and by whom, and much more.
We are looking at this time-stamped metadata. The idea is to collect it efficiently and then ask the right questions of the organized data. The data coming from all the machines on the network matters; asking the right questions can lead us to any malicious activity in the system.
Anatomy of an attack
A very common tactic used by attackers is to exploit software running on the endpoint. Web browsers, browser plug-ins and media documents provide the most common targets for exploitation. Users are booby-trapped after they click on a malicious link, and the attacker gains a foothold on the system. It's like opening the gate for a thief to enter the house.
The attack is designed to render the system unstable and crash it. Once a process crashes, all code associated with it ceases execution.
This provides an opportunity for the attacker to detonate the "payload" code and hold the system hostage.
When an exploit detonates, this is what happens:
Now, using the details recorded, we can safely predict the attack pattern: the attacker needs to establish a persistent foothold on the computer in the window between the time the exploit triggers and the time the process crashes.
This analysis looks at the events that happened just before the crash occurred. The security analyst now has root-cause data to analyze, coming from the crash reports recorded by the Windows OS. He can check whether the compromised user account is in use on other computers in the network as an indication of lateral movement, and then restrict the user account or change the account password. He can also examine the network connections.