I've seen it splashed on Twitter and Dark Reading this past week: landing a successful zero-day exploit on a network can give an attacker a ten-month lead before detection methods catch up. There is always a lag between an attack and a signature released for it, but maybe ten months is a bit much for most.
You don't have a signature, what now?
Malware differs from other threat vectors, in that well:
There is so much of it.
So we start with that reality, then realize the challenge for zero-day exploits is there are very few of them (at least from a samples perspective). This bothers me less than others: perhaps, because I have worked with Insider Threat detection, where the number of samples is much smaller than anyone is really comfortable working with. In the case of Insider Threat, you take a different approach: look for indicators of risk and follow up when they start to stack up over a particular machine or identity.
I thought it would make a good blog post to list out some of the things a SIEM can do to detect indicators of a zero-day exploit. Let me know in the comments if you'd like to see these worked out specifically for the McAfee SIEM.
Anomalous Traffic Flows
Granted, computers on a network talk to each other a lot. There are packets going out for DNS requests, endless file types over HTTP, and the SMTP (email) garden hose is always turned uncomfortably high. Logs and deep packet inspection report back these connections via a source, destination, and a protocol. In a SIEM context, we call these network flows. In this mess lies an opportunity: flows can point to changes in behavior of a machine. Some examples:
- Most of the external IP addresses hat a source IP connects to are HTTP or HTTPS. A reasonable conclusion is these are web servers. We might want to know about the one that is taking HTTPS, TCP, and UDP connections
- External TCP connections to a certain range of IPs happen regularly with a machine. Maybe someone likes to use an IM service to connect with friends. But what about the TCP connections that suddenly spring up to a different IP outside that range?
If someone breaks into a network, that someone means to steal or damage something. In order to do that, on today's networks, you have to use some kind of account credentials. A SIEM takes logs and packet data and constructs a set of these account footprints through a network. While that's great, you need to measure those steps against what is normal. If someone is a power user on a machine, a lot of access is quite normal; if someone uses a system rarely, and becomes a regular user, that is a deviation from normal. It may have a perfectly normal explanation, but you want that explanation. Especially if you are looking at something else unusual happening with that account or that system.
Minor Threat's 1983 Album Out of Step, my first introduction to Outliers.
Changes in Phishing Activity
Think about the usual attack cycle or kill chain for an advanced threat: research the target, trick the target, land the exploit, start looking around. There are certainly volumes about detection at each step in the kill chain, but look at "trick the target". Most payloads are still delivered via email attachments or enticing URLs in email. You can measure your sketchy emails, but hold on for a minute. When the number of tricks going into your email inboxes is high, the attackers are step 2. When the number goes DOWN, they might have moved down the kill chain. Use your SIEM to notify you when phishing activity goes DOWN, not UP. Sometimes, threat correlation is all about flipping the data upside down to get what you need.
Sometimes the critical information you need is not in the log or packet itself; there is a critical piece of context that identifies the risk. If an account connects from two different IP addresses at the same time, this is beyond banal. I am connected to the same network right now as we speak via my phone and laptop using the same account. However, if you know that one of these IP addresses is in North America and one in Latin America, you have a more interesting story to tell. And you want to tell that story. Geo-location data can be a huge help in adding context to give you new indicators of risk.
No Rules? Go Risk!
Sometimes my more heartbreaking moments consist of watching respected security peers try, try some more, then give up hope on detecting a threat because they can't point to the concrete details needed to write a rule for it. From this despondence though, we find that we have identified several indicators of bad stuff, although none can confirm anything specific on its own. This is where I would say: "put them together into a risk model". If you can do risk-based correlation on your SIEM, you are ready to go. In the case of advanced threats or insider threats, you can adopt this approach. Think of the risk indicators as smoke detectors. If there is enough smoke, you'll find a fire. Risk-based thinking (and we do it naturally) tells you that it really doesn't matter what type of fire it is, if it's in your house.
So, bottom line, there is a lot that a SIEM can contribute to detecting zero-day threats. These are just a few of them.