Many threats lurk in your network, hiding in external (north-south) or internal (east-west) traffic. So, this is where we come in. We leverage machine learning capabilities and advanced analytics to detect the threats hiding in your network traffic.
First, what are your cyber threats attempting in your network traffic?
To begin, threats hiding in external (north-south) traffic are attempting to do three things:
- Break into an enterprise
- Communicate with an infected host within an enterprise, OR
- Steal data.
However, the malware activities that leave a footprint in internal (east-west) network traffic are attempting:
- To observe and discover an enterprise’s systems and internal network
- To attempt lateral movement to control remote systems such as network attached storage, and
- To collect information needed to follow through on the adversary’s objectives, like stealing or exfiltrating sensitive data.
What is normal on a network?
To start, anomaly detection using network traffic has a long history. Traditionally, it has been done for network performance monitoring and diagnostics. There are three main challenges in adapting this approach for threat detection. First, building representative baseline models for normal or benign network activities. Second, preventing a deluge of false alarms. And third, interpreting anomalies as threat-related activities to enable response.
The Fidelis Network Detection and Response (NDR) Anomaly Detection addresses the first two challenges using two strategies. Number one, it casts a wide net by analyzing network behavior using five different contexts. These are External, Internal, Application Protocols, Data Movement, and Events detected using rules and signatures.
To continue, for each context, it learns up to five different families of models to learn high fidelity baseline models. For example, for the External Traffic context, we have a family of models that focus on outbound geo-location. So, within this family, we have individual baseline models for different countries or groups of countries.
Together, these five contexts and their model families capture what is normal baseline behavior on an enterprise network. Because of that, we are able to correlate anomalies from different models to identify high-confidence detections. Then, we provide an interpretation of our anomaly detections for analysts. So, we map them to the MITRE ATT&CK TTPs to enable a response.
Using Machine Learning to Detect Threats in an External Context
In an external context, we focus on properties of external or north-south traffic that is independent of the application protocol. Using Unsupervised Machine Learning, statistical anomaly detection, and advanced analytics, we flag three types of suspicious activities that involve internal assets controlled by an enterprise:
- Traffic going out to a new location or country
- Increase in the volume of traffic going out to a location or a domain
- External services that only a small number of clients are communicating with, particularly using less well-known or higher number of ports
With all of this, these models provide protection against threats mapped by the MITRE ATT&CK framework to the Initial Access tactics. In particular, Drive-by Compromise (T1189), and Data Exfiltration, plus the techniques related to Exfiltration Over Alternative Protocol (T1048), Exfiltration Over Web Service (T1567), and Automated Exfiltration (T1020).
Many organizations also deploy external-facing services hosted in a demilitarized zone (DMZ) that is open to the Internet. Fidelis NDR has anomaly models targeted at DMZ services. This can detect an increase in traffic to DMZ servers or traffic originating from a new location. Such anomalies often indicate that an enterprise might be the target of a new threat vector, campaign, or adversary.
Using Machine Learning to Detect Threats in an Internal Context
In an internal context, we focus on internal traffic patterns along three dimensions. This includes who is talking to whom (I.e. connection patterns between assets), remote access and login behavior patterns, and volume of traffic exchanged between assets. Specifically, we flag five different types of suspicious activities.
| Potential Threat | Behavioral Footprint | Anomaly Model | MITRE ATT&CK |
|---|---|---|---|
| Proxy Circumvention (Web, DNS, Mail) | Web/DNS/Mail servers used by only a small number of assets. | Baseline models learn the access pattern for Web/DNS/Mail servers by different types of assets. Rarely used servers are flagged as anomalies. | Proxy (T1090) |
| Stolen Credentials | New or abnormal SSH or RDP login pattern. | Baseline models learn who-connects-to-whom and when (work hours vs. late night, weekday vs. weekend). | Credential Access (TA0006), Lateral Movement (TA0008) |
| Password spraying, Brute Force attack | High rate of login failures | Baseline models learn the normal level of login failures between different asset types and services. | Lateral Movement (TA0008) |
| Discovery | An asset attempting to connect to all the IP addresses within a subnet, i.e. high fan-out. | Baseline models learn the normal connectivity pattern between different asset types and services. | Lateral Movement (TA0008) |
| Data Collection | Increase in the amount of traffic from an internal server to an asset. This can be indicative of Data Collection prior to exfiltration. | Baseline models learn the data transfer patterns between different asset types and file servers. These models capture both the traffic volume as well as transfer of different file types (Microsoft Office documents, PDFs, etc.) | Collection (TA0009) |
So what does Fidelis do to combat these threats lurking in your network?
Fidelis Network Detection and Response (NDR) uses a combination of these machine learning capabilities and advanced analytics to detect suspicious activities on an enterprise network. In a previous blog on Using Machine Learning for Threat Detection, we talked about the advantages of using Machine Learning to detect patterns of cyber-attacks hiding in large amounts of network traffic data. We defined the different approaches based on Supervised and Unsupervised Machine Learning algorithms. We also released a webinar hosted by SANS where we discuss this topic in more detail.
Conclusion
The Fidelis NDR Anomaly Detection framework involves five contexts. They include External, Internal, Application Protocol, Data Movement, and Events detected using rules and signatures. As mentioned earlier, these contexts capture what is normal baseline behavior on the network, which then helps detect any anomalies.
