Early Warning Indicators

Becoming proactive begins with detecting what is virtually undetectable with conventional tools. The next step is to establish an early warning facility that identifies compromise conditions before an actual attack is launched. The final step is to actively engage and neutralize threats proactively, based on the unknown-threat detection and the early warning system.

Click Security RtSA Response

The detection of unknown threats has already been discussed. When looking at the anatomy of the common attack, we realize there are various early warning indicators that let us engage a threat before an attack is launched. As an example, reconnaissance occurs prior to an attack. This may involve semi-suspicious activities such as network scanning, or it could appear much more innocent, such as network browsing and public resource access.

The beauty of analyzing data behaviorally is that the measurement is a deviation from the norm rather than a positive fingerprint of evil. For example, profiling allows us to make an educated guess at an entity’s “type”, based on the kind of events it most often generates. As a case in point, by simply watching Kerberos authentications come and go, we can pretty much determine that a particular machine is a domain controller. Similarly, by watching web-browsing activity, we can determine when we have a personal desktop computer at a particular IP address. Then, if we see, for example, outbound IRC traffic from a particular node, even if we don't have a good profile of "normal" for that particular node, the clustering/grouping analysis described above highlights that IRC traffic is a lot more suspicious for a domain controller than it is for a personal desktop. This allows us to recognize early-warning indicators and neutralize threats before they become viable.
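The profiling-then-deviation idea above can be made concrete in a few dozen lines. The following is an added illustration written for this page, not code from Click Security or the RtSA product: it builds a per-host event-kind profile from constructed sample telemetry, guesses each host's type from its dominant event kinds (a Kerberos-heavy host is called a domain controller, an HTTP-heavy host a desktop), pools the profiles of each type into a peer-group baseline, and scores a newly observed event by how rare that event kind is for the host's peer group rather than for the host alone. The host `10.0.2.9` has only five events of history, so its own baseline is thin; it still inherits the domain-controller group's expectations, which is what makes an IRC connection from it score higher than the same connection from a desktop. Host addresses, event-kind names, the 0.5 type threshold and the 3.0 alert threshold are all assumptions chosen for the example.

```python
from collections import Counter, defaultdict
import math

# Constructed sample telemetry for the example (not real data): (host, event_kind, count).
SAMPLE_COUNTS = [
    ("10.0.0.5", "kerberos_as", 6), ("10.0.0.5", "kerberos_tgs", 6), ("10.0.0.5", "ldap_query", 3),
    ("10.0.0.6", "kerberos_as", 5), ("10.0.0.6", "kerberos_tgs", 5), ("10.0.0.6", "ldap_query", 2),
    ("10.0.0.6", "dns_query", 1),
    ("10.0.1.23", "http_get", 8), ("10.0.1.23", "dns_query", 3), ("10.0.1.23", "irc_connect", 1),
    ("10.0.1.24", "http_get", 7), ("10.0.1.24", "dns_query", 2), ("10.0.1.24", "smb_read", 1),
    ("10.0.2.9", "kerberos_as", 2), ("10.0.2.9", "kerberos_tgs", 3),  # thin history: 5 events only
]
SAMPLE_EVENTS = [(host, kind) for host, kind, n in SAMPLE_COUNTS for _ in range(n)]

ALPHA = 1.0  # additive smoothing: an unseen kind gets a finite but high surprise, never log(0)


def build_profiles(events):
    """Per-host histogram of event kinds: the host's observed behaviour."""
    profiles = defaultdict(Counter)
    for host, kind in events:
        profiles[host][kind] += 1
    return profiles


def classify_host(profile):
    """Educated guess at the entity type from which kinds dominate its profile.
    The prefixes and the 0.5 majority threshold are assumptions for this example."""
    total = sum(profile.values())
    if total == 0:
        return "unknown"
    kerberos = sum(n for k, n in profile.items() if k.startswith("kerberos_"))
    web = sum(n for k, n in profile.items() if k.startswith("http_"))
    if kerberos / total >= 0.5:
        return "domain_controller"
    if web / total >= 0.5:
        return "desktop"
    return "unknown"


def build_baselines(profiles):
    """Pool every host of the same guessed type into one peer-group histogram."""
    baselines = defaultdict(Counter)
    for profile in profiles.values():
        baselines[classify_host(profile)].update(profile)
    return baselines


def surprise(host, kind, profiles, baselines):
    """-log of the smoothed probability that a host of this type emits `kind`.
    Uses the peer group, so a host with little history is still scored sensibly."""
    vocab = {k for p in profiles.values() for k in p}
    vocab.add(kind)
    group = baselines[classify_host(profiles.get(host, Counter()))]
    total = sum(group.values())
    prob = (group[kind] + ALPHA) / (total + ALPHA * len(vocab))
    return -math.log(prob)


def flag_events(observations, profiles, baselines, threshold=3.0):
    """Return (host, kind, score) for every new observation whose surprise meets the threshold."""
    flagged = []
    for host, kind in observations:
        score = surprise(host, kind, profiles, baselines)
        if score >= threshold:
            flagged.append((host, kind, round(score, 3)))
    return flagged


if __name__ == "__main__":
    profiles = build_profiles(SAMPLE_EVENTS)
    baselines = build_baselines(profiles)
    for host, profile in sorted(profiles.items()):
        print(f"{host:10s} -> {classify_host(profile)}")
    # Constructed new observations: the same IRC connection from a DC-like host and from a desktop.
    new_observations = [
        ("10.0.2.9", "irc_connect"),
        ("10.0.1.24", "irc_connect"),
        ("10.0.0.5", "kerberos_as"),
    ]
    for host, kind in new_observations:
        print(f"{host:10s} {kind:12s} surprise={surprise(host, kind, profiles, baselines):.3f}")
    print("flagged:", flag_events(new_observations, profiles, baselines))
```

Only the IRC connection from the domain-controller-like host crosses the alert threshold: IRC is entirely absent from the pooled domain-controller baseline, while the desktop group has already emitted it once, so the same event kind scores roughly 3.7 against about 2.7. The score is a per-event surprise and not a verdict; in practice it would feed the higher-level correlation the text describes rather than trigger a response on its own.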

Once the threat has been identified, neutralizing it can be as lenient or harsh as desired. The system can be configured to alert, report, directly engage threats, or feed back new security meta-events (providing a means of having an even higher-level correlation analytic operating on the pre-correlated meta-events). Customers have already invoked system actions including:

  • Template-style email generation
  • SMS alert distribution
  • Help-desk case creation and dispatch
  • Active Directory account disablement
  • Physical access revocation
  • Increased logging levels and issuance of custom instructions to third-party systems

Virtually any action is possible with the open-platform underpinning of this solution.