Tuesday, May 13, 2014


I’ve been thinking lately about why so many attempts to identify attacks and detect intrusions result in such a large number of false positives. I believe one of the main reasons is that it is difficult for us to properly understand intent. Before I explain why, I think it helps to shift perspective and think about what an alert, and specifically a signature-based alert, means conceptually. The methodology of signature-based detection is essentially a packet-by-packet view of the world. Each “known bad” is checked against a snapshot -- a moment in time as the packet flies across the network. From this perspective, a packet-by-packet approach to detecting intrusions doesn’t quite seem rational, or at least not for intrusions that involve more than a small number of packets or take place over a period of time. We wouldn’t dream of identifying winning stocks solely based on their price as of 12:34:56 PM EST -- a single moment in time. Instead, we opt for additional context, so that we can better understand the complete picture and make a more informed decision.

The first step up from a packet-by-packet or alert-driven view of the world is to a session-driven view of the world. Building sessions allows us to put like activity together -- at least within the same type of data. Sessions have been in use for a while now for many different types of data, and they are quite a bit more useful for analysis and forensics than data that is not sessionized. For example, summarizing communication between two hosts is far easier with netflow data than it is with firewall logs.

Sessions point us in the right direction, but I believe that building narratives is the next logical step. In a piece in SecurityWeek (http://www.securityweek.com/security-operations-moving-narrative-driven-model), I explained the concept of the narrative-driven model. To understand the motivation for moving to a narrative-driven model, I think it helps to think about what detecting intrusions means in the abstract. Essentially, when we want to detect or hunt for intrusions, we are looking to understand intent -- what a particular sample of traffic intends to do. For example, is this particular packet part of a command-and-control or data exfiltration channel, or is it a false positive? The answer to that question requires understanding intent. And understanding intent requires more context than packets or sessions can provide. To understand intent, we need to understand the whole story around an alert. We need the narrative.

To me, it seems that where we don’t properly understand intent, we run into false positives. A command and control channel and benign activity might look nearly identical on the wire, until we understand their intent. In the analog world, what is the difference between a hard-working employee taking a laptop and proprietary information home to continue working on and an employee being paid to commit industrial espionage? At the packet level (what we see at a moment in time), there isn’t a difference -- to the human eye, both scenarios look exactly the same as the employee leaves the office for the day. The difference lies only in the intent, and that is something that we need additional information to understand. We can’t understand intent from a single packet, or even a single session. To understand intent, we need a richer context. We need the narrative. In my opinion, a better understanding of intent results in fewer false positives. The challenge lies in operationalizing this concept, of course, and the solution begins with building the narrative.
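As an added illustration of the three views described above (packet, session, narrative), the following Python is not from the original post; it builds sessions from constructed packet records with an assumed idle timeout, then assembles a narrative around each signature hit by pulling in every session and DNS lookup involving the alerted host within an assumed window. The two hosts trip the identical signature; only the narrative around each shows that one is a single short exchange after resolving a vendor name while the other is a regular every-120-seconds pattern followed by a large upload. Addresses are from the RFC 5737 documentation ranges, domain names use the .test TLD, and the signature name, thresholds and summary fields are all assumptions for the example.

```python
"""Added example: packets -> sessions -> narrative around one alert.
All records below are constructed for illustration, not real traffic."""
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import median

IDLE_TIMEOUT = 60       # seconds of silence that closes a session (assumed value)
NARRATIVE_WINDOW = 600  # seconds before/after an alert to pull into the story (assumed)

# Constructed packet records: (time, src, dst, service_port, proto, bytes, signature_or_None)
PACKETS = [
    # host 10.0.0.5: one short exchange that trips the signature, then nothing
    (100, "10.0.0.5", "203.0.113.9", 443, "tcp", 220, "SUSPICIOUS_USER_AGENT"),
    (101, "203.0.113.9", "10.0.0.5", 443, "tcp", 180, None),
    (102, "10.0.0.5", "203.0.113.9", 443, "tcp", 200, None),
    (103, "203.0.113.9", "10.0.0.5", 443, "tcp", 4000, None),
    # host 10.0.0.7: the same signature, tiny exchanges every 120 s, then a large upload
    (300, "10.0.0.7", "198.51.100.4", 443, "tcp", 220, "SUSPICIOUS_USER_AGENT"),
    (301, "198.51.100.4", "10.0.0.7", 443, "tcp", 180, None),
    (420, "10.0.0.7", "198.51.100.4", 443, "tcp", 220, None),
    (421, "198.51.100.4", "10.0.0.7", 443, "tcp", 180, None),
    (540, "10.0.0.7", "198.51.100.4", 443, "tcp", 220, None),
    (541, "198.51.100.4", "10.0.0.7", 443, "tcp", 180, None),
    (660, "10.0.0.7", "198.51.100.4", 443, "tcp", 220, None),
    (661, "198.51.100.4", "10.0.0.7", 443, "tcp", 180, None),
    (880, "10.0.0.7", "198.51.100.4", 443, "tcp", 1_500_000, None),
    (881, "10.0.0.7", "198.51.100.4", 443, "tcp", 1_500_000, None),
    (882, "10.0.0.7", "198.51.100.4", 443, "tcp", 1_500_000, None),
]
# Constructed DNS log records from a second data type: (time, host, query, answer)
DNS_LOGS = [
    (95, "10.0.0.5", "updates.vendor.test", "203.0.113.9"),
    (290, "10.0.0.7", "cdn-x7q.test", "198.51.100.4"),
]


@dataclass
class Session:
    """Bidirectional session between two endpoints on one service port."""
    a: str
    b: str
    port: int
    proto: str
    start: float
    end: float
    packets: int = 0
    bytes_from: dict = field(default_factory=lambda: defaultdict(int))  # src -> bytes
    signatures: set = field(default_factory=set)


def sessionize(packets, idle=IDLE_TIMEOUT):
    """Group packets into sessions keyed by endpoint pair, port and proto; a gap
    longer than `idle` between packets closes the session and starts a new one."""
    open_sessions, closed = {}, []
    for t, src, dst, port, proto, nbytes, sig in sorted(packets, key=lambda p: p[0]):
        key = (min(src, dst), max(src, dst), port, proto)
        s = open_sessions.get(key)
        if s is not None and t - s.end > idle:
            closed.append(s)
            s = None
        if s is None:
            s = Session(key[0], key[1], port, proto, t, t)
            open_sessions[key] = s
        s.end = t
        s.packets += 1
        s.bytes_from[src] += nbytes
        if sig:
            s.signatures.add(sig)
    closed.extend(open_sessions.values())
    return sorted(closed, key=lambda s: s.start)


def alerted_sessions(sessions):
    """The session-level view of the alerts: sessions carrying any signature hit."""
    return [s for s in sessions if s.signatures]


def build_narrative(alert, sessions, dns_logs, window=NARRATIVE_WINDOW):
    """Everything either endpoint of the alerted session did within the window,
    across both data types, as a time-ordered list of (time, kind, record)."""
    hosts, lo, hi = {alert.a, alert.b}, alert.start - window, alert.end + window
    events = [(s.start, "flow", s) for s in sessions
              if (s.a in hosts or s.b in hosts) and lo <= s.start <= hi]
    events += [(t, "dns", rec) for rec in dns_logs
               for t, host, _q, _a in [rec] if host in hosts and lo <= t <= hi]
    return sorted(events, key=lambda e: e[0])


def summarize(narrative, host):
    """Features only visible across the whole story: how many sessions, how much the
    host sent, how regular the gaps between sessions are, and what names it resolved."""
    flows = [rec for _t, kind, rec in narrative if kind == "flow"]
    starts = [s.start for s in flows]
    gaps = [b - a for a, b in zip(starts, starts[1:])]
    med = median(gaps) if len(gaps) >= 2 else None
    return {
        "sessions": len(flows),
        "bytes_sent": sum(s.bytes_from[host] for s in flows),
        "median_gap": med,
        # share of gaps within 10% of the median: near 1.0 means clockwork timing
        "regular_gaps": sum(abs(g - med) <= 0.1 * med for g in gaps) / len(gaps) if med else None,
        "domains": [rec[2] for _t, kind, rec in narrative if kind == "dns"],
    }


if __name__ == "__main__":
    sessions = sessionize(PACKETS)
    for alert in alerted_sessions(sessions):
        host = alert.a if alert.a.startswith("10.") else alert.b
        print(host, sorted(alert.signatures), summarize(build_narrative(alert, sessions, DNS_LOGS), host))
```

Run stand-alone, the script prints one summary per signature hit: the first host shows a single session, 420 bytes sent and no gap statistic; the second shows five sessions, a median gap of 120 seconds with three of four gaps on that cadence, and roughly 4.5 MB sent. The signature alone was identical in both cases; the difference the analyst needs is only in the narrative.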
