Finding Low-Variance Behaviors

Video Activity

Time
4 hours 42 minutes
Difficulty
Intermediate
CEU/CPE
5
Video Transcription
>> Hello and welcome to lesson 2.3, Finding Low-Variance Behaviors. In this lesson, we describe low-variance behaviors and their applications to threat hunting. We also discuss the process and considerations for finding low-variance behaviors.

As we continue to more closely examine attack behaviors, it's important to emphasize that there are often several ways for an adversary to carry out an attack. We need to look across implementation methods for indicators that can be used to provide more robust detection. Looking across these indicators, we can plot them on a variance scale to help us get a sense of their robustness.
As an example, say I want to travel from my house to the MITRE headquarters building that is some distance away. One option is I leave home, drive to the airport, take a flight to get closer, drive through the security gate and then get to the headquarters building. I could also drive the entire distance from my home, again drive through the security gate and then reach the headquarters building. A third option, although much more practical, is I could walk the entire distance to the security gate and then proceed through to the headquarters building. All of these are different methods for me to achieve the same result of getting from my house to MITRE HQ.

If we were trying to examine these different methods with respect to variance, we would see that only one option each uses flying or walking. That is, if you were trying to detect me traveling to the MITRE headquarters based on these behaviors, you would most likely not catch me, as these behaviors have a high level of variance. If you focus detection on my passing through the security gate, however, you will most likely catch me, as that behavior is present across all three options. This behavior is an example of one that has low variance, or more specifically, it's an invariant behavior.
An important subset of low-variance behaviors are invariant behaviors. Invariant behaviors are activities or events that are fundamental to the technique and thus do not change by altering the procedural implementation of that technique, as opposed to actions that may vary depending on invocation or tools used. Software developers created the technologies that an attacker is attempting to exploit or misuse. Thus, there are a limited number of options for the adversary, as dictated by the terrain design. If we can base our hypothesis around invariant behaviors, they would be much more resilient to evasion by the adversary. If we can execute an attack without confirming behaviors, however, it's likely we haven't found or adequately focused on invariant behaviors. For some techniques, we might see that there may not be a single invariant behavior or even a sequence of invariant behaviors. Then we might need to look at the technique level or break it down into use cases to find those associated indicators.
In developing behavior-based hypotheses using low-variance behaviors, we can follow the simplified process outlined below. We begin by choosing a technique to focus on. The technique you choose should really be driven by the objective of your threat hunting and your associated hypothesis. It's also important to define the scope for the behavior that you want to find invariants for. This scope should take into consideration important elements and constraints of your environment with respect to factors of the technique that we'd like to address, including platforms, implementations, and functionality. To enable this step, it is important that we understand our own system as well as or better than the adversary in order to stay ahead of any malicious action.

Next, we will conduct open-source research to get a thorough understanding of the technique or sub-technique itself, including detailed information about how it is employed, as well as learning more about what is possible through reading documentation of operating systems, software, and APIs. That leads us to conducting a hands-on investigation of the technique, which can include reverse engineering, debugging, executing the behavior ourselves, examining any relevant logs that are generated and getting help from seasoned emulation experts to explore the second- and third-order effects of the behavior and the resulting logs. All of these steps help us to identify possible invariant behaviors, which will work to optimize recall when used as the basis for an analytic.

In step 5, defining conditions, we begin to introduce certain conditions or characteristics that can help us differentiate benign use cases from malicious ones and help us to dial in precision, ultimately leading to hypothesis refinement and the creation of an abstract analytic. We will cover this step in later lessons.
Although the process for finding low-variance behaviors is outlined sequentially, it's important to keep in mind that this is an iterative process. It may be necessary to repeat steps and update information to achieve our goal, and it can be modified depending on the limitations or resources of the environment at hand.

It is also important to note that low-variance behaviors themselves are not necessarily indicators of malicious activity. Rather, they are fundamental activities that occur in the execution of a certain technique. That is the reason we eventually look to identify conditions that help us distinguish between benign and malicious activities. This then becomes a balancing act between keeping an analytic focused on behaviors for maximum detection and defining conditions that help us improve precision, so that our analytic is still useful for detection without being too brittle against varying indicators of compromise.
Putting this information in perspective, it's important to remember that not every technique will have strong invariant behaviors or even strong low-variance behaviors. It's important to understand how variable a behavior is to help create a robust detection scheme. Employing detection in depth with several layers of defense can help when behaviors have an especially high variance, to maximize your defensive coverage and help strengthen your defensive posture. In conducting this research, the process of breaking down and investigating techniques will help identify other choke points and higher-variance indicators that may still be useful for developing detection analytics.
In summary, invariant and low-variance behaviors help make analytics that have high recall and are difficult for an adversary to evade. Finding invariant behaviors is an iterative process that itself optimizes recall, and contextual data, careful exclusions and complementary analytics can help reduce false positives.
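As an added illustration that is not part of the lesson: a small Python script that models the travel analogy above as three procedures of one technique, places each observed behavior on the variance scale, picks out the invariants, and then scores an analytic's precision and recall over a constructed event log before and after adding a condition. The procedure, behavior and event data are constructed for this example, and the `after_hours` condition is an assumed illustration of the "defining conditions" step.

```python
from collections import Counter
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed sample (not from the lesson's materials): the lesson's travel analogy as
# three procedures for one technique, each written as the set of observable behaviors.
PROCEDURES: Dict[str, Set[str]] = {
    "fly":   {"leave_home", "drive", "board_flight", "pass_security_gate", "enter_hq"},
    "drive": {"leave_home", "drive", "pass_security_gate", "enter_hq"},
    "walk":  {"leave_home", "walk", "pass_security_gate", "enter_hq"},
}

# Constructed event log: (behaviors observed for one actor, actor is the adversary).
# Benign employees and visitors also pass the security gate, so that behavior alone
# is invariant but not malicious; the assumed "after_hours" condition is a hypothetical
# characteristic that only the adversary's first two trips happen to carry.
EVENTS: List[Tuple[Set[str], bool]] = [
    ({"leave_home", "drive", "board_flight", "pass_security_gate", "enter_hq", "after_hours"}, True),
    ({"leave_home", "drive", "pass_security_gate", "enter_hq", "after_hours"}, True),
    ({"leave_home", "walk", "pass_security_gate", "enter_hq"}, True),
    ({"drive", "pass_security_gate", "enter_hq"}, False),
    ({"drive", "pass_security_gate", "enter_hq"}, False),
    ({"walk", "pass_security_gate", "enter_hq"}, False),
]

def variance_scale(procedures: Dict[str, Set[str]]) -> Dict[str, float]:
    """Fraction of procedures exhibiting each behavior: 1.0 is invariant, near 0 is high variance."""
    counts = Counter(b for behaviors in procedures.values() for b in behaviors)
    return {b: c / len(procedures) for b, c in counts.items()}

def invariants(procedures: Dict[str, Set[str]]) -> Set[str]:
    """Behaviors fundamental to the technique: present no matter which procedure is used."""
    return set.intersection(*procedures.values())

def evaluate(events, behavior: str, conditions: FrozenSet[str] = frozenset()) -> Tuple[float, float]:
    """Precision and recall of an analytic that fires only when `behavior` and every
    entry of `conditions` are observed together for the same actor."""
    required = {behavior, *conditions}
    fired = [is_adv for observed, is_adv in events if required <= observed]
    true_positives = sum(fired)
    adversary_events = sum(is_adv for _, is_adv in events)
    precision = true_positives / len(fired) if fired else 0.0
    return precision, true_positives / adversary_events

if __name__ == "__main__":
    print("variance scale:", variance_scale(PROCEDURES), "invariants:", invariants(PROCEDURES))
    for b, c in [("board_flight", ()), ("pass_security_gate", ()), ("pass_security_gate", ("after_hours",))]:
        print(b, c, "precision/recall:", evaluate(EVENTS, b, frozenset(c)))
```

Keying on `board_flight` gives perfect precision but catches one procedure in three; keying on the invariant `pass_security_gate` catches every procedure but fires on benign traffic too, and adding the condition buys precision back at the cost of the walking trip, which is the balancing act the lesson describes.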