Any cybersecurity analyst will tell you that there is a huge need to reduce the amount of false positive alerts they receive every day. In the first part of this blog series we described an Incident Response (IR) team that, instead of focusing on true threats, was all-to-often running down “suspect ping” alerts caused by harmless software updates.We discussed using ontologies to model alert data in graph form. By putting the original alert data into graph form, and using a description logic reasoner, Dark Light™ is able to apply expert knowledge to make inferences. In the case of the “suspect ping” problem, we use knowledge about related processes to reason if the alerts should be ignored, or classified as truly “suspect”. Read More »
A cybersecurity analyst recently said to me, "Bad guys don't do normal things." He was explaining his thought process behind a particular automated alert. Specifically, he was describing a Splunk alert that notified his team whenever a ‘suspect ping’ process was detected on one of the more than 20,000 devices within their enterprise. This particular alert detected whenever any Windows host executed the ‘ping.exe’ process with a ‘-n’ argument.
For example: ping 22.214.171.124 -n 1 -w 1000
The peculiar invocation above is not likely to be used by an IT person doing normal network troubleshooting. This non-default command, to send a single ping, might be indicative of malware or an intruder probing the network. This abnormal execution is what makes the ping interesting to a cyber network defender. At the mentioned organization, simply running the above command would be enough to launch a brief investigation by the Incident Response (IR) team.Read More »