Bad Guys Don't Do Normal Things - Part 2

Bad Guys Don't Do Normal Things - Part 2

Any cybersecurity analyst will tell you that there is a huge need to reduce the amount of false positive alerts they receive every day. In the first part of this blog series we described an Incident Response (IR) team that, instead of focusing on true threats, was all-to-often running down “suspect ping” alerts caused by harmless software updates.

We discussed using ontologies to model alert data in graph form. By putting the original alert data into graph form, and using a description logic reasoner, Dark Light™ is able to apply expert knowledge to make inferences. In the case of the “suspect ping” problem, we use knowledge about related processes to reason if the alerts should be ignored, or classified as truly “suspect”.  Read More »

Bad Guys Don’t Do Normal Things - Part 1

Bad Guys Don’t Do Normal Things - Part 1

 

A cybersecurity analyst recently said to me, "Bad guys don't do normal things." He was explaining his thought process behind a particular automated alert. Specifically, he was describing a Splunk alert that notified his team whenever a ‘suspect ping’ process was detected on one of the more than 20,000 devices within their enterprise. This particular alert detected whenever any Windows host executed the ‘ping.exe’ process with a ‘-n’ argument. 

For example: ping 1.1.1.1 -n 1 -w 1000

The peculiar invocation above is not likely to be used by an IT person doing normal network troubleshooting. This non-default command, to send a single ping, might be indicative of malware or an intruder probing the network. This abnormal execution is what makes the ping interesting to a cyber network defender. At the mentioned organization, simply running the above command would be enough to launch a brief investigation by the Incident Response (IR) team.

Read More »

Subscribe to Email Updates

Subscribe via RSS to the blog

Recent Posts