How Fidelis Leverages Machine Learning to Combat Threats Hiding in your Network

Tuesday, 20 June 2023

Estimated reading time:8 minutes

Fidelis Network Detection and Response (NDR) uses a combination of these machine learning capabilities and advanced analytics to detect suspicious activity on an enterprise network.
Picture1.jpg

Many threats lurk in your network, hiding in external (north-south) or internal (east-west) traffic. So this is where we come in. We leverage machine learning capabilities and advanced analytics to detect the threats hiding in your network traffic.

 

First, what are your cyber threats attempting in your network traffic?

To begin, threats hiding in external (north-south) traffic are attempting to do three things:

 

  1. Break into an enterprise
  2. Communicate with an infected host within an enterprise, OR
  3. Steal data.

 

However, the malware activities that leave a footprint in internal (east-west) network traffic are attempting:

 

  1. To observe and discover an enterprise’s systems and internal network
  2. To attempt lateral movement to control remote systems such as network attached storage, and
  3. To collect information needed to follow through on the adversary’s objectives, like stealing or exfiltrating sensitive data.

 

What is normal on a network?

To start, anomaly detection using network traffic has a long history. Traditionally, it has been done for network performance monitoring and diagnostics. There are three main challenges in adapting this approach for threat detection. First, building representative baseline models for normal or benign network activities. Second, preventing a deluge of false alarms. And third, interpreting anomalies as threat related activities to enable response.

 

The Fidelis Network Detection and Response (NDR) Anomaly Detection addresses the first two challenges using two strategies. Number one, it casts a wide net by analyzing network behavior using five different contexts. These are External, Internal, Application Protocols, Data Movement, and Events detected using rules and signatures.

 

To continue, for each context, it learns up to five different families of models to learn high fidelity baseline models. For example, for the External Traffic context, we have a family of models that focus on outbound geo-location. So within this family, we have individual baseline models for different countries or groups of countries.

 

Together, these five contexts and their model families capture what is normal baseline behavior on an enterprise network. Because of that, we are able to correlate anomalies from different models to identify high confidence detections. Then, we provide an interpretation of our anomaly detections for analysts. So, we map them to the MITRE ATT&CK TTPs to enable a response.

 

Using Machine Learning to Detect Threats in an External Context

In an external context, we focus on properties of external or north-south traffic that is independent of the application protocol. Using Unsupervised Machine Learning, statistical anomaly detection, and advanced analytics, we flag three types of suspicious activities that involve internal assets controlled by an enterprise:

 

  1. Traffic going out to a new location or country
  2. Increase in the volume of traffic going out to a location or a domain
  3. External services that only a small number of clients are communicating with, particularly using less well-known or higher number of ports

 

With all of this, these models provide protection against threats mapped by the MITRE ATT&CK framework to the Initial Access tactics. In particular, Drive-by Compromise (T1189), and Data Exfiltration, plus the techniques related to Exfiltration Over Alternative Protocol (T1048), Exfiltration Over Web Service (T1567), and Automated Exfiltration (T1020).

 

Many organizations also deploy external-facing services hosted in a demilitarized zone (DMZ) that is open to the Internet. Fidelis NDR has anomaly models targeted at DMZ services. This can detect an increase in traffic to DMZ servers or traffic originating from a new location. Such anomalies often indicate that an enterprise might be the target of a new threat vector, campaign, or adversary.

 

Using Machine Learning to Detect Threats in an Internal Context

In an internal context, we focus on internal traffic patterns along three dimensions. This includes who is talking to whom (I.e. connection patterns between assets), remote access and login behavior patterns, and volume of traffic exchanged between assets. Specifically, we flag five different types of suspicious activities.

Potential Threat

Behavioral Footprint

Anomaly Model

MITRE ATT&CK

Proxy Circumvention

(Web, DNS, Mail)

Web/DNS/Mail servers used by only a small number of assets.Baseline models learn the access pattern for Web/DNS/Mail servers by different types of assets. Rarely used servers are flagged as anomalies.Proxy (T1090)
Stolen CredentialsNew or abnormal SSH or RDP login pattern.Baseline models learn who-connects-to-whom and when (work hours vs. late night, weekday vs. weekend).

Credential Access (TA0006),

Lateral Movement (TA0008)

Password spraying,

Brute Force attack

High rate of login failuresBaseline models learn the normal level of login failures between different asset types and services.Lateral Movement (TA0008)
DiscoveryAn asset attempting to connect to all the IP addresses within a subnet, i.e. high fan-out.Baseline models learn the normal connectivity pattern between different asset types and services.Lateral Movement (TA0008)
Data CollectionIncrease in the amount of traffic from an internal server to an asset. This can be indicative of Data Collection prior to exfiltration.Baseline models learn the data transfer patterns between different asset types and file servers. These models capture both the traffic volume as well as transfer of different file types (Microsoft Office documents, PDFs, etc.)Collection (TA0009)

 

So what does Fidelis do to combat these threats lurking in your network?

Fidelis Network Detection and Response (NDR) uses a combination of these machine learning capabilities and advanced analytics to detect suspicious activities on an enterprise network. In a previous blog on Using Machine Learning for Threat Detection, our CTO Anubhav Arora talked about the advantages of using Machine Learning to detect patterns of cyber-attacks hiding in large amount of network traffic data. He defined the different approaches based on Supervised and Unsupervised Machine Learning algorithms. We also released a webinar hosted by SANS where we discuss this topic in more detail.

Share this blog :

Related Blogs & News

2021 RSA Conference

4 min read

19June
Fidelis Cybersecurity Wins “Best Product in XDR” in the Global InfoSec Awards during 2021 RSA Conference

At the 9th InfoSec Awards annual ceremony #RSAC 2021, Fidelis Elevate was awarded the Best Product in XDR (eXtended Detection and Response) award.

Encrypted

5 min read

19June
Monitor network traffic with Encrypted Traffic Analysis

ETA not only helps systems keep track of users' encrypted sessions, but also helps to deal with problems that arise as well as problems related to ban...

Encrypted

3 min read

20June
Encrypted Traffic Analysis

With Flowmon's encrypted traffic analysis (ETA) solution, you have the ability to control potential threats in encrypted traffic without compromising ...