Tuesday, 20 June 2023
Estimated reading time: 8 minutes
Many threats lurk in your network, hiding in external (north-south) or internal (east-west) traffic. This is where Fidelis comes in: we apply machine learning and advanced analytics to detect the threats hiding in that traffic.
Threats hiding in external (north-south) traffic are attempting to do three things:
Malware activities that leave a footprint in internal (east-west) traffic are attempting to:
Anomaly detection on network traffic has a long history; traditionally it has been used for network performance monitoring and diagnostics. Adapting it to threat detection raises three main challenges: first, building representative baseline models of normal (benign) network activity; second, preventing a deluge of false alarms; and third, interpreting anomalies as threat-related activity so that analysts can respond.
Fidelis Network Detection and Response (NDR) Anomaly Detection addresses the first two challenges with two strategies. First, it casts a wide net by analyzing network behavior in five contexts: External, Internal, Application Protocols, Data Movement, and Events detected by rules and signatures.
Second, for each context it learns up to five families of models in order to obtain high-fidelity baselines. For example, the External Traffic context has a family of models that focus on outbound geo-location; within that family there are individual baseline models for different countries or groups of countries.
Together, these five contexts and their model families capture normal baseline behavior on an enterprise network, which lets us correlate anomalies from different models into high-confidence detections. To address the third challenge, we map each detection to MITRE ATT&CK tactics and techniques so that analysts have an interpretation they can act on.
In the External context, we focus on properties of north-south traffic that are independent of the application protocol. Using unsupervised machine learning, statistical anomaly detection, and advanced analytics, we flag three types of suspicious activity involving internal assets controlled by the enterprise:
These models provide protection against threats mapped by the MITRE ATT&CK framework to the Initial Access tactic, in particular Drive-by Compromise (T1189), and to the Exfiltration tactic, including Exfiltration Over Alternative Protocol (T1048), Exfiltration Over Web Service (T1567), and Automated Exfiltration (T1020).
Many organizations also deploy external-facing services in a demilitarized zone (DMZ) that is open to the Internet. Fidelis NDR has anomaly models targeted at DMZ services that detect an increase in traffic to DMZ servers or traffic originating from a new location. Such anomalies often indicate that the enterprise is the target of a new threat vector, campaign, or adversary.
In the Internal context, we focus on east-west traffic patterns along three dimensions: who is talking to whom (connection patterns between assets), remote-access and login behavior, and the volume of traffic exchanged between assets. Specifically, we flag five types of suspicious activity:
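To make the External-context idea concrete, here is an added illustration (written for this page, not Fidelis code) of a per-destination-country baseline for outbound volume: one model per country learns the mean and spread of daily bytes sent out, a day is flagged either because the country was never seen in training or because its volume is several standard deviations above baseline. The flow records, IP addresses, country codes and thresholds are all constructed for the example; the same logic applied to inbound source country gives the "traffic from a new location" check described for DMZ services.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed outbound flow records (not real telemetry): (day, internal_src_ip, dst_country, bytes_out).
# Five training days of routine traffic to the US and Germany.
TRAINING_FLOWS = [
    ("d1", "10.0.1.20", "US", 60_000), ("d1", "10.0.1.21", "US", 40_000), ("d1", "10.0.1.20", "DE", 20_000),
    ("d2", "10.0.1.20", "US", 70_000), ("d2", "10.0.1.21", "US", 50_000), ("d2", "10.0.1.20", "DE", 20_000),
    ("d3", "10.0.1.20", "US", 50_000), ("d3", "10.0.1.21", "US", 40_000), ("d3", "10.0.1.20", "DE", 30_000),
    ("d4", "10.0.1.20", "US", 60_000), ("d4", "10.0.1.21", "US", 50_000), ("d4", "10.0.1.20", "DE", 20_000),
    ("d5", "10.0.1.20", "US", 55_000), ("d5", "10.0.1.21", "US", 50_000), ("d5", "10.0.1.20", "DE", 20_000),
]

# The day being scored (also constructed): a volume spike to the US and a first-ever destination (CN).
SCORING_FLOWS = [
    ("d6", "10.0.1.20", "US", 110_000), ("d6", "10.0.1.21", "US", 50_000),
    ("d6", "10.0.1.20", "DE", 21_000), ("d6", "10.0.1.22", "CN", 5_000),
]


def daily_bytes_by_country(flows):
    """Aggregate flows into {country: {day: total_bytes}}."""
    agg = defaultdict(lambda: defaultdict(int))
    for day, _src, country, nbytes in flows:
        agg[country][day] += nbytes
    return agg


def learn_baseline(flows):
    """One model per destination country: mean and population std of daily outbound bytes.
    Days with no traffic to a country count as zero, so a rarely used country gets a low
    mean instead of being ignored."""
    days = sorted({day for day, *_ in flows})
    baseline = {}
    for country, per_day in daily_bytes_by_country(flows).items():
        series = [per_day.get(day, 0) for day in days]
        baseline[country] = {"mean": mean(series), "std": pstdev(series)}
    return baseline


def score_day(baseline, flows, z_threshold=3.0):
    """Return anomaly records for one day's flows, sorted by country."""
    anomalies = []
    for country, per_day in daily_bytes_by_country(flows).items():
        total = sum(per_day.values())
        model = baseline.get(country)
        if model is None:
            # No baseline at all: a destination country never seen in training.
            anomalies.append({"country": country, "kind": "new_destination_country",
                              "bytes": total, "mapping": "Exfiltration (T1048/T1567) candidate"})
            continue
        # Floor the spread so a near-constant baseline does not turn noise into a 100-sigma event
        # (constructed choice: at least 10% of the mean and at least 1 byte).
        spread = max(model["std"], 0.1 * model["mean"], 1.0)
        z = (total - model["mean"]) / spread
        if z > z_threshold:
            anomalies.append({"country": country, "kind": "volume_spike", "bytes": total,
                              "z": z, "mapping": "Exfiltration (T1020/T1048) candidate"})
    return sorted(anomalies, key=lambda a: a["country"])


def run_example():
    return score_day(learn_baseline(TRAINING_FLOWS), SCORING_FLOWS)


if __name__ == "__main__":
    for anomaly in run_example():
        print(anomaly)
```

Two of the three challenges from the text are visible here: the zero-fill and the spread floor are the kind of baseline-engineering decisions that decide whether a model produces a usable alert or a deluge of false alarms, and the `mapping` field is the start of the ATT&CK interpretation an analyst needs before responding.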
| Suspicious activity | Baseline model | MITRE ATT&CK mapping |
|---|---|---|
| Web/DNS/Mail servers used by only a small number of assets. | Baseline models learn the access pattern for Web/DNS/Mail servers by different types of assets. Rarely used servers are flagged as anomalies. | |
| New or abnormal SSH or RDP login pattern. | Baseline models learn who-connects-to-whom and when (work hours vs. late night, weekday vs. weekend). | Credential Access (TA0006), Lateral Movement (TA0008) |
| Brute Force attack: high rate of login failures. | Baseline models learn the normal level of login failures between different asset types and services. | Lateral Movement (TA0008) |
| High fan-out: an asset attempting to connect to all the IP addresses within a subnet. | Baseline models learn the normal connectivity pattern between different asset types and services. | Lateral Movement (TA0008) |
| Increase in the amount of traffic from an internal server to an asset, which can indicate Data Collection prior to exfiltration. | Baseline models learn the data transfer patterns between different asset types and file servers, capturing both traffic volume and the transfer of different file types (Microsoft Office documents, PDFs, etc.). | |
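The following is an added example (written for this page, not Fidelis code) that implements three of the Internal-context checks from the table over constructed connection and login events: a remote login whose (source, destination, service, work-hours) combination was never seen in the baseline, a source whose hourly fan-out far exceeds its learned peak, and a login-failure rate far above the learned level between a pair of assets. The events, IP addresses, the weekday 08:00 to 18:00 definition of work hours and the threshold multipliers are all constructed assumptions; a production model would learn them per asset type and service as the table describes.

```python
from collections import defaultdict
from datetime import datetime

# Ports treated as remote-access services for the login-pattern and brute-force checks.
REMOTE_ACCESS_PORTS = {22: "SSH", 3389: "RDP"}


def hour_bucket(ts):
    """Truncate a timestamp to the hour; fan-out and failure rates are measured per hour."""
    return ts.replace(minute=0, second=0, microsecond=0)


def is_work_hours(ts):
    """Constructed definition of work hours: weekdays 08:00-18:00 (a real model would learn this)."""
    return ts.weekday() < 5 and 8 <= ts.hour < 18


def aggregate(events):
    """events: (ts, src, dst, dport, outcome) tuples, outcome in {'conn', 'ok', 'fail'}.
    Returns per-source hourly destination sets, per-pair hourly login failures,
    and the set of (src, dst, port, work_hours) keys for successful remote logins."""
    fanout = defaultdict(lambda: defaultdict(set))
    failures = defaultdict(lambda: defaultdict(int))
    logins = set()
    for ts, src, dst, dport, outcome in events:
        hour = hour_bucket(ts)
        fanout[src][hour].add(dst)
        if dport in REMOTE_ACCESS_PORTS:
            if outcome == "fail":
                failures[(src, dst)][hour] += 1
            elif outcome == "ok":
                logins.add((src, dst, dport, is_work_hours(ts)))
    return fanout, failures, logins


def learn_baseline(events):
    """Per-source peak hourly fan-out, per-pair peak hourly login failures, known login keys."""
    fanout, failures, logins = aggregate(events)
    return {
        "max_fanout": {src: max(len(d) for d in hours.values()) for src, hours in fanout.items()},
        "max_failures": {pair: max(hours.values()) for pair, hours in failures.items()},
        "known_logins": logins,
    }


def detect(baseline, events):
    """Score a detection window against the baseline and return anomaly records."""
    fanout, failures, logins = aggregate(events)
    anomalies = []
    for src, dst, dport, work in sorted(logins):
        if (src, dst, dport, work) not in baseline["known_logins"]:
            anomalies.append({"kind": "new_remote_login", "src": src, "dst": dst,
                              "service": REMOTE_ACCESS_PORTS[dport], "work_hours": work,
                              "mapping": "TA0006 / TA0008"})
    for src, hours in sorted(fanout.items()):
        observed = max(len(d) for d in hours.values())
        learned = baseline["max_fanout"].get(src, 0)
        # Constructed threshold: double the learned peak, and at least 5 more hosts than it.
        if observed > max(2 * learned, learned + 5):
            anomalies.append({"kind": "high_fan_out", "src": src, "distinct_hosts": observed,
                              "baseline_peak": learned, "mapping": "TA0008"})
    for (src, dst), hours in sorted(failures.items()):
        observed = max(hours.values())
        learned = baseline["max_failures"].get((src, dst), 0)
        # Constructed threshold: triple the learned peak, and never fewer than 10 failures.
        if observed > max(3 * learned, 10):
            anomalies.append({"kind": "brute_force", "src": src, "dst": dst,
                              "failures_per_hour": observed, "baseline_peak": learned,
                              "mapping": "TA0008 in the table; ATT&CK also files this as Brute Force T1110"})
    return anomalies


# Constructed training window (weekdays, work hours): a workstation that reaches a handful of
# hosts per hour and logs in to one SSH server, with an occasional single failure.
TRAINING_EVENTS = [
    (datetime(2023, 6, 13, 10, 0), "10.0.1.20", "10.0.2.5", 22, "ok"),
    (datetime(2023, 6, 13, 10, 5), "10.0.1.20", "10.0.2.6", 443, "conn"),
    (datetime(2023, 6, 13, 10, 7), "10.0.1.20", "10.0.2.7", 445, "conn"),
    (datetime(2023, 6, 13, 10, 9), "10.0.1.20", "10.0.2.5", 22, "fail"),
    (datetime(2023, 6, 14, 9, 30), "10.0.1.20", "10.0.2.5", 22, "ok"),
    (datetime(2023, 6, 14, 9, 40), "10.0.1.20", "10.0.2.8", 443, "conn"),
]

# Constructed detection window (Saturday 02:00): an off-hours SSH login, a sweep of 30 hosts in
# a neighbouring subnet, and 25 RDP failures against one server, all within the same hour.
DETECTION_EVENTS = (
    [(datetime(2023, 6, 17, 2, 10), "10.0.1.20", "10.0.2.5", 22, "ok")]
    + [(datetime(2023, 6, 17, 2, 15, i), "10.0.1.20", f"10.0.3.{i}", 445, "conn") for i in range(1, 31)]
    + [(datetime(2023, 6, 17, 2, 30, i), "10.0.1.20", "10.0.2.9", 3389, "fail") for i in range(25)]
)


def run_example():
    return detect(learn_baseline(TRAINING_EVENTS), DETECTION_EVENTS)


if __name__ == "__main__":
    for anomaly in run_example():
        print(anomaly)
```

Note that the three anomalies come from one source in one hour; that is the correlation the text relies on for high-confidence detections, since an off-hours login on its own is a weak signal, but an off-hours login followed by a subnet sweep and a burst of RDP failures from the same asset is a lateral-movement story an analyst can act on.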
Fidelis Network Detection and Response (NDR) uses a combination of these machine learning capabilities and advanced analytics to detect suspicious activity on an enterprise network. In a previous blog post, Using Machine Learning for Threat Detection, our CTO Anubhav Arora discussed the advantages of using machine learning to detect patterns of cyber-attacks hiding in large amounts of network traffic data, and defined the different approaches based on supervised and unsupervised machine learning algorithms. We also released a webinar hosted by SANS in which we discuss this topic in more detail.