Using Application Telemetry to Reveal Insider & Evasive Threats

Dark Reading – Andy Hawkins
It all starts with a process. Consider a shell script or Java app: the time, process identifier (pid), arguments, and checksum of the process are all important factors. So implementing techniques with the fidelity to detect rogue process behavior is a critical front-line defense. It is essential to have an in-depth understanding of both interprocess and interapplication network traffic to build the context necessary to understand what’s normal and what’s not.

Observing only process data is insufficient, whether the application is of the commercial off-the-shelf (COTS) or operational support system (OSS) variety. Instead, it’s necessary to verify and validate that no Web application resource (WAR) files, binaries, secrets, or configurations have been compromised. This may be accomplished via file system scans and focused tests against manifests or checksums; a better practice, however, is to build this capability into the toolchain.

Many organizations already implement controls on users and are perhaps even using UEBA. However, many users don’t exist in the directory and are not part of user management processes.

Infosec and attacker philosophies are orthogonal: while the endpoint is the unit of measure for IT, the attacker’s currency is the target’s data, and attackers look to exploit any weakness in the network, UI, APIs, or operating systems to get to it. To realign, organizations must observe an entire service and how services interact. Taken in isolation, each of the metrics discussed loses its value without context. The full picture of relationships between apps and their underlying hardware platforms, operating systems, network connections, performance, processes, and the identities and time of usage is required to detect threats as they unfold.
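The "focused tests against manifests or checksums" the summary recommends for WAR files, binaries, and configurations can be made concrete with a small verifier. The following is an added example, not code from the Dark Reading article or its author: it builds a SHA-256 manifest of a deployment directory at a known-good point, then re-verifies the directory and reports files that were modified, removed, or newly added. The directory layout, file names, and contents in `demo()` are constructed here purely to exercise the check.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=65536):
    """Stream a file through SHA-256 so large WARs/binaries don't load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every regular file under root (as a POSIX-style relative path) to its digest.

    Run this once against a trusted build artifact; store the result alongside
    the deployment (or better, in the CI pipeline) so later checks have a baseline.
    """
    root = Path(root)
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_manifest(root, manifest):
    """Compare the live tree against the baseline manifest.

    Returns the three kinds of drift a defender cares about: a changed file
    (tampered config or binary), a missing file (deleted component), and an
    added file (something deployed outside the sanctioned toolchain).
    """
    current = build_manifest(root)
    modified = sorted(k for k in manifest if k in current and current[k] != manifest[k])
    missing = sorted(k for k in manifest if k not in current)
    added = sorted(k for k in current if k not in manifest)
    return {
        "modified": modified,
        "missing": missing,
        "added": added,
        "ok": not (modified or missing or added),
    }


def demo():
    """Constructed scenario: a clean baseline, then three kinds of drift."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "WEB-INF").mkdir()
        (root / "WEB-INF" / "web.xml").write_text("<web-app/>")
        # Constructed placeholder bytes standing in for a real WAR archive.
        (root / "app.war").write_bytes(b"PK\x03\x04 constructed placeholder")

        manifest = build_manifest(root)
        clean = verify_manifest(root, manifest)

        # Simulate drift after deployment: edited config, unexpected new file,
        # and a deleted artifact.
        (root / "WEB-INF" / "web.xml").write_text("<web-app><!-- changed --></web-app>")
        (root / "WEB-INF" / "unexpected.jsp").write_text("<% /* not in baseline */ %>")
        (root / "app.war").unlink()
        tampered = verify_manifest(root, manifest)
        return clean, tampered


if __name__ == "__main__":
    clean_result, tampered_result = demo()
    print("clean:", json.dumps(clean_result))
    print("after drift:", json.dumps(tampered_result, indent=2))
```

The manifest is just a JSON-serialisable dict, so the same `verify_manifest` call fits equally well as a CI gate after packaging, a post-deploy smoke test, or a scheduled integrity check whose output is shipped to the SIEM alongside the process telemetry the summary describes. The baseline must come from a trusted source (the build pipeline), not from the host being checked, otherwise an attacker who can alter the files can alter the manifest too.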
Link: https://www.darkreading.com/attacks-breaches/using-application-telemetry-to-reveal-insider-and-evasive-threats/a/d-id/1337438

