Jan 23, 2023

A 100000/1 Shot Winner

Recently, Armis engaged with a heavily regulated energy company that had identified itself as an Implementation Group 3 (IG3) organization under the definition set by the Center for Internet Security (CIS). Essentially, this means that:


  • Part of their operation is regulated by law.
  • They see Cyber as a strategic risk to their organization.
  • They also wish to “abate” the damage from sophisticated cyber threat actors.

CIS Controls v8 Chart

The CIS Controls also stipulate the deployment of a “passive asset discovery tool”, which was one of the reasons they selected Armis as their platform of choice. With our platform they were able to:

  • Deploy a continuous passive asset discovery capability in their asset inventory safeguard.
  • Prove their cyber risk governance is adequately mature.
  • Populate their asset register in real time to underpin the appropriateness in the risk management process and to be considered diligent for an organization with an IG3 risk profile.

SOC Syndrome

Ensuring that their asset inventory capability met what is expected of IG3 entities was part of their initial use case, which was building out compliance with the CIS18 Controls. However, they soon began to look for other ways their organization could benefit from passive continuous network monitoring. One such request came from the Security Operation Centre (SOC) team, who were suffering from classic SOC syndrome: too many alerts and not enough people.

  • The team received an average of 100,000 alerts per day, coming from network intrusion detection technologies, network proxies, firewalls, and email and web gateways.
  • There was a heavy bias in the alerts towards early-stage MITRE ATT&CK or Kill Chain phases, often described as the delivery, exploitation and infection phases.
  • The vast majority of alerts were triggered by a user device's encounters with known exploit domains, previously malicious IP addresses, connections to newly registered domains, operating system error reporting, and websites listed on threat intel feeds.

Now, not all alerts are created equal, and the SOC team was having a tough time prioritizing which alerts were the most severe and required the most urgent attention. There was no easy way to distinguish between false positives, near misses, blocked attacks and successfully infected devices.

Phase-Chaining

Armis's network detection capability allowed the SOC team not only to map alerts to attack-matrix or kill-chain phases, but also to join behaviors across those phases by linking activities together as they occurred over time on an individual device. This allowed the SOC to prioritize triage by identifying which devices had been seen to move through a kill-chain process: first the delivery phase, then the exploitation and infection phases, and finally the compromise phase.

This “phase chaining” capability removes false positives, near misses and blocked attacks from the alerting funnel. In layman’s terms, you can get rid of a big source of inefficiency in the SOC.

Figure 1: Example of a typical compromise process for a device
Figure 1 above outlines a typical compromise process for a device: “laptop-6” encounters a malicious site, which in Armis terminology is called a suspicious host.

  1. Our suspicious host definition covers newly registered websites, known bad sites, poor reputation, botnets, compromised domains and others, and is mapped to the delivery phase (green) of the kill-chain.
  2. Devices moving into the exploitation phase after encountering malware will sometimes crash and/or reboot, sending error-reporting information back to Microsoft in the case of Windows (yellow).
  3. As the device enters the infection phase, it will often try to gather information about itself by contacting one of a plethora of public IP-check sites (amber) to learn its own public IP address.
  4. Finally, as it moves into the compromise phase, the infected device will POST data to a raw IP address (red) over commonly allowed firewall ports. Each of these signals on its own can be considered weak, essentially noise.

However, if you are able to join these signals together per device they become a very strong signal indeed.
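To make the phase-chaining idea concrete, here is an added worked example (not Armis code, and not the Armis engine's actual logic) that joins the four weak signals from Figure 1 per device and in kill-chain order, within a time window. The log-line format, the alert-type names (`suspicious_host`, `os_error_report`, `public_ip_check`, `post_to_raw_ip`), the 24-hour window and all device names are constructed assumptions for illustration. It goes slightly beyond the text by also showing two cases a correlation rule has to reject: the same four signals arriving out of order, and a chain spread over too long a period.

```python
"""Phase chaining over per-device signals (added example, not Armis code).

Each signal alone is weak: a lookup of a newly registered domain, a crash
report, an IP-check site visit, a POST to a raw IP. Joined per device, in
kill-chain order and inside a time window, they become a strong signal.
Log format, alert taxonomy and window are assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Kill-chain phases in the order a device must traverse them.
PHASES = ["delivery", "exploitation", "infection", "compromise"]

# Assumed alert taxonomy: raw alert type -> kill-chain phase.
ALERT_PHASE = {
    "suspicious_host": "delivery",      # green in Figure 1
    "os_error_report": "exploitation",  # yellow
    "public_ip_check": "infection",     # amber
    "post_to_raw_ip": "compromise",     # red
}


def parse_event(line):
    """Parse one constructed log line: '<iso-timestamp> <device> <alert_type>'."""
    ts, device, alert = line.split()
    return datetime.fromisoformat(ts), device, ALERT_PHASE[alert]


def chained_devices(lines, window_hours=24):
    """Return {device: (chain_start, chain_end)} for devices that moved
    through every phase, in order, within window_hours of the first
    delivery signal. Alerts that never progress past delivery (blocked
    attacks, stale intel, false positives) can never match.
    """
    window = timedelta(hours=window_hours)
    by_device = defaultdict(list)
    for line in lines:
        ts, device, phase = parse_event(line)
        by_device[device].append((ts, phase))

    matched = {}
    for device, events in by_device.items():
        events.sort()  # chronological order per device
        # Treat every delivery signal as a candidate chain start.
        for i, (start_ts, start_phase) in enumerate(events):
            if start_phase != PHASES[0]:
                continue
            expected = 1  # index of the next phase we need to see
            for ts, phase in events[i + 1:]:
                if ts - start_ts > window:
                    break  # chain did not complete inside the window
                if phase == PHASES[expected]:
                    expected += 1
                    if expected == len(PHASES):
                        matched[device] = (start_ts, ts)
                        break
            if device in matched:
                break
    return matched


# Constructed sample log (not real data).
CONSTRUCTED_LOG = [
    # laptop-6: full chain, in order, within an hour -> matches
    "2023-01-20T09:00:00 laptop-6 suspicious_host",
    "2023-01-20T09:12:00 laptop-6 os_error_report",
    "2023-01-20T09:30:00 laptop-6 public_ip_check",
    "2023-01-20T10:05:00 laptop-6 post_to_raw_ip",
    # laptop-2: blocked at delivery, alerts twice -> noise
    "2023-01-20T09:01:00 laptop-2 suspicious_host",
    "2023-01-20T11:40:00 laptop-2 suspicious_host",
    # desktop-9: crash and IP check with no delivery first -> noise
    "2023-01-20T08:00:00 desktop-9 os_error_report",
    "2023-01-20T08:30:00 desktop-9 public_ip_check",
    # laptop-4: all four signals but out of order -> no match
    "2023-01-20T09:00:00 laptop-4 post_to_raw_ip",
    "2023-01-20T09:10:00 laptop-4 suspicious_host",
    "2023-01-20T09:20:00 laptop-4 os_error_report",
    "2023-01-20T09:40:00 laptop-4 public_ip_check",
    # server-1: full chain spread over three days -> outside 24h window
    "2023-01-18T09:00:00 server-1 suspicious_host",
    "2023-01-19T09:00:00 server-1 os_error_report",
    "2023-01-20T09:00:00 server-1 public_ip_check",
    "2023-01-21T09:00:00 server-1 post_to_raw_ip",
]

# Bulk delivery-only noise: the kind of alert that dominates a SOC queue.
NOISE = [f"2023-01-20T12:00:00 ws-{i} suspicious_host" for i in range(1000)]


def triage(lines, window_hours=24):
    """Return (total_alerts, number_of_devices_matching_a_full_chain)."""
    return len(lines), len(chained_devices(lines, window_hours))


if __name__ == "__main__":
    total, compromised = triage(CONSTRUCTED_LOG + NOISE)
    print(f"{total} alerts -> {compromised} device(s) with a full chain")
    print(chained_devices(CONSTRUCTED_LOG + NOISE))
```

Run as-is, the 1016 constructed alerts reduce to a single device, `laptop-6`, with the start and end timestamps of its chain. Widening `window_hours` to 96 lets `server-1` through as well, which is the tuning trade-off the text alludes to when it says the engine can be "dialed in": a longer window catches slow attackers at the cost of more chance coincidences.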

Figure 2, below, shows how the multi-phase attack chaining engine in Armis, with corresponding traffic-light stages, captures complex patterns of attack by linking activities across the kill-chain. The specific example shows how Armis mimics the DNA of the particular form of attack represented in Figure 1. The engine can be dialed in to capture the DNA of any form of attack across its various phases.
Figure 2: Example of the multi-phase attack chaining engine

A Daily Workload Reduced from 100000 to 1

In conclusion, the SOC team had 100000 alerts a day, but these alerts are really just pieces of data, representative of many things, not just attacks. When the SOC plugged Armis into the network stream responsible for producing these alerts, they found that only 1 device matched a successful compromise pattern; the rest of the alerts were false positives, stale intel, near misses or dead attacks.
