Software Engineering Institute

This presentation describes a scalable distributed system to identify hosts based on behavior rather than addresses. When hunting for particular threats or looking for anomalies in general, finding all the resources that could be a part of a malicious behavior can be challenging. Finding as many network flows as possible that tie with the threat can be very time consuming and prone to error depending on the sophistication of the attack. Even when an initial set of addresses has been discovered to be connected to a given threat, it can be difficult to track them across time since addresses can easily be spoofed. Tracking behavior can be more useful than tracking addresses since attack behavior is harder to modify than addresses, checksums, or email wording. We generate evolving statistical models per host, attribute all addresses seen from that host and automatically cluster hosts based on their statistical distance. The analyst can query the system with an address seen at a given timestamp to traceback the threat to its origin in time and location (geolocation or local subnet), other addresses it used, other hosts it may have potentially compromised and C2 IP addresses it communicated with etc. since all flow data is tied to a unique identifier rather than an IP or MAC address. Having a knowledge system that builds and keeps track of statistical models per-host in real-time not only can automate time-consuming parts of the analyst workflow, improve accuracy, reduce missed events and discover secondary threats but also proactively detect anomalies, improve damage assessment and find compromised devices in the network. Furthermore, with adequate amount of training data the system can be trained to proactively look for threats of known signatures and anomalies in real-time. This information can not only be used for threat hunting and anomaly detection but also assess risk to an enterprise to improve threat and risk modeling.