Time-Based Correlation of Malicious Events and Their Connections
January 2019 • Presentation
Steve Henderson, Brittany Nicholls (Enlighten IT Consulting), Brian Ehmann (Enlighten IT Consulting)
In this presentation, the authors discuss how to automate the use of statistics to help link events and connections in a timeline during an incident or forensic investigation.
Enlighten IT Consulting
In the cybersecurity arena, many events of interest occur in conjunction with network connection events. For example, a connection to a suspected malware command and control node might proceed a hidden process disabling security logging on a compromised computer. Associating such malicious events with their related connections is a critical task in network forensics. Often times a suspicious connection can tip off investigators to previously overlooked events and vice versa. However, in many cases, associating events with corresponding connections is difficult due to network layering, dynamic addressing, or gaps in sensor coverage. Inevitably, the investigator will invoke timestamps to help correlate events with possible connections. Included are the results of a validating discrete event simulation that identifies under which conditions this approach provides the best performance and fewest false positives. We discuss scaling this analytic to the DoD enterprise level and its use in helping detect various anomalies.