Blog, Uncategorized

10 Correlation Patterns Security Analysts Should Know About

By Peter
No Comments

Security Analysts receive lots of detections from numerous security monitoring sources. These atomic detections are easy to set up, but quickly contribute to the growing amount of alert fatigue felt by security analysts that find themselves overwhelmed with alerts. Contributing to this problem is the fact that as much as 26-50% of the security alerts they receive are reported as false positives or non-actionable, according to McAfee and Cisco. These atomic detections contain limited information and are rarely sufficient on their own to enable decision making. Unless the alert clearly indicates the existence of well-known malware or a known-bad phishing link, security teams must look at signals from different places to recover the story of the alert, in order to make a decision on its risk level and what if anything should be done about it.

Working with DTonomy customers and other security experts, we have seen a variety of different patterns across different detection-types that are very informative. Here are 10 common correlations we have seen across customers that may be helpful to know about.

1. Example of building up your kill chain: Unusual child process + privilege escalation + registry modification + unusual external connection

There could be variety of different and sometimes valid reasons why a security detection might highlight that process A started process B. Similarly for privilege escalations, registry modifications and other unusual external detections. On their own, they may indicate risk or represent a false positive. But when they start to line up, in the steps of an adversary kill chain, the risk starts to accumulate and becomes worthy of your attention and immediate response.

2. Phishing + abnormal cloud login information

If your employees are reporting suspicious phishing emails they receive, you may have come to the conclusion that having the users login history information and/or detections around abnormal logins in place is incredibly helpful. Only with this info can you identify any following on risk from the phishing attempts, as well as the broader risk surrounding these reported suspicious phishing emails.

3. Network alerts + severe machine vulnerability

It’s very commonplace to see a variety your online assets or IPs being scanned, triggering port scan alerts indicative of the possibility of an adversary performing reconnaissance to enable lateral movement. Correlating these scans with machine vulnerability information is very helpful, enabling the prioritization of patching needed for the machine.

4. Threat report + abnormal user login

Many vendors and open-source communities report threats and IOCs. During covid 19, for example, analysts received reports on employees indicating unemployment fraud being attempted. The threat intelligence you have received, automatically correlated with user login history, enables you to quickly identify which threats are the ones you need to prioritize.

5. Command and control detection + deployment/patch history

There are a variety of reasons why systems start beaconing to external servers, each one though potentially representing a botnet or command and control software. Automatically grouping these beaconing detections will enable you to view all suspicious outbound connections so you can correlate them with known valid deployment activities, enabling you to rule out the noise generated by valid deployment activities and highlight risky adversary-generated activity.

6. Compromised user detection + physical badge swipe alerts

Users that login to the same instance within a short period of time from locations which are many miles apart are worth investigating. Sometimes these are detected as compromised user login detections. In these cases, correlating this with badge swipe information is super handy in helping to verify if this the remote login is a false positive or not.

7. Phishing email from same campaign

As attackers send out large numbers of phishing emails to target your company’s employees or customers, they often send emails with similar content or content with only subtle differences between emails. These are patterns you can check among different alerts groups. Detecting these patterns and grouping all of the emails with the similar patterns enables you to quickly identify phishing campaigns and drill-into accounts which may have been compromised.

8. Repetitive alerts that happen at similar time frames

It’s not uncommon to see repetitive alerts happening at a similar time every day. This type of pattern will likely help provides insight into the possible root cause of the alerts and enable you to resolve them with better detections or better data clean up.

9. Similar alerts

Many alerts are extremely similar and only vary by a slight difference. For example, process names vary by one letter. Learning the pattern of these alerts or looking back at how similar alerts have been investigated in the past, enable you to quickly investigate them together and pay attention to these small nuances that are easy for the human eye to miss.

10. Abnormality on alerts

As analysts triage potential security risks they accumulate an enormous amount of knowledge as they perform daily investigation work. For instance, it’s easy for analysts to waste time digging into things that may have already been inspected. To drive efficiencies, Analysts want to pay attention to abnormal and new issues, instead of attributes that they have already investigated.

In reality, the subset of detections that are helpful in identifying any ongoing threat are often buried in hundreds of thousands of security detections. This makes it easy to lose sight of the insights that can be gained from the connections between detections. This is where machine learning can add tremendous value, by looking across the data and figuring out the interesting patterns and connections amongst them. These patterns help security teams to better understand the context of each of the detections. Looking only at this data, though, is only one means for speeding the analysis of alerts. Equally or more important is to leverage the learning from the decisions that experienced analysts have already made, based on their analysis of alerts, to help you investigate any similar alert. We developed DTonomy to enable both of these insight types and continue to learn about more patterns, like the 9 above, which customers became aware of through DTonomy’s Pattern Discovery Engine, Adaptive Scoring Engine, or Active Recommendation Engine.