Introduction
Recently, an AlienVault customer reached out to ask how AlienVault handles the detection of zero-day attacks, which are exploits against previously unknown vulnerabilities. In this blog, I shed light on how we approach this.
Modern security products rely on some definition of threats, whether that definition is as specific as a signature that identifies a unique strain of malware or as general as a behavior pattern that threat actors employ broadly across different strains of malware. The challenge of security is keeping those definitions up to date as attacks emerge and evolve in the wild every single day. Most organizations outside of the Fortune 500 do not have the resources to tackle this challenge on their own.
There are a few approaches to this challenge of staying ahead of the always-shifting threat landscape and new zero-day attacks. One is to discover vulnerabilities before threat actors discover them and figure out how to exploit them. Another is to identify an active exploit in the wild early and to update your defenses immediately so that you can detect and respond to it.
AlienVault uses both of these approaches to keep our customer environments secure in the face of zero-day attacks. Let’s take a deeper look at how.
Early Access to New Vulnerability Information
One way to stay ahead of emerging threats is to know about the vulnerability before threat actors have an opportunity to exploit it. As soon as a new software vulnerability or security flaw becomes public knowledge, threat actors go to work, taking advantage of the time it takes for security vendors to update their tools and for security teams to then identify and patch their vulnerabilities. That’s why it’s a security best practice for software researchers to inform security vendors of new threats and vulnerabilities before they announce them to the general public.
For example, AlienVault participates in the Microsoft Active Protections Program (MAPP). Through this program, AlienVault Labs receives early access to new vulnerability information for Microsoft and Adobe products before Microsoft publishes it in its monthly security update. This allows us to update the defenses in USM Anywhere ahead of a public announcement, giving our customers a head start in identifying and remediating the vulnerabilities in their environments.
Discovering Zero-Day Attacks as they Emerge in the Wild
Of course, the “good guys” are not always the first to discover new vulnerabilities. All too often, threat actors find and exploit vulnerabilities before vendors have the opportunity to discover and release patches for them. Thus, zero-day vulnerabilities are often discovered after they’ve been exploited in a successful zero-day attack. That’s why it’s important to have a constant watchful eye on the global threat landscape as well as the ability to operationalize new threat information as soon as it becomes available.
The Power of the Global Threat Intelligence Community
AlienVault has a couple of strategies here. First, AlienVault USM Anywhere is unique in its ability to detect zero-day attacks thanks to its direct integration with the Open Threat Exchange (OTX), the world’s largest open threat intelligence sharing community. The global OTX community of over 100,000 security researchers and practitioners contribute 19 million pieces of threat data daily, and they often alert the community within the initial minutes or hours of discovering an attack in the wild. This threat data is available to any OTX user to consume in their security tools. For AlienVault USM Anywhere users, OTX threat data is integrated and ready to use in the platform. Users can subscribe to any OTX Pulse to enable security alerting on the indicators of compromise (IOCs) published within that pulse. Users can also subscribe to email notifications to stay aware of specific attacks, threat actors, or malware families as they evolve.
AlienVault Labs Security Research Team
In addition to the community-powered threat data shared in OTX, USM Anywhere receives continuous and automatic threat intelligence from the AlienVault Labs Security Research Team. This team works on behalf of all USM Anywhere customers, monitoring the global threat landscape daily, analyzing threats with a combination of human and machine intelligence, and curating the threat intelligence that is delivered continuously and automatically to USM Anywhere. AlienVault Threat Intelligence is ready to use and is written to proactively detect higher-level activities, patterns, and behaviors to effectively automate threat hunting activities across customer environments.
Behavioral-Based Detection
Detecting threats based on IOCs like file hashes and IP addresses enables security teams to identify emerging attacks quickly and with higher confidence. Yet, on their own, IOCs are fairly volatile: threat actors can alter them very quickly, easily, and even automatically. Less volatile are the tactics, techniques, and procedures (TTPs) that threat actors use (and reuse) to carry out attacks. Think of these as the recipe for the attack: the high-level tasks the actor performs at each stage of the attack. These steps are often the same across different malware or campaigns, so detecting them is more effective than relying on IOC matching alone.
For example, consider a network attack. The initial network intrusion may be carried out using a brand new, unidentified vulnerability. But once the threat actor gains access to the system she attacked, her recipe calls for downloading the tools needed to move laterally in the network and extract data. These tools can be identified when they are downloaded or when they communicate on the network. Because they are independent of the initial zero-day vulnerability that was exploited to gain access, we can still detect the threat by detecting the other tools used in the attack.
To do this, AlienVault Labs uses machine learning algorithms to extract threat characteristics and group samples into clusters, which are used to identify known and unknown threats. These "clusters" are based on observed network behavior, OS interactions, and more. The algorithms further analyze these clusters to identify anomalous behavior. The AlienVault Labs team uses this information to codify the tactics, techniques, and procedures, which are packaged as correlation rules and delivered continuously to USM Anywhere as part of the threat intelligence subscription.
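To make the IOC-versus-TTP argument above concrete, here is an added example in Python (not AlienVault or USM Anywhere code): a hash-based IOC rule beside a simple correlation rule for the "download a tool, run it, fan out to other hosts" recipe, both run over constructed endpoint events. The event format, hashes, hostnames and addresses are constructed placeholders, and the second campaign reuses the recipe with a recompiled tool whose hash differs.

```python
# Added example, not AlienVault's code: an IOC-match rule beside a
# TTP-style correlation rule, run over constructed endpoint events.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IOC: hash of a lateral-movement tool seen in a prior campaign.
KNOWN_BAD_HASHES = {"deadbeef-placeholder-hash-1"}

# Constructed events (hypothetical sensor format). ws01: known tool.
# ws02: same recipe, recompiled tool (new hash). ws03: benign download.
EVENTS = [
    {"ts": "2023-01-01T10:00:00", "host": "ws01", "type": "download", "sha256": "deadbeef-placeholder-hash-1"},
    {"ts": "2023-01-01T10:00:30", "host": "ws01", "type": "exec", "sha256": "deadbeef-placeholder-hash-1"},
    {"ts": "2023-01-01T10:01:00", "host": "ws01", "type": "netconn", "dst": "10.0.0.5"},
    {"ts": "2023-01-01T10:01:10", "host": "ws01", "type": "netconn", "dst": "10.0.0.6"},
    {"ts": "2023-01-01T10:01:20", "host": "ws01", "type": "netconn", "dst": "10.0.0.7"},
    {"ts": "2023-01-01T11:00:00", "host": "ws02", "type": "download", "sha256": "cafef00d-placeholder-hash-2"},
    {"ts": "2023-01-01T11:00:20", "host": "ws02", "type": "exec", "sha256": "cafef00d-placeholder-hash-2"},
    {"ts": "2023-01-01T11:00:40", "host": "ws02", "type": "netconn", "dst": "10.0.0.5"},
    {"ts": "2023-01-01T11:00:50", "host": "ws02", "type": "netconn", "dst": "10.0.0.8"},
    {"ts": "2023-01-01T11:01:00", "host": "ws02", "type": "netconn", "dst": "10.0.0.9"},
    {"ts": "2023-01-01T12:00:00", "host": "ws03", "type": "download", "sha256": "benign-placeholder-hash-3"},
    {"ts": "2023-01-01T12:00:05", "host": "ws03", "type": "exec", "sha256": "benign-placeholder-hash-3"},
]

def ioc_rule(events):
    """Hosts that executed a known-bad hash. Silent on any recompiled tool."""
    return sorted({e["host"] for e in events
                   if e["type"] == "exec" and e.get("sha256") in KNOWN_BAD_HASHES})

def ttp_rule(events, window=timedelta(minutes=10), min_targets=3):
    """Hosts where a download is followed, within `window`, by execution of
    that same file and by connections to at least `min_targets` distinct
    destinations. Keyed on behaviour, so the file hash is irrelevant."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    hits = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        for i, e in enumerate(evs):
            if e["type"] != "download":
                continue
            start = datetime.fromisoformat(e["ts"])
            later = [x for x in evs[i + 1:] if datetime.fromisoformat(x["ts"]) - start <= window]
            executed = any(x["type"] == "exec" and x.get("sha256") == e["sha256"] for x in later)
            targets = {x["dst"] for x in later if x["type"] == "netconn"}
            if executed and len(targets) >= min_targets:
                hits.append(host)
                break
    return sorted(hits)

if __name__ == "__main__":
    print("IOC rule fired on:", ioc_rule(EVENTS))  # ['ws01']
    print("TTP rule fired on:", ttp_rule(EVENTS))  # ['ws01', 'ws02']
```

Raising `min_targets` or shrinking `window` is how such a rule is tuned against benign fan-out on a real network; the thresholds here are chosen only to fit the constructed data.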
Using this strategy, AlienVault was able to detect and block the "ALPC zero day" months before it was actually identified in the wild and an IOC was written for it. This exploit takes advantage of a vulnerability in the Windows Task Scheduler API method "SchRpcSetSecurity", exposed over the ALPC (Advanced Local Procedure Call) interface, that allows local users to obtain SYSTEM privileges.
AlienVault Labs detected this privilege escalation technique with generic detection mechanisms that are resilient to a changing attack vector. In other words, they came up with a way to detect this type of privilege escalation that is independent of the exploit it is wrapped in. So any attack, even a zero day, that uses this technique is effectively identified by AlienVault.
Another example is the well-known Apache Struts vulnerability. When the exploit first appeared, there was no specific defense against the attack. However, once it was on a system, it leveraged a webshell to communicate back to its operators. AlienVault USM Anywhere was already able to detect this webshell because it had been used by other attackers in previous campaigns as part of their TTPs.
Summary
In this blog post, I’ve outlined a few of the techniques that AlienVault leverages to detect emerging and evolving threats, including zero-day attacks. To quickly summarize:
- Early access to new vulnerability information allows us to update the vulnerability signatures in USM Anywhere ahead of public release.
- OTX acts as an early warning system of experts around the world, bolstered by our internal threat research team, which quickly finds and analyzes new attacks.
- Advanced detection techniques like the identification of behaviors and TTPs mean AlienVault can detect many zero-day attacks even if the IOCs change frequently.
See the table below for some examples of how these efforts have resulted in early detection of several different recent threats by USM Anywhere.