en flag +1 214 306 68 37

Chasing Spyware with a SIEM Solution to Pull the Plug on an APT

Published:

When working within a computer network, it's impossible to tell for certain that no one has embedded spyware and uses it for the purposes of an advanced persistent threat (APT). An APT is launched to pursue financial gains, a company’s reputation damage or information leak; it evolves invisibly and when not detected in time, it may affect organizations’ wellbeing and even people’s lives dramatically. It takes a considerable amount of time and efforts for penetrators to plant spyware into a network as an APT root to further develop an attack until they capture the needed data. Disclosure of an APT at early stages would allow addressing negative consequences and avoiding destructive aftermath.

Spyware is a significant tool that helps intruders keep a targeted computer network under observation in an APT in order to analyze network users' behavior. Information security officers aiming to detect APTs look for different types of spyware such as system monitors, Trojan horses, keystroke loggers, screen loggers, tracking cookies. They all have common essential features that betray spyware presence in the network and, thus, can help to reveal an APT early on.

Chasing spyware with a SIEM solution

Why detect spyware with SIEM technology

There are several approaches to detect spyware nesting in a computer environment, hence to thwart an APT in proper time. Naturally, manual detection of spyware presence is the first thing that comes to mind. However, such an approach is time-intensive and demanding in human resources, while it does not ensure complete security.

When it comes to computer-aided tools, there is a misconception that antiviruses provide a 100% shield against malware, which also covers spyware, but in fact, it does not. Antiviruses can track just certain types of spyware, while those with unique codes, like most of spyware used in APTs, easily escape tracking. Also, standard security tools such as firewalls and Intrusion Prevention Systems (IPS) have a common limitation: they handle too narrow a problem to reveal an APT properly.

Thorough spyware detection in an IT network demands a comprehensive approach, such as Security Information and Event Management (SIEM). A SIEM system provides the holistic coverage of an IT environment from a single point of view. The system collects data to analyze security events for any abnormalities from audit logs and all the network tools, including antivirus, firewalls and IPS. Therefore, SIEM presents a convenient all-in-one solution for detecting spyware among other malicious processes.

The QRadar example

The pattern of a SIEM system spyware detection in an IT network can be illustrated with how IBM® Security QRadar SIEM does it. QRadar performs network and application monitoring based on both out-of-the-box and custom rules that cover certain search conditions for security events. To reveal spyware, it’s possible to develop custom correlation rules that will use the signs of spyware presence in a network as the base point for creating search conditions.

Although a range of spyware that can be applied during an APT is wide and these programs behave in their own ways, all of them give themselves away with similar symptoms. The consideration of all these symptoms facilitates proper QRadar fine-tuning, hence reliable detection of spyware in a corporate network. Let’s discuss the signs that betray spyware and the methods QRadar provides for revealing each of them.

Traffic monitoring to detect suspicious communication

By their nature, spyware programs necessarily share the acquired user information with the attacker and, consequently, send it to outbound sources. Therefore, the reputation of the traffic source and its destination identified by malicious IP address, URL, domain, etc. can reveal the presence of spyware. Therefore, it’s necessary to monitor traffic as it allows to notice suspicious communication that spyware produces. Here are the spyware characteristics warning that something probably went wrong in the network in case of outgoing traffic:

  • Traffic is directed to a bad reputation IP found on the IBM X-Force® Threat Intelligence list, which IBM provides to its subscribers;
  • Traffic goes to IP addresses registered in suspicious destination countries;
  • Traffic volume surges compared to its baseline.

Speaking of incoming traffic, data received from the sources, identified by IBM X-Force as malicious, should alert security administrators as it may well be that the communication endpoints are infected with spyware.

To provide sustainable traffic monitoring with reference to spyware revealing, traffic baseline should be determined in the first place. QFlow Collector monitors traffic in QRadar by processing flows in various formats, so a standard volume of traffic, normal destinations and flow information should be set for it. Then, correlation rules are developed in such a way that QRadar will trigger an offense every time traffic volume exceeds the baseline, or destinations and flow information differ from normal.

Operating system audit log monitoring for spyware program installation

In case spyware is designed as a standalone application, the fact of its installation is recorded in the operating system audit log as an ordinary software installation. So, spyware footprint can be identified by operating system audit log monitoring for the traces of unauthorized software installation. For this approach to work efficiently, a security policy should define appropriate mechanisms of centralized software distribution and such mechanisms should be enforced across the environment. So QRadar should be fine-tuned so that it will trigger an offense every time it detects unauthorized software installation.

Behavioral analysis for escalation of user privileges across assets

The self-replication of certain types of spyware requires administrating privileges. Registration of both successful and unsuccessful attempts to gain access to another asset in the network under the administrator’s authority from non-admin computers should raise suspicions trigger offenses in QRadar.

Also, a higher intensity of administrator’s logins may identify that a spyware tries to monitor the asset owner’s behavior. The key to catching such signs is to set the baseline of administrator’s logins to the asset. Based on it, correlation rules are developed in QRadar so that it will generate offenses every time it detects an abnormal number of administrator’s logins.

IBM Security QRadar Incident Forensics for spyware detection

Considering spyware detection specifics, IBM Security QRadar Incident Forensics and Packet Capture can also be used to monitor all incoming and outgoing data, allowing rapid investigation of security events. Operating on encrypted traffic, however, very much depends on encryption keys availability. Therefore, incorrect configuration may significantly reduce the efficiency of the tool.

Timely detection for proper prevention

Although an APT doesn’t have obviously revealing attributes like other types of attacks (DoS attack, botnets, spear phishing, etc.) and can even hide behind them, it may cause greater damage and losses. Therefore, its timely detection at the stage of spyware injection can keep an organization from huge financial and reputational losses. Because of the nature of spyware, detection of its certain types makes it challenging even for a specifically fine-tuned SIEM system. In any case, when customized correctly, a SIEM system becomes a catch-them-all and handy tool for detecting spyware, as it provides holistic monitoring and correlation of all security events, traffic flows, and user behavior.