Upcoming Web Security Technology
Security systems and technology have historically been designed around protection, detection, and disinfection: build a perimeter around your assets and prevent threats from penetrating it; detect any threats that have penetrated the perimeter and infected assets; then remove every trace of those threats from the affected assets. This is an age-old approach to security, analogous to building a castle wall to keep intruders out and to detect and eliminate any enemy that gets inside. One lesson worth taking from age-old defenses is that pickets were placed miles from the castle walls, in concentric rings, so that an approaching enemy was detected long before it reached the fortress itself.
New technologies are emerging in the security industry that follow the age-old practice of picketing: they detect the enemy in the early stages of an attack and stop it before it ever reaches the security perimeter. These technologies focus on detecting the new malicious identities (domains, registrants, and the infrastructure behind them) associated with a threat actor before the attack is deployed.
A malicious website begins its life like any other website: a domain is registered, a site is built, and the site is deployed. It may differ from benign websites in a variety of ways:
- The domain name may imitate a well-known brand (for example, ibmdownlaods.com).
- The website has geo-location attributes (where it is hosted).
- The registrant has geo-location attributes and a historical context (other domains registered under the same identity).
- The cost associated with the registration.
- The trust associated with the registrant.
Domain kinetics involve website gesturing: the observable sequence of events from registration onward. (See Figure 1) For example, how long after the domain was registered did a parking page appear? How much time passed between registration, domain parking, and the appearance of an actual website? Is the website indexed by the standard search engines, and how long did each search engine take to pick it up?
By comparing this information with historical registration data and historically known malicious domains, combined with the website gesturing data, we begin to build a profile of malicious activity at the earliest stage of a threat. The result is a graph that represents domain trust, identity trust, and registrant trust. Continual observation and correlation of previously malicious websites and their associated identities against newly created domains and identities allows kinetic analytics to identify malicious intent before the domain is ever used in an attack.
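As an added illustration (not code from the original article), the Python script below computes domain-kinetics and registrant-trust features of the kind described above over a constructed set of registration records. The record schema, the brand list, the known-bad list, the fixed "today" date and the point weights are all assumptions chosen for the example; a real deployment would take registration history from WHOIS/RDAP, the gesturing timestamps from passive observation, and the known-bad set from a threat feed.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass
class DomainRecord:
    """Registration plus 'gesturing' timeline for one domain (assumed schema)."""
    name: str
    registrant: str                      # registrant identity, e.g. a WHOIS/RDAP handle
    registered: datetime
    parked: Optional[datetime] = None    # first time a parking page was seen
    live: Optional[datetime] = None      # first time real content was seen
    indexed: Optional[datetime] = None   # first time a search engine returned it


# Constructed sample data: two domains under one registrant, one of which is
# already on a (constructed) known-bad list, plus one unrelated benign domain.
RECORDS = [
    DomainRecord("ibmdownlaods.com", "reg-4471",
                 registered=datetime(2024, 3, 1), parked=datetime(2024, 3, 1),
                 live=datetime(2024, 3, 2)),
    DomainRecord("ibm-support-login.net", "reg-4471",
                 registered=datetime(2024, 1, 10), parked=datetime(2024, 1, 10),
                 live=datetime(2024, 1, 11), indexed=datetime(2024, 1, 20)),
    DomainRecord("greenhillbakery.com", "reg-0912",
                 registered=datetime(2023, 6, 1), parked=datetime(2023, 6, 1),
                 live=datetime(2023, 8, 15), indexed=datetime(2023, 9, 1)),
]
BY_NAME = {r.name: r for r in RECORDS}
KNOWN_BAD = {"ibm-support-login.net"}   # constructed threat-feed entry
BRANDS = ["ibm", "paypal"]               # brands to protect (assumed list)
NOW = datetime(2024, 3, 5)               # fixed "today" so results are repeatable


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches transposition and typo look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand_lookalike(domain: str, brands: list, max_dist: int = 2) -> Optional[str]:
    """Return the brand the domain's first label imitates, or None.

    A label that *is* the brand (ibm.com) is not a look-alike; one that embeds
    it (ibmdownlaods) or sits within a couple of edits of it (paypa1) is.
    Substring matching on very short brand names is noisy in practice.
    """
    label = domain.lower().split(".")[0]
    for brand in brands:
        if label == brand:
            return None
        if brand in label or edit_distance(label, brand) <= max_dist:
            return brand
    return None


def _days(a: Optional[datetime], b: Optional[datetime]) -> Optional[int]:
    return None if a is None or b is None else (b - a).days


def kinetics(rec: DomainRecord, now: datetime) -> dict:
    """The timing features the article calls domain kinetics / gesturing."""
    return {
        "reg_to_park_days": _days(rec.registered, rec.parked),
        "park_to_live_days": _days(rec.parked, rec.live),
        "reg_to_live_days": _days(rec.registered, rec.live),
        "live_to_index_days": _days(rec.live, rec.indexed),
        "age_days": (now - rec.registered).days,
    }


def registrant_history(rec: DomainRecord) -> tuple:
    """(other domains by the same registrant, how many of them are known bad)."""
    others = [r for r in RECORDS if r.registrant == rec.registrant and r.name != rec.name]
    return len(others), sum(1 for r in others if r.name in KNOWN_BAD)


def profile(name: str) -> dict:
    """Score 0-100 from brand similarity, kinetics, age and registrant trust.

    The weights are assumptions for this example, not a published model.
    """
    rec = BY_NAME[name]
    score, reasons = 0, []
    brand = brand_lookalike(rec.name, BRANDS)
    if brand:
        score += 40
        reasons.append(f"look-alike of brand '{brand}'")
    k = kinetics(rec, NOW)
    if k["reg_to_live_days"] is not None and k["reg_to_live_days"] <= 2:
        score += 20
        reasons.append("content live within 2 days of registration")
    if k["age_days"] < 30:
        score += 15
        reasons.append(f"registered only {k['age_days']} days ago")
    n_others, n_bad = registrant_history(rec)
    if n_others and n_bad / n_others >= 0.5:
        score += 25
        reasons.append(f"registrant has {n_bad}/{n_others} known-bad domains")
    return {"domain": rec.name, "score": score, "reasons": reasons, "kinetics": k}


if __name__ == "__main__":
    for r in RECORDS:
        p = profile(r.name)
        print(f"{p['domain']:<24} {p['score']:>3}  {'; '.join(p['reasons'])}")
```

The registrant link is what turns a single suspicious registration into a graph: ibmdownlaods.com scores highly on its own timing and name, but the decisive evidence is that the same registrant identity already owns a domain on the known-bad list.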
Global Real-time Visibility
Early detection at domain registration is the beginning of detecting a threat actor before the threat is deployed. The next stage of detection begins when the malicious website goes live and the threat actor hunts its prey by redirecting users to the website through ads, blogs, messaging, or email. The first observed accesses to these websites are key to detecting malicious intent, and those observations can take place on the endpoint, across the enterprise, and globally. Imagine monitoring DNS activity on an endpoint over time. Within a few months a quiescent state is reached, because we are all creatures of habit: in the first few days every domain appears new, but as time goes on the number of newly visited domains decreases exponentially. (See Figure 2)
Once that quiescent state is reached, any new domain can reasonably be treated as a potentially high-value event to be analyzed as malicious or benign. A domain newly observed on one endpoint can be compared with the domains newly observed across the enterprise (the real-time aggregation of endpoint data); that comparison either raises the value of the event or whitelists the domain because other endpoints have recently observed it. (See Figure 3) Simply put, the rarer a domain is, the higher the probability that it is a threat. A further assertion compares the domain against enterprise relevancy: is this domain unique to this enterprise? The more unique the domain remains as we move to a global view, the more suspicious it is and the more focused the analytics become. Finally, a globally unique domain can be compared against its original registration record for indicators of malicious activity. This process of primary (endpoint), secondary (enterprise), and tertiary (global) analytics, recursing into the registration data set, allows near-real-time assessment of new threats as they emerge, providing threat intelligence that is minutes old instead of days old. The same technique can be applied to other entities, such as newly observed tasks or privilege elevation.
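As an added example (not code from the original article), the following Python script runs the endpoint, enterprise, global and registration tiers just described over a constructed DNS query log for two endpoints. The log lines, the "seen globally" set, the registration-date feed, the two-day baseline period and the point weights are all assumptions made for the example; in a real deployment the log would come from endpoint DNS telemetry, the global set from cross-enterprise aggregation, and the registration dates from the registration data set discussed earlier.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed DNS query log for two endpoints (not captured traffic), one
# query per line: "<UTC timestamp> <endpoint> <queried domain>", time-ordered.
DNS_LOG = """\
2024-03-01T08:00:00Z ws-17 mail.example.com
2024-03-01T08:01:00Z ws-17 intranet.example.com
2024-03-01T08:02:00Z ws-22 mail.example.com
2024-03-01T09:00:00Z ws-22 cdn.widgets.net
2024-03-02T08:00:00Z ws-17 mail.example.com
2024-03-02T08:05:00Z ws-17 cdn.widgets.net
2024-03-02T09:00:00Z ws-22 intranet.example.com
2024-03-03T08:00:00Z ws-17 mail.example.com
2024-03-03T08:10:00Z ws-22 mail.example.com
2024-03-04T10:00:00Z ws-17 news.bigpublisher.com
2024-03-04T10:30:00Z ws-17 ibmdownlaods.com
2024-03-04T11:00:00Z ws-22 news.bigpublisher.com
"""

# Stand-ins for the outer tiers (both constructed for the example): domains
# already observed by other enterprises, and a registration-date feed.
GLOBAL_SEEN = {"mail.example.com", "intranet.example.com",
               "cdn.widgets.net", "news.bigpublisher.com"}
REGISTERED = {
    "news.bigpublisher.com": datetime(2009, 5, 14, tzinfo=timezone.utc),
    "ibmdownlaods.com": datetime(2024, 3, 1, tzinfo=timezone.utc),
}


def parse_log(text):
    """Yield (timestamp, endpoint, domain) with the domain normalised."""
    for line in text.splitlines():
        ts, host, domain = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield when, host, domain.lower().rstrip(".")


def analyse(log, baseline_days=2, young_days=30):
    """Return (events, new_per_day).

    events: one record per domain newly observed on an endpoint after the
    baseline period, scored by how far out the rarity reaches:
      +1 new to this endpoint, +2 new to the enterprise, +3 never seen
      globally, +4 registered less than young_days ago.  (Weights assumed.)
    new_per_day[host][date]: count of first-time domains per day, i.e. the
    curve that flattens as an endpoint settles into its habitual domains.
    """
    host_seen = set()                         # (endpoint, domain) pairs
    hosts_by_domain = defaultdict(set)        # enterprise-wide aggregation
    new_per_day = defaultdict(lambda: defaultdict(int))
    events, start = [], None
    for ts, host, domain in parse_log(log):
        start = start or ts
        new_to_host = (host, domain) not in host_seen
        other_hosts = hosts_by_domain[domain] - {host}   # checked before recording ours
        if new_to_host:
            host_seen.add((host, domain))
            hosts_by_domain[domain].add(host)
            new_per_day[host][ts.date().isoformat()] += 1
        if not new_to_host or ts < start + timedelta(days=baseline_days):
            continue      # nothing new, or still learning this endpoint's habits
        score, reasons = 1, ["new to endpoint"]
        if other_hosts:
            reasons.append(f"already seen by {len(other_hosts)} other endpoint(s)")
        else:
            score += 2
            reasons.append("new to enterprise")
        if domain not in GLOBAL_SEEN:
            score += 3
            reasons.append("not seen globally")
        reg = REGISTERED.get(domain)
        if reg is not None and ts - reg < timedelta(days=young_days):
            score += 4
            reasons.append(f"registered {(ts - reg).days} days ago")
        events.append({"ts": ts.isoformat(), "host": host, "domain": domain,
                       "score": score, "reasons": reasons})
    return events, new_per_day


if __name__ == "__main__":
    events, curve = analyse(DNS_LOG)
    for host, days in curve.items():
        print(host, dict(days))
    for e in sorted(events, key=lambda e: -e["score"]):
        print(e["score"], e["host"], e["domain"], "; ".join(e["reasons"]))
```

Note how the same observation lands differently at each tier: news.bigpublisher.com is new to the enterprise when ws-17 first resolves it but is whitelisted down to a low score an hour later when ws-22 follows, because another endpoint has now seen it, while ibmdownlaods.com stays rare at every tier and is also only days old in the registration feed, so it collects the full score.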