Who Needs Another Alert? CrowdScore Hunts Attackers Hidden in the Data

There’s another alert. It’s the 587th one that your security operations center (SOC) has received just today. Is it a threat actor working their way through your enterprise, an attack that was successfully blocked, or a false positive on the new infrastructure tool rollout that the IT department forgot to notify you of? It is your responsibility to find out and take the necessary actions to secure your organization. At CrowdStrike, we’ve developed an innovative solution that addresses these challenges head-on: the CrowdScore™ metric.

  • It provides an objective measurement of an organization's threat level, giving leaders a real-time metric that supports a risk-management approach to securing the enterprise.
  • It addresses alert fatigue by detecting attacks rather than individual behaviors, resulting in a 98% average reduction in items requiring analysis (comparing alert counts to incident counts).
  • It offers comprehensive attack detection designed to find attacker activity on a single device, or across multiple devices as the attacker moves laterally toward an objective.

The Ongoing Saga of Alert Fatigue in Cybersecurity

Triaging each alert, potentially investigating it and then taking action is time- and resource-intensive. Depending on its complexity, each alert can take minutes or hours, which forces difficult choices. The daily volume of alerts will inevitably exceed the finite capacity of the SOC, leaving some items uninvestigated. This is compounded by the fact that there are simply not enough qualified cybersecurity experts in the marketplace to address the backlog. According to CyberSeek, there are over half a million private sector job openings seeking cybersecurity skill sets, with more than 150,000 of those requiring specialized skills. It is well known that generating large volumes of security alerts, events and information leads to alert fatigue, where operators become desensitized to the alerts and begin to miss, ignore or delay their response to them. In this era of sophisticated nation-state and eCrime threat actors, and millions of new malicious files daily, the sheer volume of noise in this industry is a challenge that affects every security professional. Various security products and frameworks have tried, and failed, to solve this for nearly a decade, and as you will read, many products had to artificially reduce the noise by suppressing events.

With today's threat landscape combined with cloud migrations, supply chain diversification, the work-from-anywhere shift and many other factors accelerated by the COVID-19 pandemic, organizations now face a ballooning attack surface for beleaguered defenders to protect. To compound the challenge, advanced persistent threats (APTs) often fly under the radar, mimicking benign activity by using fileless attacks, trusted binaries and other sophisticated techniques to avoid detection. An effective SOC must be able to quickly distinguish critical threat actor activity from garden-variety malware and legitimate activity in order to identify intrusions and stop breaches. Each uninvestigated alert may in fact be an APT hiding among the noise, and unalerted data often contains the context necessary to find the real attacks. According to a recent study by IBM, the average cost of a data breach can exceed $3.86 million USD, so even a few mistakes can be extremely costly.

Lab-based Results Are Never the Same as Real-world

For products that try to solve alert fatigue, the objective is often achieved by grouping similar alerts in a time window on correlating factors such as:

  • Hostname or IP address
  • File hash or other indicator of compromise (IOC)
  • Similar command lines
  • Detection identifiers

Once grouped, criticality is presented as a context-free severity assigned to the detection signature itself, or it may be adjusted using factors such as how frequently the detection or event fires. A lack of context may work in a lab, but in the real world, severity without context leads to important alerts being ignored and valuable time being spent investigating benign activity instead of real attacks.

Some products include additional controls to tune or reduce the level of alerting, which is an admission that the detection accuracy is not suitable for real-world scenarios.

By including alert tuning or suppression, security products are able to improve the perception of their detection technology. This is especially useful in third-party testing, where lab conditions do not reproduce the knock-on effect of an analyst investigating seemingly random alerts without context and missing more important alerts because they have been "tuned" out. When they are used to solve the signal-to-noise problem, correlation and tuning can do more harm than good. They do not yield new detection information, and they often obscure the critical data a SOC analyst needs to quickly find a threat hiding under the radar.

To understand why grouping and tuning don't work, consider some common techniques that threat actors in advanced persistent threats use to fly under the radar. Legitimate activity can often look very similar to malicious activity. For example, one of the most common methods of process injection, T1055.002, leverages Windows APIs such as CreateRemoteThread. This same API is used for the vast majority of legitimate DLL injection, including by most security products. A threat actor can use it to install a beacon into a legitimate network-facing process in order to hide the beacon's network activity. Another example is timestomping, T1070.006. This technique appears throughout attacker tradecraft, but it is also a feature of most archiving applications, such as 7-Zip, which restore the original timestamps of extracted files. How do you differentiate? What if the attacker is using 7-Zip? Cases like these are a reminder that a security solution must minimize benign activity and surface real attacks. Viewed from the detection perspective, an installer or patch that performs these techniques could result in multiple alerts or none at all, depending on tuning, and that tuning may obscure a real attack that uses similar procedures while masquerading as legitimate activity. Likewise, simply grouping similar alerts cannot differentiate legitimate behavior from a real attack, so a SOC analyst still has to spend valuable cycles investigating each group.

CrowdScore is more than grouping detections or preventions, and it doesn’t require tuning or filtering for success.

CrowdScore constantly processes data in CrowdStrike's security cloud looking for malicious activity by examining all of these behaviors, whether or not they have been alerted to the user. It is not simply grouping atomic alerts; rather, it searches for and weighs the evidence of activity that comprises attacker behavior. Built on information theory, CrowdScore uses machine intelligence to find signals in unalerted data and detect attackers hiding under the radar. It leverages relevant behavioral telemetry, customer-developed alerts, and strong and weak indicators of potentially malicious activity to estimate the probability that the observed data represents a real attack. This allows CrowdScore to detect and elevate unknown attacks to the SOC in real time that might otherwise have gone unnoticed.
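The two passages above, the CreateRemoteThread/7-Zip examples and the description of weighing strong and weak evidence, are easier to reason about with a concrete model. The following is an added toy illustration, not CrowdStrike code and not a description of how CrowdScore actually computes its score: it assigns each observed behavior a context-dependent weight in bits of evidence (a log-likelihood ratio), links hosts through lateral-movement edges, sums the evidence per linked group and converts the result to a probability of attack. It is contrasted with per-host grouping under static severities. The telemetry, field names, weights and prior are all constructed assumptions chosen for the illustration, not measured detection rates.

```python
# Added example (not CrowdStrike code): context-weighted evidence accumulation
# across linked hosts versus context-free per-host alert grouping.
# All events, weights and the prior below are constructed assumptions.
from collections import defaultdict

# Constructed telemetry. Each record is one observed behavior with its context.
EVENTS = [
    # Benign: a signed installer on WS-07 injects into a browser process, and
    # 7-Zip restores file timestamps while extracting (a documented feature).
    {"host": "WS-07", "process": "setup.exe", "signed": True, "behavior": "remote_thread",
     "target": "chrome.exe", "target_network_facing": True},
    {"host": "WS-07", "process": "7z.exe", "signed": True, "behavior": "timestomp",
     "target": "C:\\Users\\a\\Downloads\\pkg\\lib.dll"},
    # Suspicious chain: an unsigned process on WS-12 injects into a network-facing
    # process and stomps the timestamp of a dropped DLL; the same session then
    # logs on to SRV-01 remotely, where a service pointing at that DLL is created.
    {"host": "WS-12", "process": "update.exe", "signed": False, "behavior": "remote_thread",
     "target": "svchost.exe", "target_network_facing": True},
    {"host": "WS-12", "process": "update.exe", "signed": False, "behavior": "timestomp",
     "target": "C:\\Windows\\Temp\\svc.dll"},
    {"host": "SRV-01", "process": "services.exe", "signed": True, "behavior": "remote_logon",
     "source_host": "WS-12"},
    {"host": "SRV-01", "process": "services.exe", "signed": True, "behavior": "service_created",
     "target": "C:\\Windows\\Temp\\svc.dll"},
]

# Static per-behavior severity, as a context-free grouping approach would assign it.
STATIC_SEVERITY = {"remote_thread": 3, "timestomp": 1, "remote_logon": 1, "service_created": 2}

# Assumed prior log-odds (in bits) that any given host group is under attack.
PRIOR_BITS = -4.0


def evidence_bits(e):
    """Evidence contributed by one event, in bits (log2 likelihood ratio of
    attack vs. benign), judged in context. Values are illustrative assumptions."""
    b = e["behavior"]
    if b == "remote_thread":
        # CreateRemoteThread into a network-facing process by an unsigned binary is
        # strong; the same API from a signed installer or security tool is nearly noise.
        return 3.0 if (not e["signed"] and e.get("target_network_facing")) else 0.2
    if b == "timestomp":
        # Archivers restore mtimes by design; an unsigned process altering
        # timestamps of a binary it dropped is a weak but real indicator.
        return 0.0 if e["signed"] else 1.5
    if b == "remote_logon":
        return 0.5  # common on its own, informative only in combination
    if b == "service_created":
        return 1.0 if "Temp" in e.get("target", "") else 0.2
    return 0.0


def link_hosts(events):
    """Union-find over hosts joined by lateral-movement edges
    (a remote_logon event carries the source_host it came from)."""
    parent = {}

    def find(h):
        parent.setdefault(h, h)
        while parent[h] != h:
            parent[h] = parent[parent[h]]  # path halving
            h = parent[h]
        return h

    for e in events:
        find(e["host"])
        if e["behavior"] == "remote_logon":
            parent[find(e["source_host"])] = find(e["host"])
    groups = defaultdict(set)
    for h in list(parent):
        groups[find(h)].add(h)
    return list(groups.values())


def score_incidents(events):
    """Sum context-weighted evidence over each linked host group and convert the
    resulting log-odds to a probability that the group represents a real attack."""
    results = []
    for hosts in link_hosts(events):
        bits = sum(evidence_bits(e) for e in events if e["host"] in hosts)
        p = 1.0 / (1.0 + 2.0 ** (-(PRIOR_BITS + bits)))
        results.append({"hosts": sorted(hosts), "bits": round(bits, 2), "p_attack": round(p, 3)})
    return sorted(results, key=lambda r: -r["p_attack"])


def group_by_host(events):
    """Context-free baseline: one alert group per host, severity = max static severity."""
    sev = defaultdict(int)
    for e in events:
        sev[e["host"]] = max(sev[e["host"]], STATIC_SEVERITY.get(e["behavior"], 0))
    return dict(sev)


if __name__ == "__main__":
    print("Per-host grouping:", group_by_host(EVENTS))
    for r in score_incidents(EVENTS):
        print(r)
```

With these constructed inputs, per-host grouping rates the benign installer host WS-07 at the same severity as WS-12 (both contain a remote-thread alert), and splits the attacker's activity into two separate low-to-medium groups. The evidence model instead produces one incident spanning WS-12 and SRV-01 at about 0.8 probability and leaves WS-07 near the prior, because the signed installer and 7-Zip contribute almost no evidence in context. The structure, not the specific numbers, is the point: weak indicators that are individually below any alert threshold add up across hosts once they are linked.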

When an attack is detected, an incident is created. The contextual information from the CrowdScore-detected attack is presented in the incident workbench, whose visualization tools and workflows enable a SOC analyst to:
  • View the entire attack timeline, including a high-level view of all processes and hosts that were involved.
  • Drill down into each process to see important events and MITRE ATT&CK® activity.
  • Utilize the CrowdStrike Falcon® response tools such as device isolation or Real Time Response to quickly investigate and remediate the incident remotely.
In this way, CrowdScore detects and presents malicious activity that might otherwise be visible only to a SOC analyst performing threat hunting in an active investigation.