Multi-Dimensional Threat Detection
Detecting advanced attacks requires visibility into the entire enterprise network – focused not only on the edge but also on all internal communication between hosts, servers, and cloud applications. Intermixed with a large volume of legitimate traffic, network attacks can go undetected for weeks or even months when the adversary is savvy. The malicious traffic can hide within known protocols and be spread across days, weeks, or even months to conceal the true nature of the attack.
Weak signals around malware activity or suspicious activity could serve as one detection dimension, but detections need to work together for multi-dimensional threat detection. When weak signals happen in conjunction with other weak signals, such as cloud account role assumptions or privilege escalations for the host or associated users, a high-severity alert could be triggered for the SOC to investigate.
Sample use case: compromised credential usage
In cloud environments, attackers often aim to steal credentials such as access tokens to gain unauthorized access. In this scenario, an attacker has stolen a user's access token from a public code repository. To avoid detection, the attacker may attempt to limit their actions to blend in with the normal activities in the cloud environment. However, since they need to use the stolen token from their own systems, this creates an opportunity for detection.
A multi-dimensional detection approach can be employed to identify such anomalies. This approach involves monitoring both the cloud control plane and the user's endpoint for correlated activities. The cloud control plane refers to the management layer of the cloud, where administrative tasks such as creating and managing resources are performed. The user's endpoint is the device or system the user is using to interact with the cloud services.
In this scenario, if there is activity in the cloud control plane, such as interactions with the AWS console using the stolen token, but there is no corresponding network activity on the user's endpoint, it raises a red flag. This discrepancy indicates that the user who is supposedly interacting with the cloud services is not generating any network traffic from their endpoint, suggesting that the access token is being used from a different system.
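As an added example (not code from the original article), the correlation described above written as a small Python routine: each control-plane event is checked for a matching egress flow from the same user's endpoint to a cloud API within a time window, and an orphaned event is escalated to high severity when the action is also a role assumption or privilege change, combining the two weak signals. The telemetry, domain suffix and action names are constructed assumptions, not a real log format.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class ControlPlaneEvent:      # e.g. one cloud audit record, reduced to the fields we need
    time: datetime
    user: str
    action: str
    source_ip: str

@dataclass(frozen=True)
class EndpointFlow:           # e.g. one egress flow seen by EDR / flow logs on the user's device
    time: datetime
    user: str
    host: str
    dest_domain: str

# Constructed: destinations that count as "the endpoint talked to the cloud control plane".
CLOUD_API_SUFFIXES = (".amazonaws.com",)
# Constructed: actions treated as a second weak signal (role assumption / privilege change).
PRIVILEGE_ACTIONS = {"AssumeRole", "AttachUserPolicy", "CreateAccessKey"}

def triage(events, flows, window=timedelta(minutes=5)):
    """Return (event, severity) for control-plane events with no cloud API flow from the
    same user's endpoint within +/- window; 'high' if the action is privilege-related."""
    api_flows_by_user = {}
    for f in flows:
        if f.dest_domain.endswith(CLOUD_API_SUFFIXES):
            api_flows_by_user.setdefault(f.user, []).append(f)
    findings = []
    for e in events:
        corroborated = any(abs(f.time - e.time) <= window
                           for f in api_flows_by_user.get(e.user, []))
        if not corroborated:
            severity = "high" if e.action in PRIVILEGE_ACTIONS else "medium"
            findings.append((e, severity))
    return findings

# Constructed sample telemetry: alice's token is used from 203.0.113.7 while her laptop only
# talks to an unrelated site; bob's API call is matched by his laptop's STS traffic.
T0 = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_EVENTS = [
    ControlPlaneEvent(T0, "alice", "DescribeInstances", "203.0.113.7"),
    ControlPlaneEvent(T0 + timedelta(minutes=1), "alice", "AssumeRole", "203.0.113.7"),
    ControlPlaneEvent(T0 + timedelta(minutes=30), "bob", "ListBuckets", "198.51.100.20"),
]
SAMPLE_FLOWS = [
    EndpointFlow(T0 + timedelta(minutes=2), "alice", "alice-laptop", "www.example.com"),
    EndpointFlow(T0 + timedelta(minutes=29), "bob", "bob-laptop", "sts.us-east-1.amazonaws.com"),
]

if __name__ == "__main__":
    for event, severity in triage(SAMPLE_EVENTS, SAMPLE_FLOWS):
        print(f"{severity.upper():6} {event.user} {event.action} from {event.source_ip}")
```

In practice the window and the list of cloud API destinations depend on the proxy and flow telemetry available; a user whose endpoint is offline (or unmonitored) will also produce orphaned events, so the finding is a correlation trigger for the SOC, not a verdict.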
Another use case: