When only single data flows are looked at, it is very difficult to determine whether a device is infected and behaving maliciously. A single access to a suspicious URL or IP address, or a single use of an unusual application, is not sufficient to warrant automatic isolation and blocking of the affected device: the risk of disrupting your business through a false positive is much too high. So a better way to determine the complete behavior of a user or device is needed. cognitix developed behavior-based correlation to solve this dilemma. To determine network behavior one has to look at all network flows of a device over time. Only by observing behavior and changes in behavior can a device be classified as ‘malicious’ in a reliable way.
For a meaningful behavior-based correlation, the cognitix policy and correlation engine first enriches each flow with information extracted from the data: basic layer 2-4 attributes, but also the layer 7 protocol and application, URL category, URL reputation, IDS/IPS matches and IoC/IoA matches. Then the flows and their corresponding events are correlated to determine malicious behavior and detect threats.
How does it work?
The behavior-based correlation is done by tracking attributes of network flows over time within the policy engine. A policy that defines a behavior and the resulting action to be taken consists of a number of rules similar to the rules used in firewalls. cognitix has extended the language of these rules to allow tracking of flow attributes in special tables called event tracking tables (ETT). Any pair of flow attributes can be tracked; for example, the layer 4 destination ports per source IP address, or the layer 7 application per destination IP address. Further rules with additional conditions can look up these tracked values of past flows in various ways and match them against attributes of the current flow to take further actions. So with a combination of several rules in the extended language and the event tracking tables it is possible to describe complex behavior and determine whether a device or user is acting maliciously or not. Each rule by itself only defines a (suspicious but not conclusive) part of the behavior; the combination, like a multi-stage filter, then allows a reliable description and detection of the behavior.
With further rules, and in combination with cognitix dynamic network objects, the action to prevent, contain or isolate the threat can be defined; it is then executed within the policy engine in real time as soon as the behavior is detected. As the whole process takes place within the inline single-pass engine, the very network packet that completes the malicious behavior pattern is already acted upon and will not reach its destination.
It is important to note that the correlation for a policy does not need to start with a suspicious IoC or IDS match: all network flows can be tracked, so that behavior before the suspicious event becomes part of the description of an infection's malicious actions. Not only behavior but also changes in behavior can therefore be detected and acted upon.
Combining behavior-based correlation with IoC and IDS matches gives far better reliability in detecting attacks and infections. With immediate action and far fewer false positives, network security is improved significantly compared to existing solutions that rely on syslog messages, alarms and manual intervention.
Some examples of improved security with behavior-based correlation
Behavior-based correlation allows for scenarios and policies like the following:
Track the normal behavior of a device by recording its communication partners and the applications it uses, and forbid all new communication once an indicator of compromise has matched for this device. If another IoC matches during that period of limited communication, the device is isolated completely. This gray-lists the device's behavior when a single IoC matches, but takes action once the infection is confirmed by a second IoC.
When a user or device accesses a webpage/URL of questionable reputation, track and count the number of internal connections established afterwards to see whether an infection has happened and is trying to spread laterally within the network. When the number of new connections initiated by that client within the network rises quickly within a short time, isolate the client with dynamic network segmentation to stop the spread and contain the infection.
Find private devices, or private usage of company devices, by tracking the number of social media applications in use, and place these devices into a dynamic network segment for private use that allows access to the outside Internet but denies access to company resources, to prevent leakage of company intellectual property.
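The first scenario above (gray-listing after one IoC match, isolation after a second) as an added Python simulation; this is not cognitix's rule language or code. It models an event tracking table as a map from one flow attribute to the set of values seen for another, and a policy that uses two such tables (communication partners and applications per source IP) so that only baseline behavior is allowed after the first IoC match. The Flow attributes, the device states and the sample traffic are constructed assumptions.

```python
from collections import namedtuple

# One enriched flow: a constructed subset of attributes; ioc marks an IoC match on this flow
Flow = namedtuple("Flow", "src dst app ioc", defaults=(False,))

class EventTrackingTable:
    """ETT: remembers which values of one flow attribute were seen per value of another."""
    def __init__(self, key_attr, value_attr):
        self.key_attr, self.value_attr, self.seen = key_attr, value_attr, {}
    def track(self, flow):  # earlier rule: record the (key, value) pair of this flow
        self.seen.setdefault(getattr(flow, self.key_attr), set()).add(getattr(flow, self.value_attr))
    def lookup(self, flow):  # later rule: was this flow's pair already tracked?
        return getattr(flow, self.value_attr) in self.seen.get(getattr(flow, self.key_attr), set())

class GraylistPolicy:
    """normal -> graylisted after one IoC match -> isolated after a second one."""
    def __init__(self):
        self.partners = EventTrackingTable("src", "dst")  # communication partners per device
        self.apps = EventTrackingTable("src", "app")      # applications used per device
        self.ioc_hits = {}                                # device -> IoC matches so far
    def state(self, src):
        hits = self.ioc_hits.get(src, 0)
        return "normal" if hits == 0 else "graylisted" if hits == 1 else "isolated"
    def decide(self, flow):  # inline verdict: the flow that changes the state is itself acted upon
        if flow.ioc:
            self.ioc_hits[flow.src] = self.ioc_hits.get(flow.src, 0) + 1
        state = self.state(flow.src)
        if state == "isolated":
            return "drop"
        if state == "graylisted":  # only behavior known from the baseline is allowed
            return "allow" if self.partners.lookup(flow) and self.apps.lookup(flow) else "drop"
        self.partners.track(flow)  # the baseline is learned only while the device is normal
        self.apps.track(flow)
        return "allow"

# Constructed sample traffic for device 10.0.0.5 (documentation address ranges)
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "10.0.0.20", "smb"),                 # baseline: allowed and tracked
    Flow("10.0.0.5", "198.51.100.7", "https", ioc=True),  # first IoC: device graylisted, flow dropped
    Flow("10.0.0.5", "10.0.0.20", "smb"),                 # known partner and app: still allowed
    Flow("10.0.0.5", "10.0.0.21", "smb"),                 # new internal partner: dropped
    Flow("10.0.0.5", "198.51.100.8", "https", ioc=True),  # second IoC: device isolated
    Flow("10.0.0.5", "10.0.0.20", "smb"),                 # even known traffic is dropped now
    Flow("10.0.0.6", "10.0.0.20", "smb"),                 # another device is unaffected
]

def run_policy(flows):  # verdict per flow, in order, as the inline engine would issue them
    policy = GraylistPolicy()
    return [policy.decide(f) for f in flows]
```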