There is a recent trend in the cybersecurity field that could significantly change the landscape of threat detection analytics. Historically, technologies have been focused on threat kinetics, which identify the threat as it exposes itself within a network. For example, a threat may be identified by an IDS rule based upon connection metrics, signatures and file hashing. If the threat has already infected a site, it may be identified by sandboxing or executing the threat on a virgin host. Infected systems may also be detected by discovering beaconing traffic or command-and-control communications. Essentially, the threat is identified inside your network by analyzing the attributes that expose it.

There is a constant ebb and flow of techniques and countertechniques to detect and hide threat kinetics. Dark malware developers can detect an install on virtual hosts and change it to a benign install, thus hiding the malware kinetics from the sandbox. Next-generation sandboxing will attempt to use thousands of low-cost bare metal systems to thwart the detection of a virtual host. The dark developers will simply implement methods to test if this is a “production system” by analyzing configuration files, accounts, system caches, file caches and more.

The use of threat kinetics to identify malware will continue to be an arms race between black hat and white hat developers. As long as the landscape of new hardware, new software and poor application programming continues, the thrust and parry of this battle will continue. Threat kinetics is a necessary component of security but not an answer in itself.

Identity Kinetics: The Evolution of Threat Kinetics

Although analogies are usually the worst form of argument, one can be made between a common criminal and an attempt to infect a foreign host with malware. If a criminal is planning to break into a building, he or she may purchase some tools, hide behind a mask or wig and rent a car using a false identification, all in an attempt to disguise his or her true identity.

The same is true for any electronic threat. Attackers conceal themselves using IP spoofing, MAC spoofing, tunneling, proxy indirection, ambiguous domains, embedding brands within domains and domain/IP fluxing. We can refer to these techniques as identity kinetics. These are methods used by attackers to disguise themselves both to the intended target and to outside parties that may track and identify them. New technologies and methodologies are being developed to expose attackers as they are disguising themselves. This has a crucial added benefit since the detection could occur outside your network prior to the attack.

Upstream Identification

Suppose hackers are attempting to disguise the originating IP address of an attack. They might use IP tunneling or a product like Tor with multiple proxy hops to block the actual host of the attack. Imagine identifying a session that is obfuscating the address origination and then supplementing this with additional identity metrics such as geolocation to determine suspicious traffic with a high degree of confidence. The ability to identify potential threats “upstream” using identity kinetics significantly changes the landscape.

Exposing DNS Resolutions

Threat kinetics relies on metrics gathered inside a network, while identity kinetics depends on information gathered externally. Databases that can collect real-time information for use toward identity analytics are emerging. One form of these databases can provide information that exposes a significant portion of DNS resolutions. In fact, they claim that they see 45 percent of all DNS transactions taking place on the Internet, using a web of distributed probes and aggregating the information to a centralized host.

Exposing DNS resolutions and assembling the results allows external security metrics to be applied, which can assess the risk associated with those domains. Any newly observed domain should be associated with an elevated risk. If we observe a domain and link it to other attributes in aggregation such as IP fluctuation, geolocation and event-based scanning, we can determine the risk score of that domain prior to any active threat. In fact, we could actually watch a threat emerge as it happens.

Correlating Security Assessments

We have long talked about trusted systems, trusted authorities and who trusts whom. The complexity of the system and the fact that a trust value gets associated with an entity only assures that eventually a trusted system will become corrupt. Trust is relative to an entity and not absolute within an ecosystem. Take, for example, the correlation of trusted domains, copyright information and newly observed domains into a single security assessment.

Assume that we can proclaim we trust ourselves and nobody else. Then also assume that there are copyright assets associated to any entity, such as registered domains and copyright labels. IBM is a registered domain and has copyright labels such as Watson, Q1Labs, X-Force and others. Now imagine any copyright embedded in an untrusted domain, such as the fictional watson.sysworldfaqexperts.com. This domain should be flagged as highly suspect, especially if you assert DNS age and DNS flux attributes. Embedding a trusted copyright with an untrusted domain, accompanied by real-time DNS attribution, is another example of threat detection using identity kinetics.

Summary

The movement of threat kinetics methodology to identity kinetics is rapidly advancing, and there are many companies pursuing this avenue. It is not hard to imagine that soon the real-time analysis of the Internet will be extended to HTTP traffic-sharing flow information.

More from Threat Intelligence

Hive0147 serving juicy Picanha with a side of Mekotio

17 min read - IBM X-Force tracks multiple threat actors operating within the flourishing Latin American (LATAM) threat landscape. X-Force has observed Hive0147 to be one of the most active threat groups operating in the region, targeting employee inboxes at scale, with a primary focus on phishing and malware distribution. After a 3-month break, Hive0147 returned in July with even larger campaign volumes, and the debut of a new malicious downloader X-Force named "Picanha,” likely under continued development, deploying the Mekotio banking trojan. Hive0147…

FYSA – Critical RCE Flaw in GNU-Linux Systems

2 min read - Summary The first of a series of blog posts has been published detailing a vulnerability in the Common Unix Printing System (CUPS), which purportedly allows attackers to gain remote access to UNIX-based systems. The vulnerability, which affects various UNIX-based operating systems, can be exploited by sending a specially crafted HTTP request to the CUPS service. Threat Topography Threat Type: Remote code execution vulnerability in CUPS service Industries Impacted: UNIX-based systems across various industries, including but not limited to, finance, healthcare,…

Hive0137 and AI-supplemented malware distribution

12 min read - IBM X-Force tracks dozens of threat actor groups. One group in particular, tracked by X-Force as Hive0137, has been a highly active malware distributor since at least October 2023. Nominated by X-Force as having the “Most Complex Infection Chain” in a campaign in 2023, Hive0137 campaigns deliver DarkGate, NetSupport, T34-Loader and Pikabot malware payloads, some of which are likely used for initial access in ransomware attacks. The crypters used in the infection chains also suggest a close relationship with former…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today