Principle
The organisation detects, within networks and information systems, malicious activity affecting, or with the potential to affect, the delivery of essential services even when the activity evades standard signature based security prevent/detect solutions (or when standard solutions are not deployed).
Description
Some cyber attackers will go to great lengths to avoid detection via standard security monitoring tools such as anti-virus software, or signature-based intrusion detection systems, which give a direct indication of compromise.
Other, less direct, security event indicators may provide additional opportunities for detecting attacks that could result in disruption to essential services.
Examples of less direct indicators could include the following:
- Deviations from normal interaction with systems (e.g. user activity outside normal working hours).
- Unusual patterns of network traffic (e.g. unexpectedly high traffic volumes, or traffic of an unexpected type etc).
- ‘Tell-tale’ signs of attack, such as attempts to laterally move across networks, or running privilege escalation software.
- The retrieval of large numbers of essential service design documents
It is not possible to give a generic list of suitable indicators since their usefulness in detecting malicious activity will vary considerably, depending on how a typical attacker’s actions might reveal themselves in relation to the normal operation of an organisation’s networks and information systems. Opportunities for exploiting these less direct security event indicators to improve network and information system security should be proactively investigated, assessed and implemented when feasible e.g. technically possible, cost effective etc.
Successful attack detection by means of less direct security event indicators may depend on identifying combinations of network events that match likely attacker behaviour, and will therefore require an analysis and assessment capability to determine the security significance of detected events.
Wherever possible, network and information systems supporting the delivery of essential services should be designed with proactive security event discovery in mind.
Guidance
Proactive security event discovery is more difficult than standard security monitoring because it looks beyond the known or prescriptive threat signatures and indicators described in C1. Security Monitoring.
The aim is to build on what is known of past attacks to hypothesise what new or previously unseen intrusions might look like in essential services environments. As such, this heuristic sort of monitoring should not be prioritised unless standard monitoring (see Principle C1) is already effective, or is not possible or practicable for some reason. It requires more experienced knowledge of network and system behaviour and of the general characteristics that a malicious intrusion might exhibit. This sort of proactive monitoring or threat discovery would normally involve:
- Designing your own alerts or trip-wires, using experience or reasoning of what an intrusion might do, rather than specifically around what past attacks have done
- A good understanding of normal system behaviour (e.g. what software is authorised and how it would normally behave, how user accounts normally access network resources or how network components connect to each other and transfer data)
- A good understanding of the ways that different types of anomaly might signify a malicious intrusion, based on a comprehensive and advanced understanding of threat intelligence
The science of anomaly detection, which goes beyond using pre-defined or prescriptive pattern matching, is a challenging but growing area. Capabilities like machine learning are increasingly demonstrated as having applicability and potential in the field of intrusion detection, but are often expensive, difficult to implement and can produce high false-alarm rates.
< Back to Principle C1 Forward to Principle D1 >
Source: NCSC
