LogRhythm Detecting Advanced Threats UK

Upload: jordana-grolnick

Post on 07-Apr-2018



USE CASE

2011 LogRhythm Inc. | www.logrhythm.com | AbsenceofanEventUseCase_A4_1107

Detecting Advanced Threats

The biggest challenge in protecting your organization from advanced threats is the unique and complex nature of each assault. Attackers frequently incorporate advanced custom malware designed to take advantage of specific exploits -- in many cases employing a series of highly sophisticated zero-day attacks. They frequently combine malware with well-planned physical theft and clever social engineering to harness a full spectrum of logical, physical and social attack vectors.

After detecting a compromise, it's difficult to immediately determine if the compromise was due to an advanced threat based on a single event or a simple behavior sequence. An attacker launching an advanced threat will typically employ several phases. Each step needs to be detected individually and then correlated with the others to discover the true nature of the attack. Gauging the sophistication level of an attack and observing the activity immediately surrounding it provides a better understanding of whether or not an organization is being targeted by an advanced threat.

The following represents three possible components of an advanced threat, how they can be detected, and how to take action with LogRhythm. Each component is described in three parts: Customer Challenge, LogRhythm Solution and Additional Features.

Breaking and Entering

Customer Challenge: Recent, high-profile attacks have been initiated by targeting specific groups within the organization. They disguise phishing emails as legitimate corporate communications, delivering payloads such as malicious PDFs that, when opened, perform functions such as installing a rootkit.

LogRhythm Solution: LogRhythm can look for relevant logs being generated within defined time intervals. Recognizing patterns of pre-execution and post-execution behavior of certain types of malware can identify zero-day exploits that standard AV might miss.

Additional Features: Once an attack has been identified, LogRhythm can initiate automated remediation with the option to require up to three steps of authorization prior to taking action. This can include adding an origin IP to a firewall ACL or quarantining an internal host that has been compromised and is propagating an attack.

Cracking the Safe

Customer Challenge: After successfully gaining access to a network, an attacker will avoid detection, often cloaking his behavior by using authorized credentials to emulate a legitimate user. For example, many attackers (human or malware) will log in to a genuine user account and use it to slowly probe the network for shared folders containing confidential data.

LogRhythm Solution: LogRhythm can look for a number of unique values over a specified period of time, such as a port probe originating from one account that is systematically scanning the network. Specific rules can be turned on to continuously look for slow port probes.

Additional Features: LogRhythm's active remediation can be configured to disable any account in response to suspicious behavior, such as initiating port scanning on the network or unauthorized access attempts to servers containing confidential data.

The Getaway

Customer Challenge: Once attackers have successfully gained access to an organization's high-value intellectual property, they can remove data either electronically or physically. They can either download information directly from the server to a removable storage device or send it out over the wire.

LogRhythm Solution: LogRhythm analyzes log and event data from targeted resources and peripheral assets and correlates it with fully integrated file integrity, network connection, process and removable media monitoring logs. This provides immediate, detailed information on who is accessing and/or attempting to steal confidential data and how it is being done.

Additional Features: LogRhythm's Data Loss Defender can also be configured to actively prevent the removal of data via USB thumb drive. It actively protects your endpoints from data theft by automatically ejecting a drive before a connection is established, preventing critical information from being copied to a removable storage device.
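The three detection patterns named in the LogRhythm Solution text (an ordered sequence of events within a defined time interval, a count of unique values from one account over a period such as a slow port probe, and correlation of file, network, process and removable media logs on a single user) can be sketched as plain correlation rules. The following Python is an added example written for this page; it is not LogRhythm's code or rule syntax, and the log format, host names, user names, file paths, thresholds and time windows are all constructed for illustration.

```python
"""Minimal correlation engine: ordered-sequence rules within a time window,
a distinct-value threshold over a sliding window, and cross-source correlation
keyed on the user. Added example; not LogRhythm's implementation."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: ISO timestamp followed by key=value pairs.
# Hosts, users and paths are hypothetical; forward slashes keep the sample simple.
SAMPLE_LOGS = """\
2018-04-07T09:00:01 type=process_start host=ws01 user=alice image=AcroRd32.exe
2018-04-07T09:00:04 type=process_start host=ws01 user=alice image=cmd.exe parent=AcroRd32.exe
2018-04-07T09:00:09 type=file_write host=ws01 user=alice path=C:/Windows/System32/drivers/unk.sys
2018-04-07T09:05:00 type=net_conn host=ws01 user=alice dst=10.0.0.5 dport=445
2018-04-07T09:17:00 type=net_conn host=ws01 user=alice dst=10.0.0.6 dport=445
2018-04-07T09:29:00 type=net_conn host=ws01 user=alice dst=10.0.0.7 dport=445
2018-04-07T09:41:00 type=net_conn host=ws01 user=alice dst=10.0.0.8 dport=445
2018-04-07T09:53:00 type=net_conn host=ws01 user=alice dst=10.0.0.9 dport=445
2018-04-07T09:55:00 type=net_conn host=ws02 user=bob dst=10.0.0.5 dport=445
2018-04-07T09:56:00 type=net_conn host=ws02 user=bob dst=10.0.0.20 dport=445
2018-04-07T10:30:00 type=file_read host=fs01 user=alice path=//fs01/finance/q1_forecast.xlsx
2018-04-07T10:31:30 type=usb_insert host=ws01 user=alice device=SanDisk_Cruzer
2018-04-07T10:32:10 type=file_write host=ws01 user=alice path=E:/q1_forecast.xlsx
"""


def parse(line):
    """One 'ts k=v k=v ...' line -> dict with a datetime stored under 'ts'."""
    ts, *kvs = line.split()
    ev = dict(kv.split("=", 1) for kv in kvs)
    ev["ts"] = datetime.fromisoformat(ts)
    return ev


def sequence_rule(events, steps, key, window):
    """Fire when events matching `steps` occur in order, all sharing one `key`
    value and all within `window` of the first step. Returns (key, first, last)."""
    alerts = []
    for i, first in enumerate(events):
        if not steps[0](first):
            continue
        k, deadline, nxt = first.get(key), first["ts"] + window, 1
        for later in events[i + 1:]:
            if later["ts"] > deadline:          # window expired without completing
                break
            if later.get(key) == k and steps[nxt](later):
                nxt += 1
                if nxt == len(steps):
                    alerts.append((k, first["ts"].isoformat(), later["ts"].isoformat()))
                    break
    return alerts


def distinct_count_rule(events, match, key, field, threshold, window):
    """Fire once per `key` value that touches >= `threshold` distinct `field`
    values inside a sliding `window` (the slow-probe pattern)."""
    recent, fired, alerts = defaultdict(deque), set(), []
    for ev in events:
        if not match(ev):
            continue
        k = ev.get(key)
        q = recent[k]
        q.append((ev["ts"], ev.get(field)))
        while ev["ts"] - q[0][0] > window:      # drop entries older than the window
            q.popleft()
        distinct = {v for _, v in q}
        if len(distinct) >= threshold and k not in fired:
            fired.add(k)
            alerts.append((k, ev["ts"].isoformat(), sorted(distinct)))
    return alerts


def run_rules(raw=SAMPLE_LOGS):
    """Parse the log text, sort by time and evaluate the three rules."""
    events = sorted((parse(l) for l in raw.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    return {
        # Pre/post-execution pattern: a document reader spawns a child, then a driver is written.
        "reader_child_then_driver_write": sequence_rule(events, [
            lambda e: e["type"] == "process_start" and e.get("image") == "AcroRd32.exe",
            lambda e: e["type"] == "process_start" and e.get("parent") == "AcroRd32.exe",
            lambda e: e["type"] == "file_write" and "/drivers/" in e.get("path", ""),
        ], key="host", window=timedelta(seconds=60)),
        # Slow probe: one account reaching many distinct SMB hosts within an hour.
        "slow_port_probe": distinct_count_rule(
            events, match=lambda e: e["type"] == "net_conn" and e.get("dport") == "445",
            key="user", field="dst", threshold=5, window=timedelta(hours=1)),
        # Getaway: confidential read on the file server, then a USB insert and write on the endpoint.
        "confidential_read_to_usb": sequence_rule(events, [
            lambda e: e["type"] == "file_read" and "/finance/" in e.get("path", ""),
            lambda e: e["type"] == "usb_insert",
            lambda e: e["type"] == "file_write" and e.get("path", "").startswith("E:/"),
        ], key="user", window=timedelta(minutes=5)),
    }


if __name__ == "__main__":
    for name, hits in run_rules().items():
        print(name, hits)
```

The two sequence rules share one implementation and differ only in their predicates and in the field they correlate on: host for the endpoint malware chain, user for the exfiltration chain that spans the file server and the workstation. The distinct-count rule keeps a per-account sliding window so five low-rate connections spread over almost an hour still trip the threshold, while bob's two connections do not.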