Trying to define what exactly constitutes suspicious behaviour can be something of an enigma, as this is a vast and complex subject. However, whether it comes from users, applications or lines of code, investigating suspicious behaviour on workstations is an integral part of efforts to guarantee digital security in companies. Here’s why.
With the advent of Bring Your Own Device (BYOD), shadow IT and now the widespread use of teleworking, IT security within companies is now being sorely tested. Cyber threats in the workplace are many and varied, and staff workstations are key aspects to be taken into account as part of your IT security procedures. In doing so, they must be painstakingly examined. Having access to files, registers, networks or application launches, the thousands or even millions of actions performed each day on our workstations are anything but standard as they each correspond to a particular context, activity or use. Observing, contextualising and analysing such actions enables an organisation to define what constitutes suspicious behaviour and what should be considered as legitimate actions performed on a workstation. And to react accordingly.
How do we define suspicious behaviour?
What is suspicious behaviour? Suspicious behaviour on a workstation can be defined as an action which runs without the user’s knowledge, for the purpose of performing a malicious act. Suspicious human behaviour would include for example an unusual log-in time such as the middle of the night, or the fact that a user suddenly connects to his workstation from abroad. For its part, suspicious technical behaviour can be defined as an anomaly within the workstation. On this point, we can list several major categories. Firstly, there’s the presence of unlisted software, or software installed without the IT department’s knowledge which can “only” be considered as tell-tale signs of shadow IT. Next, there’s the type of suspicious behaviour which is clearly malicious and which differs significantly from the normal use of an application or workstation, such as for example a ransomware program which finds its way onto a workstation and which then quickly sets about deleting backups and encrypting files. Another type of suspicious behaviour sometimes seen is the hijacking of the normal operation of a software program or application to fool the user. This kind of hijacking or misuse is more subtle than the clearly malicious behaviour. This is particularly the case with phishing. Finally, suspicious behaviour may also be defined as a series of fairly common actions which operate discreetly before they can be detected. This is especially the case with APTs (Advanced Persistent Threats).
Defining suspicious behaviour can tell us what we need to be detecting
Thierry Franzetti, Technical Leader Stormshield
The task of defining suspicious behaviour is not limited to simply being aware of these three major categories. In fact, it can be quite complex. A form of behaviour defined as suspicious by one department or occupation will not necessarily be considered suspicious by another department or occupation. “Today, it’s the IT Managers who have the task of defining suspicious behaviour. But the IT department can’t possibly know everything and some activities have uses and practices which differ widely from the norm and may be considered as verging on suspicious behaviour”, explains Sébastien Viou, Cyber-Evangelist Consultant at Stormshield. Over and above the IT department’s role, it’s therefore a good idea for each activity to define its own usages and to be an active stakeholder in ensuring its own security. “Cybersecurity should concern everyone” adds Sébastien Viou. Defining suspicious behaviour based on different activities and usage types is a valid but difficult objective, as you need to simultaneously control and monitor such usage while at the same time ensuring that it remains fluid.
Understanding suspicious behaviour, defining it and then detecting it is therefore no easy matter and requires a great deal of research and analysis. But if the task is such a demanding one, why define what constitutes suspicious behaviour? “Defining suspicious behaviour can tell us what we need to be detecting. For all stakeholders in the cyber field, this exercise also makes it possible to share knowledge using a common language, particularly via the MITRE ATT&CK framework”, explains Thierry Franzetti, Technical Leader at Stormshield. Among other things, this sharing of knowledge allows us to keep pace with the different techniques being used for malicious purposes. But a prerequisite for this analysis work is to have a thorough understanding of the attack techniques used and in particular the major vectors of infection for workstations.
The main vectors of infection for workstations
Whenever suspicious behaviour is detected on a workstation, an attack is generally underway or being prepared. Some vectors of infection target workstations, among which four merit particular attention.
Phishing
The main vector of infection used is phishing, with 75 to 80% of malware programs using it. Phishing is popular with many attackers as it is simple to perform, effective and makes it possible to reach as many people as possible.
As an example, in December 2019, researchers at Kaspersky discovered that cyber criminals had used the launch of one of the most eagerly awaited films of the year, Star Wars, to carry out a phishing campaign: around thirty fake Star Wars-themed websites were detected. Using these websites, the attackers were able to deceive many surfers by proposing a free version of the film, available for download from these malicious websites. Proceeding in this way, the attackers were able to harvest the personal data of the surfers they had lured in. These phishing attacks have also increased in scale over recent months during the pandemic, something which has been exploited by the attackers. Numerous phishing campaigns were launched focusing on health and prevention during the COVID-19 epidemic. The move towards teleworking from home, affecting a large percentage of the population, has only exacerbated this trend. According to the initial figures, attempts at phishing are believed to have increased by 400% during the first week of lockdown.
USB peripherals
USB peripherals are another vector used to infect workstations. Including mice, flash drives and keyboards, etc., these peripherals are considered as more targeted vectors of infection. This operating method involves leaving a USB flash drive with a malicious payload lying around on the ground near a target company. The natural curiosity of some staff will ensure that the key is quickly picked up and plugged into a workstation.
In a study into attacks using USB flash drives, the SSTIC highlighted the large attack surface provided by these peripherals and particularly flash drives (data breaches, elevated privileges, etc.) and the operating methods which may be used by the attackers. For example, a workstation may become infected when the user opens one of the files stored on the flash drive or simply when the drive is plugged into a workstation.
Remote Desktop Protocols
Another possible vector of infection is the ability to compromise RDPs (Remote Desktop Protocol). These protocols make it possible to access workstations or machines remotely (remote desktops, etc.). This type of vector of infection is used by ransomware programs for example. This is the case with the SamSam ransomware discovered in 2015, which specifically targets Windows servers. In 2018, the FBI investigated the way SamSam operates and revealed that the RDP is used as a vector of infection to attack Windows servers.
Where RDP protocols are concerned, once again the pandemic has helped amplify the phenomenon and particularly brute force type attacks. With the lockdown and the widespread use of teleworking, staff often find it necessary to access their work environment remotely from their home computers without necessarily being up to speed with the security rules for teleworking. The number of instances of RDP protocols being compromised has therefore increased sharply.
These vectors of infection all present risks of malicious cyber activity for organisations, to which should be added the issue of guaranteeing cybersecurity when teleworking. More than ever before, companies need support from key players in the cyber field to limit any risks of security breaches which may exist and to control and better understand so-called suspicious behaviour, in order to be better able to combat cyber criminality within the company.
Endpoint solutions to the rescue
The security solutions making it possible to detect and monitor suspicious behaviour have evolved over time. Previously, the go-to solution used to protect yourself from cyber-attacks was an antivirus program. This approach was soon found to be insufficient, as antivirus programs don’t detect behaviour but only known malicious code. “Some attack techniques seek to hide from antivirus programs, so you need to come up with solutions to supplement this type of detection and which can also envisage non-standard usage”, explains Thierry Franzetti. More advanced security solutions then came along, firstly with the use of Endpoint Protection Platforms (EPP), which make it possible to detect clearly malicious suspicious behaviour, and which offer workstation protection functions. Subsequently, Endpoint Detection & Response (EDR) solutions also appeared. These EDR solutions meet this demand for the detection of suspicious behaviour as they operate based on the proactive detection of as yet unknown threats, by “listening” to everything which happens on a workstation and picking up faint signals, such as the sudden launch of numerous operations on the same workstation for example. EPP and EDR solutions each provide useful levels of protection, which supplement one another according to the company’s usage methods. Artificial intelligence (AI) is a solution which often goes hand-in-hand with EDR. “In particular, AI provides greater calculation capacities, enabling it to identify instances of unexpected behaviour and to assign a score to them, in order to then be able to categorise them and react to them”, explains Sébastien Viou. AI seems to be increasingly used within the different blocks comprising cyber security solutions and researchers appear to agree on its value. As an example, British intelligence recently carried out a study into the value of AI to combat cyber threats, and the identification of suspicious behaviour emerged as one of the areas in which the use of AI may be of considerable value.
In addition to Endpoint solutions, other solutions can be considered, like sandboxing, which makes it possible to open files or to run unknown or suspect content in an enclosed test environment, without taking the risk of compromising the workstation.
However, although a number of security solutions exist to meet the challenges of corporate cybersecurity and more particularly those related to suspicious behaviour, these solutions must be implemented taking full account of the contexts in which they apply. The software publishers’ task is to correctly define the suspicious behaviour being targeted, beforehand. “A security solution is just a tool. What’s important is the way it’s configured and maintained”, adds Sébastien Viou. The software publishers therefore must be able to pre-configure their solutions by including all measures and rules (configurable rules adapted to each business context) to enable them to provide the right detection level. But also provide an easy-to-configure environment for administrators. To be effective, the solutions must therefore incorporate combinations of protective measures (peripheral management, elevated privileges, etc.) and the associated behaviour patterns. Additionally, Endpoint solutions are not infallible and false positives exist. “Although we can define the basic factors for protection, the variety of suspicious and non-suspicious behaviour on a workstation is so great that there will always be exceptions”, explains Thierry Franzetti. To limit false positives, the ideal is to be able to create a whitelist (or allowlist), to avoid blocking legitimate uses. To be fully effective, it’s a good idea to be able to tailor this approach to each activity and to adapt the protection to different behaviour types.
Displaying a window in a web browser, opening a Word or PDF file or downloading files are all day-to-day tasks within the company which will undoubtedly be the subject of in-depth consideration where IT security matters are concerned for some time to come. And suspicious behaviour, a major subject in the corporate cybersecurity field, will continue to be a headache.