
In a world where we must assume our enterprises have already been breached, monitoring the perimeter is too little, too late. Continuous monitoring, a la CDM, tells you where you are vulnerable and what to fix, but not where you are already bleeding.

In my post on why change detection is so important, I talked about the growing importance of change detection as a means to stop an intruder in their tracks. Yet the number of changes taking place at any moment on a large enterprise network is… simply ridiculous.

How can you tell what doesn’t belong? How do we find the needle in a thousand haystacks? In this post, I’ll talk about how change monitoring solutions help you instantly filter and sift through changes to zero in on those that should concern you.

There are a number of change detection solutions in the marketplace, which collect data in various ways and perform filtering functions of one kind or another, but for the sake of accuracy, I’m going to focus on the one I know best: Tripwire Enterprise (TE).

First, a little about how TE works. Tripwire Enterprise is a real-time file system monitoring product that collects information on file systems like servers and workstations (as well as other devices), based on an initial set of “file system rules.” Information collected includes file attributes, such as hash values (MD5, SHA1, SHA256, SHA512), permissions and the contents of files.

In addition to file information, TE also collects directory information; registry information; directory service settings (users, computers, security controls); audit event information and anything that can be harvested by the execution of a command, such as “Listening Ports,” “Established Ports,” “Running Processes/Services,” “Share Information,” “Cert Information,” “Local Users Accounts,” “Local Group Accounts,” and much more.

On harvesting this information, the TE agent creates a baseline of your systems’ current configuration state and records it in the TE console. The TE agent then quietly and continuously updates that database as changes are made, or on a scheduled basis. TE users can then review reports, conduct ad hoc queries, or be alerted in real-time when the harvested attributes change. Alerts include who made the change, the system the change occurred on, the content of the change and when the change occurred, making it very easy to, for example, track changes by Username.

This is all great in theory, but the volume of change can make it utterly overwhelming in practice. A robust set of techniques and best practices must be put into place to filter out the millions of completely normal changes being made by authorized individuals trying to complete mission requirements. Following is a sampling of those techniques.

“Business As Usual”

Automated techniques determine which configurations on which assets change constantly in your environment, as a matter of course. While those changes should still be recorded for forensic purposes, in case one of them later proves to be insidious, these are not the changes that will tip us off to the presence of an intruder.

Sure, someone planning to break into your house may walk past the front door first to see if anyone is home, but you can’t investigate everyone who walks past. Filter those changes out; come back to them only if needed for an investigation.

Patch-related changes

So many changes are made when Microsoft assets (or Linux, or RedHat, or other OS assets) get patched, that this can readily overwhelm any effort to review network changes. To address this, some change detection solutions actually tell customers to turn change detection off during patch windows, or to ignore changes that take place during a patch window. Of course, a smart intruder will then decide that the patch window is the very best time to start moving about your network.

So again, automation techniques are available that auto-promote ONLY those changes that can be directly associated with the appropriate patch manifest. Unauthorized changes made during that time will still trigger the appropriate warnings. Keeping the burglar analogy, the thief tries to slip into your home along with the big wedding party – but they are not on the RSVP list.

Authorized changes

Organizations with a strong culture of change management are already at a tremendous advantage in detecting breaches – as well as in faster resolution of all kinds of IT challenges. Bidirectional integration of change monitoring with a workflow solution like ServiceNow, Remedy, HP ServiceDesk, etc., allows organizations to ensure that changes that have been authorized were correctly implemented; and those changes that were not authorized, or were not correctly made, are detected and investigated.

CyberCrime rules

In addition to filtering out normal change (BAU, patching, and other authorized change), it’s also possible to sift for and highlight suspicious changes.

Several years ago, a group of Tripwire engineers won the BlackHat/DEFCON competition – both the offense and defense. As part of that effort, Tripwire captured the thousands of changes that were associated with the various hacking attempts taking place in the competition. Tripwire engineers used that information to identify categories of change that tend to show up during breach activity. Tripwire now produces and maintains dashboards that help customers see instantly whether and where such changes are taking place in their environments, and enable drill-down for instant investigation.

For example, one of the hackers added a Windows Scheduled Task to execute on a host in off-hours, but changes to Scheduled Tasks are highlighted in the CyberCrime Dashboard and the effort was blocked. More recently, Tripwire helped a Department of Defense component win a DoD Defense Flag exercise in the same way. (For more information on CyberCrime controls in Tripwire Enterprise, download the datasheet found here).

Indicators of compromise

Some changes are beyond suspicious – they are known to be malicious. US-CERT and other organizations distribute lists or maintain TAXII servers to share STIX-formatted indicators of compromise. In their simplest manifestation, these may just be lists of hashes associated with known malware executables.

In a more sophisticated environment, this may involve TE detecting the appearance of an executable and passing it to an external partner for assessment before quarantining or otherwise acting on the file. For more on detecting IOCs, click here.
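The filtering pipeline described above (business-as-usual paths, patch-manifest promotion, IOC hash matching, and "everything else goes to review") can be sketched as a baseline diff with a triage step. The following is an added illustration, not Tripwire code or the TE data model; the file contents, the BAU prefix list, the patch manifest and the IOC hash set are all constructed for the example.

```python
"""Baseline/diff change triage (constructed example, not Tripwire Enterprise code)."""
import hashlib


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample data: the stored baseline and the newly harvested state.
BASELINE = {
    "/etc/hosts": sha256_of(b"127.0.0.1 localhost\n"),
    "/var/log/app.log": sha256_of(b"log line 1\n"),
    "/usr/bin/openssl": sha256_of(b"openssl-1.0"),
    "/usr/bin/sshd": sha256_of(b"sshd-good"),
}
CURRENT = {
    "/etc/hosts": sha256_of(b"127.0.0.1 localhost\n"),           # unchanged
    "/var/log/app.log": sha256_of(b"log line 1\nlog line 2\n"),  # log growth: BAU
    "/usr/bin/openssl": sha256_of(b"openssl-1.1"),               # expected by patch manifest
    "/usr/bin/sshd": sha256_of(b"sshd-trojaned"),                # hash is on the IOC list
    "/tmp/.x/run.sh": sha256_of(b"#!/bin/sh\n"),                 # new file nobody expected
}
BAU_PREFIXES = ("/var/log/",)                                   # paths that churn by design
PATCH_MANIFEST = {"/usr/bin/openssl": sha256_of(b"openssl-1.1")}  # hypothetical patch run
IOC_HASHES = {sha256_of(b"sshd-trojaned")}                      # stands in for a STIX/TAXII feed


def triage(baseline, current, bau_prefixes, patch_manifest, ioc_hashes):
    """Return {path: verdict} for every path whose hash differs between the two states."""
    verdicts = {}
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old == new:
            continue                                  # no change: nothing to look at
        if new is not None and new in ioc_hashes:
            verdicts[path] = "malicious"              # known-bad hash wins over any allowlist
        elif path.startswith(bau_prefixes):
            verdicts[path] = "bau"                    # keep for forensics, do not alert
        elif patch_manifest.get(path) == new:
            verdicts[path] = "promoted"               # exactly what the patch said it would do
        else:
            verdicts[path] = "review"                 # unexplained: alert and investigate
    return verdicts


def promote(baseline, current, verdicts):
    """Build the next baseline: accept BAU and patch-promoted changes, hold everything else."""
    accepted = {p for p, v in verdicts.items() if v in ("bau", "promoted")}
    return {p: (current[p] if p in accepted else h) for p, h in baseline.items()}
```

Note that the IOC check runs before the BAU allowlist, so a known-malicious file dropped into a "noisy" directory is still flagged rather than silently promoted.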

With the help of automated techniques that a) automatically identify neutral and approved changes and promote them to the baseline, and b) highlight suspicious or malicious change for action, change becomes a powerful pathway to understanding your network.

Add to those an intuitive interface to report on and investigate those changes that are not obviously acceptable or overtly hostile, and a change detection solution can be one of the most important means of detecting and shutting down malicious actors inside your network — even when they have already gained access to critical systems.
