The Role of Network Telemetry in Threat Detection
Access to both internal and external networked resources is fundamental to the operation of modern malware, and thus it is employed at nearly every phase of the attack lifecycle, from reconnaissance and initial Infection, to subsequent command and control (C2), lateral movement, data collection, and exfiltration.
Telemetry is the in situ collection of measurements or other data at remote points — the word is derived from the Greek roots tele, "remote", and metron, "measure". Thus, it’s not surprising that the collection and analysis of network telemetry plays a critical role in enabling the early detection of network infections and rapid response to halt them before they spread beyond the initial point of infection.
Purely signature-based analysis of malware is a legacy approach that requires at least one user (the ‘sacrificial lamb’) to get infected in order for the antivirus (AV) product to obtain a sample of the malware to create a signature — which it then takes more time to deploy via updates. A more powerful and watertight method of threat detection to model the ‘normal’ network usage behavior of the organization, its end users, and the endpoints they use for legitimate access, so that unusual behavior induced by malware may be detected — even in cases when the particular attack mode is novel and does not yet have a known signature, or is purposely employing malleable C2 to minimize the possibility that a distinct, persistent signature may be identified and used as the basis for subsequent detection and thread eradication.
The Role of AI/ML in Threat Detection
Artificial Intelligence (AI) and machine learning (ML) plays an important role in threat detection based on its ability to model the ‘normal’ behavior of the organization and its users, and then either detect anomalies that do not match the behavior of any user within the organization, and/or make predictions as to whether a particular networking behavior has lower or higher probability of being associated with a particular user.
This combination of overall model-based anomaly detection and user-specific prediction can help reduce both false positives and false negatives.
For example, there may be cases where a particular pattern is relatively unusual for the organization overall (for example, a highly specialized role that uses apps and services unique to that role), but is strongly associated with a particular user or small group of users. In such cases, high predictive probability for a particular user or group may cause us to reduce our risk score and avoid a false positive, even if the behavior is relatively anomalous. Conversely, there may be a pattern of behavior that is relatively normal for many users in the organization (for example, downloading media assets with a large file-size from a certain server, in the use-case of an organization’s graphic designers) but is never, or only rarely exhibited, by a particular user or small group of users (such as those in HR or Accounting). In such cases, low or even zero predictive probability may cause us to increase our risk score.
In addition to learning the ‘normal’ behavior of the organization, AI/ML may also be employed to model the networking behavior of malware and its associated C2, which is then used in combination with organization modeling to further optimize risk assessments. For example, patterns that are simultaneously determined to be anomalous and/or low probability with respect to an organization and/or user but normal for malware and C2 would be scored with the highest risk (for example, bulk email phishing from a user’s company email using the corporate DL lists, or large-scale/ targeted data exfiltration).
The BlackBerry Approach to Network Threat Modeling
The BlackBerry approach to network threat modeling is based on an ensemble of anomalous access detection, predictive behavior modeling, statistical analysis, and malware/C2 detection.
This approach is based on our desire to rapidly detect and respond to three categories of malicious actors:
The Malicious Insider
For malicious insiders, anomalous access detection and predictive behavior modeling on their own may be less effective because the malicious insider will often conform with their own past behavior, and may share many characteristics with otherwise normal access (for both the malicious insider and the organization overall). In addition, identity challenges employed in response to anomalous access detection, while highly effective in preventing access by malicious outsiders, are less effective when dealing with malicious insiders.
To address this, the BlackBerry math model has been designed to capture metadata that may be used to assess not only whether a given access is anomalous, but also whether there is a longer-term pattern of exfiltration over multiple accesses events.
This handles cases where each access may not be especially unusual for the organization or the particular malicious insider, but there is nevertheless a detectable pattern established over time that is anomalous and detectable, particularly when the malicious insider is compared to other non-malicious insiders. For example, a disgruntled salesperson planning to leave the organization may engage in systematic extraction of CRM data over an extended period of time — the volume of data associated with each access event is not unusual, but the aggregate volume and/or ongoing pattern of access is, when compared to the salesperson’s peer group.
The Malicious Outsider
For malicious outsiders, e.g., those who either obtain access to an unlocked device by theft or subterfuge, or obtain access to a legitimate insider’s credentials, anomalous access detection and predictive behavior modeling is highly effective because it is much less likely that a malicious outsider’s behavior will continuously conform to the compromised user’s modeled behavior — even if it sometimes conforms with behaviors of the users across the organization as a whole, such as logging in during ‘typical’ work hours.
Issuing an identity challenge in response to anomalous and/or low-probability access behaviors can immediately halt such attacks, especially if the challenge is biometric (e.g., based on ‘pushing’ a challenge to the linked mobile device that requires the user to perform touch or face recognition-based authentication).
In addition, the same ‘over time’ analysis applied to malicious insider case will be performed to guard against exceptional cases where biometric-based challenges have also been compromised.
As with malicious outsider case, anomalous or low-probability endpoint access by malware can trigger challenges that alert the legitimate user to suspicious activity and gives the end-user an opportunity to halt access and alert their security operations team (SOC). In addition, malware and its associated C2 exhibit networking patterns that are atypical of legitimate, user-driven behavior, and may be separately modeled and detected to provide further protection — even in cases where the legitimate user does not reject suspicious access attempts.
The BlackBerry anomaly detection model is explicitly designed to capture additional metadata, e.g., based on DNS queries and responses, TLS certificates, and HTTP usage, that is then used as the basis for explicit malware/C2 detection.
As described above, the BlackBerry risk assessment is based on an ensemble approach that is then reflected in risk scoring, where:
1) An overall risk score is calculated.
2) The risk factors contributing to the score are identified.
3) Additional context is provided with the score so SOC personnel can better respond.
The last point is particularly important, because many AI/ML models can provide a score or probability in response to a particular input, but are not able to meaningfully and transparently provide further context on exactly ‘what’ in the input drove the outcome and ‘why’ it was scored as it was.
This characteristic is often referred to as ‘explainability’. The BlackBerry network anomaly detection model and related metadata capture is explicitly designed to provide as much meaningful ‘context’ as possible so that scoring outputs are as ‘explainable’ as possible.
Adaptive Risk Policy
Risk policies are adaptively applied based on a combination of the risk score, the particular risk factors involved, and — if applicable — the outcome of any issued identity challenge. This is important because not all policy adaptations are appropriate to all risk factors, and an identity challenge may not be appropriate for all risk factors.
For example, if we detect an ‘over time’ pattern of sensitive data exfiltration that may be indicative of a malicious insider, issuing an identity challenge would not make sense. Instead, the SOC may prefer to block all access, or to just ‘alert’ on the detection with further action pending investigation outcome.
eXtending Detection and Response With XDR
BlackBerry’s initial implementation is focused on scoring and enabling adaptive response to networking risk factors, as outlined above. As we evolve our solutions through products like BlackBerry® Gateway and BlackBerry® Optics 3.0, we will be extending our eXtended Detection and Response (XDR) capabilities based on correlating network risk factors, with other risk factors to further optimize detection and response.
For example, BlackBerry will soon be delivering AI/ML-based Data Loss Protection (DLP) to enable adaptive policies to be applied to document access and sharing. By correlating network and document risk events, we can enable more nuanced response. For example, we may detect a correlated pattern of exfiltration where overall volumes of data are not especially large, but the sensitivity of accessed documents is unusually high and with a higher risk score than we’d otherwise assign. Conversely, we may see volumes of exfiltrated data that are relatively higher than usual for a particular user, but without any correlation to sensitive data access.
In each case, we can elevate or reduce our risk assessment and more intelligently, and appropriately adapt the action(s) taken accordingly.
Looking to quickly operationalize the latest BlackBerry® technology such as BlackBerry XDR solutions? BlackBerry has world-class professional services teams who know our products inside and out. Contact our ThreatZERO® experts for personalized white glove service to optimize and implement BlackBerry security solutions.