Machine behaviors that threaten enterprise security

What to do when machine learning on the inside turns against the perimeter

Machine learning has moved enterprise security forward, allowing for visibility inside the network in order to better understand user behavior. However, malicious actors are using what is done with machine learning on the inside in order to attack the perimeter.

Specifically, these types of attacks include DNS tunneling, attaching to Tor networks, and sending rogue authentication requests to directory services. Tom Gorup, security operations leader for Rook Security, said that in addition to these threats, "In general what we are seeing across the board is phishing, from wire fraud to distribution of malware. Generally we’re seeing scans they're attempting to exploit."

Even though DNS tunneling is not as prominent as it used to be, attackers trust that most people aren’t monitoring their DNS, which "Enables a hacker to bypass proxy servers and firewalls that protect internal data from attack," said Gorup.

Attaching to Tor networks is also becoming more and more painful for blue teams as it is more expensive to defend the environment. Gorup said, "If you don’t see that initial packet, everything else just looks like SSL traffic. Some malware do use Tor, and when they do it, it’s definitely difficult. Depends on how much effort the attacker wants to put into it."

Another threat that requires consistent monitoring is sending authentication requests. "Authentication to directory services enables hackers to learn more about servers on the network, including naming, users, and passwords," said Gorup. 

Barry Shteiman, threat research director from Exabeam, said, "When looking at machines, they need to look at the machine's behavior without the requirement of someone actively doing something on it."

From a security standpoint, it's difficult to detect because when a person interacts with machine, that’s a human user doing something to that machine. "Even if a machine does something right or wrong, there’s always a human service that initiates that activity," Shteiman said.

Most often, in a machine that has been breached, it's difficult to discern exactly what happened. "DNS tunneling is a classic threat," said Shteiman. "Someone installs some piece of software on a machine that starts exfiltrating data through a protocol that is used between the server and an IP address."

What hackers came to understand is that DNS is robust. "It includes meta information. Because there are free text fields or hardly a limitation on the length of a domain name, there is room there to input free text. Hackers started to manipulate DNS to exfiltrate data by taking a file and breaking it into chunks, then reconnecting to a file outside of the network," said Shteiman.

Since DNS is a required protocol, these are legitimate things to see happen from a security or network monitoring standpoint. Nothing looks weird. "The machine has the DNS tack that it’s using. The service is on the machine itself. It requires no human interaction. It's common to see these things on closed networks," Shteiman said.

The problem is that the hacker will try to manipulate a machine that has access to certain data, "Using the machine to exfiltrate data, and security practitioners can’t whitelist or blacklist or create a reel that doesn’t allow DNS access. It’s a unique file broken into millions of chunks," said Shteiman.

The problem with machine threats, said Citrix's CSO Stan Black, is that there is no clearly defined and consistently accepted understanding of them. The attacks that are underway have the ability to adapt and find new binaries very quickly.

"Machine threats from my point of view is when the machine learning that we do on the inside is being turned to the outside against our perimeter," Black said. "Machine threats are when a malicious actor attempts to use machine technology against us."

Bad actors are so good at going after companies around the world that they now are able to take public information and do a vast majority of their attacks through automation. "There are 50 to 60 billion new attacks per quarter with multiple campaign elements. That used to require a person to look at the data, but now, it’s full automation," said Black.

Automation has allowed hackers to gather even more intelligence than they had previously been able to obtain. Black said, "If you look at traffic on the internet, very few people are familiar with what is supposed to be happening. These guys are using connections, carriers, carrier calls, health checks, and parody analysis to gather additional intelligence."

Security practitioners are monitoring traffic, but Black said, "Previously we would see someone running active scanning on us. Now, they are able to utilize malicious code to gather more than they used to. This is going to be huge in the IoT space."

A return to basics, said Black, might be the best measure of defense. "Development is moving quickly, but we need to go back to basics. Applications are supposed to do certain types of transactions at each port. We need to clearly define what good traffic is and what it should look like. If it deviates from the published standard, that might be bad."

Relying on modeling and machine learning, said Shteiman, is another way to protect the gaps that aren't covered by blocking access to known Tor IPs. "I work on Tor, but I can model how I work on my computer. Access is only allowed when there is a keyboard interaction, or during working hours so that if I'm not on my computer, Tor can't be used."

As is most often the case, mitigating these threats requires education and training. Gorup said, "Regular code review and training developers will lower risk and vulnerabilities."

Black agreed noting that, "Coding is going to be a major step forward. The internet and the carriers of the world have allowed dirty data to come to our door. As consumers of that data we need to demand that they clean up our pipes."

Everybody is getting tired of the constant breaches and attacks. Creating more clarity on what carriers and companies' responsibilities are will work towards cleaning up those pipes.

"We need to understand what is going into our facilities and what is going out," said Black. "They're also going to see encrypted traffic that is not encrypted by companies and countries, but if they don’t have the keys, they're going to block the payload."

Simplifying and consolidating with fewer layers will also be a necessary part of the clean up process, said Black. "I’m more confident now than I have been in a really long time for several reasons. The number of technologies you need to layer on are being rapidly consolidated. Simplification is going to be critical."

Join the CSO newsletter!

Error: Please check your email address.

More about CitrixCSOExabeam

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Kacy Zurkus

Latest Videos

More videos

Blog Posts