Detect Zero-Day Attacks

Zero-day attacks are attacks against software flaws that are unknown and have no published patch or fix. Sophisticated attacks that exploit zero-day vulnerabilities often begin with a spear phishing email containing malware. When the unsuspecting target opens the email, the malware compromises the endpoint, attempts to establish command and control, and then moves laterally across the network to access sensitive data and exfiltrate it.

Workflow

Overview

The ES Risk Analysis dashboard is the starting point for a hunter identifying zero-day attacks.

Review Risk Modifiers

The Recent Risk Modifiers, Risk Modifiers Over Time and Risk Score by Object panels show how the risk modifiers from the target hosts change over a period of time. Reviewing the Most Active Sources panel shows which recurring malware infections, old malware infections and threat activity detections contribute to the overall risk score of a given host.

Reviewing past notable events associated with the high-risk host provides further insight into the risk to your environment. The Incident Review dashboard tracks the history of notable events associated with this high-risk host, which helps confirm whether the host was infected with malware and what remedial activity was taken. Within this dashboard, the hunter can update the action history using the Investigator Journal or start a new investigation. Any abnormal communication from the endpoint to an external destination indicates command and control activity.

Determine Malicious Authentication Attempts

The hunter can investigate whether the attacker has gained control of additional endpoints by identifying the set of users that were logged into the initial endpoint at the time the compromise started. The Access Center dashboard monitors authentication attempts to network devices, endpoints and applications, and detects malicious authentication attempts, such as those associated with lateral movement.

Identify Compromised Account Activities

Searching and cross-referencing the Active Directory authentication logs for this endpoint, from the initial compromise time to the present, identifies all users who logged in to this host, as well as the other hosts those users subsequently logged into after the initial compromise. Searching the database audit logs for that list of compromised endpoints identifies the compromised existing user account and the activities it initiated.

The hunter can determine whether the attacker stored the downloaded database query results on the machine's disk as a series of password-protected binary files and disguised those files with filenames that follow common patterns.

Determine Data Exfiltration and Methods

The Web Search dashboard uses web proxy logs to help determine whether data exfiltration has occurred. Any outbound HTTP activity that matches the filename patterns used by the attacker to disguise the database files indicates data exfiltration.
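The cross-referencing described in the two steps above (users on the initial endpoint, the hosts they moved to, then outbound proxy activity matching the disguise pattern), as an added Python example that is not part of this page or of Splunk ES; the log lines, hostnames, compromise time and the regular expression for the disguised filenames are constructed for illustration.

```python
import re
from datetime import datetime
# Constructed authentication events (one per line): time, user, dest host, outcome.
AUTH_LOGS = """
2023-05-01T08:00:00 user=alice dest=WS-014 action=success
2023-05-01T09:30:00 user=bob dest=WS-014 action=success
2023-05-01T10:15:00 user=bob dest=FILESRV-01 action=success
2023-05-01T10:40:00 user=bob dest=DB-PROD-02 action=failure
2023-05-01T11:00:00 user=bob dest=DB-PROD-02 action=success
"""

# Constructed web proxy events: time, source host, outbound URL.
PROXY_LOGS = """
2023-05-01T12:05:00 src=FILESRV-01 url=http://203.0.113.10/up/report_2023.pdf.part001
2023-05-01T12:06:00 src=WS-014 url=http://example.com/index.html
2023-05-01T12:07:00 src=DB-PROD-02 url=http://203.0.113.10/up/report_2023.pdf.part002
"""

def parse_kv(lines):
    """Parse 'time key=value ...' lines into dicts, sorted by time."""
    events = []
    for line in lines.strip().splitlines():
        ts, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        fields["time"] = datetime.fromisoformat(ts)
        events.append(fields)
    return sorted(events, key=lambda e: e["time"])

def trace_lateral_movement(events, initial_host, compromise_time_iso):
    """Users who logged into initial_host at/after the compromise -> hosts they moved to."""
    start = datetime.fromisoformat(compromise_time_iso)
    first_seen = {}
    for e in events:  # step 1: users on the initial endpoint after compromise start
        if (e["dest"] == initial_host and e["action"] == "success"
                and e["time"] >= start):
            first_seen.setdefault(e["user"], e["time"])
    spread = {}
    for e in events:  # step 2: later successful logons by those users elsewhere
        u = e["user"]
        if (u in first_seen and e["action"] == "success"
                and e["dest"] != initial_host and e["time"] > first_seen[u]):
            hosts = spread.setdefault(u, [])
            if e["dest"] not in hosts:
                hosts.append(e["dest"])
    return spread

def find_exfil_candidates(events, hosts, filename_pattern):
    # Outbound proxy events from suspect hosts whose URL matches the disguise pattern.
    rx = re.compile(filename_pattern)
    return [(e["src"], e["url"]) for e in events if e["src"] in hosts and rx.search(e["url"])]
```

Failed logons and logons that predate the compromise time are ignored, so only movement that could have been driven from the compromised session is reported.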

Discover the Compromised Endpoint

The Malware Search dashboard helps confirm that the same endpoint generated HTTP activity matching the pattern the attacker used to disguise the database files. It is then clear that the attacker succeeded in stealing the database files.