Simulating Your Way to Security: One Detector at a Time

Presentation
In this presentation, the author discusses how to determine whether an attack is detectable and how to quantify a detector's quality using accuracy and time-to-detect. This can improve security operations by focusing investment on reliable detection.
Publisher

Columbus Collaboratory

Abstract

Covering a network with sensors is the first step towards security, but the massive flood of unprocessed, raw data points is frequently as paralyzing as having no visibility at all. To find actionable signal in the noise, one has to first define signal and noise. Threat detection must be motivated from a problem-first mentality, rather than a data-first mentality. Using this approach, "Big Data" problems tend to become small, relevant data problems, facilitating accurate and scalable detection solutions. We demonstrate the aforementioned problem-first approach with a case study of a password spray attack against an Active Directory (AD) system. We examine the nature of the attack: how it works, why it works and how its parameter settings interact with attacker style. In the resulting threat model, the "signal" is a sequence of failed authentication attempts from a particular device and the "noise" is the rest of the LDAP traffic.

To understand the detectability of a dynamic password spray attack in a variable environment, the central idea is to gather samples of the attack and merge them with records of the baseline enterprise network traffic. This may be accomplished by mapping timestamps and IP addresses of simulated and real flow data. For successful detection, signal must be discriminable from noise, so we demonstrate how to use time-series and probability density plots, combined with faceting and animation techniques, to visually examine the separation of signal from noise across the sample of devices. Next, we show how constraints that come from details of the threat model suggest how to reduce the signal into a filtered, low-dimensional summary that preserves discriminability and allows detection to scale to a large network of devices. Finally, we show how the signal summary can be used to construct heuristic and statistical detection methods, and evaluate their efficacy using accuracy and time-to-detection metrics.
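A minimal sketch of the workflow described above, added here as an illustration and not taken from the presentation: simulated spray events are merged into a baseline of failed logons, reduced to a per-device count per time bucket, passed through a heuristic threshold detector, and scored on accuracy and time-to-detect. The device addresses, baseline cadence, 300-second bucket, threshold of 10 and spray pacing are all constructed assumptions.

```python
from collections import Counter

WINDOW = 300      # summary bucket in seconds (assumed)
THRESHOLD = 10    # failed logons per device per bucket that raise an alert (assumed)
DEVICES = [f"10.0.0.{i}" for i in range(1, 21)]  # constructed address range

def baseline(duration=7200):
    """Constructed noise: every device has one failed logon per 15 minutes."""
    return [(t, dev) for i, dev in enumerate(DEVICES)
            for t in range(i * 37, duration, 900)]

def spray(device, start, attempts, interval):
    """Simulated signal: evenly paced failed logons mapped onto one device."""
    return [(start + k * interval, device) for k in range(attempts)]

def detect(events):
    """Reduce events to per-(device, bucket) counts; return first alert time per device."""
    counts, alerts = Counter(), {}
    for ts, dev in sorted(events):
        counts[dev, ts // WINDOW] += 1
        if counts[dev, ts // WINDOW] >= THRESHOLD:
            alerts.setdefault(dev, ts)
    return alerts

def evaluate(attacker, start, attempts, interval):
    """Merge the simulated spray into the baseline, then score the detector."""
    alerts = detect(baseline() + spray(attacker, start, attempts, interval))
    correct = sum((dev in alerts) == (dev == attacker) for dev in DEVICES)
    ttd = alerts[attacker] - start if attacker in alerts else None
    return correct / len(DEVICES), ttd

if __name__ == "__main__":
    # Two attacker styles: same number of attempts, different pacing.
    for style, interval in (("fast", 5), ("slow", 120)):
        acc, ttd = evaluate("10.0.0.4", 3600, 50, interval)
        print(f"{style} spray: accuracy={acc:.2f} time_to_detect={ttd}")
```

With these constructed values the fast spray alerts after 45 seconds, while the slow spray stays under the per-bucket threshold and is never flagged even though accuracy is still 0.95.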

This content was created for a conference series or symposium and does not necessarily reflect the positions and views of the Software Engineering Institute.