Update

Perception Update - Version 2.5.3

Huge steps forward have been taken in version 2.5.3 of Perception, including the long-awaited open beta of the KnowledgeBase function and several powerful new behavioural identification techniques.


KnowledgeBase sits in the top menu bar alongside ForensicAI and allows the user to dive deep into a full record of every connection that has happened on the network. It has been trialled extensively and has quickly become one of our analysts' favourite features, as it allows them to confirm a suspicion quickly by searching for specific connections using its filtering capability. KnowledgeBase is now open to all users and will continue to be developed over the coming months.

New behavioural classifiers have also been developed to identify specific behaviours at play on the network. The Suspected New Host Online behaviour detects hosts not seen before on the network. This can be indicative of a planned system installation or of an unauthorised device being connected to the network, and it enables security teams to quickly identify the introduction of potentially vulnerable devices. This information may then be correlated with subsequent suspicious behaviour in the event that the newly introduced device presents a threat to the network.

The New Service Activity Detected behaviour identifies when a host starts a new service, resulting in network activity on a previously closed port. Under normal operation a given host runs a particular set of services; when a new service is started, this typically results in network activity on a port that was previously closed. This can be indicative of a new application being installed on a host or an existing application suddenly going live. A new service or port coming online can be due to a planned configuration change, a configuration error, or an unauthorised application or user modification. This activity is of interest to a security team that expects a defined set of services to be running on a given machine: the network activity resulting from the new service may be benign, or it may indicate malicious software now running on the host without the user's knowledge.

Finally, the Loss of Service Activity Detected behaviour detects when a host ceases to run a service. This can be indicative of a system or hardware failure or of a planned outage, and it helps security teams identify potential issues in the network, in particular where a failed service is related to a security incident.
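The three behaviours above share one idea: learn which hosts exist and which server ports each one answers on, then compare later traffic against that baseline. The following is an added example of that logic, not Perception's own classifier code; the flow records, addresses and port numbers are constructed sample data, and the single-window treatment of "loss of service" is a simplification noted in the comments.

```python
"""Baseline-driven checks for new hosts, new services and lost services.

Added example, not Perception's own code. It learns, from a learning window
of flow records, which hosts exist and which server ports each host answers
on, then compares a later observation window against that baseline to raise
Suspected New Host Online, New Service Activity Detected and Loss of Service
Activity Detected events. All flow records are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Flow:
    ts: int        # seconds since start of capture (constructed)
    src: str       # client address
    dst: str       # server address
    dport: int     # server-side port


Event = Tuple[str, str, Optional[int]]  # (behaviour, host, port or None)


def learn_baseline(flows: List[Flow]) -> Dict[str, Set[int]]:
    """Record every host seen and the set of server ports each host served on.

    Clients that never served anything still appear with an empty port set,
    so they are not reported as new hosts later.
    """
    baseline: Dict[str, Set[int]] = defaultdict(set)
    for f in flows:
        baseline[f.dst].add(f.dport)
        baseline.setdefault(f.src, set())
    return dict(baseline)


def classify_window(baseline: Dict[str, Set[int]], window: List[Flow]) -> List[Event]:
    """Compare one observation window against the baseline and emit events."""
    seen_ports: Dict[str, Set[int]] = defaultdict(set)
    hosts: Set[str] = set()
    for f in window:
        hosts.update((f.src, f.dst))
        seen_ports[f.dst].add(f.dport)

    events: List[Event] = []

    # Suspected New Host Online: an address never seen during learning.
    for host in sorted(hosts - baseline.keys()):
        events.append(("Suspected New Host Online", host, None))

    # New Service Activity Detected: a known host answering on a port that
    # was never served during learning (i.e. previously closed).
    for host, ports in sorted(seen_ports.items()):
        if host not in baseline:
            continue  # already reported as a new host above
        for port in sorted(ports - baseline[host]):
            events.append(("New Service Activity Detected", host, port))

    # Loss of Service Activity Detected: a baseline port with no traffic at
    # all in this window. One quiet window can be benign, so a real deployment
    # would require the silence to persist across several windows.
    for host, ports in sorted(baseline.items()):
        for port in sorted(ports - seen_ports.get(host, set())):
            events.append(("Loss of Service Activity Detected", host, port))

    return events


# Constructed sample traffic: a learning window, then an observation window in
# which 10.0.0.10 opens port 8080, stops answering on 22, and an unknown
# address 10.0.0.99 appears.
LEARNING = [
    Flow(0, "10.0.0.5", "10.0.0.10", 445),
    Flow(30, "10.0.0.5", "10.0.0.10", 22),
    Flow(60, "10.0.0.6", "10.0.0.11", 443),
]
OBSERVATION = [
    Flow(3600, "10.0.0.5", "10.0.0.10", 445),
    Flow(3610, "10.0.0.5", "10.0.0.10", 8080),
    Flow(3620, "10.0.0.99", "10.0.0.11", 443),
]


def demo() -> List[Event]:
    """Run the observation window against the learned baseline."""
    return classify_window(learn_baseline(LEARNING), OBSERVATION)


if __name__ == "__main__":
    for behaviour, host, port in demo():
        print(f"{behaviour}: {host}" + (f":{port}" if port is not None else ""))
```

In a live system the baseline would be rolled forward as new hosts and services are accepted by the analyst, and the loss-of-service check would be held back until a port had been silent for several consecutive windows, otherwise a quiet lunch hour would look like an outage.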


A full list of updates is below:

  • Introduction of KnowledgeBase (beta). This is a new tool available on Perception to enable users to perform in depth analysis on host statistics collected by the system. Data selection can be achieved through filtering and grouping where filtering options are by time, by sensor and by grammar-based metadata selection. The result of the selections can be plotted on a timeline diagram for reporting and review purposes.

  • Three new behavioural classifiers have been added to the system. These are: Suspected New Host Online, New Service Activity Detected and Loss of Service Activity Detected.

  • Improved loading time of behaviours and Forensic AI views.


This update will be pushed to all managed customers at the pre-agreed upgrade time.  Self-monitored customers can update their own systems using the software upgrade processes.  If you have any further questions about this upgrade please contact us at info@perceptioncybersecurity.com

Perception Update - Version 2.5.2

Multiple improvements have been made to Perception in version 2.5.2, from increasing system performance to more advanced detection techniques.


The largest improvement is largely invisible: the system can now be configured to apply processing limits to traffic received from the network, which increases the stability of the system as a whole by protecting it against bursts of network traffic. There have been more under-the-hood changes too, as we have also upgraded the underlying operating system to the latest version.

More user-facing changes include updates to some ForensicAI alerts to include scoring and suppression, further increasing confidence in a detection while reducing false alerts. This is part of ongoing work to bring all ForensicAI capability up to the same standard.


A full list of updates is below:

  • Patch release to address issue with Nginx package install.
  • Added configuration options to allow processing limits to be applied to traffic received from the network.
  • Improved log file management.
  • Patch release to address installation issues observed during upgrade from previous operating system.
  • System fully upgraded to run on latest version of operating system.
  • Updates to lateral and egress HLCs (High Level Classifiers) to include scores and suppression.
  • Addition to ransomware extension list.


This update will be pushed to all managed customers at the pre-agreed upgrade time.  Self-monitored customers can update their own systems using the software upgrade processes.  If you have any further questions about this upgrade please contact us at info@perceptioncybersecurity.com

Perception Update - Network Drive Activity Classifiers

A suite of behavioural classifiers has been developed for the Perception sensors to detect suspicious activity based on the information gathered by the Network Drive Activity Cache. These classifiers monitor behaviours such as file access, modification, upload and download, and report on potential policy breaches and/or unusual activity.

Perception can now attribute a user's network activity to specific Windows file-sharing operations, which allows for enhanced detection of ransomware while the ransomware payload is executing.
Additionally, policy-based classifiers can assist in ensuring that your company processes are being followed; for example, search patterns can be set up to look for certain filenames, users or file extensions of interest that have been seen in use within your network.

So as we said last week, we’ve implemented a Network Drive Activity Cache and naturally, because we have a behavioural engine, we can now identify behaviours based on the information in that cache.  We’ve put together a number of behavioural classifiers already based on some real world threats we’ve seen in the wild, but expect more of these classifiers to be implemented over time as we discover more vulnerabilities and scenarios we want to alert on.

One of the things Perception customers love most isn't just its ability to pick up on malicious activity, but its ability to discover network vulnerabilities before they are exploited by a malicious actor. Again, these classifiers can be used to discover poor network security practice, such as users storing confidential information in unencrypted files; it's little things like that which make Perception so useful.

This update is CCS and sensor based, and will be pushed to all managed customers at the pre-agreed upgrade time.  Self-monitored customers can update their own sensors and CCSs using the software upgrade process.  Please be aware, this feature requires the Network Drive Activity Cache to be active.  If you have any further questions about this upgrade please contact us at info@perceptioncybersecurity.com

Perception Update - Network Drive Activity Cache

A new mechanism has been developed on Perception sensors to allow file sharing activity between client machines and Windows network drives to be stored.

Enhanced visibility of network drive access provides the Perception classifiers with a huge amount of insight into a client machine’s behaviour.  This in turn allows classifiers to detect potential threat behaviours such as accessing and downloading large parts of a network share or repeated download/upload activities that can often be indicative of malicious behaviour.
This feature also facilitates the inclusion of additional associated meta-data in the events generated by the system such as the names and locations of the files accessed which can be vital in cases where data exfiltration has taken place.

The Network Drive Activity Cache gives Perception an extra level of information on top of all of the existing meta-data it has.  When files are transferred from or to Windows-based machines on a network, information about that transfer moves across the network.  Perception now includes this information in any behaviours that identify file movement across a network.  As a result, any behaviours that saw data movement can now also tell which files were accessed, and whether they were read or written.

Our analysts are already seeing great benefit from this feature, as it immediately identifies which files have been accessed in data movement events, so investigating suspicious events is far faster.  Rather than having to trawl through capture files looking for which data has been accessed, the file information is right there, front and centre.

The information provided by this feature enables a number of additional capabilities, the first set of which we'll tell you about next week. The system can also now build intelligence around who accesses which files, when, and how unusual this is for that person. How we utilise the Network Drive Activity Cache will become more and more sophisticated and beneficial as the system continues to improve, but it's already showing great results.

This update is CCS and sensor based, and will be pushed to all managed customers at the pre-agreed upgrade time.  Self-monitored customers can update their own sensors and CCSs using the software upgrade process.  Please be aware, this feature may change the performance requirement of the sensor, and can therefore be turned on or off as required.  If you have any further questions about this upgrade please contact us at info@perceptioncybersecurity.com

Perception Update - DNS Behaviour Classification

Perception now includes several classification methods to detect various types of behaviour that rely on DNS use.

We have added enhanced DNS behavioural detection capability to detect malware behaviours such as DNS tunnelling. These methods are typically used to circumvent traditional security defences, allowing Command and Control channels to be set up on even very 'locked down' networks.

The detection of low and slow DNS tunnelling is complex, and we have developed a number of Perception Behavioural Classifiers to assist in the detection. In addition, ForensicAI High Level Classifiers have been developed to allow for long-term correlation. This means that this very advanced exfiltration technique is now identified by Perception and clearly explained to the analyst. You can learn more about DNS misuse as a data exfiltration technique by reading our blog post on the topic.

This update is CCS and sensor based, and will be pushed to all managed customers at the pre-agreed upgrade time.  Self-monitored customers can update their own sensors and CCSs using the software upgrade process.  If you have any further questions about this upgrade please contact us at info@perceptioncybersecurity.co

Perception Update - Domain Classification

Perception allows analysts to assign network trust categories to assets, improving threat behaviour attribution.

The ability for the analyst to assign domain types and trust levels to IP ranges has been added to the system. This introduces the basis for assigning security layers that better attribute behaviours to risk factors.

Perception can set various parts of a network to ‘trusted’ or ‘untrusted’.  This feature enriches the information delivered in the behavioural events generated by the system enabling the analyst to better categorise potential threats.  This also enhances the ForensicAI engine’s ability to detect potential threats based on the source and destination domain types and trust levels.

For example, the system could perhaps see a data movement internally between two ‘trusted’ parts of the network as not threat-like, whereas a data movement from a ‘trusted’ internal server to an ‘untrusted’ public WiFi network is far more interesting.  ForensicAI also leverages this new data, being able to understand the relevance of multiple data movements, and correlating data moving between various trust levels of a network over time.
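To make the trust-level idea concrete, here is an added example of how a data movement can be enriched with domain types and trust levels before it reaches a correlation engine. It is not Perception's own code: the CIDR ranges, domain-type names and the "interest" rules that follow from the trusted/untrusted transitions are constructed assumptions; the post only states that IP ranges carry a domain type and a trust level and that movements between trust levels are what the engine weighs.

```python
"""Trust-level enrichment of data movements (added example, not Perception code).

The trust map, the domain-type names and the interest rules below are
constructed assumptions. Most-specific prefix wins on lookup, so the 0.0.0.0/0
catch-all only applies to addresses that no narrower range claims.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed trust map: (CIDR range, domain type, trust level).
TRUST_MAP: List[Tuple[str, str, str]] = [
    ("10.10.0.0/16", "internal-servers", "trusted"),
    ("10.20.0.0/16", "workstations", "trusted"),
    ("192.168.50.0/24", "public-wifi", "untrusted"),
    ("0.0.0.0/0", "internet", "untrusted"),
]

# Parse once and order longest prefix first so the first hit is the best match.
_NETWORKS = sorted(
    ((ipaddress.ip_network(cidr), domain, trust) for cidr, domain, trust in TRUST_MAP),
    key=lambda entry: entry[0].prefixlen,
    reverse=True,
)


def classify_ip(ip: str) -> Tuple[str, str]:
    """Return (domain type, trust level) for an address by longest-prefix match."""
    addr = ipaddress.ip_address(ip)
    for net, domain, trust in _NETWORKS:
        if addr.version == net.version and addr in net:
            return domain, trust
    return "unknown", "untrusted"  # unmapped (e.g. IPv6 here): treat as untrusted


def enrich_data_movement(src: str, dst: str, bytes_moved: int) -> Dict[str, object]:
    """Attach domain/trust labels to a data movement and rate how interesting it is."""
    src_domain, src_trust = classify_ip(src)
    dst_domain, dst_trust = classify_ip(dst)
    if src_trust == "trusted" and dst_trust == "untrusted":
        interest = "high"     # data leaving the trusted estate
    elif src_trust == "untrusted" and dst_trust == "trusted":
        interest = "medium"   # inbound from an untrusted zone
    else:
        interest = "low"      # movement within a single trust level
    return {
        "src": src, "src_domain": src_domain, "src_trust": src_trust,
        "dst": dst, "dst_domain": dst_domain, "dst_trust": dst_trust,
        "bytes": bytes_moved, "interest": interest,
        "summary": (f"{bytes_moved} bytes {src_domain} ({src_trust}) -> "
                    f"{dst_domain} ({dst_trust})"),
    }


if __name__ == "__main__":
    # Constructed movements: server to workstation, then server to public WiFi.
    for movement in [("10.10.1.5", "10.20.3.4", 2_000_000),
                     ("10.10.1.5", "192.168.50.23", 2_000_000)]:
        event = enrich_data_movement(*movement)
        print(event["interest"], event["summary"])
```

The same two megabytes are rated "low" between two trusted zones and "high" when the destination is the untrusted WiFi range, which is exactly the distinction the paragraph above draws; a correlation layer can then accumulate the enriched events per host over time.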

This update is CCS and sensor based, and will be pushed to all managed customers at the pre-agreed upgrade time.  Self-monitored customers can update their own sensors and CCSs using the software upgrade process.  If you have any further questions about this upgrade please contact us at info@perceptioncybersecurity.com

Perception Update - Web Proxy

Perception removes the web proxy blindspot

This feature adds a layer prior to the classification engine which resolves the actual session destination IP addresses from the hostnames visible in the traffic monitored behind the web proxy. The classification engine is then able to process session information as if the clients were communicating directly with the destination servers.

Monitoring networks where web proxies are deployed presented an issue: the actual destination IP addresses were hidden from the system. Traffic monitored behind a web proxy always carries the same destination IP address, that of the web proxy itself, rather than the real destination IP address. This results in poor performance for network monitoring systems because a significant chunk of data appears to be targeted at a single destination when in reality it is going to many different places.

Monitoring behind a web proxy may be the only available option for a given customer, as the proxy itself may be located on the internet (e.g. cloud-based proxies) and access to the output of the proxy may therefore not be available. This previously presented a potential blind spot to the Perception classification engine.

This update solves this problem by delivering accurate IP information to Perception regardless of proxy use.  As a result, Perception provides the same level of coverage and accuracy when used behind proxies as it does when deployed in a typical network.
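The mechanism described above can be illustrated with a small added example. It is not Perception's sensor code: it reads the hostname a client still exposes when talking to a proxy (the CONNECT target for HTTPS, the Host header for plain HTTP), resolves it through a constructed lookup table standing in for DNS, and rewrites the session destination from the proxy address to the origin server before classification. The proxy address, sessions and resolver entries are all constructed.

```python
"""Resolving real destinations for sessions observed behind a web proxy.

Added example, not Perception's sensor code. The proxy address, the sessions
and the RESOLVER table are constructed; a sensor would use observed DNS
answers or its own resolver cache rather than a static table.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional

PROXY_IP = "10.0.0.8"  # constructed address of the customer's web proxy

# Constructed stand-in for DNS resolution: hostname -> origin server address.
RESOLVER: Dict[str, str] = {
    "updates.example.com": "203.0.113.10",
    "cdn.example.net": "198.51.100.7",
}


@dataclass(frozen=True)
class Session:
    src: str
    dst: str        # as seen on the wire: the proxy, for proxied traffic
    dport: int
    request: bytes  # first bytes of the client's HTTP request, b"" if none


def extract_hostname(request: bytes) -> Optional[str]:
    """Pull the origin hostname out of an HTTP request sent to a proxy.

    Handles "CONNECT host:port" (HTTPS via proxy) and the Host header (plain
    HTTP via proxy). Bracketed IPv6 literals are not handled here.
    """
    head, _, _ = request.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    if not lines or not lines[0]:
        return None
    parts = lines[0].split()
    if len(parts) >= 2 and parts[0].upper() == b"CONNECT":
        return parts[1].rsplit(b":", 1)[0].decode("ascii", "replace").lower()
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().rsplit(b":", 1)[0].decode("ascii", "replace").lower()
    return None


def deproxy(sessions: List[Session]) -> List[Session]:
    """Rewrite proxied sessions so they look like direct client-to-server sessions."""
    out: List[Session] = []
    for s in sessions:
        if s.dst != PROXY_IP:
            out.append(s)  # not proxied: leave untouched
            continue
        host = extract_hostname(s.request)
        real = RESOLVER.get(host) if host else None
        # If the hostname cannot be resolved, keep the proxy as destination
        # rather than guessing; the classifier still sees the session.
        out.append(replace(s, dst=real) if real else s)
    return out


def destination_histogram(sessions: List[Session]) -> Dict[str, int]:
    """Count sessions per destination; shows the 'everything goes to the proxy' effect."""
    counts: Dict[str, int] = {}
    for s in sessions:
        counts[s.dst] = counts.get(s.dst, 0) + 1
    return counts


# Constructed sessions: three through the proxy, one direct internal SMB session.
SESSIONS = [
    Session("10.0.1.20", PROXY_IP, 3128,
            b"CONNECT updates.example.com:443 HTTP/1.1\r\nHost: updates.example.com:443\r\n\r\n"),
    Session("10.0.1.21", PROXY_IP, 3128,
            b"GET http://cdn.example.net/a.js HTTP/1.1\r\nHost: cdn.example.net\r\n\r\n"),
    Session("10.0.1.22", PROXY_IP, 3128,
            b"CONNECT unknown.example.org:443 HTTP/1.1\r\n\r\n"),
    Session("10.0.1.23", "10.0.5.9", 445, b""),
]


def demo():
    """Return destination histograms before and after de-proxying."""
    return destination_histogram(SESSIONS), destination_histogram(deproxy(SESSIONS))


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

Before the rewrite three of the four sessions collapse onto the proxy address; after it, each resolvable session points at its real origin and only the unresolvable one still shows the proxy, which is the behaviour a classifier needs to see client-to-destination patterns through a proxy.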

This update is sensor based, and will be pushed to all managed customers at the pre-agreed upgrade time.  Self-monitored customers can update their own sensors using the software upgrade process.  Please note that Perception may need some extra configuration to function with proxy networks.  If you have any further questions about this upgrade please contact us at info@perceptioncybersecurity.com

ForensicAI

The biggest ever leap forward in Perception technology.

As you all know, Perception is a system that derives a level of understanding of the behaviour of all traffic on a network, capturing packets of that traffic on its way, and then allowing an analyst to look into patterns of that behaviour to determine what is malicious, dangerous, or indicative of a network vulnerability. What this boils down to is letting the system automatically generate the most useful data set and then allowing the analyst to use that mass of data to find what's interesting. Whilst this method has proven more effective than standard solutions for finding existing threats and weaknesses on a network, it still relied on capable analysts with a deep understanding of network topology and threat landscapes.

Now, as part of a massive version 2.0 upgrade, we are adding a huge layer of capability onto the system, ForensicAI.

ForensicAI is an advanced system of artificial intelligence that automates large analysis tasks.  ForensicAI constantly looks through the built up mass of behavioural data from Perception’s behavioural analysis, identifying patterns and common themes that indicate potential live threats and network vulnerabilities without any intervention by the user.  When anything of interest is found, rich data is made available to the user in the form of an alert that explains what has happened, and why it is worth looking into. 

ForensicAI works by constantly polling the knowledge base, looking for multiple behaviours or series of behaviours over time. Because of the in-depth information generated by Perception's behavioural analysis system, ForensicAI can generate alerts on activity that has occurred over the course of days, weeks, or months with extremely low false-alarm rates and very high detection rates. The system is also flexible: our customers can request the development of specific ForensicAI intelligence to look for areas of concern, or increase the tendency for ForensicAI to alert on certain behavioural patterns. This flexibility also allows the development team to constantly tweak the system to detect newer threats as they emerge, and new logic is immediately able to look back into the knowledge base to see if anything has occurred since Perception was installed.

ForensicAI represents the first cyber security system that we know of that can automatically alert on low and slow behaviours over these sorts of timescales.  Perimeter and endpoint solutions typically only have the ‘now’ available to them, and false alarm rates would be too high to generate alerts over some of the behaviours involved in more advanced attacks.  SIEM tools can be used to gather data, but over time it becomes nearly impossible to find the needle in such a large haystack.  ForensicAI can pick out malicious activity that involves something happening months ago, followed by other behaviours a few weeks later, and then something else happening in the last few minutes.  As soon as the last piece in that puzzle falls into place, an alert is generated, which gives us that incredibly high detection rate.

With ForensicAI, Perception now has the capability to generate alerts from the large data sets, rather than just useful data to be used for further analysis.  This allows our serviced customers to benefit from analysts spending more time investigating incidents rather than discovering patterns, and our self-monitored customers can benefit from immediate identification of in-progress malicious activity.

As with all our other software updates, Perception v2.0 including ForensicAI is a free software update to all existing customers.


Perception Update - Improvement In Communication Mechanism

An update to the communication mechanism between the Perception Sensor and the Central Correlation Server (CCS).

This improvement allows more detailed meta-data to be stored in the data sent to the CCS from the sensors.  It increases communication reliability and transport bandwidth efficiency at higher data rates.  The improvement also speeds up the encode and decode times of the data on either end, improving communications speeds.  We have also implemented the ability for a sensor to send to multiple CCSs so customers can have redundancy for their CCS.

The core concept of Perception has always been gathering the best behavioural information possible from the network. As vulnerabilities change and we discover new ways that businesses might find themselves exposed, it becomes vital that we add more ways of understanding behaviour on a network. As a result of this gradual increase in information gathering, we start to put strain on the communication link between the sensor and the CCS.

This update could be seen as a group of fairly boring performance enhancements; however, these are vital changes that allow us to increase the capabilities of Perception even further in future. Between the increase in reliability on extremely busy networks and the increase in decode/encode speed, this performance boost allows us to send much richer metadata, which means our analysts (and our AI; more on that soon) have better information to work from.

The importance of the redundancy capability also mustn't be underestimated.  Many customers work in mission critical environments and require 100% uptime for cyber security systems.  Adding the ability to control a main CCS and a failover is an absolute necessity for these businesses, and something we're delighted to be able to provide.

This update is CCS and sensor based, and will be pushed to all managed customers at the pre-agreed upgrade time.  Self-monitored customers can update their own sensors and CCS using the software upgrade process.  If you have any further questions about this upgrade please contact us at info@perceptioncybersecurity.com

Perception Update - Improvements to Behavioural Classifier

The identification of the ‘Communicating with many hosts’ behaviour has been enhanced to detect newer variations of this activity, as well as producing more metadata when it is identified.

The Communicates with Many Hosts classifier is typically used to identify behaviours associated with network discovery, fingerprinting, brute force attack or potential unwanted system use such as online gaming or torrent traffic.  Some of these behaviours are good indicators of compromise and are useful in understanding what hosts on your network are doing.

After some good feedback from our analysts, we have enhanced the classifier to look back further in time to identify low and slow attack methodologies, and significantly enhanced the associated metadata to allow for easier attribution of behaviours to hosts.

The longer look-back means that the behaviour cannot be hidden by taking a break in activity for an extended period of time, or by randomising or normalising fingerprinting intervals to avoid anomaly detection methods. As a result we can discover this type of activity when we simulate it on our test networks regardless of the techniques we use to hide the behaviour.
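The point about the longer look-back is easiest to see in code. The following is an added example, not Perception's classifier: it counts the distinct destinations each source has contacted within a sliding window and raises one event per source when the count first reaches a threshold. The constructed traffic is a slow sweep of one new host every ten minutes with a six-hour pause in the middle; with a one-hour window the count never climbs past a handful, while a seven-day window accumulates straight through the pause. The window lengths, threshold and addresses are assumptions chosen for the illustration.

```python
"""Long look-back 'Communicates with Many Hosts' classifier (added example).

Not Perception's own classifier. Counts distinct destinations per source within
a sliding window and emits one event per source when the count first reaches a
threshold. Traffic, window lengths and threshold are constructed for the example.
"""
from typing import Dict, List, Optional, Set, Tuple


class ManyHostsClassifier:
    def __init__(self, window_seconds: int, threshold: int) -> None:
        self.window = window_seconds
        self.threshold = threshold
        self._last_seen: Dict[str, Dict[str, int]] = {}  # src -> {dst: last ts}
        self._alerted: Set[str] = set()  # one event per source (suppression)

    def observe(self, ts: int, src: str, dst: str) -> Optional[dict]:
        """Feed one connection; return an event dict the first time src crosses the threshold."""
        peers = self._last_seen.setdefault(src, {})
        peers[dst] = ts
        # Forget destinations whose last contact fell out of the look-back window.
        cutoff = ts - self.window
        for peer in [p for p, seen in peers.items() if seen <= cutoff]:
            del peers[peer]
        if len(peers) >= self.threshold and src not in self._alerted:
            self._alerted.add(src)
            return {
                "behaviour": "Communicates with Many Hosts",
                "src": src,
                "ts": ts,
                "distinct_hosts": len(peers),
                "window_seconds": self.window,
                "sample_hosts": sorted(peers)[:5],  # metadata for the analyst
            }
        return None


def slow_scan_traffic() -> List[Tuple[int, str, str]]:
    """Constructed: 10.0.3.44 contacts one new host every 10 minutes,
    pausing for 6 hours after the 120th host, 200 hosts in total."""
    flows = []
    for i in range(200):
        ts = i * 600 + (6 * 3600 if i >= 120 else 0)
        flows.append((ts, "10.0.3.44", f"10.9.0.{i}"))
    return flows


def run(window_seconds: int, threshold: int) -> Optional[dict]:
    """Replay the constructed traffic and return the first event, if any."""
    clf = ManyHostsClassifier(window_seconds, threshold)
    for ts, src, dst in slow_scan_traffic():
        event = clf.observe(ts, src, dst)
        if event:
            return event
    return None


if __name__ == "__main__":
    print("1 hour window:", run(3600, 150))
    print("7 day window: ", run(7 * 86400, 150))
```

With the one-hour window at most six destinations are ever inside the window at once, so the sweep is invisible whatever the threshold; the seven-day window reports 150 distinct hosts shortly after the pause ends, because the pause only delays the count rather than resetting it.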

The extra metadata enables the analyst to quickly identify behaviour of interest and understand what a host is doing more effectively.

This update is sensor based, and will be pushed to all managed customers at the pre-agreed upgrade time.  Self-monitored customers can update their own sensors using the software upgrade process.  If you have any further questions about this upgrade please contact us at info@perceptioncybersecurity.co