Using audit to find persistent prowlers

Like real-world criminals, cyber thieves have different strategies. Like real thieves, they want to avoid detection so that they can make off with their loot and cover their tracks. One way is to get in quickly, grab all you can and get out. With this approach, you will see spikes in various logs and monitors (such as the sysstat tools, which can detect such spikes).

Another way is to work more slowly: hide within the large volume of log information and network activity, and quietly explore and steal over an extended period of time. Our software is designed to find such persistent behavior. The individual actions of the crook may not be enough to raise any flags, but the persistent behavior over time adds up to something that is distinctively different from safe activity.

Here we consider audit logs obtained with the audit service for Linux. There are equivalent methods available for Windows, and indeed for most operating systems. To learn about audit, please see an excellent talk by Gary Smith.

Here we will consider one aspect of audit: finding prowlers that are moving around in your disk system, looking for files that may be valuable. These could be email files, documents, or even text files that may contain useful information (since most people have to write down their passwords somewhere). Audit can record events where the prowler is moving around the disks. This is done with a "watch" instruction.

When audit is watching a disk, we can monitor the "footprint", that is, the number of distinct locations that are accessed during a certain time. The following picture shows this as a graph.

The different graphs here show the increasing footprint of different processes. Some rise quickly, some more slowly. The information above is obtained from the audit log, which can be searched using the audit tools (such as ausearch). There is also a color indicating the number of items accessed at each time.

Even though the graphs that rise quickly capture our attention, the important ones to note may be the ones that grow slowly, for example graphs 33 or 34 (or a few others like them). But which of these is the real problem?

To get that information we have to look at persistent behavior over several periods. This type of information is hard to see in a graph, since the time periods involved are quite large. But strategy patterns can identify repeated instances of certain movements.

Such persistent movements can be distinguished from non-persistent, transient trends. If there is one thing you can say about hackers, it is that they are persistent. This strategy becomes evident if we examine several audit records over different time periods and look for processes that persist over long periods while doing a little bit of harm each time.
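The following Python script is an added example, not part of the original post or of the software it describes. It shows the three steps discussed above in code: reading the raw records that ausearch returns for a watch rule (assumed here to be `-w /home -p r -k home_watch`, with the log lines constructed and simplified, not captured from a real host), computing each process's growing footprint of distinct paths per time window, and then looking across windows for the process that keeps finding a few new files every period rather than the one that bursts. The window length, the thresholds and the process names are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

WINDOW_SECONDS = 3600  # one-hour observation periods (assumed)

# Constructed sample of raw auditd records (all values made up), in the shape that
# `ausearch -k home_watch --raw` prints for a watch rule such as
#     -w /home -p r -k home_watch
# Each event is a SYSCALL record followed by one PATH record sharing its serial.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:100): arch=c000003e syscall=257 success=yes exit=3 pid=4242 comm="backup" exe="/usr/bin/backup" key="home_watch"
type=PATH msg=audit(1700000000.101:100): item=0 name="/home/alice/a.txt" inode=11 mode=0100644
type=SYSCALL msg=audit(1700000000.202:101): arch=c000003e syscall=257 success=yes exit=3 pid=4242 comm="backup" exe="/usr/bin/backup" key="home_watch"
type=PATH msg=audit(1700000000.202:101): item=0 name="/home/alice/b.txt" inode=12 mode=0100644
type=SYSCALL msg=audit(1700000000.303:102): arch=c000003e syscall=257 success=yes exit=3 pid=4242 comm="backup" exe="/usr/bin/backup" key="home_watch"
type=PATH msg=audit(1700000000.303:102): item=0 name="/home/bob/c.txt" inode=13 mode=0100644
type=SYSCALL msg=audit(1700000000.404:103): arch=c000003e syscall=257 success=yes exit=3 pid=4242 comm="backup" exe="/usr/bin/backup" key="home_watch"
type=PATH msg=audit(1700000000.404:103): item=0 name="/home/bob/d.txt" inode=14 mode=0100644
type=SYSCALL msg=audit(1700000900.505:104): arch=c000003e syscall=257 success=yes exit=3 pid=5151 comm="prowler" exe="/usr/bin/prowler" key="home_watch"
type=PATH msg=audit(1700000900.505:104): item=0 name="/home/alice/notes.txt" inode=15 mode=0100644
type=SYSCALL msg=audit(1700001000.606:105): arch=c000003e syscall=257 success=yes exit=3 pid=6161 comm="editor" exe="/usr/bin/editor" key="home_watch"
type=PATH msg=audit(1700001000.606:105): item=0 name="/home/alice/draft.txt" inode=16 mode=0100644
type=SYSCALL msg=audit(1700004500.707:106): arch=c000003e syscall=257 success=yes exit=3 pid=5151 comm="prowler" exe="/usr/bin/prowler" key="home_watch"
type=PATH msg=audit(1700004500.707:106): item=0 name="/home/bob/mail.mbox" inode=17 mode=0100644
type=SYSCALL msg=audit(1700008100.808:107): arch=c000003e syscall=257 success=yes exit=3 pid=5151 comm="prowler" exe="/usr/bin/prowler" key="home_watch"
type=PATH msg=audit(1700008100.808:107): item=0 name="/home/carol/todo.txt" inode=18 mode=0100644
type=SYSCALL msg=audit(1700008200.909:108): arch=c000003e syscall=257 success=yes exit=3 pid=6161 comm="editor" exe="/usr/bin/editor" key="home_watch"
type=PATH msg=audit(1700008200.909:108): item=0 name="/home/alice/draft.txt" inode=16 mode=0100644
type=SYSCALL msg=audit(1700011700.010:109): arch=c000003e syscall=257 success=yes exit=3 pid=5151 comm="prowler" exe="/usr/bin/prowler" key="home_watch"
type=PATH msg=audit(1700011700.010:109): item=0 name="/home/dave/report.doc" inode=19 mode=0100644
"""

# type=..., then the timestamp and serial inside msg=audit(SECS.MILLIS:SERIAL), then key=value fields
MSG_RE = re.compile(r'^type=(\w+) msg=audit\((\d+)\.(\d+):(\d+)\):\s*(.*)$')
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def _fields(rest):
    """Turn `a=1 b="two"` into {'a': '1', 'b': 'two'}."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
            for m in FIELD_RE.finditer(rest)}


def parse_events(raw_text):
    """Group SYSCALL and PATH records by serial into events: timestamp, pid, comm, set of paths."""
    events = {}
    for line in raw_text.splitlines():
        m = MSG_RE.match(line)
        if not m:
            continue
        rtype, secs, millis, serial, rest = m.groups()
        ev = events.setdefault(serial, {"ts": float(f"{secs}.{millis}"),
                                        "pid": None, "comm": None, "paths": set()})
        f = _fields(rest)
        if rtype == "SYSCALL":
            ev["pid"] = int(f["pid"])
            ev["comm"] = f.get("comm")
        elif rtype == "PATH" and "name" in f:
            ev["paths"].add(f["name"])
    return sorted(events.values(), key=lambda e: e["ts"])


def new_paths_per_window(events, window=WINDOW_SECONDS):
    """For each process name: window index -> paths it touched there for the first time."""
    base = int(min(e["ts"] for e in events) // window)
    seen = defaultdict(set)
    per_window = defaultdict(lambda: defaultdict(set))
    for e in events:
        if e["comm"] is None:  # PATH record without its SYSCALL record; nothing to attribute
            continue
        w = int(e["ts"] // window) - base
        fresh = e["paths"] - seen[e["comm"]]
        per_window[e["comm"]][w] |= fresh
        seen[e["comm"]] |= fresh
    return per_window


def cumulative_footprint(events, window=WINDOW_SECONDS):
    """The footprint curve: (window, cumulative distinct paths) for each window a process was active in."""
    curves = {}
    for comm, windows in new_paths_per_window(events, window).items():
        total, curve = 0, []
        for w in sorted(windows):
            total += len(windows[w])
            curve.append((w, total))
        curves[comm] = curve
    return curves


def persistence(events, window=WINDOW_SECONDS):
    """Number of windows in which the process reached at least one path it had never touched before."""
    return {comm: sum(1 for paths in windows.values() if paths)
            for comm, windows in new_paths_per_window(events, window).items()}


def flag_slow_prowlers(events, window=WINDOW_SECONDS, min_windows=3, max_new_per_window=2):
    """Processes whose footprint keeps growing over many windows by only a few paths each time.

    A burst (many new paths in one window) does not qualify, and neither does a process
    that keeps reopening the same file. Both thresholds are assumptions to tune per host.
    """
    flagged = []
    for comm, windows in new_paths_per_window(events, window).items():
        growth = [len(p) for p in windows.values() if p]
        if len(growth) >= min_windows and max(growth) <= max_new_per_window:
            flagged.append(comm)
    return sorted(flagged)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_AUDIT_LOG)
    for comm, curve in cumulative_footprint(evs).items():
        print(f"{comm:10s} footprint {curve}")
    print("windows with new paths:", persistence(evs))
    print("slow prowlers:", flag_slow_prowlers(evs))
```

On the constructed sample, the backup job reaches four files inside one window and then stops, the editor reopens the same file twice, and only the slow process grows by one new file in every window, which is the persistence pattern the text describes. On a real host the same functions can be fed the output of `ausearch -k home_watch --raw` for each period; a real log also carries the user and session fields, which are worth adding to the grouping key so that one process name running under two accounts is not merged.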