Time-based Correlation of Malicious Events and their Connections, presented at FloCon 2019

by Steven Nicholls

Summary: In the cyber security arena, many events of interest occur in conjunction with network connection events. For example, a connection to a suspected malware command and control node might precede a hidden process disabling security logging on a compromised computer. Associating such malicious events with their related connections is a critical task in network forensics. Oftentimes a suspicious connection can tip off investigators to previously overlooked events, and vice versa. However, in many cases, associating events with corresponding connections is difficult due to network layering, dynamic addressing, or gaps in sensor coverage. Inevitably, the investigator will invoke timestamps to help correlate events with possible connections. In this presentation, we discuss automating this approach with a Time Based Correlation big data analytic that uses a statistical approach to gauge independence between events and possibly related connections. We include the results of a validating discrete event simulation that identifies under which conditions this approach provides the best performance and fewest false positives. We discuss scaling this analytic to the DoD enterprise level and its use in helping detect various anomalies.

Attendees will learn: How to automate the use of statistics to help link events and connections in a timeline during an incident or forensic investigation. This includes under which conditions time can be definitive in linking events and when it must be combined with other methods.
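As an added illustration of the time-based idea described above (not the presenter's analytic, whose statistic the abstract does not specify), the following Python scores each connection by how many security events it precedes within a fixed window, then tests independence with a circular-shift permutation test; the connection keys, timestamps and the 10-second window are constructed assumptions.

```python
"""Rank candidate connections for a set of host events by time proximity.

Assumed model: a related connection starts shortly BEFORE the event
(e.g. a C2 session precedes logging being disabled). Independence is
judged by a permutation test that shifts the connection timeline
circularly, which preserves beaconing periodicity in the null model.
"""
import random

# Constructed sample timeline (seconds since capture start), not real data.
CONNECTIONS = {
    "10.0.0.5->198.51.100.7:443": [100.0, 400.0, 700.0, 1000.0],
    "10.0.0.5->203.0.113.9:80": [50.0, 300.0, 800.0, 1200.0, 1500.0],
}
EVENTS = [103.5, 402.0, 701.2, 1004.0]  # e.g. "audit logging disabled"
SPAN = 1600.0    # length of the observation window in seconds
WINDOW = 10.0    # max seconds a connection may precede its event


def lag_score(conn_times, event_times, window):
    """Fraction of events with some connection starting 0..window s before."""
    hits = sum(1 for e in event_times
               if any(0.0 <= e - c <= window for c in conn_times))
    return hits / len(event_times)


def permutation_pvalue(conn_times, event_times, span, window,
                       trials=2000, seed=1):
    """Return (observed score, p-value) under the independence null.

    The null is generated by rotating all connection times by one random
    offset, so inter-connection spacing (beacon period) is kept intact.
    """
    observed = lag_score(conn_times, event_times, window)
    rng = random.Random(seed)
    at_least = 0
    for _ in range(trials):
        shift = rng.uniform(0.0, span)
        shifted = [(c + shift) % span for c in conn_times]
        if lag_score(shifted, event_times, window) >= observed:
            at_least += 1
    return observed, (at_least + 1) / (trials + 1)


def rank_connections(connections, event_times, span, window):
    """Sort connections by p-value (most likely related first)."""
    rows = [(key, *permutation_pvalue(times, event_times, span, window))
            for key, times in connections.items()]
    return sorted(rows, key=lambda r: (r[2], -r[1]))


if __name__ == "__main__":
    for key, score, p in rank_connections(CONNECTIONS, EVENTS, SPAN, WINDOW):
        print(f"{key}: score={score:.2f} p={p:.4f}")
```

A low p-value only says the timing is unlikely under independence; as the abstract notes, when sensor gaps or NAT blur the timeline the result should be combined with other evidence.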