Finding Attack Patterns at the Digital Crime Scene
Using scientific methods, Symantec researchers aim to profile the IT threat landscape.
In the physical world of criminal investigation, police investigators aim to build a profile of the criminal in an effort to help catch the guilty party. The same basic idea is now being applied in the cyber world.
Symantec Labs has been working on a number of different research efforts under the project names WOMBAT (Worldwide Observatory of Malicious Behaviors and Attack Threats) and VIS-SENSE to try and help profile and detect online criminal activity. Marc Dacier, senior director at Symantec told InternetNews.com that the WOMBAT project was a joint project funded by the European Union that led to some practical use at Symantec.
"The idea behind WOMBAT was to evaluate from a rigorous scientific point of view what is going on in the online threat landscape," Dacier said.
With WOMBAT, existing data as well as new data was collected and enriched to provide additional information. In many cases, the raw data is not enough to explain what is really going on so there is a need for more contextual information.
"If you make an analogy between a cyber crime and a real crime, like say a murder where there is a dead body, you will not just look at the dead body," Dacier said. An investigator at a murder crime scene will look at the overall crime scene to note the environment and other circumstantial data. With the WOMBAT data enrichment, the raw data gets that type of environmental data to help deliver a better understanding of the cyber crime scene.
Rounding out the effort, the project aimed to find a method that would link events together that are all related to the same root cause -- an attack that utilizes the same method or is perpetrated by the same organization.
"For example, if you're LAPD and you have thousands of crime scene files and you think there is a serial killer that is responsible for a number of crimes how could you figure that out?," Dacier said. "The way you find a serial killer is they use the same modus operandi (MO) again and again."
With cybercrime it's even more difficult to find that common method as new defense mechanisms emerge that attackers are trying to evade. Fundamentally, cybercrime is about making money efficiently which requires the use of tools. "If you apply tools again and again, they will leave fingerprints in the way they act," Dacier said.
Going a step further, the WOMBAT effort generated a lot of information that required another project to analyze and visualize the results. The VIS-SENSE project is all about making visual sense of the data that comes from the WOMBAT methods. On the surface the WOMBAT/VIS-SENSE effort might appear to be similar to what an security incident and event management (SIEM) platform might be able to provide, but that's not the case.
"We're not trying to do the correlation of events like an SIEM platform. That's aimed more at providing a real time analysis of security events and logs," Dacier said. "An SIEM ends at providing you with a warning system."
In contrast, the WOMBAT effort is taking a big picture view, looking at a number of things that are happening all around the world and trying to find out who is behind the activity.
While the WOMBAT effort was initially a multi-stakeholder research effort, the WOMBAT project has led to the SGnet next generation honeypot. SGnet is a lightweight honeypot that provides a rich set of information on attacks. Symantec is also using the WOMBAT triage system internally in their backend operations for the Symantec Cloud to understand spam trends.