3 Ways to Utilize Process Behavior Data
Feb 23, 2022
First - what is it?
If you are unfamiliar with process behavior data, check out our Insights data. By sifting through our database, you can quickly begin to understand what process behavior data looks like.
EchoTrail collects and analyzes behavioral data for hundreds of thousands of Windows processes. Our sensors monitor process executions and collect and analyze data such as parent process, hash, command line arguments, path, files written, DLLs loaded, network connections made, etc. Much of this data is made freely available via our website and our API.
This data can be very useful for IT Security Analysts and Detection Engineers. Here are a few ways to utilize process behavior data.
1) Integrate it with your Security Orchestration Automation and Response (SOAR) platform
SOAR platforms are an excellent place to pull in data from multiple sources to enrich your security alerts and automate actions on them. For security alerts that include a Windows process name, you can easily enrich that alert and save an analyst time doing research. Most endpoint-based security alerts will contain a process name, path, hash, etc. By pulling in EchoTrail data and correlating it with your alert data, you can not only enrich the alert before an analyst triages it, but also score it, upgrading or downgrading its criticality based on how well it conforms to the commonly seen behavior we've observed and captured in our Insights data.
EchoTrail is not opinionated about what behavior is good or bad; it simply captures what is. If the vast majority of Windows computers in the vast majority of environments execute a process in a similar fashion, then a departure from that norm might be concerning and worth elevating to an analyst for a closer look.
2) Threat Detection Research
There are a huge number of threat detection opportunities that can come out of scouring EchoTrail data. As previously mentioned, EchoTrail does not typically try to label a process as good or bad, but simply captures how it behaves. That said, you can look through our dataset and see how processes normally behave. While some processes show quite a bit of variation, others, especially built-in Windows processes, behave in a very strict way over and over again. Creating detections that look for departures from this norm can be very rewarding. Attackers that are living off the land and using built-in OS commands to move laterally will often trigger detections that look for anomalous process behavior.
Another way to use our process behavior data is to have your threat detection infrastructure pull EchoTrail data in as process executions are observed. That data can then be compared to the observed execution and scored. Several fields can be compared to calculate an overall score, such as filename, hash, path, parent, children, etc. Executables that behave fairly normally can be safely ignored, while those that depart from that norm in considerable ways, e.g. a filename and hash that don't match, should be flagged for review by a human.
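To make the scoring idea from sections 1 and 2 concrete, here is an added example (not EchoTrail's code and not its API schema): a small Python scoring step of the kind a SOAR playbook or detection pipeline would run. It compares an observed execution's path, hash, parent and children against a baseline record of how that filename normally behaves, adds points for each departure, maps the total to an upgrade/keep/downgrade action, and raises a human-review flag for the "filename known but path and hash both unseen" case. The BASELINE record, its field names, the prevalence numbers, the WEIGHTS and the thresholds are all constructed assumptions; the hash values are placeholders.

```python
"""
Added example (not EchoTrail's code): score an observed Windows process
execution against a baseline of how that process normally behaves, the way a
SOAR enrichment step or a detection pipeline would. The baseline record, its
field names and every prevalence number below are CONSTRUCTED assumptions,
not the real Insights API schema.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed baseline: the fraction of recorded svchost.exe executions that
# used each path, hash, parent and child. Keys are lower-cased for matching.
BASELINE = {
    "svchost.exe": {
        "paths": {
            r"c:\windows\system32\svchost.exe": 0.97,
            r"c:\windows\syswow64\svchost.exe": 0.03,
        },
        "hashes": {"sha256-placeholder-a": 0.80, "sha256-placeholder-b": 0.20},
        "parents": {"services.exe": 0.99, "msmpeng.exe": 0.01},
        "children": {"werfault.exe": 0.30, "rundll32.exe": 0.20},
    }
}

# Points each kind of departure from the norm is worth (assumed weights).
WEIGHTS = {"path": 30, "hash": 25, "parent": 30, "children": 15}
RARE = 0.05  # prevalence below this counts as "seen, but rare"


@dataclass
class ProcessEvent:
    """One observed execution, as an EDR alert or telemetry event would carry it."""
    filename: str
    path: str
    sha256: str
    parent: str
    children: list[str] = field(default_factory=list)


@dataclass
class Verdict:
    score: int            # 0 = matches the baseline, 100 = nothing matches
    action: str           # "downgrade" | "keep" | "upgrade" the alert's criticality
    review: bool          # filename known, but path AND hash never seen
    reasons: list[str] = field(default_factory=list)


def _deviation(kind: str, value: str, dist: dict[str, float]) -> tuple[int, str | None]:
    """Full weight if never seen, half weight if seen but rare, otherwise 0."""
    prevalence = dist.get(value.lower(), 0.0)
    if prevalence == 0.0:
        return WEIGHTS[kind], f"{kind} {value!r} never seen for this filename"
    if prevalence < RARE:
        return WEIGHTS[kind] // 2, f"{kind} {value!r} is rare ({prevalence:.0%})"
    return 0, None


def _action(score: int) -> str:
    """Map the score onto an alert criticality change (assumed thresholds)."""
    if score < 10:
        return "downgrade"
    if score < 50:
        return "keep"
    return "upgrade"


def score_event(ev: ProcessEvent, baseline: dict = BASELINE) -> Verdict:
    """Compare one execution with the baseline for its filename and score it."""
    rec = baseline.get(ev.filename.lower())
    if rec is None:
        # A filename the baseline has never recorded is itself worth a look.
        return Verdict(100, "upgrade", True, ["filename not present in baseline"])

    score, reasons, unseen = 0, [], set()
    for kind, value, dist in (
        ("path", ev.path, rec["paths"]),
        ("hash", ev.sha256, rec["hashes"]),
        ("parent", ev.parent, rec["parents"]),
    ):
        pts, why = _deviation(kind, value, dist)
        score += pts
        if why:
            reasons.append(why)
        if pts == WEIGHTS[kind]:
            unseen.add(kind)

    # Children: any child never recorded under this process costs the full weight once.
    unknown_children = [c for c in ev.children if c.lower() not in rec["children"]]
    if unknown_children:
        score += WEIGHTS["children"]
        reasons.append(f"unexpected children {unknown_children}")

    review = {"path", "hash"} <= unseen  # the "filename and hash not matching" case
    return Verdict(min(score, 100), _action(score), review, reasons)


if __name__ == "__main__":
    # Two constructed events: one that matches the baseline, one that does not.
    normal = ProcessEvent("svchost.exe", r"C:\Windows\System32\svchost.exe",
                          "sha256-placeholder-a", "services.exe")
    masquerade = ProcessEvent("svchost.exe", r"C:\Users\Public\svchost.exe",
                              "sha256-unknown", "explorer.exe", ["cmd.exe"])
    for ev in (normal, masquerade):
        print(ev.path, score_event(ev))
```

In a real pipeline the baseline record would be fetched from the API per filename and cached, and the weights tuned to your environment; the point of the structure is that every added point comes with a human-readable reason, so the analyst who receives an upgraded alert sees exactly which field departed from the norm.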
3) Intel Reporting
For those who need to produce intel reports on recent attacker activity and exploits, EchoTrail can be a nice resource for better understanding the processes involved. Oftentimes when analysts report on a particular adversary campaign, many materials need to be gathered in order to effectively communicate what happened. When Windows processes are involved in the attack pattern, EchoTrail Insights can be a very useful tool to help readers understand how a given process fits into the bigger picture. Is it a common process, or something that’s rarely seen? How does it normally behave? What is the purpose of the program? Answering common questions such as these ahead of time helps the reader better understand the overall shape of an attack and how the victim’s resources were used against them.
These are just a few of the ways that process behavior data can be useful to a security team. It's easy to get started by creating a free account and signing up for our free API tier. Check out the API docs to see how to get started. The queries are straightforward and the bar to getting started is low. Reach out with any questions and we're happy to help!