EchoTrail Insights Explained
This guide introduces the data in EchoTrail Insights, what it describes, and how it can benefit you. Understanding this dataset can help your analysts work faster, jump-start hunt operations, and help you write high-quality detections.
Overview of Insights Data
Our Insights database captures how programs typically behave. A program, which becomes a process when it runs, exhibits a variety of behaviors. These behaviors cover actions like:
- launching a child process
- making a network connection to another computer
- loading additional code in the form of a DLL or another shared library
- writing a file to disk
There are additional attributes that aren't behaviors as such, but they are included because they help describe the profile of a process execution. These attributes include:
- the path a process was launched from
- the parent process that launched it
- the grandparent process that launched its parent
- the hash of the process that was launched
We capture those profiles in order to calculate and store a statistical model of each process we observe running in the wild.
"In the wild" simply refers to the type of hosts the data was collected from: in this case, machines running in real, active environments rather than simulated in a lab.
Understanding Normal Behavior
Our statistical model allows us to learn a lot about how most programs typically behave. Many programs display fairly consistent behaviors over time, while some display a wide variety of behaviors. What is useful to a security practitioner is knowing the difference between what they have observed and what is normal or typical for a given process.
Browsing our Insights database is a good way to gain a better understanding of how operating system processes normally behave. Those built-in OS processes should be among the most consistent in behavior, and they are also among the most abused or mimicked by attackers. That reliability in expected behavior gives defenders an advantage: any deviation from expected behavior should be quite noticeable. Leveraging this framework provides many opportunities to improve your defensive security.
Common Use Cases for EchoTrail Insights
- Education - Gaining a better understanding of normal endpoint activity leads to a better understanding of how attacker activity might present itself.
- Lookup / Enrichment - When resolving an alert involving an endpoint process, using EchoTrail Insights as a reference point can help you judge whether the alert in question has merit or is likely a false positive.
- Detection Development - Detection engineers need to understand both attacker TTPs (tactics, techniques and procedures) and normal endpoint activity. Many detections fail due to a high false positive rate, and as many seasoned security folks know, a great detection with a high false positive rate is not actually a great detection. Using Insights to understand normal behavior, a detection engineer can gain confidence that their detection rule won't create an abundance of false positives while still capturing the intended attacker activity.
- Threat Hunting Reference - Threat Hunters need the same starting point of knowledge as detection engineers, but they also need some theories about where to start looking. Combining knowledge of attacker TTPs with knowledge of normal endpoint behavior, Threat Hunters are tasked with sifting through endpoint activity to find malicious behaviors. The best way to find the needle in the haystack is to shrink the haystack, and Hunters can do that by weeding out normal activity first. As normal activity is removed, any potentially malicious or otherwise unwanted activity starts to rise to the surface. EchoTrail Insights is a great reference tool for Hunters to use to weed out the normal, which in the case of hunting is the noise. Less noise means more signal.
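To make the profile idea from the overview and the "shrink the haystack" use case concrete, here is an added example that is not EchoTrail's code and does not use its data: it builds a small per-process profile (image path, parent, grandparent prevalence) from constructed process-start records, then filters a constructed hunt sample down to only the events that deviate from each process's profile. All process names, paths and the 10% rarity threshold are assumptions chosen for illustration.

```python
from collections import Counter, defaultdict

# Constructed process-start records (hypothetical telemetry, not EchoTrail's own
# data): (process, image path, parent process, grandparent process).
BASELINE = (
    [("svchost.exe", r"C:\Windows\System32", "services.exe", "wininit.exe")] * 40
    + [("svchost.exe", r"C:\Windows\System32", "msmpeng.exe", "services.exe")] * 2
    + [("cmd.exe", r"C:\Windows\System32", "explorer.exe", "userinit.exe")] * 15
    + [("cmd.exe", r"C:\Windows\System32", "powershell.exe", "explorer.exe")] * 3
)
ATTRS = ("path", "parent", "grandparent")

def build_profiles(records):
    """Per-process profile: how often each path, parent and grandparent was seen."""
    profiles = defaultdict(lambda: {"total": 0, **{a: Counter() for a in ATTRS}})
    for proc, *values in records:
        prof = profiles[proc.lower()]
        prof["total"] += 1
        for attr, value in zip(ATTRS, values):
            prof[attr][value.lower()] += 1
    return profiles

def score_event(profiles, proc, path, parent, gparent, rare_below=0.10):
    """Return {attribute: prevalence} for each attribute that deviates from the profile."""
    prof = profiles.get(proc.lower())
    if prof is None:  # never-profiled process: every attribute is a deviation
        return {a: 0.0 for a in ATTRS}
    deviations = {}
    for attr, value in zip(ATTRS, (path, parent, gparent)):
        prevalence = prof[attr][value.lower()] / prof["total"]
        if prevalence < rare_below:  # rare or never seen for this process
            deviations[attr] = round(prevalence, 3)
    return deviations

def shrink_haystack(profiles, events, rare_below=0.10):
    """Drop events that match their process's profile; keep the rest with reasons."""
    kept = []
    for event in events:
        deviations = score_event(profiles, *event, rare_below=rare_below)
        if deviations:
            kept.append((event, deviations))
    return kept

HUNT = [  # constructed hunt sample: two normal starts, one odd path, one odd parent
    ("svchost.exe", r"C:\Windows\System32", "services.exe", "wininit.exe"),
    ("svchost.exe", r"C:\Users\Public", "services.exe", "wininit.exe"),
    ("cmd.exe", r"C:\Windows\System32", "explorer.exe", "userinit.exe"),
    ("cmd.exe", r"C:\Windows\System32", "winword.exe", "explorer.exe"),
]
```

Running `shrink_haystack(build_profiles(BASELINE), HUNT)` keeps only the odd-path svchost.exe start and the odd-parent cmd.exe start, each tagged with the attribute that made it rare; a rare-but-seen combination (svchost.exe under msmpeng.exe here) surfaces with its low prevalence rather than a flat zero, which is the distinction a hunter wants when deciding what to look at first.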