Source URL: https://blog.talosintelligence.com/scarcity-signals-are-rare-activities-red-flags/
Source: Cisco Talos Blog
Title: Scarcity signals: Are rare activities red flags?
Feedly Summary: Talos analyzed six months of PowerShell network telemetry and found that rare domains are over three times more likely to be malicious compared to frequently contacted ones.
AI Summary and Description: Yes
**Summary:**
Cisco Talos analyzed six months of PowerShell network-connection telemetry and found that rarely contacted domains were more likely to be malicious than frequently contacted ones, although the difference did not reach statistical significance. The post also shows that subdomains of high-volume, normally legitimate services (raw.githubusercontent.com in the example given) can host malicious content and deserve scrutiny of their own. This is relevant to detection engineers and security-operations teams refining threat-hunting and detection methods.
**Detailed Description:**
The Talos post examines whether domain rarity, measured as how often PowerShell contacted a base domain over the observation window, is a useful signal of maliciousness. Key takeaways:
– **Data Overview:**
– Analyzed 3.2 million log events and 742 unique base domains.
– Focused on connections made by various versions of PowerShell over a defined period from June 1, 2024, to December 31, 2024.
– **Key Findings:**
– Rare domains (defined as ≤5 contacts over the period) were 3.18 times more likely to be malicious than frequently contacted domains, although this result was not statistically significant.
– The non-rare base domain githubusercontent.com illustrates the limit of rarity as a signal: its subdomain raw.githubusercontent.com was contacted by PowerShell commands that downloaded PowerSploit scripts and executed Invoke-Mimikatz, so a high-volume, normally legitimate domain still carried malicious activity.
– **Research Methodology:**
– Data processing involved extracting the base domain from each contacted host and measuring rarity as the number of contacts per base domain.
– Manual review combined with threat-intelligence lookups (ReversingLabs) verified which domains were malicious and reduced false positives.
– **Statistical Highlights:**
– 1.64% of rare domains were malicious versus 0.52% of non-rare domains, which is where the roughly threefold difference comes from.
– High-volume domains such as automox.com and amazonaws.com accounted for a large share of contacts, a volume under which malicious use of individual subdomains can hide.
– **Threat Detection Enhancements:**
– Security teams should still prioritize rare domains in investigations despite the statistical uncertainty.
– Subdomains of frequently contacted base domains should be analyzed separately, since a benign base domain can host malicious content.
– Automated threat intelligence should be combined with manual review, especially for high-traffic domains where verdicts are nuanced.
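The methodology above (base-domain extraction, a ≤5-contact rarity cutoff, a malicious rate per group) and the subdomain point (busy base domains hiding a suspicious host such as raw.githubusercontent.com) can be demonstrated on a small set of events. The following is an added example and not Talos's analysis code; the telemetry, the PowerShell process names, the small list of two-label public suffixes, and the malicious verdicts are all constructed for illustration, and a real pipeline should use the full Public Suffix List (for example the tldextract package) rather than the hand-made suffix set:

```python
"""Domain-rarity and subdomain analysis over PowerShell network-connection events.

Added example, not Cisco Talos's analysis code. Assumptions (all constructed):
- an event is a (process_name, destination_host) pair taken from telemetry;
- the registrable "base domain" is approximated by the last two labels, with a
  tiny hand-made list of two-label public suffixes; production code should use
  the full Public Suffix List (e.g. the tldextract package) instead;
- the malicious verdicts stand in for the manual review / threat-intel lookup.
"""
from collections import Counter, defaultdict

RARE_THRESHOLD = 5  # the post's definition of "rare": <= 5 contacts in the window
POWERSHELL_BINARIES = ("powershell.exe", "pwsh.exe", "powershell_ise.exe")  # assumption
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}  # assumption, not the full PSL


def base_domain(host: str) -> str:
    """Registrable domain of a host, e.g. raw.githubusercontent.com -> githubusercontent.com."""
    labels = host.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def contact_counts(events):
    """Contacts per base domain and per full host, PowerShell processes only."""
    by_base = Counter()
    by_host = defaultdict(Counter)
    for process, host in events:
        if process.lower() not in POWERSHELL_BINARIES:
            continue  # only PowerShell-initiated connections are in scope
        base = base_domain(host)
        by_base[base] += 1
        by_host[base][host.lower()] += 1
    return by_base, by_host


def rarity_split(by_base, threshold=RARE_THRESHOLD):
    """Partition base domains into rare (<= threshold contacts) and non-rare."""
    rare = {d for d, n in by_base.items() if n <= threshold}
    return rare, set(by_base) - rare


def malicious_rate(domains, verdicts):
    """Fraction of the given base domains with a malicious verdict (0.0 if empty)."""
    if not domains:
        return 0.0
    return sum(1 for d in domains if verdicts.get(d, False)) / len(domains)


def rarity_risk_ratio(by_base, verdicts, threshold=RARE_THRESHOLD):
    """Rare-vs-non-rare malicious rates and how much likelier a rare domain is to be malicious."""
    rare, common = rarity_split(by_base, threshold)
    rare_rate = malicious_rate(rare, verdicts)
    common_rate = malicious_rate(common, verdicts)
    if common_rate:
        ratio = rare_rate / common_rate
    else:
        ratio = float("inf") if rare_rate else 0.0  # avoid dividing by zero
    return rare_rate, common_rate, ratio


def subdomain_breakdown(by_host, base):
    """Hosts under a high-volume base domain, busiest first; this is the view in which a
    low-volume host such as raw.githubusercontent.com becomes visible."""
    return by_host[base].most_common()


# Constructed sample telemetry shaped like the post's observations: a few high-volume
# management/CDN domains, a non-rare GitHub domain whose raw.* host carries the
# suspicious downloads, and a handful of rare domains. Not real data.
SAMPLE_EVENTS = (
    [("powershell.exe", "agent.automox.com")] * 20
    + [("powershell.exe", "s3.amazonaws.com")] * 12
    + [("powershell.exe", "objects.githubusercontent.com")] * 6
    + [("powershell.exe", "raw.githubusercontent.com")] * 2
    + [("powershell.exe", "cdn.example.net")] * 3
    + [("pwsh.exe", "telemetry.example.org")] * 5  # exactly at the threshold -> rare
    + [("powershell.exe", "update-check.example")] * 1
    + [("powershell.exe", "a.payload.example")] * 2
    + [("chrome.exe", "www.google.com")] * 50  # not PowerShell, ignored
)

# Constructed verdicts standing in for manual review plus threat-intel lookup.
SAMPLE_VERDICTS = {
    "githubusercontent.com": True,  # non-rare, flagged because of raw.* activity
    "update-check.example": True,
    "payload.example": True,
}


def analyze(events=SAMPLE_EVENTS, verdicts=SAMPLE_VERDICTS):
    """Run the whole pipeline and return the figures a report would show."""
    by_base, by_host = contact_counts(events)
    rare_rate, common_rate, ratio = rarity_risk_ratio(by_base, verdicts)
    return {
        "rare_rate": rare_rate,
        "common_rate": common_rate,
        "ratio": ratio,
        "top": by_base.most_common(3),
        "github_hosts": subdomain_breakdown(by_host, "githubusercontent.com"),
    }


if __name__ == "__main__":
    for key, value in analyze().items():
        print(f"{key}: {value}")
```

On the constructed data the rare group's malicious rate is higher than the non-rare group's, mirroring the post's direction of effect, while `subdomain_breakdown` shows why a per-base-domain count alone misses raw.githubusercontent.com: its two contacts are buried under the busier objects.githubusercontent.com host. In production the verdict dictionary would be populated from the review process, and the rarity threshold should be re-derived for the observation window in use.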
– **Recommendations for Future Research:**
– Temporal analysis to find patterns in when domains are contacted that correlate with malicious activity.
– Behavioral analysis of PowerShell process arguments (the command lines that produced the connections) to build more precise detections.
– A multi-factor risk score that prioritizes both rare and non-rare domains for review.
The practical takeaway is that domain rarity is a useful but weak prioritization signal for PowerShell network activity, and that subdomain scrutiny of trusted high-volume services is needed alongside it to protect cloud and on-premises infrastructure.