Endpoint Behaviour Monitoring

TL;DR

This guide shows you how to set up behaviour monitoring in your Endpoint Protection Platform (EPP) to detect suspicious activity, including legitimate, signed software being abused by an attacker. We’ll cover defining rules, setting sensitivity levels, reviewing alerts and tuning out false positives.

1. Understand Behaviour Monitoring

Traditional antivirus relies on signatures of known bad files. Behaviour monitoring looks at what programs are doing – their actions – rather than only at who they are. This is what catches zero-day malware and attacks that use nothing but built-in, signed system tools (“living off the land”), where there is no bad file to match.

  • What it watches: Processes spawning other processes, creating or renaming files, opening network connections, changing the registry, running commands, etc.
  • Why it’s important: Detects ransomware encrypting files even when the ransomware binary has never been seen before and so has no signature.

2. Access Behaviour Monitoring Settings

The exact location varies depending on your EPP (e.g., CrowdStrike Falcon, SentinelOne Singularity, Microsoft Defender for Endpoint). Generally, look for sections like:

  • “Threat Prevention”
  • “Behavioural Protection”
  • “Advanced Threat Detection”
  • “Custom Rules” or “Mitigation Rules”

You’ll likely need administrator privileges to make changes.

3. Define Behaviour Monitoring Rules

This is the core of the setup. You create rules that trigger alerts when specific actions happen. Start with common attack patterns:

  1. Rule 1: Suspicious Process Creation
    • Trigger: Microsoft Word (winword.exe) spawns a command interpreter (cmd.exe or powershell.exe), typically through a malicious macro. Word has no business launching a shell, so the parent–child pair is a strong signal; extend the rule to excel.exe and powerpnt.exe, and to shells spawned further down the tree (winword.exe starting cmd.exe, which in turn starts powershell.exe).
    • Sensitivity: Medium – High. Some add-ins and deployment scripts do this legitimately, so false positives are possible, but the cost of missing a macro-based intrusion is higher than the cost of triaging a few benign hits.
  2. Rule 2: Ransomware File Activity
    • Trigger: A single process modifies or renames a large number of user files in a short window (e.g., more than 100 files per minute), especially when the new names carry an extension associated with ransomware (.encrypted, .ransom, .locked). The EPP cannot see “encryption” as such; it sees the burst of writes and renames, and some products additionally check that the written content is high-entropy.
    • Sensitivity: High – Very High. Ransomware is critical; prioritize accurate detection even if it means some false positives from backup agents, archivers and bulk converters, which you then exclude narrowly rather than by switching the rule off.
  3. Rule 3: Network Connection to Known Bad IPs/Domains
    • Trigger: A process attempts a connection to an IP address or domain on a threat intelligence list (use your EPP’s built-in feeds, or integrate external sources).
    • Sensitivity: High. A hit on a well-curated feed is usually a genuine indicator, but feeds go stale and shared-hosting or CDN addresses sometimes appear on them, so confirm the originating process and the full destination before acting.

Most EPPs allow you to specify:

  • Processes: Which programs the rule applies to (e.g., all processes, specific executables).
  • Actions: What actions trigger the alert (e.g., file creation, network connection, registry modification).
  • Conditions: Specific criteria that must be met (e.g., number of files encrypted per minute, destination IP address).

4. Configure Sensitivity Levels

Sensitivity controls how aggressively the EPP looks for suspicious behaviour.

  • Low: Fewer alerts, higher chance of missing threats. Suitable for an initial, audit-only rollout or for hosts where alert volume must stay minimal, with the understanding that it will miss things.
  • Medium: Balance between detection and false positives. A good starting point for general workstations.
  • High: More alerts, lower chance of missing threats. Requires more investigation time; appropriate for servers and the machines of privileged users.
  • Very High: Most aggressive; expect frequent alerts. Reserve it for high-value hosts or for the duration of an active incident.

Adjust sensitivity based on your environment and risk tolerance.
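
The three rules and the sensitivity thresholds above, worked through in a small Python engine. This is an added illustration, not any EPP vendor’s rule syntax or code: the process names, ransom-style extensions, threat-intel hosts, per-level thresholds and the telemetry trace are all constructed for the example. It goes one step beyond the text for Rule 1: it walks the whole ancestor chain, so winword.exe starting cmd.exe which starts powershell.exe is caught even though Word is not PowerShell’s direct parent.

```python
"""Toy behaviour-monitoring engine (added example; not an EPP vendor's rule
syntax). All telemetry below is constructed, not captured from a real host."""
import os
from collections import defaultdict, deque
from dataclasses import dataclass

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
RANSOM_EXTENSIONS = {".encrypted", ".ransom", ".locked"}
# Hypothetical threat-intel feed (documentation-range IP and reserved domain).
BAD_HOSTS = {"203.0.113.10", "bad.example"}
# Sensitivity picks how many ransom-style writes per window count as "rapid".
RANSOM_THRESHOLDS = {"low": 500, "medium": 200, "high": 100, "very_high": 25}


@dataclass
class Event:
    ts: float          # seconds since start of trace
    kind: str          # "process" | "file" | "network"
    pid: int
    image: str         # image name of the acting process
    ppid: int = 0      # process events: parent pid
    path: str = ""     # file events: path written or renamed to
    dest: str = ""     # network events: destination host or IP


@dataclass
class Alert:
    rule: str
    pid: int
    detail: str


class BehaviourMonitor:
    def __init__(self, sensitivity="medium", window=60.0):
        self.threshold = RANSOM_THRESHOLDS[sensitivity]
        self.window = window
        self.parent, self.image = {}, {}             # pid -> ppid / image name
        self.writes = defaultdict(deque)             # pid -> recent write timestamps
        self.alerts, self._fired = [], set()

    def _raise(self, rule, pid, detail):
        if (rule, pid) not in self._fired:           # one alert per rule per process
            self._fired.add((rule, pid))
            self.alerts.append(Alert(rule, pid, detail))

    def ancestors(self, pid):
        """Image names of pid's parent, grandparent, ... ("?" if unknown); cycle-safe."""
        seen = set()
        while pid in self.parent and pid not in seen:
            seen.add(pid)
            pid = self.parent[pid]
            yield self.image.get(pid, "?")

    def feed(self, ev):
        img = ev.image.lower()
        if ev.kind == "process":
            self.parent[ev.pid], self.image[ev.pid] = ev.ppid, img
            # Rule 1: a shell with an Office app anywhere up the tree, not only
            # as the direct parent (catches winword -> cmd -> powershell).
            chain = list(self.ancestors(ev.pid))
            if img in SHELLS and OFFICE_APPS & set(chain):
                self._raise("office_spawns_shell", ev.pid, " <- ".join([img, *chain]))
        elif ev.kind == "file":
            # Rule 2: many writes with a ransom-style extension in a sliding window.
            if os.path.splitext(ev.path)[1].lower() in RANSOM_EXTENSIONS:
                t = self.writes[ev.pid]
                t.append(ev.ts)
                while t and ev.ts - t[0] > self.window:
                    t.popleft()
                if len(t) >= self.threshold:
                    self._raise("ransomware_file_activity", ev.pid,
                                f"{img}: {len(t)} ransom-style writes in {self.window:.0f}s")
        elif ev.kind == "network":
            # Rule 3: destination on the (hypothetical) threat-intel list.
            if ev.dest.lower() in BAD_HOSTS:
                self._raise("known_bad_destination", ev.pid, f"{img} -> {ev.dest}")


def sample_events():
    """Constructed trace: a macro chain that beacons out, then a bulk renamer."""
    evs = [
        Event(0.0, "process", 100, "explorer.exe", ppid=1),
        Event(1.0, "process", 200, "WINWORD.EXE", ppid=100),
        Event(2.0, "process", 300, "cmd.exe", ppid=200),
        Event(2.5, "process", 400, "powershell.exe", ppid=300),
        Event(3.0, "network", 400, "powershell.exe", dest="203.0.113.10"),
        Event(4.0, "process", 500, "updater.exe", ppid=100),
    ]
    # 120 renames in 30 s: above the "high" threshold (100), below "medium" (200).
    evs += [Event(5.0 + i * 0.25, "file", 500, "updater.exe",
                  path=f"C:\\Users\\a\\Documents\\doc{i}.docx.encrypted")
            for i in range(120)]
    return evs


def run(sensitivity="medium"):
    """Replay the constructed trace at a given sensitivity; returns the alerts."""
    mon = BehaviourMonitor(sensitivity)
    for ev in sample_events():
        mon.feed(ev)
    return mon.alerts


if __name__ == "__main__":
    for level in ("medium", "high"):
        print(f"--- sensitivity={level}")
        for a in run(level):
            print(f"{a.rule:26} pid={a.pid:<4} {a.detail}")
```

Running it at medium produces three alerts (both shells under Word, plus the beacon) while the 120-file burst stays silent; at high the same trace also raises the ransomware alert, which is exactly the trade-off the sensitivity levels describe. Real products apply the same ideas with far richer context (signer, command line, file entropy), but the shape of the logic is the same.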

5. Review Alerts Regularly

Behaviour monitoring is only effective if you investigate the alerts it generates.

  1. Access the Alert Dashboard: Find this in your EPP’s interface (usually under “Threats”, “Incidents”, or “Alerts”).
  2. Prioritize Alerts: Focus on high-severity alerts first.
  3. Investigate: Examine the details of each alert to determine if it’s a genuine threat.

    • Process Tree: See which process started the suspicious activity, and what started that. A shell under an Office application or a browser is far more suspicious than the same shell under a scheduled task you own.
    • File Hashes: Look the file’s hash up on VirusTotal or a similar service. Search by hash rather than uploading the file, since uploads become visible to other subscribers and may contain internal data, and treat “not found” as “unknown”, not as “clean”.
    • Network Connections: Identify the destination IP address and domain, the port, and whether other hosts in the estate have contacted the same destination.
  4. Take Action: If it’s a threat, isolate the affected endpoint from the network, capture what you need for forensics (memory, process list, the relevant files) before you clean up, remove the malicious software, reset any credentials that were used on that host, and restore compromised data from a known-good backup.

6. Fine-Tune Rules

Over time, you’ll learn which rules generate false positives. Adjust them to reduce noise without compromising detection.

  • Whitelist: Exclude legitimate processes or files from triggering a rule, but scope each exclusion as tightly as the EPP allows: full path plus code-signing publisher (or hash) plus expected parent process, never the image name alone, because an attacker will happily name a dropper backup.exe to ride an existing exclusion.
  • Adjust Conditions: Modify the criteria that trigger the alert (e.g., raise the number of files modified per minute before an alert is raised), and record why the change was made so it can be reviewed later.
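
One way to scope an exclusion so that it covers the legitimate process but not an imposter using the same name, as an added Python example rather than any vendor’s exclusion syntax. The backup agent, its path, signer and parent are made up for the illustration, and the example assumes your EPP exposes path, signer and parent for matching, as most do.

```python
"""Scoped exclusions for a behaviour rule (added example; not an EPP's own
exclusion syntax). Every process, path and signer below is constructed."""
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str    # image file name
    path: str     # full on-disk path
    signer: str   # code-signing publisher, "" if unsigned (assumed to be available)
    parent: str   # parent image name


# Exclusion for a hypothetical backup agent that legitimately rewrites many
# files. Every field must match; the image name alone is not enough.
EXCLUSIONS = [{
    "image": "backup.exe",
    "path": r"c:\program files\acme backup\backup.exe",
    "signer": "Acme Backup Ltd",
    "parent": "services.exe",
}]


def excluded(ev, name_only=False):
    """True if ev matches an exclusion; name_only shows the weak variant."""
    for ex in EXCLUSIONS:
        if name_only:
            if ev.image.lower() == ex["image"]:
                return True
        elif all(getattr(ev, k).lower() == v.lower() for k, v in ex.items()):
            return True
    return False


# Constructed: both processes tripped the "rapid ransom-style writes" rule.
SUSPECTS = [
    ProcEvent("backup.exe", r"C:\Program Files\Acme Backup\backup.exe",
              "Acme Backup Ltd", "services.exe"),
    # Dropper renamed to the excluded image name, unsigned, launched by Word.
    ProcEvent("backup.exe", r"C:\Users\a\AppData\Local\Temp\backup.exe",
              "", "winword.exe"),
]


def still_alerting(name_only=False):
    """Paths that still raise an alert after the exclusions are applied."""
    return [ev.path for ev in SUSPECTS if not excluded(ev, name_only)]


if __name__ == "__main__":
    print("name-only exclusion leaves:", still_alerting(name_only=True))
    print("scoped exclusion leaves:   ", still_alerting())
```

With the name-only exclusion both processes go quiet, including the dropper in the user’s Temp directory; with the scoped exclusion only the real agent is silenced and the imposter still alerts.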