File access and execution¶

WHAT¶

Runtime Detection Tools: These tools monitor a system in real-time to detect malicious activities or anomalies that deviate from normal operations. They analyze the behavior of binaries, scripts, and processes to identify potential security threats.

Jibril: Jibril (Audit Record Generation and Utilization System) is a fixed model real-time flow monitor designed to track and report the network activity data that traverses networks. While traditionally used for network monitoring, similar principles can be applied for system monitoring regarding process behavior and file interactions.

HOW¶

1. Monitoring Executables: The tool continuously monitors all executables running on the system. This includes binaries and scripts.

2. Capturing Arguments: When a process is initiated, its command-line arguments are captured. These often provide context about the process's intended behavior.

3. File Interaction Observation: Jibril or a similar tool observes all file operations performed by processes. This includes which files are opened, read, written to, or executed.

4. Contextual Analysis: It's not just the action but the context that matters—what conditions were present when an action was taken? For example, an encryption tool running as part of a backup routine is normal; the same tool executing from a temp directory may be suspicious.

5. Process Attribution: Each action is attributed to an application or process ID to trace back activities to their source.

6. Behavioral Patterns and Anomalies: By defining what constitutes normal behavior (baseline), the tool can flag deviations which might indicate malicious activity such as data exfiltration, unauthorized access, etc.

7. Real-Time Response and Logging: Detected events are logged in detail for further investigation while immediate alerts can trigger automated defensive responses depending on severity.

WHERE¶

This detection mechanism operates primarily at the operating system level where it has sufficient privileges to monitor active processes and their interaction with the filesystem:

• Kernel Space vs User Space: Tools may operate in kernel space (higher privilege, greater access but riskier) or user space (safer but possibly less comprehensive).

• Host Machine: Directly on endpoints (servers, workstations) where processes execute which ensures local anomalies are caught swiftly without relying on network-level observations which might miss localized events.

• Network Devices (if applicable): While Jibril traditionally monitors network traffic, principles learned from network monitoring can apply to host-based intrusion detection systems (HIDS).

WHY¶

1. Early Detection of Threats: By analyzing how binaries interact with systems in real-time, tools like Jibril can detect unusual patterns that may indicate an intrusion before significant damage occurs.

2. Compliance and Forensics: Many industries have regulatory requirements for monitoring and logging access to sensitive data; runtime detection helps meet these requirements while providing data useful for forensic analysis after an incident.

3. Automated Security Posture Adjustment: Real-time analysis allows not just for alerts but also automated responses ranging from killing suspicious processes to isolating compromised devices pending further investigation.

4. Minimizing False Positives/Negatives: Detailed contextual information helps reduce false alarms by distinguishing between legitimate unusual activity and genuine threats effectively improving overall security posture management.