This website uses cookies. By continuing to browse this website, you accept our use of cookies and our Cookie Policy. Close

Our Blog

Labs Research: Using Anomalies in Crash Reports to Detect Unknown Threats

Share

Tuesday, Feb 18, 2014

Websense Research Report Details New Targeted Campaigns and Unreported POS Systems Attack

Today, we released a research white paper detailing the use of Windows Error Reporting (WER) to detect advanced targeted campaigns in the wild, including: a campaign against a government agency; a major cellular network provider; and a previously unreported campaign targeting point-of-sale (POS) systems at retailers with a new variety of malware. The white paper, entitled “Using Anomalies in Crash Reports to Detect Unknown Threats,” can be downloaded here: www.websense.com/crashAPTreport

Alexander Watson, Director of Security Research, Websense, will present advanced findings related to this research at the 2014 RSA Conference in San Francisco. Join us for our session, "Use Anomalies to Detect Advanced Attacks Before Bad Guys Use It Against You" on Tuesday, February 25, 2014, at 4 p.m. PT.

In a previous blog post, we discussed how Microsoft Windows Error Reporting (WER), a.k.a. Dr. Watson, sends detailed telemetry to Microsoft  each time an application crashes or fails to update, or a hardware change occurs on the network. By correlating the data, we demonstrated how an attacker who was capable of intercepting this data could create a precise blueprint of the target’s hardware and software network. Attackers can use this intelligence to create tailored attacks with a high probability of success.

But those reports also got us thinking about ways we could use that wealth of data to enable security. Our first step in that direction involved releasing source code on GitHub that allows organizations to use Dr. Watson telemetry reports to identify incidents that could lead to data loss.

One of the biggest challenges in security today is the persistence of targeted attacks. How many highly publicized attacks were detected quickly? The fact is that most stay on a system for a long time before detection. We wanted to take our research a step further to see if we could create a new method of identifying previously unknown threats – attacks that have made it past organizations’ defenses – in a manner never before accomplished. 

We hope this research encourages the industry to continue looking beyond analytic and signature-based defenses that are based on expert knowledge of known attacks, and begin integrating advanced anomaly and threat intelligence capabilities. This integration brings the ability to reveal new and targeted threats that pose an incredibly high risk to organizations.

About the Author