
Anomaly Detection Models

Lacework uses the following anomaly detection models to surface three common adversary techniques: active scanning, domain generation algorithm (DGA) traffic, and SSH brute force.

Active Scanning

The active scanning model identifies when a host in your environment initiates an unusually large number of outbound port scans or IP scans. Red teams and malicious actors use active scanning for reconnaissance: enumerating reachable hosts and services to identify vulnerabilities in a target network or system. Detecting scanning behavior early lets you investigate a potentially compromised host before the reconnaissance escalates into exploitation or lateral movement.
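The two shapes of scanning the model looks for are a vertical port scan (one source, one target, many ports) and a horizontal IP sweep (one source, one port, many targets). The following is an added illustration of that distinction as detection logic over flow records; it is not Lacework's model or code. The flow tuples, thresholds, window size and host addresses are constructed for the example.

```python
"""Outbound port-scan / IP-sweep heuristic over flow records.

Added illustration, not Lacework's model. The flow tuples below are constructed;
real input would come from agent or VPC flow logs.
"""
from collections import defaultdict

PORT_SCAN_THRESHOLD = 20   # distinct destination ports on one target in a window
IP_SCAN_THRESHOLD = 20     # distinct targets on one destination port in a window
WINDOW_SECONDS = 60        # fixed-size bucket; a sliding window would be stricter

# Constructed records: (unix_ts, src_ip, dst_ip, dst_port, proto)
FLOWS = (
    # 10.0.1.5 walks ports 1..40 on a single target: vertical port scan
    [(t, "10.0.1.5", "10.0.2.9", 1 + t, "tcp") for t in range(40)]
    # 10.0.1.7 talks to one service repeatedly: normal traffic
    + [(200 + 10 * i, "10.0.1.7", "10.0.2.20", 443, "tcp") for i in range(5)]
    # 10.0.1.9 probes port 22 on 25 different hosts: horizontal IP sweep
    + [(120 + i, "10.0.1.9", f"10.0.2.{i + 1}", 22, "tcp") for i in range(25)]
)


def detect_scans(flows, port_threshold=PORT_SCAN_THRESHOLD,
                 ip_threshold=IP_SCAN_THRESHOLD, window=WINDOW_SECONDS):
    """Return one alert per (source, window) that exceeds either scan threshold."""
    ports_by_target = defaultdict(set)   # (src, bucket, dst_ip)   -> {dst_port}
    targets_by_port = defaultdict(set)   # (src, bucket, dst_port) -> {dst_ip}
    for ts, src, dst, port, _proto in flows:
        bucket = ts // window
        ports_by_target[(src, bucket, dst)].add(port)
        targets_by_port[(src, bucket, port)].add(dst)

    alerts = []
    for (src, bucket, dst), ports in ports_by_target.items():
        if len(ports) >= port_threshold:
            alerts.append({"type": "port_scan", "src": src, "target": dst,
                           "distinct": len(ports), "window_start": bucket * window})
    for (src, bucket, port), dsts in targets_by_port.items():
        if len(dsts) >= ip_threshold:
            alerts.append({"type": "ip_scan", "src": src, "port": port,
                           "distinct": len(dsts), "window_start": bucket * window})
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(FLOWS):
        print(alert)
```

Counting distinct ports or targets rather than raw packets is what separates a scanner from a busy but legitimate client: the host talking to 10.0.2.20:443 five times never grows either set. Fixed buckets are simple but can split a scan across a boundary; a production detector would use a sliding window and a per-host baseline rather than a global threshold.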

Domain Generation Algorithm (DGA)

The DGA model recognizes patterns and characteristics typical of domain names produced by domain generation algorithms. Malware commonly uses DGA domains as command and control channels, so the model flags a host that makes an excessive number of DNS requests for DGA-like domains. Such behavior may indicate a malware infection or a compromised host.
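Two things have to happen for this model to fire: individual query names are scored for DGA-like characteristics, and a host is flagged only when its count of such names in a window is excessive. Here is an added example of both steps, not Lacework's model or code. The lexical features (label length, Shannon entropy, digit ratio, longest consonant run) and their thresholds are common DGA heuristics chosen for illustration; the query log, host addresses and the synthetic DGA names are constructed, and the second-to-last-label rule for the registrable domain is a simplifying assumption.

```python
"""DGA-like domain scoring plus per-host excess-query detection.

Added illustration, not Lacework's model. Features and thresholds are
constructed heuristics; real detectors combine these with ML and threat intel.
"""
import math
from collections import Counter, defaultdict

VOWELS = set("aeiou")
CONSONANTS = "bcdfghjklmnpqrstvwxz"   # 20 letters, used only to build sample names


def shannon_entropy(s):
    """Bits of entropy per character; random-looking labels score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_label(qname):
    # Assumption: the registrable label is the second-to-last label. Production
    # code should use the Public Suffix List (e.g. "example.co.uk").
    labels = qname.rstrip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def dga_features(label):
    run = best = 0
    for c in label:
        if c.isalpha() and c not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    digits = sum(c.isdigit() for c in label)
    return {"length": len(label),
            "entropy": shannon_entropy(label),
            "digit_ratio": digits / len(label) if label else 0.0,
            "consonant_run": best}


def is_dga_like(label, min_len=12, min_entropy=3.5,
                max_digit_ratio=0.3, max_consonant_run=5):
    """Heuristic verdict on a single label (thresholds are illustrative)."""
    f = dga_features(label)
    return ((f["length"] >= min_len and f["entropy"] >= min_entropy)
            or f["digit_ratio"] >= max_digit_ratio
            or f["consonant_run"] >= max_consonant_run)


def _synthetic_dga(i, length=12):
    # Constructed stand-in for DGA output: 12 distinct consonants, no words.
    return "".join(CONSONANTS[(7 * i + 3 * j) % len(CONSONANTS)]
                   for j in range(length)) + ".com"


# Constructed DNS query log: (unix_ts, client_host, query_name)
QUERIES = (
    [(i, "10.0.1.12", _synthetic_dga(i)) for i in range(15)]      # infected host
    + [(i, "10.0.1.7", d) for i, d in enumerate([                 # normal host
        "mail.google.com", "cdn.cloudflare.net", "api.github.com",
        "updates.microsoft.com", "static.amazonaws.com"])]
)


def detect_dga_hosts(queries, threshold=10, window=300):
    """Flag hosts querying >= threshold distinct DGA-like names in one window."""
    flagged = defaultdict(set)                  # (host, bucket) -> {qname}
    for ts, host, qname in queries:
        if is_dga_like(registered_label(qname)):
            flagged[(host, ts // window)].add(qname)
    return [{"host": host, "window_start": bucket * window,
             "distinct_dga_domains": len(names)}
            for (host, bucket), names in flagged.items() if len(names) >= threshold]


if __name__ == "__main__":
    for q in QUERIES[:3] + QUERIES[15:17]:
        print(q[2], dga_features(registered_label(q[2])), is_dga_like(registered_label(q[2])))
    print(detect_dga_hosts(QUERIES))
```

Scoring alone produces noise: CDN hostnames and hashed subdomains look random too, which is why only the registrable label is scored and why the alert is on the volume of distinct DGA-like names per host, not on any single query. A DGA-infected host typically resolves many candidate domains (most NXDOMAIN) before finding a live C2, so the distinct-name count rises quickly.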

SSH Brute Force

The SSH brute force model identifies when a host, either in your environment or with the agent installed, begins to issue an unusually high number of unsuccessful login attempts. This model aids early identification of a security incident involving a compromised host, so you can act against unauthorized access and the resulting risk of a data breach before it spreads across your systems and networks.
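The burst of failed logins is visible in the sshd log of the host being targeted, keyed by the source address making the attempts; if that source is one of your own hosts, it is the compromised machine the model is pointing at. The following is an added example of that detection over sshd log lines, not Lacework's model or code. The log lines, timestamps and addresses are constructed, the ISO timestamp format is an assumption (rsyslog's RSYSLOG_FileFormat emits it; adjust the regex for "Jan 10 03:14:15" dates), and the threshold and window are illustrative.

```python
"""SSH brute-force heuristic over sshd log lines, with success-after-failure check.

Added illustration, not Lacework's model. Log lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumes ISO timestamps; OpenSSH message shapes are "Failed password for [invalid user] U from IP port P ssh2"
# and "Accepted <method> for U from IP port P ssh2".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed password|Accepted \w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def _line(ts, result, user, ip, port):
    return f"{ts.isoformat()} web01 sshd[4242]: {result} for {user} from {ip} port {port} ssh2"


T0 = datetime(2024, 1, 10, 3, 14, 15)
# Constructed log: 12 failures in 12 s from 203.0.113.7, then a password success
# from the same source; one mistyped password plus a key login from 198.51.100.4.
SAMPLE_LOG = (
    [_line(T0 + timedelta(seconds=i), "Failed password",
           ["invalid user admin", "root", "invalid user test"][i % 3],
           "203.0.113.7", 51000 + i) for i in range(12)]
    + [_line(T0 + timedelta(seconds=25), "Accepted password", "root", "203.0.113.7", 51012)]
    + [_line(T0 + timedelta(seconds=5), "Failed password", "alice", "198.51.100.4", 40001)]
    + [_line(T0 + timedelta(seconds=6), "Accepted publickey", "alice", "198.51.100.4", 40002)]
)


def parse(lines):
    """Yield (ts, host, failed, user, src_ip) for lines that match; skip the rest."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["host"],
                           m["result"].startswith("Failed"), m["user"], m["ip"]))
    return events


def max_in_window(times, window):
    """Largest number of timestamps inside any span of length `window` (two pointers)."""
    times = sorted(times)
    best = lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def detect_bruteforce(lines, threshold=10, window=timedelta(seconds=60)):
    """Alert per (target host, source ip) whose peak failure rate exceeds threshold."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for ts, host, failed, user, ip in parse(lines):
        (failures if failed else successes)[(host, ip)].append(ts)

    alerts = []
    for (host, ip), times in failures.items():
        peak = max_in_window(times, window)
        if peak >= threshold:
            last_failure = max(times)
            alerts.append({
                "host": host, "src": ip, "peak_failures": peak,
                # a success after the burst means the guess worked: escalate
                "success_after": any(s > last_failure for s in successes.get((host, ip), [])),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

A sliding window is used deliberately: fixed buckets can split a 12-second burst across a minute boundary and miss it. The `success_after` flag is the check a responder wants first, since a successful login from the same source after the burst turns a noisy alert into a likely compromise. Keying on (target host, source IP) also tells you which side of the attempt is inside your environment.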