Election Security Spotlight – Signature-Based vs Anomaly-Based Detection

What it is:

Signature-based and anomaly-based detections are the two main methods of identifying and alerting on threats. While signature-based detection is used for threats we know, anomaly-based detection is used for changes in behavior. Signature-based detection relies on a preprogramed list of known indicators of compromise (IOCs). An IOC could include malicious network attack behavior, content of email subject lines, file hashes, known byte sequences, or malicious domains. Signatures may also include alerts on network traffic, including known malicious IP addresses that are attempting to access a system. In contrast to signature-based detection, anomaly-based detection is capable of alerting on unknown suspicious behavior. Anomaly-based detection involves first training the system with a normalized baseline and then comparing activity against that baseline. Once an event appears out of the ordinary an alert is triggered. Alerts can be triggered by anything that does not align with the normalized baseline, including a user logging in during non-business hours, a flood of new IP addresses attempting to connect to the network, or new devices being added to a network without permission.

Why does it matter:

Understanding the cybersecurity defenses available can help election offices prioritize their risk mitigations as part of a defense-in-depth (DiD) strategy. Security devices that utilize signature or anomaly-based detection can only review traffic that passes through them. For instance, network intrusion detection systems (IDS) offer monitoring of traffic that passes through the network interface, while endpoint detection and response (EDR) software monitors activity on the system it is installed on, and Web Application Firewalls (WAF) can only monitor traffic to and from the web server they protect. Variants of these security systems can use either or both of the detection methods.

Both detection methods have complementary strengths and weaknesses. Signature-based detection has high processing speed for known attacks and low false positive rates, which allows this detection method to quickly and accurately identify malicious events. However, signature-based security systems will not detect zero-day exploits. Anomaly-based detection can help identify these new exploits. However, anomaly-based detection can have high higher false positive rates. This can result in additional resources and time to rule out the high volume of alerts generated.

Nation state actors are more likely to attempt new attack methods which may be easier to defend against with anomaly-based detection, while hacktivists would be more likely to use known and defined attack methods that can be prevented with signature-based methods.

While both signature and anomaly-based detection are helpful for defending against cyber-attacks, they both require trained staff to configure and maintain them appropriately.

What you can do:

Election officials should consider signature and anomaly-based detection to enhance cyber-defenses as part of a DiD strategy with other security measures. If an election office is considering implementing signature-based, anomaly-based, or both security systems, they should understand the skillset, resources, and time required to manage these systems. If an election office is using any signature-based detection they should assign staff to routinely update and maintain the signature list from known attack vectors. If anomaly-based detection is being used on a system, verify that the system has been taught to recognize normal system activity prior to deploying the system, to avoid raising false positives. Most importantly, election offices will need to ensure that staff is able to effectively respond to the alerts generated by these devices.

The EI-ISAC Cybersecurity Spotlight is a practical explanation of a common cybersecurity concept, event, or practice and its application to Elections Infrastructure security. It is intended to provide EI-ISAC members with a working understanding of common technical topics in the cybersecurity industry. If you would like to request a specific term or practice that may be of interest to the elections community, please contact [email protected].