Managed Security Service Providers: Network Threat Detection

Managed Security Service Providers are depending on NetFlow and IPFIX as one of the top 3 enablers for improving network threat detection.  The distributed NetFlow collection nature of this technology allows security teams to gain threat insight into remote areas without actually visiting them.  Most firewalls today including those from Barracuda, Cisco ASA, Palo Alto Networks, SonicWALL and others provide NetFlow or IPFIX exports.  With these flows, several types of threat detection methods can routinely be executed to constantly monitor for possible intrusions. Here are some of the threats Managed Security Service Providers need to monitor for:

• Breach Attempts Violation: Looks for many small flows from one source to one destination. This can indicate things such as a brute force password attack. A typical scenario would be a dictionary attack on an SSH server.
• DDoS Violation: Identifies a Distributed Denial of Service attack such as those that can be launched by a BOTNET.
• DNS Violation: Alerts when a host initiates an excessive number of DNS queries. This can help to identify hosts that may be infected with a mailer worm or other issues that require an inordinate number DNS lookups.
• FIN Scan: The FIN scan’s “stealth” frames are unusual because they are sent to a device without first going through the normal TCP handshaking routine.
• ICMP Destination Unreachable: This is a message that comes back from the router to the requesting host stating that it doesn’t have a route to the destination network of the target host.
• Host Reputation Lookups: This practice goes out to an Internet site every hour and downloads an updated list of known hosts that end systems on the network should not be communicating with. Typically this is a list of compromised hosts that have a reputation for sending nefarious traffic (e.g. C&C).  This list is updated by several Internet Service Providers.  This is one of the best detection methods used against Advanced Persistent Threats.

The above is just a sample of what is possible with Flow Analytics for Network Threat Detection.  It can also be used to detect several other types of scans including SYN, NULL, XMAS, etc. and is very useful when watching for traffic behaviors specific to a host, application or some combination of the two. Beyond detection of malware, NetFlow and IPFIX are fantastic for investigative efforts when looking for an impending computer grenade.

Here is something that Managed Security Service Providers should consider:  Do you remember “Stop, Look and Listen”?  With threat detection using NetFlow it’s “Detection, Investigation and Mitigation” however, unlike the Child Road Safety Game, the Network Threat Detection Game is practiced more slowly.   When a potential threat is detected, what do you do?  Some might say “isolate the problem host(s) and reinstall the OS”.  In many cases this is a decent practice however, with more insidious threats such as Advanced Persistent Threats (APTs) a different approach should be taken.  After Detection of a potential APT, the next step is generally investigation because APTs like to spread out within a company and infect on average about 40 machines.  If the infected machine is immediately isolated, the perpetrator of the attack could get suspicious and lay dormant for a while thus, potentially stalling the identification of the other infected hosts.  With APTs it’s often wise to wait, watch and study because the team within the Managed Security Service Provider needs to determine who the infected machine communicates with internally.  Then they find out if these machines need to communicate and if so, on what ports.  By studying in the internal network communication behaviors of the infected host, they can often find the other machines hosting malware leveraged by the APT.  After what can take a few weeks, a thorough clean up (i.e. mitigation) can take place.

Outside of ongoing threat detection, investigation and mitigation, flow technology is useful for:

• Compliance: change management is possible with tools such as IPFIXify which converts machine messages (e.g. syslogs, event  logs) to IPFIX for easier and faster correlation
• Behavior Monitoring: some flow vendors are exporting URLs which can be used to verify traffic behaviors or check in on disgruntled employees

It’s no wonder that the use of NetFlow, IPFIX and to some extent sFlow are growing in popularity amongst Managed Security Service Providers.  The extra insight it provides especially in remote areas where packet probes are not viable alternative can make the difference in early Vs. too late network threat detection.