More than ever before, the applications installed on our handheld and laptop devices are sending data off to the cloud, so the volume of traffic leaving the company is growing at a faster rate.  The impetus behind this is the application developers who are rushing to collect big data from their users so it can be mined for behavior patterns; the end-user characteristics uncovered are then used to sell and market additional services.  All of this gathering increases traffic, which stresses the infrastructure in many ways, including the people supporting it.  At times it can even make it harder to use Network Traffic Analytics to find the spots that would normally receive immediate attention.  Proactive measures become difficult when the log and flow consumption systems are receiving a fire hose of data.

Malware Traffic Resembles Normal Traffic Patterns

Adding to the complexity of finding blind spots is the behavior mimicking that malware developers write into their contagions. To evade the best detection methods, exploits often communicate in patterns that are nearly identical to those of business and social media applications.  Vendors like McAfee use DNS tunneling to extract data out of companies.  Microsoft uses proprietary encryption to upload data to the cloud from Windows 10 computers. The miscreants behind infections study and learn these tactics from trusted vendors, and then ensure that their exploit exhibits similar traits when removing information from our devices.  This can include sending the data to an AWS or Akamai hosted domain.  For these reasons, no security appliance can protect an organization from all infection variants.  It simply isn’t possible.

Kevin Beaumont, a prolific cyber-security commentator on Twitter, was quoted in SC Magazine pointing out that a vendor’s website changed from saying “The NHS is totally protected with Sophos” to “Sophos understands the security needs of the NHS”.

Network Traffic Analytics

Since the onslaught of infections will keep coming and statistically many won’t be stopped, security teams have to monitor for behaviors that provide potential indicators of compromise.  At the same time, they also have to prepare for the aftermath of an inevitable data theft.

Because communication behaviors are constantly evolving and are copied by attackers, network traffic analytics needs to be configured to monitor for odd patterns that fall outside preapproved characteristics. IPFIX and NetFlow collection systems provide the best way to ingest big data while simultaneously pattern matching on connections that are not normal.  Rogue connections to unapproved NTP, FTP, SSH, SMTP and DNS servers are often a great way to uncover machines exhibiting the telltale signs of a problem.  Odd ping communications or long-lived flows to unrecognizable sites can be additional indicators.

By accumulating events and establishing an overall score per end system, the suspicious hosts that generally merit further investigation rise to the top. Only flow data can provide the enterprise-wide visibility needed to track 100% of the communications on the network.  When malware is discovered after the theft, both NetFlow and IPFIX provide the postmortem forensic details needed to paint a full picture of what happened.
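The indicators and per-host scoring described in the two paragraphs above, as an added example that is not code from the original post or from Scrutinizer: it checks constructed flow records against assumed allow-lists of approved DNS/NTP/SMTP/SSH/FTP servers, flags long-lived flows to unknown destinations and odd ping volumes, then ranks hosts by accumulated score. The allow-lists, thresholds, weights and flow records are all assumptions.

```python
from collections import defaultdict

# Constructed allow-list of approved internal servers per service port (assumption).
APPROVED = {
    53:  {"10.0.0.53"},   # DNS
    123: {"10.0.0.123"},  # NTP
    25:  {"10.0.0.25"},   # SMTP
    22:  {"10.0.0.22"},   # SSH
    21:  {"10.0.0.21"},   # FTP
}
LONG_FLOW_SECS = 3600        # a flow lasting an hour or more counts as long-lived
ICMP_PACKET_THRESHOLD = 50   # more ICMP packets than this from one host is odd

# Constructed flow records: (src, dst, proto, dst_port, duration_s, packets)
FLOWS = [
    ("10.1.1.5", "10.0.0.53", "udp", 53, 1, 2),            # normal DNS
    ("10.1.1.5", "8.8.8.8", "udp", 53, 1, 2),              # unapproved DNS server
    ("10.1.1.5", "203.0.113.9", "tcp", 443, 7200, 900),    # long-lived flow, unknown site
    ("10.1.1.7", "10.0.0.123", "udp", 123, 1, 1),          # normal NTP
    ("10.1.1.9", "198.51.100.2", "icmp", 0, 600, 800),     # odd ping volume
]

def score_flows(flows, approved=APPROVED):
    """Return {host: (score, [reasons])}; a higher score means more suspicious."""
    scores = defaultdict(lambda: [0, []])
    for src, dst, proto, port, duration, packets in flows:
        reasons = []
        # Service port we care about, but the server is not on the allow-list.
        if port in approved and dst not in approved[port]:
            reasons.append((3, f"rogue {proto}/{port} server {dst}"))
        # Long-lived flow to a destination that is not any approved server.
        if duration >= LONG_FLOW_SECS and not any(dst in s for s in approved.values()):
            reasons.append((2, f"long-lived flow ({duration}s) to {dst}"))
        # Unusual volume of ICMP traffic from a single host.
        if proto == "icmp" and packets > ICMP_PACKET_THRESHOLD:
            reasons.append((2, f"{packets} ICMP packets to {dst}"))
        for weight, why in reasons:      # accumulate into the per-host score
            scores[src][0] += weight
            scores[src][1].append(why)
    return {host: (s, r) for host, (s, r) in scores.items()}

def ranked_hosts(flows):
    """Hosts ordered most-suspicious first; hosts with no indicators are omitted."""
    return sorted(score_flows(flows).items(), key=lambda kv: -kv[1][0])

if __name__ == "__main__":
    for host, (score, reasons) in ranked_hosts(FLOWS):
        print(f"{host}: score {score}; " + "; ".join(reasons))
```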

Flows Provide 100% Accountability

If the destination host in flow data is found to be hosted by AWS or Akamai, IPFIX exports from vendors like Cisco and Gigamon can include the Fully Qualified Domain Name (FQDN) of the targeted host. Ultimately, this additional context provides the network forensics needed to streamline efforts and determine how the malware got in, where the data went, how often it was uploaded and from where.  It is all available through the all-seeing eyes of the flow collection system.

Only by probing the data from all corners of the network can we both uncover strange connection patterns and prepare for the next inevitable infection. NetFlow and IPFIX are the single best resource for making sure that the company is prepared for the next forensic investigation. Check out the Forensic Investigation Kit.

Michael

Michael is one of the co-founders and the former product manager for Scrutinizer. He enjoys many outdoor winter sports and often takes videos when he is snowmobiling, ice fishing or sledding with his kids. Cold weather and lots of snow make the best winters as far as he is concerned. Prior to starting Somix and Plixer, Mike worked in technical support at Cabletron Systems, acquired his Novell CNE and then moved to the training department for a few years. While in training he finished his master’s in Computer Information Systems from Southern New Hampshire University and then left technical training to pursue a new skill set in Professional Services. In 1998 he left the ‘Tron’ to start Somix, which later became Plixer.