U.S. cybersecurity attacks by sector

Cyberspies
I read this article the other day: Electricity Grid in U.S. Penetrated By Spies. At first, I was annoyed that these cyberspies were able to sneak into our utility companies and leave software tools behind that could be used to wreak havoc with our electrical grid. But then I was more surprised that our utility companies are crazy enough to put our electric grids onto the Internet.

Our Government will Protect us?
What should we do? Our government was unable to forecast the financial crisis we are in. How could a bunch of politicians possibly see a potential electronic takeover of our utilities coming? Kind of scary.

Network Behavior Analysis won’t save you
I started thinking about ways we can use Cisco NetFlow or sFlow to catch these perpetrators. In doing so, I listed a bunch of things we might watch for:

  • Excessive traffic from a host? Won’t work, these hackers don’t cause lots of traffic.
  • Communication on strange ports? Won’t work, the bad guys use ports used by most applications (e.g. TCP port 80, etc.).
  • Network scans? These guys operate at a much more stealthy level than scanning for open ports.
  • NULL scan, XMAS, SYN, RST/ACK, ICMP unreachable? No way, we’re not going to catch them looking for these behaviors. Don’t get me wrong, I think monitoring for these communications is helpful, but don’t rely on these patterns to catch all nefarious traffic.

What about NBA (Network Behavior Analysis)? Using Cisco NetFlow, NBA can baseline end-system behaviors and alert when a host talks outside its normal traffic pattern. This probably won’t help either. Most NBA systems don’t baseline every unique remote host a computer has communicated with, especially on the Internet. Contact with a host in another country, in most cases, won’t raise any flags; and if it does, the customer is probably tired of the false positives caused by the crazy number of alarms innocent Internet browsing can produce.

Internet Threats Algorithm in Flow Analytics
In some cases, our Internet Threats Algorithm can help. Most of our Scrutinizer customers are running the FA (Flow Analytics) module. Several times per day, each Scrutinizer installation connects to one of our web sites and downloads the latest list of known Internet compromised hosts that are participating in questionable behaviors. The specific piece of FA that does this is called the “Internet Threats Monitor”. It monitors ALL connections in and out of the Internet for any internal computer communicating with an Internet host that is on the list. If communication occurs, an alert is triggered and the host’s Unique Index is raised. It has proven to be very effective, but not perfect. How does it work?

Flow Analytics Overview

Below is a partial list of the algorithms FA uses for Network Behavior Analysis. The time trend displays how long the algorithm takes to run each time it executes. The count column trends how frequently the algorithm is triggered.

Flow Analytics Internet Threats gadget

Thresholds can be set per algorithm. For example, the default threshold for Internet Threats is 1. Some threats that could appear for this algorithm include:

  • RBN host: The host listed could be part of the Russian Business Network.
  • TOR host: The host listed could be participating as an Onion Router.
  • Compromised Internet host: The host listed could be participating in activities resembling the Storm Worm.
  • Botnet C & C server: The host could be participating as a Botnet or in a command and control operation.
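To make the difference between the two approaches concrete, here is an added example (my own code, not Scrutinizer or Flow Analytics) that runs a handful of constructed NetFlow-style records through a simple volume baseline of the kind discussed under NBA, and then through a list match modelled on the Internet Threats Monitor described above, with the four threat categories from the list and the default threshold of 1. The threat list, the addresses (RFC 1918 internal, RFC 5737 external) and the flow records are all constructed; the per-host counter is a stand-in for the product’s Unique Index, whose real scoring the post does not describe.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Internal address space; constructed for this example.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed threat list. A real deployment downloads this from the vendor
# several times a day; the categories are the four named in the post, the
# addresses come from the RFC 5737 documentation ranges.
THREAT_LIST = {
    "198.51.100.7": "RBN host",
    "203.0.113.42": "TOR host",
    "198.51.100.99": "Compromised Internet host",
    "203.0.113.200": "Botnet C & C server",
}


@dataclass(frozen=True)
class Flow:
    """The subset of a NetFlow record the checks below need."""
    src: str
    dst: str
    dst_port: int
    octets: int


# Constructed flow records. The two contacts with listed hosts are tiny and
# use TCP/80 and TCP/443, so by volume and port they look like browsing.
SAMPLE_FLOWS = [
    Flow("10.1.2.3", "192.0.2.10", 443, 140_000),
    Flow("10.1.2.3", "192.0.2.11", 80, 90_000),
    Flow("10.1.2.3", "203.0.113.200", 443, 2_100),    # small flow to a listed C&C host
    Flow("10.1.2.9", "192.0.2.12", 443, 310_000),
    Flow("10.1.2.9", "198.51.100.7", 80, 1_300),      # small flow to a listed RBN host
    Flow("10.1.2.20", "192.0.2.13", 443, 6_500_000),  # large but innocent download
    Flow("192.168.5.5", "10.1.2.3", 445, 12_000),     # internal-only, never checked
]


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def volume_alerts(flows, baseline_octets: int, factor: float = 3.0) -> dict:
    """Hosts whose total bytes sent to the Internet exceed factor * baseline.

    Stands in for the "excessive traffic" check the post says will not work:
    on the sample data it flags the big download and misses both small contacts.
    """
    totals = defaultdict(int)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            totals[f.src] += f.octets
    limit = baseline_octets * factor
    return {host: total for host, total in totals.items() if total > limit}


def internet_threat_alerts(flows, threat_list, threshold: int = 1):
    """Match every flow that crosses the Internet boundary against the list.

    Returns (alerts, index): alerts maps an internal host to its list of
    (remote host, category) hits once it reaches `threshold` (default 1, the
    post's default); index is a per-host counter raised by one per hit, this
    example's stand-in for the product's Unique Index.
    """
    hits = defaultdict(list)
    for f in flows:
        src_in, dst_in = is_internal(f.src), is_internal(f.dst)
        if src_in == dst_in:
            continue  # internal-only or transit traffic is out of scope
        inside, outside = (f.src, f.dst) if src_in else (f.dst, f.src)
        category = threat_list.get(outside)
        if category is not None:
            hits[inside].append((outside, category))
    alerts = {h: v for h, v in hits.items() if len(v) >= threshold}
    index = {h: len(v) for h, v in alerts.items()}
    return alerts, index


if __name__ == "__main__":
    print("volume baseline flagged:", volume_alerts(SAMPLE_FLOWS, 1_000_000))
    alerts, index = internet_threat_alerts(SAMPLE_FLOWS, THREAT_LIST)
    for host, matches in alerts.items():
        print(f"{host} (index {index[host]}):", matches)
```

The volume check is only there as the foil: a 2 KB flow on TCP/443 never moves the baseline, while the list match flags it because the remote address, not the amount of traffic, is what carries the signal. That is also why the list has to be refreshed and why the post calls the method effective but not perfect: a host that is not on the list is not caught.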

Example Alarm

Internet security alarms with NetFlow

Preach Abstinence
It seems to me that the best security measure these electrical companies could take might be ‘abstinence’ from the Internet. Why do they need to be on the web anyway?


Kelly Kading

Kelly Kading is the Regional Manager for the Northeast US here at Plixer. Kelly strives to deliver the best customer experience possible. He enjoys building relationships with his customers and wants to find the solution to best meet their needs. When not in the office, Kelly tries to always be in the outdoors. His favorite hobbies are hiking, snowshoeing, traveling and generally just being outside!
