August 25, 2014

Cyber Attack: Incident Response

Every day, your company receives tens of thousands of emails. Most of it is legitimate, work-related traffic, but hidden within these messages could be phishing attacks: emails embedded with links that, when clicked, trigger the installation of software intended to do harm on your network. The good news is that these emails are directed toward employees who usually recognize what is and isn't a legitimate form of communication. As a result, 95% of these emails are simply deleted. However, attackers are persistent, clever and compensated to keep trying. Time is on the hacker's side and eventually, someone somewhere clicks on a link thinking the correspondence was valid and…


Instantly, the end system becomes infected with a bot that reaches out over encrypted connections (e.g. port 443) to one or more command and control (C&C) servers on the internet. What is the bot looking for? Instructions on what to do next! Many times the instruction is simply to sit and wait, and to check in again at a future date. Ultimately the bot could be told to launch a denial of service (DoS) attack as part of a larger distributed attack against a particular internet host. Other times, the bot will download a keylogger to try to catch passwords, or perhaps attempt to move laterally within the organization to infect other machines. The goal might be to find certain files with names containing key words (e.g. pass, confidential, competitor, etc.). Once the information is obtained, exfiltration is attempted and the file is slowly uploaded to an internet site. Your company's confidential information has been stolen. And it gets worse.

Malware like this likes to set up camp and stay on your network indefinitely – forever if it can. Mandiant stated that the average infection stays resident for 416 days. Why so long? Well, the fact that 96 percent of data breaches are uncovered by third parties (i.e. not internal security teams) is one reason. This of course raises the question: why can't those expensive next-generation firewalls that sit high and to the right in the Gartner Magic Quadrant catch these contagions? It's partly because infections like this make outgoing connections on typical ports (e.g. TCP 80, 443). Many firewalls don't even question these types of connections because they are initiated inside the network and are considered 'outbound'. For the most part, it has become impossible for firewall vendors to discern the difference between legitimate traffic and illegitimate reconnaissance efforts.

Internet threat protection has gone from a proactive "stop it before it infects" practice to a reactive effort focused on "try to identify the theft". Because of this, the network threat detection industry has evolved into more of a network behavior analysis effort, meaning the focus is on trying to uncover the espionage. When suspicious activity is uncovered, incident response kicks in. What system does the security team turn to when they want to investigate a traffic pattern – quickly?

In the retail world, the security team turns to their surveillance cameras. They go back in time to when the patron entered the store and carefully review their every move. In the IT world, we have something very similar. Every router and some switches export either NetFlow or IPFIX, and these technologies allow us to play back every move made by a network-connected device. If the firewall or IDS reports strange activity from an IP address on a specific port, the cyber attack incident response system that collects flow data plays a big part in the investigation.
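The kind of flow playback the paragraph describes, as an added example that is not from the original post or from Plixer's product: given an IDS alert naming an internal host and port, replay constructed NetFlow-style records from that host and summarize check-in regularity, bytes sent, and internal hosts contacted. The record layout, the 10.0.0.0/8 internal range and the thresholds are assumptions made for this example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records in simplified NetFlow/IPFIX form:
# (start_seconds, src_ip, dst_ip, dst_port, bytes_from_src).
# 10.0.0.5 checks in with an external host every 10 minutes, then pushes
# a large upload; it also touches two internal hosts on port 445.
FLOWS = [
    (0,    "10.0.0.5", "203.0.113.9",  443, 400),
    (600,  "10.0.0.5", "203.0.113.9",  443, 410),
    (1200, "10.0.0.5", "203.0.113.9",  443, 395),
    (1800, "10.0.0.5", "203.0.113.9",  443, 405),
    (2400, "10.0.0.5", "203.0.113.9",  443, 1500000),
    (300,  "10.0.0.5", "10.0.0.7",     445, 2000),
    (900,  "10.0.0.5", "10.0.0.8",     445, 2100),
    (100,  "10.0.0.6", "198.51.100.4",  80, 3000),
]

def is_internal(ip):
    """Assumed internal address space for this example (10.0.0.0/8)."""
    return ip.startswith("10.")

def playback(flows, host, port, min_checkins=3, max_cv=0.2):
    """Replay every flow sent by `host` after an alert names it on `port`.
    Returns external peers on that port with regular check-in timing
    (beaconing), bytes sent to each such peer (exfiltration volume), and
    internal hosts contacted on any port (possible lateral movement)."""
    by_peer = defaultdict(list)
    lateral = set()
    for start, src, dst, dport, nbytes in sorted(flows):
        if src != host:
            continue
        if is_internal(dst):
            lateral.add(dst)
        elif dport == port:
            by_peer[dst].append((start, nbytes))
    beaconing, bytes_out = [], {}
    for peer, recs in by_peer.items():
        bytes_out[peer] = sum(b for _, b in recs)
        times = [t for t, _ in recs]
        gaps = [b - a for a, b in zip(times, times[1:])]
        # "Sit and wait, check in later" shows up as near-constant gaps between
        # flows; flag a peer when the gap spread (coefficient of variation) is small.
        if len(gaps) >= min_checkins - 1 and mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_cv:
            beaconing.append(peer)
    return {"beaconing": sorted(beaconing), "bytes_out": bytes_out, "lateral": sorted(lateral)}

if __name__ == "__main__":
    print(playback(FLOWS, "10.0.0.5", 443))
```

On a real collector the same pivot is run over stored flow records for the alerted address, with the internal ranges and beacon thresholds tuned to the environment.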

About The Contributor:
Mike Patterson, CEO, Plixer

As one of the founders of the company, Michael has been involved in the development of Scrutinizer NetFlow and sFlow Analyzer as well as Flow Analytics at Plixer. He enjoys writing and blogging about all things NetFlow, IPFIX and sFlow related.
