May 29, 2013

Network Threats: You’re already infected

It’s time to stop worrying about the network threats that will infiltrate your company and assume that one or more already has. Organizations need to stop thinking that the firewall, IDS and antivirus solution will protect them from all forms of malware.  They won’t.  We have to go about network threat detection differently. Trends in BYOD growth are forcing us to.

We need to focus more effort on detecting internal threats. One of my favorite analogies is to compare network security to the typical security system at a major department store. Department stores assume that shoplifters are entering the store every day. In fact, shoplifters walk right through the front door with very little disguise, if any. Why would a department store let them in? Because they look like ordinary customers. Now imagine malicious network traffic that looks like ordinary, everyday traffic. Most would agree that this is certainly very possible.

Just as department stores can’t tell customers apart from shoplifters, many firewalls and other traditional security strategies can’t tell the difference between malware and necessary network traffic. Their cyber threat detection methods are old and largely outdated.

The full-time security team at the department store assumes that the shoplifters are always there, milling amongst the crowds, trying not to be noticed, trying to stay incognito. Hopefully, when these criminals pocket something they didn’t pay for, they will be caught, but a significant percentage make it out of the store with merchandise they didn’t buy. Perhaps the customer exhibited suspicious behaviors, but careful surveillance didn’t detect any wrongdoing.

Just as some shoplifters are successful at stealing from department stores, many forms of electronic threats are making it out of your company with information you’d rather not see get past your next generation firewall. How do we stop it?

The flaw with the bad guys is that they tend to be repeat offenders.  If they were successful one or more times, they usually keep coming back and eventually they get caught.  Department stores catch shoplifters because criminals often display patterns of suspicious behaviors or because they try to make one too many large thefts. And, many stores have security cameras which allow them to go back in history to confirm their suspicions.  Security professionals like cameras.

The above can serve as a bit of an analogy when considering today’s Advanced Persistent Threats. The malware walks right past the firewall (i.e. the front door) disguised as an email or a web site that gets visited. Once infected, a machine that has already authenticated onto the network allows the malware to make SSL connections out to command and control servers, and again the traffic skips right past even the best firewall.

Similar to the department store, smart companies accept the assumption that they are already infected and have prepared for this event. These 21st-century, security-conscious companies monitor and trigger events for suspicious behaviors and take advantage of a form of electronic camera system called NetFlow.

NetFlow- and IPFIX-exporting routers, switches and servers provide a form of electronic video surveillance. These flow technologies provide historical visibility into 100% of all traffic passing through their systems. The NetFlow collector not only stores the data for future reference, but enterprise NetFlow reporting solutions also constantly monitor flows for odd traffic patterns and compare Internet IP addresses to host reputation databases. Significant suspicious behaviors raise awareness and can trigger notifications which prompt security admins to check the history of the host, and they do it using NetFlow or IPFIX.

Threat detection with flow technologies can’t rely on stateful inspection because in most cases neither NetFlow nor IPFIX exports enough of a packet to leverage this type of cyber threat detection, and sFlow doesn’t sample the datagrams needed. Network threat detection with flow technologies instead involves network behavior analysis, whereby traffic patterns are monitored for suspicious behaviors. Flow ratios, packet volumes per flow, number of destination hosts, TCP flags, etc. are all considered as the flows are collected. If thresholds are breached, notifications are triggered.

Although a NetFlow threat detection system shouldn’t replace existing threat detection appliances, it can without a doubt add another layer of protection. Behavior monitoring is a very effective method for uncovering malware floating around the network. Regardless of which appliance uncovers the threat, the NetFlow Analyzer is almost always the go-to solution for learning more about the infected host, its traffic patterns and the other hosts that may have exhibited similar behaviors.
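The three flow-based checks described above (counting distinct destinations per source, looking at TCP flags and packets per flow, and comparing destinations against a host reputation list) plus the follow-up history lookup on a flagged host, worked through as an added example. This is illustration code written for this page, not Plixer's Scrutinizer or any NetFlow collector's code. The flow records, the threshold values and the reputation list are all constructed here; the field names only mimic the usual NetFlow v5 export fields, and nothing below parses a real export.

```python
"""Behavior-based checks over NetFlow-style flow records (added example)."""
from collections import defaultdict
from dataclasses import dataclass

TCP = 6
SYN = 0x02
ACK = 0x10


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: int
    packets: int      # dPkts in a NetFlow v5 record
    octets: int       # dOctets in a NetFlow v5 record
    tcp_flags: int    # cumulative OR of the TCP flags seen in the flow


# Constructed sample export: one ordinary web client (10.0.0.5), one host
# touching thirty internal addresses with single-packet SYN flows (10.0.0.9),
# and one host with a session to an address on the reputation list (10.0.0.12).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "93.184.216.34", 443, TCP, 42, 51000, SYN | ACK),
    Flow("10.0.0.5", "93.184.216.34", 443, TCP, 37, 48800, SYN | ACK),
] + [
    Flow("10.0.0.9", f"10.0.1.{i}", 445, TCP, 1, 60, SYN) for i in range(1, 31)
] + [
    Flow("10.0.0.12", "198.51.100.77", 443, TCP, 12, 3000, SYN | ACK),
]

# Constructed stand-in for a host reputation feed (a TEST-NET-2 address).
BAD_REPUTATION = {"198.51.100.77"}


def analyze(flows, max_dests=20, syn_only_ratio=0.5, min_flows=10):
    """Return a sorted list of (source_ip, reason) alerts.

    Thresholds are illustrative. A real collector would tune them per
    network and per host role; here they are fixed keyword arguments.
    """
    dests = defaultdict(set)        # distinct destinations per source
    total = defaultdict(int)        # flows per source
    syn_only = defaultdict(int)     # single-packet flows carrying only SYN
    alerts = set()
    for f in flows:
        dests[f.src].add(f.dst)
        total[f.src] += 1
        if f.proto == TCP and f.tcp_flags == SYN and f.packets == 1:
            syn_only[f.src] += 1
        if f.dst in BAD_REPUTATION:
            alerts.add((f.src, f"flow to listed host {f.dst}"))
    for src, n in total.items():
        if len(dests[src]) > max_dests:
            alerts.add((src, f"{len(dests[src])} distinct destinations"))
        # Ratio check only once a source has enough flows to be meaningful.
        if n >= min_flows and syn_only[src] / n >= syn_only_ratio:
            alerts.add((src, f"{syn_only[src]}/{n} SYN-only flows"))
    return sorted(alerts)


def host_history(flows, host):
    """Every stored flow in which the host appears, as source or destination.

    This is the 'go back in history' step: once a host is flagged, pull its
    full record rather than only the flow that tripped the threshold.
    """
    return [f for f in flows if host in (f.src, f.dst)]


def peers_of(flows, host):
    """Other sources that talked to any destination the flagged host talked to."""
    targets = {f.dst for f in flows if f.src == host}
    return sorted({f.src for f in flows if f.dst in targets and f.src != host})


if __name__ == "__main__":
    for src, reason in analyze(SAMPLE_FLOWS):
        print(f"ALERT {src}: {reason}")
    print(f"history for 10.0.0.12: {len(host_history(SAMPLE_FLOWS, '10.0.0.12'))} flow(s)")
```

Running the block prints three alerts: the host with thirty distinct destinations, the same host's 30/30 SYN-only flows, and the single flow to the listed address. The ordinary web client produces nothing. The `min_flows` guard matters in practice: without it, a host seen once with a lone SYN would score a 100% SYN-only ratio and page somebody.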

Unfortunately, we are entering an age of living with constant infections of one kind or another. How are you watching for threats? Prevention is over. Flow technologies are the number one resource when details on a cybercrime need to be investigated. Find out what a leader in NetFlow can offer when it comes to collection and reporting.

About The Contributor:
Mike Patterson, CEO, Plixer

As one of the founders of the company, Michael has been involved in the development of Scrutinizer NetFlow and sFlow Analyzer as well as Flow Analytics at Plixer. He enjoys writing and blogging about all things NetFlow, IPFIX and sFlow related.
