Information security professionals need to protect against many different kinds of risks. But the insider threat may be the most challenging. Because insider threats come from within the organization and are by definition trusted, they can be particularly difficult to detect and block.
An insider threat could be an employee, but it could also come from a partner, contractor, or other trusted third party that has access to non-publicly available information or systems. Edward Snowden is the most high-profile example of a trusted insider, in this case a sub-contractor, exploiting his privileged access to steal millions of documents. He was an “intentional” insider threat, which is an insider who deliberately takes advantage of their access. Intentional insider threats could be disgruntled employees who want to hurt the organization, or they could be coerced, for example via blackmail, by outsiders looking to gain access.
But an insider threat could also come from an untrusted individual who gains access using false or stolen credentials so they appear to be a legitimate (i.e., trusted) user. These outsiders are usually able to get access thanks to “unintentional” insider threats – careless insiders who either are phished to unwittingly hand over their credentials or who launch malware on their trusted endpoint systems that enables outsiders to get in. This is what happened with the Office of Personnel Management (OPM) data breach; according to investigators, hackers likely stole credentials to get access to the network and then planted malware to create a backdoor to exfiltrate data.
In its 2015 Insider Threat Report, Vormetric found that a staggering 93% of U.S. respondents feel their organization is vulnerable to an insider attack. And when asked about who posed the biggest internal threat to corporate data, over half (55%) said privileged users. And Infosecurity Magazine reported that insiders were responsible for 43% of data breaches – and that the split between intentional and accidental leakage was 50/50. Clearly, this is a big problem that’s keeping infosec professionals up at night.
The implications of insider threats are significant. In its Managing Insider Threats report, PwC states that 39% of organizations say that insider crimes are more costly or damaging than incidents perpetrated by external adversaries. And the Vormetric survey shows that the average breach detection time isn’t measured in minutes, hours, or even days, but in months.
The first, and most obvious, reason that insider threats are so difficult to detect is that, by definition, the activity looks like it’s coming from (and may, in fact, be coming from) legitimate users. But that’s not the only reason. Many security precautions focus on the perimeter and don’t have visibility into what’s going on within the network. There are a number of user-focused security tools, but these tend to concentrate on endpoints despite the fact that corporate servers and databases pose the highest risk to insider attack.
Not only are insider threats more challenging to detect than other information security attacks, they also have a different mitigation profile. While all network security and data breaches have implications for the organization as a whole, mitigation of insider threats requires the active participation of a number of functions in addition to IT and information security, including corporate security, human resources, legal, audit, etc.
A report issued by the Intelligence and National Security Alliance (INSA) Cyber Insider Threat Subcouncil – an organization that engages with the intelligence community, the DOD, CIOs, and representatives from private sector companies to examine best practices around insider threats – advises that, “a robust insider threat program integrates and analyzes technical and nontechnical indicators to provide a holistic view of an organization’s insider threat risk from individuals identified as potential threats.”
Following are some of the technical solutions organizations have available to them to detect and/or prevent insider threats.
Access control mechanisms – Access control is a broad term that encompasses a wide range of technologies and approaches to ensure that data and systems are only accessed by authorized users. This includes authorization (the process of determining what users can access, what they can do with it, and when access is allowed) and authentication (the process of making users prove they are who they claim to be). Access controls can restrict access to digital systems (for example, with passwords) or physical locations (such as with keycards). Access controls are an important security layer in every organization, but they don’t protect against unauthorized users with stolen credentials.
Encryption – Encryption doesn’t prevent data from being stolen, but it can prevent attackers from using that data, which decreases its value to would-be perpetrators. There are different types of data encryption and it’s important to understand the difference. You can encrypt data-at-rest, but be sure that the encryption keys are not stored on the same server as the data, and you can also encrypt data-in-motion.
Data loss prevention (DLP) systems – DLP systems are designed to detect potential data exfiltration, but they are limited in their effectiveness. While they are good at identifying sensitive structured data – such as social security or credit card numbers – leaving the organization, they can’t recognize many other types of data exfiltration, such as confidential intellectual property or other insider information that could have serious business, regulatory, ethical or legal repercussions.
User training – Because humans are the weakest link in the insider threat attack vector, training is an important tool, especially to help prevent unintentional insider threats. By educating users to recognize phishing attempts, malware, and other techniques hackers use to make insiders their unwitting accomplices, you can lessen the risk. Of course, people being people, you can never completely eliminate the threat of careless or unaware insider threats.
Monitoring of data-in-motion – Data can’t be used by attackers unless it leaves the network. If all other protections fail, monitoring data-in-motion can help identify a data leak in progress so you can stop it quickly, before significant damage is done. There are many approaches for monitoring data-in-motion, but the most comprehensive – and effective – is network flow monitoring. Network flow data – NetFlow, Jflow, sFlow, Cflow and IPFIX – contains valuable information about traffic traversing the network, such as IP addresses, port and protocol, exporting device, timestamps, VLAN and TCP flags, etc. Solutions that analyze this data can learn and understand the changing patterns of behavior inside your network so when any system, mobile device, or server starts behaving outside the normally expected patterns – such as hosts receiving data outside of normal thresholds or sending files at unusual times – you can quickly shut them down.
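The baselining idea described above, as an added example that is not part of the original article and is not FlowTraq's code. It learns each host's normal hourly outbound volume and active hours from past flow summaries, then flags hosts that send far more than usual or send at hours they have never been active. The row layouts, thresholds and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

def build_baseline(history):
    """history rows: (day, hour, src_ip, bytes_out). Returns a per-host profile."""
    buckets = defaultdict(lambda: defaultdict(int))   # src -> (day, hour) -> bytes
    for day, hour, src, nbytes in history:
        buckets[src][(day, hour)] += nbytes
    profile = {}
    for src, hourly in buckets.items():
        volumes = list(hourly.values())
        profile[src] = {
            "mean": mean(volumes),
            "std": pstdev(volumes),
            "active_hours": {hour for _day, hour in hourly},
        }
    return profile

def score_window(profile, window, k=3.0, min_bytes=1_000_000):
    """window rows: (hour, src_ip, bytes_out). Returns (src, hour, reason, bytes)."""
    totals = defaultdict(int)
    for hour, src, nbytes in window:
        totals[(src, hour)] += nbytes
    alerts = []
    for (src, hour), total in sorted(totals.items()):
        p = profile.get(src)
        if p is None:
            # No history for this host: report it only if the volume matters.
            if total >= min_bytes:
                alerts.append((src, hour, "no-baseline", total))
            continue
        # Floor the spread at 10% of the mean so a very steady host does not
        # alert on tiny fluctuations.
        limit = p["mean"] + k * max(p["std"], 0.1 * p["mean"])
        if total > limit:
            alerts.append((src, hour, "volume", total))
        elif hour not in p["active_hours"] and total >= min_bytes:
            alerts.append((src, hour, "unusual-hour", total))
    return alerts

# Constructed sample: five working days of 20-24 MB per hour, 09:00-17:00.
HISTORY = [(day, hour, host, 20_000_000 + ((day * 7 + hour) % 5) * 1_000_000)
           for day in range(5) for hour in range(9, 18)
           for host in ("10.0.0.5", "10.0.0.9")]

# Constructed current window.
WINDOW = [
    (10, "10.0.0.5", 21_000_000),     # normal volume, normal hour
    (3, "10.0.0.5", 15_000_000),      # normal volume, but at 03:00
    (14, "10.0.0.9", 500_000_000),    # far above the learned volume
    (2, "10.0.0.77", 4_000_000),      # host never seen in the history
]

if __name__ == "__main__":
    for alert in score_window(build_baseline(HISTORY), WINDOW):
        print(alert)
```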
Unfortunately, there’s no way to completely prevent network security breaches, including from insider threats. So in addition to employing a range of prevention and detection tools and approaches such as those discussed above, you also need to ensure that you have comprehensive forensic capabilities so that if you do suffer an attack, you can quickly evaluate the extent of the compromise. You need to be able to answer the following questions:
Full-fidelity network flow analysis tools – in addition to helping you detect a data breach in progress – can also be invaluable in your post-breach investigations. They can provide a complete forensic history of the data-in-motion, showing you when data traveled and where it traveled to and from. Because flow data is compact but provides a great amount of detail, it’s a powerful tool for quickly answering the key questions about what happened during an insider attack.
The hard truth is that organizations can’t afford to trust their “trusted” insiders. The insider threat risk is too big and the stakes are simply too high. Every organization has sensitive and confidential data it needs to protect, which means that every organization needs to have a security infrastructure in place to protect against insider threats, detect when a breach has occurred, and investigate to determine what happened, when, and for how long.
FlowTraq monitors network flow traffic in real time and immediately detects unusual behavior and deviations from “normal” patterns that indicate insider threats and other unwanted behavior on the network so you can act fast. FlowTraq detects and alerts on insider threats, so you can begin mitigation immediately. In addition to helping you defend against insider threats and data exfiltration, FlowTraq can detect a wide range of other undesirable behavior in the network, including DDoS and brute-force attacks, scanning, and more.
Distributed denial-of-service attacks are a big problem for organizations of all sizes. But not all DDoS attacks are the same. Understanding the different types of DDoS attacks is important for performing effective mitigation. This article focuses on Smurf – and related Fraggle – attacks, which are one technique hackers have in their arsenal to target companies.
With a Smurf attack, perpetrators broadcast large numbers of spoofed Internet control message protocol (ICMP) packets to a computer network using an IP broadcast address. A Fraggle attack uses spoofed user datagram protocol (UDP) traffic rather than ICMP traffic.
1. A successful Smurf or Fraggle attack can cripple your servers for hours, or even days.
The risks of any DDoS attack are well understood, but they can be devastating to a business. If a Smurf or Fraggle DDoS attack does succeed, it can take your company servers down for a significant period of time – hours or even days. This interruption to business can result in lost revenue, frustrating customers and harming your business’ reputation.
2. A Smurf or Fraggle attack could be a cover-up for something much worse.
There are many reasons perpetrators target systems. In some cases, denial of service may be the end goal. But this kind of attack can also be used to cover up other, more nefarious activities, such as theft of toxic data. If you get hit by a Smurf or Fraggle attack, you want to detect and stop it immediately, but you also want to look for evidence of any other unwanted behavior on the network.
3. Users could download a Smurf or Fraggle Trojan.
Users could inadvertently download a Smurf or Fraggle Trojan from an unverified website or an infected email link. Preventing your systems from communicating with systems on a blacklist can help eliminate one point of entry for attackers.
4. There are two types of Smurf and Fraggle victims.
In addition to the network targeted by the traffic surge, attackers find helper or intermediary networks to exploit to generate the ICMP or UDP traffic. So, not only do you want to avoid being targeted by the DDoS attack, you also want to avoid having your network used as an amplifier. Configure your routers to disallow IP-directed broadcast transmissions.
5. Tracking down a perpetrator requires a detailed forensic investigation.
If you do get hit by a Smurf or Fraggle attack, once you’ve mitigated the immediate problem, you need to decide whether you’re going to involve law enforcement, which will require that you preserve all digital evidence.
6. FlowTraq can help.
There are a number of things that you can do to identify and stop a Smurf or Fraggle attack. You can block directed broadcast traffic coming onto the network, and you can configure hosts and routers to not respond to ICMP or UDP echo requests.
But you want to make sure that all your security bases are covered. FlowTraq excels at identifying reconnaissance, which can help prevent an attack from happening. But even if you do get hit by a Smurf or Fraggle attack, FlowTraq can detect it within seconds, before there’s irreparable harm to availability – and your organization’s business and reputation. And FlowTraq provides you with critical detail so that you can perform a complete forensic analysis, whether you plan to involve law enforcement or just want to determine exactly what happened and when.
Protect yourself against Smurf, Fraggle, and other DDoS attacks – along with a range of other security threats – with FlowTraq.
Before you can understand how SYN flood attacks work, you need to understand how a normal TCP connection three-way handshake works. A server has to establish a passive (half-open) connection to a port for a client to be able to connect to it, and does so via a three-way handshake.
Step 1: SYN. The client sends a SYN packet to the server to create an active open.
Step 2: SYN-ACK. The server acknowledges with a SYN-ACK.
Step 3: ACK. The client responds with an ACK.
A full connection between the client and server is now established. Under normal conditions, if the server rejects the connection, it sends an RST packet to terminate the connection, making it available for new requests.
SYN floods are protocol attacks that exploit a weakness in the three-way handshake. Most operating systems have a relatively low limit on the number of half-open connections available at any given time – and if that limit is exceeded, the server stops responding to new connection requests until the half-open connections time out. The attacker never sends the final ACK, so the server waits, binding resources, and an RST is never sent to terminate the connection. While the connection will time out at some point, the attacker continues to send SYN requests, consuming the server’s resources and preventing legitimate clients from connecting.
In recent years, attackers have evolved their SYN flood methods. A combo SYN flood uses two types of SYN packets. Regular SYN packets are used to consume server resources. At the same time, large SYN packets (above 250 bytes) saturate the network, adding a volumetric aspect to a SYN flood attack.
The three-way handshake provides information that hackers can exploit. When they receive the SYN-ACK, they know exactly which ports are half-open. SYN scanning is the process of sending SYN requests to look for these half-open ports for reconnaissance purposes, giving options for which attacks to try next.
Despite the fact that SYN flood attacks have been around for two decades – and even combo SYN floods have been around for several years – they are still a huge problem. Kaspersky’s Botnet DDoS Attacks in Q3 2015 report found that SYN floods were the most popular DDoS attack method in Q3 of 2015, accounting for more than half of all DDoS attacks. And SYN floods can be massive. According to Akamai’s State of the Internet / Security Q3 2015 report, the largest “mega attack” it mitigated was a SYN flood that peaked at 222 Mpps – that’s 222 million packets per second!
Because SYN packets are so common on any network, it can be difficult to distinguish malicious requests from legitimate traffic. Here are some common approaches for detecting SYN flood attacks.
Time-outs: You could decrease the length of time a system waits for a SYN-ACK before timing out the connection. This could, however, potentially prevent some legitimate traffic from connecting. And this counter-measure is easily overcome by simply increasing the barrage of SYN packets to the server.
Filtering: You can use built-in features in firewalls and other devices to block or minimize malicious SYN requests. For example, a firewall can help protect against a simple attack that uses a small number of unusual IP addresses with a rule to drop incoming traffic from those sources. This approach won’t, however, be effective against a sophisticated attacker with the ability to use a large group of compromised hosts or spoofed sources.
Proxies: If a certain threshold is exceeded, connection establishment procedures are offloaded to another system that screens connection attempts until they are completed and then proxies them back to the server (or until they time out).
SYN cookies: A SYN cookie is a stateless proxy mechanism that is enabled when the threshold is exceeded. At that point, it replies to incoming SYN packets with a SYN-ACK that contains an encrypted cookie and drops the original SYN packet. If it receives an appropriate response, it will enable the connection to be established on the server. If, however, there is no response to the packet containing the cookie, it’s noted as an active SYN flood attack and stopped. There is, however, a limitation in the amount of data that can be encoded, so some of the data (such as timestamps) is discarded. There could also be issues if the final ACK packet is lost: the initiator will think the connection has been successfully established, but the server is never notified.
IPS: Standard intrusion prevention systems (IPS) can detect SYN flood attacks and trigger automated mitigation processes. But this can be an expensive option and require sensors to be deployed throughout the network.
Network flow analysis: Network flow data – NetFlow, Jflow, sFlow, Cflow and IPFIX – contains valuable information about traffic traversing the network, such as IP addresses, port and protocol, exporting device, timestamps, VLAN and TCP flags, etc. Solutions that analyze this data can quickly detect a high volume of incoming SYN requests, including combo SYN floods, and immediately trigger mitigation.
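Detection of SYN floods and combo SYN floods from flow records, as an added example that is not part of the original article and is not FlowTraq's code. It relies on the TCP flags field of a flow record being the OR of all flags seen in that direction, and uses the 250-byte figure from the combo SYN flood description above. The record field names, thresholds and sample flows are assumptions constructed for illustration.

```python
from collections import defaultdict

SYN, ACK = 0x02, 0x10          # TCP flag bits as exported in flow records
TCP = 6                        # IP protocol number

def detect_syn_floods(flows, min_syn_only=100, min_ratio=0.8, large_syn=250):
    """Group client-to-server flows by target and flag SYN-only surges.

    A client flow that completed the handshake shows SYN and ACK in its
    cumulative flags; one that was never completed shows SYN alone.
    """
    stats = defaultdict(lambda: {"total": 0, "syn_only": 0, "large": 0,
                                 "sources": set()})
    for f in flows:
        if f["proto"] != TCP:
            continue
        s = stats[(f["dst"], f["dport"])]
        s["total"] += 1
        if f["flags"] & SYN and not f["flags"] & ACK:
            s["syn_only"] += 1
            s["sources"].add(f["src"])
            # Average packet size above the limit marks the volumetric part
            # of a combo SYN flood.
            if f["bytes"] / max(f["packets"], 1) > large_syn:
                s["large"] += 1
    findings = []
    for target, s in sorted(stats.items()):
        ratio = s["syn_only"] / s["total"]
        if s["syn_only"] >= min_syn_only and ratio >= min_ratio:
            findings.append({
                "target": target,
                "kind": "combo-syn-flood" if s["large"] else "syn-flood",
                "syn_only": s["syn_only"],
                "large_syn": s["large"],
                "ratio": round(ratio, 2),
                "sources": len(s["sources"]),
            })
    return findings

def sample_flows():
    """Constructed flow records using documentation address ranges."""
    flows = []
    for i in range(20):        # completed HTTPS sessions (FIN|SYN|PSH|ACK)
        flows.append({"src": f"192.0.2.{i + 100}", "dst": "203.0.113.10",
                      "dport": 443, "proto": TCP, "flags": 0x1B,
                      "packets": 12, "bytes": 4800})
    for i in range(10):        # completed HTTP sessions on the flooded port
        flows.append({"src": f"192.0.2.{i + 10}", "dst": "203.0.113.10",
                      "dport": 80, "proto": TCP, "flags": 0x1B,
                      "packets": 10, "bytes": 3000})
    for i in range(300):       # SYN-only flows, every sixth one oversized
        flows.append({"src": f"198.51.100.{i % 254 + 1}", "dst": "203.0.113.10",
                      "dport": 80, "proto": TCP, "flags": SYN,
                      "packets": 1, "bytes": 1000 if i % 6 == 0 else 40})
    for i in range(5):         # a handful of unanswered SYNs: below threshold
        flows.append({"src": f"192.0.2.{i + 200}", "dst": "203.0.113.20",
                      "dport": 22, "proto": TCP, "flags": SYN,
                      "packets": 1, "bytes": 40})
    return flows

if __name__ == "__main__":
    for finding in detect_syn_floods(sample_flows()):
        print(finding)
```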
FlowTraq monitors network flow traffic in real time and immediately detects deviations that indicate network reconnaissance, DDoS attacks, and other unwanted behavior on the network so you can act fast. FlowTraq detects a large range of DDoS attacks, including SYN flood and combo SYN flood attacks, within seconds and can automatically trigger mitigations to leading DDoS scrubbers (including A10 TPS, Verisign and others) or black hole routes. In addition to helping you defend against DDoS attacks, FlowTraq can detect a wide range of other undesirable behavior in the network, including scanning, data exfiltration, insider threats, and more.
Try FlowTraq for yourself free for 14 days or schedule a demo today.
Using FlowTraq’s configurable tools, keep blacklisted sites from accessing your computer network.
Your computer network blacklist is there for a reason, designed to prevent connections from sites known for nefarious activity. Yet, without the tools to constantly monitor attempts to connect to a blacklisted site, your defenses are not as strong as they should be.
For years, blacklists have been a vital tool for protecting computer networks at various points of entry: hosts, email servers, domain name system (DNS) servers, web proxies, directory servers, firewalls and authentication gateways for various applications. In doing so, blacklists provide a potent defense against hackers looking to infiltrate by whatever means is most vulnerable.
With FlowTraq’s network detection tools, you can be confident that not only will communications with blacklists be detected immediately, but also that alerts are issued to allow staff to address any issues in real time.
At the heart of FlowTraq is a blacklist detector. This configurable detector examines every incoming network session. Each and every session is checked against the list of IP addresses on the blacklist. The detector also identifies classless inter-domain routing (CIDR) blocks, which are essentially blocks of IP addresses bundled together.
Once an address or a block on the blacklist is detected, an alert is automatically created.
Managing the blacklist
Companies frequently use multiple sources for the development and updating of blacklist entries. With FlowTraq, end-users have full control of the blacklist composition.
The detector can link to a URL listing of blacklisted IP addresses. The URL is, by default, updated automatically every 24 hours, although the detector can be configured to update in six or one-hour increments. Alternately, the blacklist can be uploaded to the detector via a static text file.
FlowTraq provides a curated blacklist as part of its services. In addition, the blacklist detector can be configured to use lists from one of many free or paid IP reputation third parties.
When an alert is initiated, it contains a time stamp, both parties involved in the communication and which party initiated the contact.
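How a session check against a list of single addresses and CIDR blocks can work, as an added example that is not part of the original article and is not FlowTraq's code. It loads a static text list, skips malformed entries, and emits an alert carrying the time stamp, both parties and which party initiated the contact. The list format, the session fields and all addresses are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample list (documentation address ranges only).
BLACKLIST_TEXT = """\
# one entry per line: a single address or a CIDR block
203.0.113.7
198.51.100.0/24
2001:db8:bad::/48
not-an-ip     # malformed entry, must not break the load
"""

def load_blacklist(text):
    """Parse the list; return (networks, rejected) without failing on bad lines."""
    nets, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            # A bare address becomes a /32 (or /128) network.
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            rejected.append((lineno, entry))
    return nets, rejected

def match(addr, nets):
    """Return the most specific blacklist entry containing addr, or None."""
    ip = ipaddress.ip_address(addr)
    hits = [n for n in nets if n.version == ip.version and ip in n]
    return max(hits, key=lambda n: n.prefixlen) if hits else None

def check_sessions(sessions, nets):
    """Check both parties of every session and build one alert per hit."""
    alerts = []
    for s in sessions:
        for role in ("initiator", "responder"):
            hit = match(s[role], nets)
            if hit is not None:
                alerts.append({
                    "time": s["ts"],
                    "initiator": s["initiator"],
                    "responder": s["responder"],
                    "blacklisted_party": role,
                    "matched_entry": str(hit),
                })
    return alerts

# Constructed sessions; time stamps are illustrative.
SESSIONS = [
    {"ts": "2016-01-12T03:14:07Z", "initiator": "10.1.2.3",
     "responder": "198.51.100.44"},     # internal host contacts a listed block
    {"ts": "2016-01-12T03:15:30Z", "initiator": "203.0.113.7",
     "responder": "10.1.2.80"},         # listed address connects inbound
    {"ts": "2016-01-12T03:16:02Z", "initiator": "10.1.2.3",
     "responder": "192.0.2.55"},        # neither party listed
    {"ts": "2016-01-12T03:17:45Z", "initiator": "2001:db8:1::9",
     "responder": "2001:db8:bad:1::5"}, # IPv6 block match
]

if __name__ == "__main__":
    networks, bad = load_blacklist(BLACKLIST_TEXT)
    print("rejected entries:", bad)
    for alert in check_sessions(SESSIONS, networks):
        print(alert)
```

An alert where the blacklisted party is the responder means an internal host reached out to a listed address, which is usually the more urgent of the two cases.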
Protecting command and control
Preventing intrusions from blacklisted sites is one critical way to protect from command and control takeovers. FlowTraq offers a comprehensive Network Behavior Intelligence Toolkit. This suite consists of multiple configurable detectors designed to keep hackers out and data safe.
The detectors look for any unusual, malicious or otherwise aberrant network activity. The tools study network activity using machine algorithms that learn normal behaviors, allowing for faster pinpointing of anomalous actions.
With so many access points to a computer network, it’s important to protect against unwanted command and control intrusions.
The system helps detect botnets trying to enter the network via viruses, spyware or spam. Even if these bots remain dormant for long time periods, as soon as they are activated, any network activity is detected immediately. Despite a low activity volume, the FlowTraq toolkit is designed to identify these threats quickly, vastly reducing the risk of lost data and sensitive information.
FlowTraq’s comprehensive tools protect against a range of threats to a network system. With FlowTraq your system is secure against distributed denial of service (DDoS) and brute force attacks, worms, data breaches and data exfiltration. In addition, FlowTraq offers robust, forensic abilities that allow users to reconstruct past attacks.
To learn how FlowTraq uses blacklists to protect your network, request a free trial today.
NetFlow is data generated by network devices – routers, switches, firewalls, etc. – that contains information about the data that’s moving through the network. The term NetFlow is often used generally to refer to this type of information, but “NetFlow” is actually proprietary to Cisco. Other vendors have their own versions, such as J-Flow from Juniper, and sFlow. There are also different versions of NetFlow. The most commonly used are v5 and v9 (which includes some additional information not available in v5). IPFIX, which is also known as NetFlow v10, was created by the IETF as a common standard. This article discusses NetFlow in general and is relevant to most types of network flow data.
NetFlow is metadata – it’s data about the data traversing the network. Even though NetFlow doesn’t contain information about the contents of the data, it does provide extremely valuable insight about what’s going on in your network, including (but not limited to):
| NetFlow data | What it tells you |
|---|---|
| Source IP address | Who is sending the traffic |
| Destination IP address | Who is receiving the traffic |
| Ports | The application utilizing the traffic |
| Class of service | Priority of the traffic |
| Device interface | How the traffic moves through your network |
| Tallied packets and bytes | The amount of traffic |
| TCP flags | Connection states |
| Packet timestamps | The exact time the traffic traversed the network |
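The fields in the table above as they are laid out in a NetFlow v5 export datagram, shown as an added example that is not part of the original article and is not FlowTraq's code. The parser validates the header, decodes each 48-byte record and converts the device-uptime timestamps into absolute times. The function names and the sample datagram are constructed for illustration.

```python
import socket
import struct

HEADER = struct.Struct("!HHIIIIBBH")                  # 24-byte v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHxBBBHHBBxx")   # 48-byte v5 flow record
FLAGS = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
         (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG"))

def parse_netflow_v5(datagram):
    """Return (flow_sequence, [flow dicts]) or raise ValueError on bad input."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, uptime_ms, secs, nsecs, sequence, _, _, _ = \
        HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field is {version})")
    # A v5 datagram carries 1 to 30 records; the length must agree with count.
    if not 1 <= count <= 30 or len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("record count does not match datagram length")
    exported = secs + nsecs / 1e9
    flows = []
    for i in range(count):
        (src, dst, _nexthop, in_if, out_if, packets, octets, first, last,
         sport, dport, flags, proto, tos, _src_as, _dst_as, _smask, _dmask) = \
            RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({
            "src": socket.inet_ntoa(src),          # who is sending
            "dst": socket.inet_ntoa(dst),          # who is receiving
            "sport": sport, "dport": dport,        # application
            "proto": proto,
            "tos": tos,                            # class of service
            "in_if": in_if, "out_if": out_if,      # device interfaces
            "packets": packets, "bytes": octets,   # amount of traffic
            "tcp_flags": [name for bit, name in FLAGS if flags & bit],
            # first/last are milliseconds of device uptime; anchor them to
            # the export time stamp in the header.
            "start": exported - (uptime_ms - first) / 1000.0,
            "end": exported - (uptime_ms - last) / 1000.0,
        })
    return sequence, flows

def sample_datagram():
    """Constructed v5 datagram with two records (documentation addresses)."""
    header = HEADER.pack(5, 2, 600_000, 1_452_568_447, 0, 42, 0, 0, 0)
    completed = RECORD.pack(
        socket.inet_aton("10.1.2.3"), socket.inet_aton("203.0.113.10"),
        socket.inet_aton("0.0.0.0"), 1, 2, 12, 4800, 590_000, 599_000,
        51514, 443, 0x1B, 6, 0, 0, 0, 24, 24)
    syn_only = RECORD.pack(
        socket.inet_aton("198.51.100.7"), socket.inet_aton("10.1.2.80"),
        socket.inet_aton("0.0.0.0"), 2, 1, 1, 40, 599_500, 599_500,
        40000, 80, 0x02, 6, 0, 0, 0, 24, 24)
    return header + completed + syn_only

if __name__ == "__main__":
    seq, records = parse_netflow_v5(sample_datagram())
    print("flow sequence:", seq)
    for r in records:
        print(r)
```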
In short, NetFlow helps you understand who, what, where, when, and how network traffic is moving through the network. But in order to take advantage of this insight, you need to do two things:
NetFlow was originally developed to help network admins get a better handle on what their network traffic looks like. Because NetFlow is extremely valuable for monitoring what’s going on in the network and alerting when something undesirable happens, network operations teams often use NetFlow to identify performance issues. But NetFlow is also a valuable weapon in any information security professional’s arsenal.
Network security is a nearly impossible job nowadays, with the constant evolution of threats that come from a wide range of sources. There are almost as many point solutions available as there are types of potential vulnerabilities. The problem is that even if you have the budget and manpower to deploy every kind of security point solution available, you still wouldn’t be completely protected. That’s because those tools help protect you against known threats. There is no silver bullet, and there never will be, but leveraging NetFlow for information security can help you protect against unknown threats. This means you don’t have to be on the lookout for a specific threat (which requires that you understand its attributes in all potential permutations). Instead you can characterize normal operational network traffic patterns – and then quickly detect out-of-character patterns that could represent a security breach, even for unknown vectors and techniques. This could include incomplete TCP handshakes, multiple failed login attempts, unexpected connections, unusual volumes of data leaving the organization, traffic from known bad hosts/blacklisted systems, and much more.
Real-time monitoring helps you identify security problems quickly, before a significant amount of damage is done. But, that’s just the first step. NetFlow also provides infosec professionals with valuable forensic analysis capabilities.
A NetFlow collector consolidates flow data from across multiple devices and interfaces, which means that you don’t need to check individual logs. This not only vastly speeds your ability to find critical information about an incident, it also provides a consolidated and comprehensive view of network traffic. You get a complete timeline that shows you what happened before, during, and after an attack. And you can easily drill down to understand the most granular details, or drill up to see trends.
This fast but comprehensive visibility enables infosec professionals to react very quickly when there’s a security breach. But savvy organizations also use NetFlow’s analysis capabilities for proactive cyber hunting, which essentially seeks to identify more unknown threats – and make them known – before they hit and cause damage.
In either case, your ability to construct a timeline of what happened requires that you retain NetFlow data for the time period in question. Since flow data is compact, it’s an effective way to provide the detail you need while at the same time enabling you to keep the data going back in time for long enough to have full context.
As mentioned above, simply enabling NetFlow doesn’t deliver all of these monitoring and analysis benefits. You need a NetFlow collector that uses the data and provides you with an interface to perform required tasks. There are many NetFlow collectors available that range from limited-functionality freeware to enterprise-grade solutions. As you evaluate the options for your organization, keep the following questions in mind.
How many flow types and interfaces does the collector support? Some NetFlow collectors limit you in the number of interfaces supported. And if your organization has devices with different types of flow data (NetFlow, J-flow, IPFIX, sFlow, etc.) make sure the system you select supports them all so you get maximum visibility – and protection.
How easy is configuration and tuning? Look for a NetFlow collector with an easy-to-use interface that simplifies adjustments to tailor the system to your organization’s attributes and requirements.
Does it provide advanced alerting and reporting capabilities? Alerting is critical, but it’s only useful if you get the right alerts at the right time and in the way that supports your workflows.
Does it integrate with other solutions you’ve deployed? When your NetFlow collector integrates with mitigation and other security tools, you can streamline reaction times and improve security visibility and effectiveness across the board.
How long – and how completely – is flow data retained? Look for systems that offer a high-speed database architecture that enables full recall of all network flows. This will allow virtually unlimited traffic volumes to be analyzed.
Is multi-tenant support available? If you are an ISP, managed security provider, or other organization that requires you to support multiple separate customers or business units, make sure your NetFlow collector can handle multiple end users through a single instance.
Does the solution support clustering and load balancing? Scalability is always an important consideration, and you want to make sure that your NetFlow collector supports unlimited scalability with clustering and load balancing.
FlowTraq monitors network flow traffic in real time and immediately detects unusual behavior and deviations from “normal” patterns that indicate DDoS attacks, network scanning, insider threats and other unwanted behavior on the network so you can act fast. And after an attack, FlowTraq provides complete digital evidence to understand what happened, how long it was happening, and what other systems may have been affected.
The domain name system (DNS) is what translates memorable website names, like flowtraq.com, into IP addresses. When someone types a website address into a browser, the ISP “looks up” that address to find the corresponding IP address and directs the user to that site. A DNS server can also query other DNS servers on behalf of the requesting client and then send an answer back to the client – this is known as recursion.
DNS amplification attacks combine amplification (using techniques to increase the size of packets being sent to the victim network) with reflection (using a third party as an intermediary in the attack).
DNS amplification attacks are similar to Smurf and Fraggle attacks in that they send a query from a spoofed IP via a protocol (such as ICMP or UDP) that doesn’t require a three-way handshake, and in that the response to the query is larger than the query itself.
DNS amplification attacks (also sometimes called DNS reflection attacks) take advantage of publicly accessible open DNS servers to overwhelm a victim’s system with DNS response traffic. The attacker sends a large number of look-up requests via a botnet to a vulnerable DNS server using the spoofed IP address of the target victim. The victim’s network is then bombarded with unrequested DNS query responses, which consumes network resources and CPU time on the target machines.
DNS relies on the UDP protocol, which means there’s no verification that the source IP address is, in fact, the sender/requestor.
Attackers use a variety of amplification techniques to inflate the size of the UDP packets to make the attack big enough to bring down even the most robust infrastructures.
EDNS0 – Per the original DNS protocol, a 64-byte DNS query would return a UDP response no larger than 512 bytes, a potential increase of 8X. EDNS0 is a protocol extension that permits the transfer of packets larger than 512 bytes, up to 4096 bytes, increasing the potential potency of an attack by enabling perpetrators to achieve a 50X to 60X increase in traffic volume without requiring a proportional increase in bandwidth or requesting systems on their end.
ANY query – Additionally, perpetrators can use the ANY query which returns all known information about a DNS zone within a single request, thus maximizing the size of the responses sent to the victim.
Many organizations running DNS servers leave them open and willing to respond to any IP address that queries them, and DNS amplification attacks take advantage of DNS servers that support open recursive relay. There are plenty of tools available that help hackers identify DNS servers with open resolvers, and there are millions of them on the internet at any given time. It’s important to note that these servers aren’t compromised; they are functioning as intended, but attackers are exploiting this functionality for malicious purposes.
The DDoS amplification technique has been linked to DDoS-for-hire services, which means that perpetrators don’t need the requisite knowledge or resources to be able to attack a victim.
Despite the fact that this approach has been around for a long time, the number of DNS amplification attacks is increasing. It has been reported that there was a 200% increase in DNS amplification attacks between 2012 and early 2015.
DNS amplification attacks can be very large (measured in gigabits per second, or Gbps) and can be big enough to cripple even a large hosting organization.
According to Akamai’s Security Bulletin: DNSSEC Amplification DDoS, there are a number of industries that are particularly vulnerable to DNS amplification attacks. Gaming is the biggest, accounting for over half (52%) of attacks. Financial services, media, high tech/consulting, and SaaS enablement companies also feel the heat. In fact, one of the larger DNS amplification attacks that Akamai mitigated targeted a financial services organization that was pummeled at peak with 45 Gbps of bandwidth and 5.2 million packets per second.
It’s hard to protect against this kind of attack as it comes from valid-looking servers with valid-looking traffic. For reflectors, there’s no way of knowing that the request is spoofed, and for victims, the traffic they are receiving is “legitimate” – it’s the original requests that initiated that traffic that were malicious.
Organizations that operate DNS servers have a responsibility to be good corporate citizens and prevent the use of those servers as intermediaries in an attack.
Victims of DNS amplification attacks will be overwhelmed by traffic from legitimate DNS servers. You need to be able to identify when a large number of DNS responses that you didn’t ask for are coming into the network. Keeping track of requests and responses can be difficult, but network flow analysis tools can help here as well to quickly – within seconds – detect a high volume of incoming DNS responses and immediately trigger mitigation.
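As an added example (not code from FlowTraq or from the original article), the check described above can be sketched over flow records: pair each inbound UDP source-port-53 flow with an earlier outbound query and alert when the unmatched remainder is large and comes from several servers at once. The record fields, address ranges, window and thresholds are all assumptions chosen for the illustration.

```python
import ipaddress
from collections import defaultdict, namedtuple

# One flow record as a NetFlow/IPFIX collector might expose it (field names are assumptions).
Flow = namedtuple("Flow", "ts src sport dst dport proto pkts bytes")

PROTECTED = ipaddress.ip_network("192.0.2.0/24")  # constructed: stands in for your own address space
WINDOW = 10            # seconds per detection bucket (assumption)
QUERY_TTL = 30         # seconds an outbound query can "explain" a response (assumption)
MIN_BYTES = 50_000     # unsolicited response bytes per bucket before alerting (assumption)
MIN_REFLECTORS = 3     # distinct DNS servers answering in the same bucket (assumption)


def is_ours(ip):
    return ipaddress.ip_address(ip) in PROTECTED


def detect_unsolicited_dns(flows):
    """Return one alert per (destination, time bucket) flooded with DNS
    responses that no outbound query from that destination accounts for."""
    asked = {}  # (client, client_port, server) -> time of the last outbound query
    buckets = defaultdict(lambda: {"bytes": 0, "pkts": 0, "servers": set()})

    for f in sorted(flows, key=lambda f: f.ts):
        if f.proto != 17:                                   # UDP only
            continue
        if f.dport == 53 and is_ours(f.src) and not is_ours(f.dst):
            asked[(f.src, f.sport, f.dst)] = f.ts           # our host asked a question
        elif f.sport == 53 and is_ours(f.dst) and not is_ours(f.src):
            t = asked.get((f.dst, f.dport, f.src))
            if t is not None and 0 <= f.ts - t <= QUERY_TTL:
                continue                                    # solicited answer, ignore
            b = buckets[(f.dst, f.ts // WINDOW * WINDOW)]
            b["bytes"] += f.bytes
            b["pkts"] += f.pkts
            b["servers"].add(f.src)

    alerts = []
    for key in sorted(buckets):
        target, start = key
        b = buckets[key]
        if b["bytes"] >= MIN_BYTES and len(b["servers"]) >= MIN_REFLECTORS:
            alerts.append({"target": target, "window_start": start,
                           "bytes": b["bytes"], "packets": b["pkts"],
                           "servers": len(b["servers"])})
    return alerts


# Constructed sample flows (documentation address ranges, not real traffic).
SAMPLE_FLOWS = [
    # A workstation resolves a name: query out, answer back. Solicited.
    Flow(100, "192.0.2.10", 40000, "198.51.100.53", 53, 17, 1, 64),
    Flow(100, "198.51.100.53", 53, "192.0.2.10", 40000, 17, 1, 180),
    # One stray late answer: unsolicited, but far below the alert threshold.
    Flow(110, "198.51.100.53", 53, "192.0.2.10", 40001, 17, 1, 180),
] + [
    # Five DNS servers send large answers to a host that never queried them.
    Flow(120 + i, f"203.0.113.{i + 1}", 53, "192.0.2.80", 30000 + i, 17, 10, 40960)
    for i in range(5)
]

if __name__ == "__main__":
    for alert in detect_unsolicited_dns(SAMPLE_FLOWS):
        print(alert)
```

Requiring several distinct answering servers as well as a byte threshold keeps a single misbehaving resolver or a late reply from raising the alert.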
FlowTraq monitors network flow traffic in real time and immediately detects deviations that indicate DDoS attacks, network reconnaissance, and other unwanted behavior on the network so you can act fast. FlowTraq detects a large range of DDoS attacks, including DNS amplification attacks, within seconds and can automatically trigger mitigations to leading DDoS scrubbers (including A10 TPS, Verisign and others) or black hole routes. In addition to helping you defend against DDoS attacks, FlowTraq can detect a wide range of other undesirable behavior in the network, including scanning, data exfiltration, insider threats, and more.
The network infrastructure you already have in place – firewalls, routers, switches, etc. – produces data about the traffic moving through your network. This network flow data is often used for network performance analysis, but it’s also a valuable resource for network security teams. In fact, if you aren’t leveraging the power of network flow data, your network defenses aren’t as strong as they could be.
In short, network flow data gives you real-time visibility into what’s happening inside the network and complements your perimeter devices and point solutions. Think of perimeter devices as your first line of defense – they’re going to prevent a large percentage of bad things from getting onto the network. But they will never be able to catch 100% of the bad things; it only takes one bad thing to wreak serious havoc and once it gets inside, those perimeter devices can’t help. Likewise, point solutions that address a very specific problem increase security, but they don’t provide broad-based protection.
So what does the internal network visibility you get from network flow analysis solutions mean for infosec professionals? Here are six ways network security teams should be using network flow analysis for maximum security.
Today, no company – no matter how big or how small, or how many security controls are in place – is immune from attack. And today’s information security professionals are savvy, but so are attackers and their techniques are growing increasingly sophisticated. It’s hard enough to keep up with known attacks, but you also need to protect against unknown threats – such as zero-day attacks and advanced persistent threats (APTs). Because of the very nature of these attacks, your other security systems might not be able to spot them. Another example of an unknown threat is exfiltration of toxic data. Data loss prevention (DLP) systems are point solutions that can identify when structured sensitive data – such as social security or credit card numbers – are leaving the enterprise. But not all sensitive data is structured, so you need a way to identify when any data is being improperly exfiltrated.
Unfortunately, not all the bad guys are “out there.” Some of them are among us – they could be trusted insiders with malicious intent or they could be outside guys masquerading as trusted insiders. Either way, they can be particularly difficult to spot. Because network flow analysis focuses on the who, what, where, and when of network traffic, it can identify suspicious activity, even when the users themselves look legitimate.
It’s important to be able to detect network threats and security breaches fast. But you also need to be able to respond quickly so that the time between detection and resolution is as short as possible. Network flow data is extremely valuable in helping identify what happened, when it happened, how long it happened for, and what other systems may have been affected. You want to ensure that your network flow analysis tool captures full-fidelity network flow data and offers a high-speed database architecture that enables you to retain flows long enough to stage a meaningful investigation.
Every organization has policies that are meant to ensure that employees and systems behave in an acceptable – and safe – manner. But just having a policy in place doesn’t mean it’s adhered to. Network flow analysis can detect and alert on policy violations – for example, when risky and/or unsanctioned applications or services are in use – whether they are deliberate or inadvertent. Malicious hackers will frequently leave backdoors to compromised systems that are very visible in flow data.
Network flow analysis tools can help organizations support regulatory compliance. In addition to providing security controls, they can help you quickly trace which systems and networks – internal or external – communicated with your critical data containers, and alert on large data movement or communication with known bad actors.
Network operations teams use network flow data to monitor network performance, to identify problems before they affect user experience or system functionality, and to help in capacity planning. When NetOps and SecOps teams both leverage this data, it improves collaboration, which can help resolve problems faster with less finger-pointing.
FlowTraq monitors and analyzes network flow traffic in real time to immediately detect unusual behavior and deviations from “normal” patterns that indicate a wide range of security problems, including DDoS and brute force attacks, scanning, insider threats, data exfiltration, and more. And after an attack, FlowTraq provides complete digital evidence to understand exactly what happened.
The latest release of FlowTraq offers a ton of new and upgraded features – including fast visualization of long-term trends, lightning-fast DDoS detection, and scalability that allows users to detect threats on a site-by-site basis, or give end customers a view into their own traffic data.
And then there’s our new policies and alerts functionality – the ultimate in detection capabilities with no performance impact concerns. What’s new?
For a real-world look at what’s new in policies and alerts, check out the use case below – and see how easy it was for our user to set up custom alerts to flag increases in the number of new connections on a specific traffic group or an exporter.
A policy for an alert on new connections can use a learned baseline, where FlowTraq is continually learning the hourly average – and can be set to graphically display by hour or day of the week.
This makes setting a threshold as a percent of the baseline more effective, as it follows your daily traffic patterns to the hour.
An example of this is setting a threshold of 120% of baseline for new connections, where if the number of new connections were to increase 20% over your learned average, an alert is triggered.
The policy page: for this example, we added “new connections, workstations,” which has 2.7 connections per second in the box
Multiple thresholds can be set, each with its own severity level and action. In this case:
The policy page provides an overview of all policies that can be set – and when they are added, users can see in the overview if the policy has been met and if the alert was triggered within the past hour. A red exclamation mark in the specific policy box indicates that a user’s threshold has been exceeded, while a green check box means that no alerts have been triggered in the past hour.
Policy detail: multiple thresholds
This provides powerful and easy customization to leverage NetFlow data to integrate into your operational workflow.
The alert within FlowTraq
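The learned-baseline policy described in this post, sketched as an added example (this is not FlowTraq's implementation): an average is kept per weekday-and-hour slot and each new reading is compared with its own slot as a percentage. The 120% level comes from the text; the second threshold, the severity names and the training numbers are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds as a fraction of the learned baseline, checked highest first.
# 1.20 is the 120% example from the text; the 2.00 level and both severity
# names are assumptions made for this example.
THRESHOLDS = [(2.00, "critical"), (1.20, "warning")]


class HourlyBaseline:
    """Running average of a metric for each (weekday, hour) slot."""

    def __init__(self):
        self._sum = defaultdict(float)
        self._n = defaultdict(int)

    @staticmethod
    def slot(ts):
        return (ts.weekday(), ts.hour)

    def learn(self, ts, value):
        self._sum[self.slot(ts)] += value
        self._n[self.slot(ts)] += 1

    def baseline(self, ts):
        n = self._n.get(self.slot(ts), 0)
        return self._sum[self.slot(ts)] / n if n else None


def evaluate(model, ts, value, thresholds=THRESHOLDS):
    """Return the most severe threshold crossed for this reading, or None."""
    base = model.baseline(ts)
    if not base:  # slot never observed (or always zero): nothing to compare against
        return None
    ratio = value / base
    for level, severity in thresholds:
        if ratio > level:
            return {"severity": severity, "percent_of_baseline": round(ratio * 100)}
    return None


# Constructed training data: new connections per second for a "workstations"
# group, sampled in two hourly slots over four consecutive weeks.
TRAIN_START = datetime(2015, 10, 5, 0, 0)   # a Monday
BUSY = [2.5, 2.7, 2.9, 2.7]                 # 09:00 slot, averages about 2.7/s
QUIET = [0.3, 0.3, 0.3, 0.3]                # 03:00 slot


def build_demo_model():
    model = HourlyBaseline()
    for week in range(4):
        day = TRAIN_START + timedelta(weeks=week)
        model.learn(day.replace(hour=9), BUSY[week])
        model.learn(day.replace(hour=3), QUIET[week])
    return model


# Timestamps in the week after training ends.
MON_0900 = TRAIN_START + timedelta(weeks=4, hours=9)
MON_0300 = TRAIN_START + timedelta(weeks=4, hours=3)
TUE_0900 = MON_0900 + timedelta(days=1)     # slot with no history yet

if __name__ == "__main__":
    m = build_demo_model()
    for ts, rate in [(MON_0900, 3.0), (MON_0900, 3.5), (MON_0300, 1.0), (TUE_0900, 9.0)]:
        print(ts, rate, evaluate(m, ts, rate))
```

The 03:00 reading of 1.0 connections per second is well under the busy-hour average, so a single fixed threshold sized for 09:00 would stay silent, while the per-hour baseline flags it at 333%.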
Security engineers loathe sales reps and their pitches. They prefer to “talk technical” and put a lot more faith in the “voice-of-the-fellow-NSOC-users,” than the “voice-of-the-frenzied-sales-rep-trying-to-make-end-of-quarter-sales-numbers.”
Funny thing is I was once a techie, doing software development and technical support at a defense contractor delivering 3D Graphics subsystems for flight simulators and other interesting applications. But I crossed over to the “dark side” a long time ago when I became a commissioned sales representative for that company. I’ve often said it was the pile of shrimp cocktails, beer and wine in the customer demo suite, not the money, that lured me.
Unfortunately for engineers like yourself, you’ve been subjected to an unpleasant and stereotypical sales experience, often compared to car sales. That stinks for me, the “ex-techie, now sales guy,” as I prefer to try to understand the problems a product can solve and the benefits it can offer, so I can convey those messages in a way that is believable for potential customers.
Quite simply, the best way to truly understand the value of a product is to listen carefully to existing users. Fortunately, this is something we often do at FlowTraq.
Recently we released a significant new upgrade, version Q32015. We can tell you a lot about the new features, but wouldn’t you rather hear what our users think?
Don’t take my word for it, here’s what we’ve heard from actual (paying) customers. They come from a mix of Fortune 500 organizations, government agencies, large universities, managed services and financial transaction companies.
“FlowTraq is an analysis tool weighed heavily towards network troubleshooting, security detection and mitigation. It provides reports and long term network traffic trends. The new QuickView feature quickly shows long term traffic trends.”
“FlowTraq makes it easy for us to create our own plug-in add-ons. Our plug-in writer can write a script for a unique action for any alerting function, such as automatically stopping a suspected data exfiltration. Custom plug-ins are easily added to our security policies page in FlowTraq.”
“FlowTraq’s inherent DDoS detection capabilities are surprisingly more advanced than I expected.”
“For security people who may have thought they need to spend millions of dollars on other solutions, FlowTraq is relatively inexpensive for grabbing flows. It is clusterable.”
“I brag to my network security friends how good FlowTraq is for flow analysis and peeling away layers of the security onion. In a sea of needles, it helps me identify which needles to look at.”
“I like FlowTraq better than the previous NetFlow analysis solution because I can define arbitrary queries on traffic data.”
“I need the analysis software to perform fast when we are under attack. Budget constraints sometimes limit us to deploying underpowered servers to handle high volume network traffic flows. FlowTraq is the fastest and most cost-effective NetFlow analysis tool we’ve used.”
“In the past, if I set 12 detectors that would put a load on the system. Now, with the new FlowTraq, it doesn’t add CPU load, and the extra workload put on the FlowTraq cluster is practically zero.”
“Say we notice that our southeastern data center traffic is slow and we want to know what’s going on. We use FlowTraq to look at traffic by flow export devices first. That’s a starting point, then we can take action from there.”
“The new QuickView feature in FlowTraq allows users to now have rapid traffic querying capabilities that previously were slow or impractical.”
“There are occasions when we are unsure if a server has been doing something naughty. So we use FlowTraq for forensics, to figure out, for example, if data packets coming out from a box are heading to an undesirable outside destination.”
Security breaches and hacks don’t happen in a vacuum. But it’s important to remember that behind every attack, there’s a human adversary. Whether it’s an insider, a script kiddie, a hacktivist, a foreign government, or a cyber criminal — there is intent. Computer security tools need to properly equip information security professionals to defend their networks.
Today’s networks are complex and handle ever-increasing volumes and sources of data, which creates a lot of noise and makes it very difficult to identify real threats. When you factor in the continuous innovation and increasing sophistication of attackers, yesterday’s security tools just don’t cut it — not even close. Even today’s state-of-the-art security technologies need to evolve to address changes and shifting requirements when it comes to data volumes, awareness, and insight.
According to a recent report by Cisco, “By 2016, global IP traffic will reach 1.1 zettabytes per year, or 88.4 exabytes (nearly one billion gigabytes) per month, and by 2019, global IP traffic will reach 2.0 zettabytes per year, or 168 exabytes per month.”(1)
Any security tool — any network tool, in fact — must be able to handle today’s data volumes. And tools that were developed in “the good old days” weren’t architected from the ground up to handle today-sized networks. This isn’t due to a misstep on their part — the big data technologies simply weren’t yet available. Unlike modern-day systems with multiple processors that allow you to scale based on increasing bandwidth needs, many older systems just can’t keep up — even if you buy more and more of them — and you have to make tradeoffs, such as sampling data. But you shouldn’t have to choose between speed and scalability.
The good news is that data isn’t just a challenge to be addressed; it has the potential to be an asset to be leveraged. With today’s volumes, it’s impossible to correlate and analyze all of the available data in any meaningful way using traditional reports. Machine learning, which can take vast quantities of data and use it to provide actionable insight, is being used today in industries like e-commerce, financial services, and technology to build business value. When applied to network security, this approach gives data the power to transform the way network security is managed.
Security tools are designed to deliver awareness about the security of the network. But there are varying types of awareness, and it’s important to understand the difference. Some security tools provide monitoring, which is the process of watching for specific conditions and fixing them when they occur. Monitoring is useful, but only if you know exactly what you should be looking for. Visibility, on the other hand, is about understanding what is happening on your network — having multiple vantage points from which you can observe what is happening now and learn from what has happened in the past. Visibility helps prepare you for dealing with the unknown.
Visibility is required to quickly identify “events,” which are anomalies in the data such as a failed login attempt or an IDS alert. But an individual event is only a signal, and it needs to be collected together with other related events that represent an incident, such as a series of failed login attempts from one source that could represent an attempted breach.
The nature of today’s threats demands real-time visibility into what’s happening on the network. And because time is of the essence when there’s a breach, you need to be able to identify incidents and drill down as far into the details as necessary so you can quickly assess the nature and scope of the problem and immediately begin to formulate a mitigation strategy.
Sometimes you need to go back in time to determine what happened, so forensic visibility is also important. Because you don’t know in advance how far back you may need to go, or what exact information you need to go back to, you need full historical data recall that goes back far enough to stage a meaningful incident response and forensic investigation.
Today, the process of turning individual events into an incident is often manual. As data volumes continue to grow, the number of events will also increase, and the manual effort of identifying incidents that require attention becomes unmanageable. The next phase of evolution is going to shift to a model where tools don’t just identify anomalies and patterns or behaviors of interest, but go a step further to draw conclusions about what they mean and what next steps are required.
This isn’t about adding more data feeds, but about doing more with the data we already have.
It’s not about creating a better dashboard, but about gaining a better understanding of what’s happening on the network. It’s not about providing more reports, but about making the security professional’s job easier. To do this, the security tool will tell you what’s going on that you need to be aware of, why it’s important, and what steps to take next.
For example, the system could send you a daily email that provides analysis — such as network traffic to China was up 48% yesterday, or there are 500 new clients connected to your network which is down 30% from last week — so you have insights that help you prioritize how to focus your time. And the system would not only alert you on issues, but also provide details about what it means, links to resources to help you understand the situation, and suggested actions that need to happen next.
This level of conclusion-based insights will transform security operations and deliver benefits to a number of different groups.
Many large enterprises have teams of high-caliber — and expensive — security experts that today spend a lot of time gathering and weeding through “data.” When supported by a tool that delivers actionable insight, these skilled professionals can focus instead on applying their expertise to solving problems and executing on higher-value activities.
Many mid-sized organizations don’t have the budget to hire dedicated security pros, but still face the same security risks. Tools that deliver conclusion-based insights provide these organizations with an additional level of “expertise” to help them improve their security posture and empower their IT generalists.
Service providers are responsible for the security of the data and systems of hundreds — and even thousands — of end customers. A conclusion-based approach facilitates their ability to secure and manage all of their users and still provide individual customer-level visibility and customized configurations.
This evolution of network security capabilities isn’t a matter of if, but when. Vendors have a responsibility to advance their solutions to enable organizations to continuously defend their current-state networks against current-state threats. And those organizations have a responsibility to their own customers, employees, shareholders, and other parties to invest in tools that will protect them today and over time. Some of the capabilities described above are available today — organizations that aren’t using them are ripe for being compromised (and it’s happening much too frequently) — while others are still in the “vision” stage. It’s important to ensure that you invest in security providers that have a roadmap designed to turn that vision into your security reality.
(1) Cisco, The Zettabyte Era — Trends and Analysis, May 2015
FlowTraq provides visibility to help network security professionals do their jobs better and faster. Try it for yourself – request a free 14-day trial.