Cyberspace is like the Wild West — it’s a vast frontier and there’s a lot of lawlessness out there. Your organization has staked a claim on its corner, building a valuable infrastructure for your business, and you’ve got to protect it from outlaws who can do harm. But not all outlaws are the same. In the Old West there were gunslingers and cattle thieves and train robbers — so who are the outlaws that could be jeopardizing the security of your network and business data and assets? Here are three very different types of outlaws you want to keep off your enterprise network.
Script kiddies are “drive-by shooters” — they’ll attack any network indiscriminately. They tend to focus on the hacking techniques and exploits themselves rather than on the targets. They can wreak havoc by gaining access to network systems and assets, and even defacing them. But even if they happen to gain access to highly sensitive systems or data, they may not even know what “loot” they stumbled on and typically won’t take advantage of that access. While script kiddies pose a real threat and can cause a significant amount of damage in the form of lost productivity and damaged reputation, they are just a nuisance compared to the other types of outlaws.
The APT (advanced persistent threat), on the other hand, targets specific organizations for very specific — and nefarious — purposes using sophisticated techniques. Unlike the script kiddie, this outlaw is actively seeking to penetrate your most sensitive systems and data with the intent of doing harm. The APT is going to be stealthy, being very careful about not getting detected, taking the time to observe your environment and then making calculated strategic moves to break in.
Not all threats come from the outside. Someone who is already inside the network — who you trust — could be exfiltrating data because they are disgruntled, are being paid, or are even being blackmailed. Malicious insiders have legitimate access to enterprise systems and data, so they can be difficult to detect from a network perspective.
There are many reasons why hackers want to infiltrate your network, but they all tend to fall into one of the following four categories: ego, monetary gain, ideology, and coercion. Script kiddies are often in it for ego and monetary gain. The APT is likely driven by ideology and monetary gain. And the malicious insider could be acting on ideology or coercion.
There are lots of tools that network security professionals use to keep the network and its applications and data secure: firewalls, endpoint protection, intrusion detection/prevention systems, data loss prevention systems, etc. These are all important components of a sound enterprise network security strategy. But outlaws are smart: they know how these solutions work, and they are constantly looking for ways around them. In the process of trying to skirt network security systems, however, they create trails that can be spotted, if you know what to look for and have the right tools in place.
Once you’ve spotted evidence that an outlaw of any kind may be infiltrating — or attempting to breach — the network, you need to get him out fast. To do that, you need detailed information about their activities. With full-fidelity flow analysis on complete flow data that’s retained over time, you have that detail with specifics about all the connections the outlaw made. This enables you to search for similar connections and strategically determine how to shut him down completely. Here are some tips to help you do just that.
Host scans (where one source contacts many hosts in rapid succession) and port scans (where one source tries a large number of ports on a single host in succession), as well as combinations of the two, are very common outlaw tactics. A simple scan detector can be built with a fixed threshold on fan-out; but for best protection, use a tool that learns what normal behavior looks like and distinguishes it from scanning, which reduces false positives. To do this, set up the scan detector to monitor traffic over time and build a statistical baseline. The best scan detectors take the day of the week into account (so they are more sensitive on days when traffic is usually lower, such as the weekend) and can exclude very short sessions, such as DNS traffic or incomplete connections, from the count. A scan detector is useful both as a defensive measure and for compliance: it detects scans against the monitored network, and it also reveals scanning that originates from your own hosts, helping ensure that your network is not a source of trouble for others.
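The following script shows how the pieces described above fit together: per-source fan-out counting, a baseline that is computed separately for each day of the week, and an exclusion rule for short DNS sessions. It is an added example written for this page, not FlowTraq code, and every flow record and history value in it is constructed. One practitioner's caveat is built in: incomplete connections could be excluded with the same hook, but a scanner's SYN-only probes are exactly such connections, so this example excludes DNS only.

```python
"""Scan detector with a day-of-week baseline and a short-session exclusion rule.
Added example, not FlowTraq code; the flow records and history are constructed."""
from collections import defaultdict
from datetime import date, timedelta
import statistics

# Flow record: (src, dst, proto, dport, packets). Timestamps are left out; the
# caller says which calendar day the analysis window belongs to.

def is_dns(flow):
    """Exclusion rule for very short sessions. Resolvers fan out to many DNS
    servers by design, so counting those sessions produces false host scans.
    Single-packet TCP flows could be excluded the same way, but that would hide
    SYN scans, so this example excludes DNS only."""
    _, _, proto, dport, _ = flow
    return proto == "udp" and dport == 53

def fan_out(flows, exclude=is_dns):
    """Per source: distinct destination hosts contacted (host-scan signal) and
    the largest number of distinct ports tried on any one destination
    (port-scan signal)."""
    hosts = defaultdict(set)
    ports = defaultdict(lambda: defaultdict(set))
    for flow in flows:
        if exclude(flow):
            continue
        src, dst, _, dport, _ = flow
        hosts[src].add(dst)
        ports[src][dst].add(dport)
    return {src: (len(hosts[src]), max(len(p) for p in ports[src].values()))
            for src in hosts}

def weekday_thresholds(history, k=3.0, min_stdev=1.0):
    """history: (date, max_hosts, max_ports) observed per day in normal traffic.
    Threshold = mean + k*stdev, computed separately for each weekday, so the
    quieter weekend days get a lower bar. A floor on stdev keeps a
    zero-variance baseline from firing on every small deviation."""
    by_wd = defaultdict(list)
    for d, h, p in history:
        by_wd[d.weekday()].append((h, p))
    thr = {}
    for wd, obs in by_wd.items():
        h = [o[0] for o in obs]
        p = [o[1] for o in obs]
        thr[wd] = (statistics.mean(h) + k * max(statistics.pstdev(h), min_stdev),
                   statistics.mean(p) + k * max(statistics.pstdev(p), min_stdev))
    return thr

def detect_scans(flows, day, thresholds, exclude=is_dns):
    """Return (src, kind, count) for every source whose fan-out exceeds the
    threshold that applies to the weekday of `day`."""
    host_thr, port_thr = thresholds[day.weekday()]
    alerts = []
    for src, (n_hosts, n_ports) in fan_out(flows, exclude).items():
        if n_hosts > host_thr:
            alerts.append((src, "host scan", n_hosts))
        if n_ports > port_thr:
            alerts.append((src, "port scan", n_ports))
    return alerts

# --- Constructed data (not real traffic) -------------------------------------
HISTORY = []
_start = date(2024, 2, 5)  # a Monday; four weeks of "normal" daily maxima
for n in range(28):
    d = _start + timedelta(days=n)
    if d.weekday() < 5:
        HISTORY.append((d, 12 + n % 3, 3 + n % 2))   # weekday: 12-14 hosts, 3-4 ports
    else:
        HISTORY.append((d, 4 + n % 2, 2))            # weekend: 4-5 hosts, 2 ports

FLOWS = (
    # 10.0.0.5 probes TCP/445 on 40 hosts with single SYNs: a host scan
    [("10.0.0.5", f"10.0.1.{i}", "tcp", 445, 1) for i in range(1, 41)]
    # 10.0.0.7 tries 30 ports on one server: a port scan
    + [("10.0.0.7", "10.0.2.10", "tcp", 1000 + i, 1) for i in range(30)]
    # 10.0.0.9 is a resolver querying 50 upstream DNS servers: benign fan-out
    + [("10.0.0.9", f"198.51.100.{i}", "udp", 53, 2) for i in range(1, 51)]
    # 10.0.0.11 talks to three servers on their usual ports
    + [("10.0.0.11", "10.0.2.10", "tcp", 443, 40),
       ("10.0.0.11", "10.0.2.11", "tcp", 443, 35),
       ("10.0.0.11", "10.0.2.12", "tcp", 22, 120)]
)
WINDOW_DAY = date(2024, 3, 9)  # a Saturday, so the lower weekend threshold applies

if __name__ == "__main__":
    for alert in detect_scans(FLOWS, WINDOW_DAY, weekday_thresholds(HISTORY)):
        print(alert)
```

Run as-is, the script reports the host scan from 10.0.0.5 and the port scan from 10.0.0.7 and nothing for the resolver; pass `exclude=lambda f: False` to `detect_scans` and the resolver shows up as a 50-host scan, which is the false positive the exclusion rule exists to prevent.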
Raise alerts when never-before-seen communications take place, such as a new host contacted, or an ordinary partner contacted on a new port. Use a tool with a fingerprint generator function, which operates as a network change detector, to watch for changes in the behavior of individual servers. This is particularly useful for detecting malware and data exfiltration.
Create statistical profiles of individual IP addresses in your network in order to identify individual sessions that are abnormal. Over time you will see a set of connections that are typical in terms of client and server IPs and likely applications (determined by service port).
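The two tips above, alerting on never-before-seen communications and building per-IP profiles from retained history, are two views of the same data structure, so one added example covers both. It is written for this page and is not FlowTraq's fingerprint generator; the flow history, the watched server and the new-window sessions are all constructed. A profile here is, for each IP, the set of (peer, protocol, server port) triples seen in each direction with a session count, which makes a new peer, a known peer on a new port, and the established relationships all answerable from the same table.

```python
"""Change detector for never-before-seen communications, built on per-IP profiles
learned from retained flow history. Added example, not FlowTraq code; all flows
are constructed."""
from collections import defaultdict

# Flow record: (client, server, proto, server_port, bytes)

def build_profiles(history):
    """Per IP and direction, every (peer, proto, port) triple seen and how many
    sessions it accounted for. 'out' is the IP acting as client, 'in' as server."""
    profiles = defaultdict(lambda: {"out": defaultdict(int), "in": defaultdict(int)})
    for client, server, proto, port, _ in history:
        profiles[client]["out"][(server, proto, port)] += 1
        profiles[server]["in"][(client, proto, port)] += 1
    return profiles

def classify(profile_dir, peer, proto, port):
    """One direction of one IP's profile: 'known', 'new port' (a familiar peer
    on a port never used with it) or 'new peer' (never contacted at all)."""
    if (peer, proto, port) in profile_dir:
        return "known"
    if any(p == peer for p, _, _ in profile_dir):
        return "new port"
    return "new peer"

def detect_changes(profiles, flows, watch):
    """Alerts for watched hosts whose sessions fall outside their profile. A
    server that opens an outbound session to a peer it has never talked to is
    the trace that malware callbacks and data exfiltration leave in flow data."""
    alerts = []
    for client, server, proto, port, _ in flows:
        if client in watch:
            verdict = classify(profiles[client]["out"], server, proto, port)
            if verdict != "known":
                alerts.append((client, "out", server, proto, port, verdict))
        if server in watch:
            verdict = classify(profiles[server]["in"], client, proto, port)
            if verdict != "known":
                alerts.append((server, "in", client, proto, port, verdict))
    return alerts

def typical_connections(profiles, host, direction="out", min_sessions=10):
    """The statistical profile of one IP: its established peer/port pairs,
    most frequent first. Pairs below min_sessions are left out so one-off
    traffic does not get mistaken for 'normal'."""
    pairs = profiles[host][direction]
    return sorted(((peer, proto, port, n) for (peer, proto, port), n in pairs.items()
                   if n >= min_sessions), key=lambda t: -t[3])

# --- Constructed data (not real traffic) -------------------------------------
HISTORY = (
    [("10.0.0.11", "10.0.2.10", "tcp", 443, 8000)] * 40     # workstation -> web server
    + [("10.0.0.12", "10.0.2.10", "tcp", 443, 6000)] * 25
    + [("10.0.2.10", "10.0.3.5", "tcp", 5432, 2000)] * 60    # web server -> database
    + [("10.0.2.10", "10.0.0.53", "udp", 53, 120)] * 200     # web server -> resolver
)
NEW_FLOWS = [
    ("10.0.2.10", "10.0.3.5", "tcp", 5432, 2100),            # known
    ("10.0.0.11", "10.0.2.10", "tcp", 443, 7900),            # known
    ("10.0.2.10", "10.0.3.5", "tcp", 22, 900),               # known peer, new port
    ("10.0.2.10", "203.0.113.77", "tcp", 443, 48_000_000),   # never-seen peer, large upload
    ("10.0.0.11", "10.0.2.10", "tcp", 3389, 500),            # known client, new inbound port
]
WATCH = {"10.0.2.10"}          # the server whose behavior we want change alerts for
PROFILES = build_profiles(HISTORY)

if __name__ == "__main__":
    print("typical outbound:", typical_connections(PROFILES, "10.0.2.10"))
    for alert in detect_changes(PROFILES, NEW_FLOWS, WATCH):
        print(alert)
```

The three alerts the script raises are the ones the text describes: the web server reaching its database on a port it never used before, the server contacting an outside address it has never seen, and a familiar client arriving on a new inbound port. The known sessions produce nothing, which is the point of profiling against retained history rather than a static rule set.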
Select one or more blacklists and use a blacklist detector to check each network session individually, in both directions: an inbound connection from a blacklisted address matters, and so does an internal host connecting out to one. Match session endpoints against a list of individual IP addresses and CIDR blocks. Each connection to a blacklisted IP or CIDR block should generate an alert.
Make sure that your blacklist detectors stay up to date with the latest threat information.
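Here is a small blacklist detector of the kind the two tips above describe, added as an example for this page and not FlowTraq code. It parses lists of single addresses and CIDR blocks (malformed lines are reported rather than silently dropped, which matters when a feed changes format), merges several feeds so a refresh is just a re-parse and re-merge, matches each session's remote endpoint with the most specific entry winning, and checks both directions. The feeds, the local address range and the sessions are constructed, using documentation address ranges.

```python
"""Blacklist detector: match session endpoints against IPs and CIDR blocks from
one or more lists. Added example, not FlowTraq code; feeds and sessions are
constructed (documentation address ranges)."""
import ipaddress

LOCAL = [ipaddress.ip_network("10.0.0.0/8")]   # constructed: our own address space

def load_blacklist(text, source):
    """Parse one list: one IP or CIDR per line, '#' comments allowed. Returns
    ({prefix_len: {network: source}}, [malformed lines]). Grouping by prefix
    length lets lookup() test one candidate network per distinct length
    instead of scanning the whole list for every session."""
    by_prefix, bad = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)  # bare IP becomes /32 or /128
        except ValueError:
            bad.append(line)
            continue
        by_prefix.setdefault(net.prefixlen, {})[net] = source
    return by_prefix, bad

def merge(*lists):
    """Combine several parsed lists; reload and re-merge to pick up feed updates.
    A later list's source label wins for an identical network."""
    merged = {}
    for by_prefix in lists:
        for plen, nets in by_prefix.items():
            merged.setdefault(plen, {}).update(nets)
    return merged

def lookup(blacklist, addr):
    """Most-specific match wins: try prefix lengths from longest to shortest.
    Returns (network, source) or None."""
    ip = ipaddress.ip_address(addr)
    for plen in sorted(blacklist, reverse=True):
        if plen > ip.max_prefixlen:          # an IPv6-only length for an IPv4 address
            continue
        net = ipaddress.ip_network((ip, plen), strict=False)
        source = blacklist[plen].get(net)
        if source is not None:
            return net, source
    return None

def remote_end(src, dst):
    """The endpoint outside our own address space, or None for internal traffic."""
    for addr in (src, dst):
        if not any(ipaddress.ip_address(addr) in net for net in LOCAL):
            return addr
    return None

def check_sessions(blacklist, sessions):
    """One alert per session whose remote end is blacklisted, in either direction."""
    alerts = []
    for src, dst, proto, dport in sessions:
        remote = remote_end(src, dst)
        if remote is None:
            continue
        hit = lookup(blacklist, remote)
        if hit:
            net, source = hit
            direction = "outbound" if remote == dst else "inbound"
            alerts.append((direction, src, dst, proto, dport, str(net), source))
    return alerts

# --- Constructed feeds and sessions -------------------------------------------
FEED_A = """# constructed feed A
203.0.113.0/24      # scanner block
198.51.100.7        # single host
not-an-address      # malformed line, must be reported
"""
FEED_B = """# constructed feed B
198.51.100.0/25
2001:db8:bad::/48
"""
BLACKLIST = merge(load_blacklist(FEED_A, "feed-a")[0], load_blacklist(FEED_B, "feed-b")[0])

SESSIONS = [                                   # (src, dst, proto, dport)
    ("10.0.0.11", "198.51.100.7", "tcp", 443),   # outbound to a listed host
    ("203.0.113.9", "10.0.2.10", "tcp", 22),     # inbound from a listed block
    ("10.0.0.12", "198.51.100.200", "tcp", 80),  # outside the /25: clean
    ("10.0.0.12", "198.51.100.50", "tcp", 80),   # inside the /25
    ("10.0.0.11", "10.0.0.53", "udp", 53),       # internal: not checked
    ("10.0.0.11", "2001:db8:bad::1", "tcp", 443),# IPv6 entry
]

if __name__ == "__main__":
    print("malformed:", load_blacklist(FEED_A, "feed-a")[1])
    for alert in check_sessions(BLACKLIST, SESSIONS):
        print(alert)
```

Note that 198.51.100.7 is covered by both feed A's single-host entry and feed B's /25; the lookup reports the /32 from feed A because the longest prefix is tried first, so an analyst sees the most precise intelligence available for that address.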
A volume detector is a powerful general statistical analysis tool that examines long-term traffic history to create baselines for specified network entities, which could be hosts, applications, autonomous systems, or even whole countries, in order to quickly identify unusual volumes in terms of bytes, number of sessions, or unique counts. Experimentation with a volume detector is frequently rewarded with new insights into network behavior. It is useful, for example, for determining whether a host has suddenly started receiving communications over a larger set of applications (essentially the inverse of a port scan), which is a good way of detecting distributed scans or the deployment of new applications on critical servers.
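The added example below shows the mechanics of such a detector; it is written for this page and is not FlowTraq code. Sessions are rolled up per day into bytes, session count and unique counts for a chosen entity level (host, /24, or country via a constructed address-to-country map), a baseline is taken from 28 days of history, and the detection day is scored against it. The baseline uses median and median absolute deviation rather than mean and standard deviation, a choice made here so that a single past outlier does not inflate the baseline, with a floor on the scale so that integer counts with zero historical variation do not alert on a change of one. All traffic is constructed; the two anomalies planted on the detection day are a server suddenly receiving sessions on 15 new ports (the inverse-of-a-port-scan case) and a workstation pushing 600 MB to one country.

```python
"""Volume detector: long-term per-entity baselines for bytes, sessions and
unique counts, at host, /24 or country granularity. Added example, not FlowTraq
code; all sessions and the country map are constructed."""
from collections import defaultdict
import ipaddress
import statistics

# Session record: (day_index, src, dst, dport, bytes)
COUNTRY = {"203.0.113.0/24": "XA", "198.51.100.0/24": "XB"}   # constructed map

def entity_of(addr, level):
    """Map an address to the entity being baselined: the host itself, its /24,
    or the country its /24 belongs to (None when the map has no entry, so
    internal addresses drop out of a country-level analysis)."""
    if level == "host":
        return addr
    net = str(ipaddress.ip_network(f"{addr}/24", strict=False))
    return net if level == "net24" else COUNTRY.get(net)

def daily_metrics(sessions, level="host", side="dst"):
    """{(day, entity): metrics}, where the entity is taken from the `side` end
    of each session. unique_ports is the number of distinct server ports seen
    (a jump here is the inverse of a port scan); unique_peers counts the other end."""
    acc = defaultdict(lambda: {"bytes": 0, "sessions": 0, "ports": set(), "peers": set()})
    for day, src, dst, dport, nbytes in sessions:
        me, peer = (dst, src) if side == "dst" else (src, dst)
        ent = entity_of(me, level)
        if ent is None:
            continue
        m = acc[(day, ent)]
        m["bytes"] += nbytes
        m["sessions"] += 1
        m["ports"].add(dport)
        m["peers"].add(peer)
    return {k: {"bytes": v["bytes"], "sessions": v["sessions"],
                "unique_ports": len(v["ports"]), "unique_peers": len(v["peers"])}
            for k, v in acc.items()}

def baselines(metrics, history_days):
    """Per entity and metric: (median, MAD) over the history days. Days with no
    sessions for an entity are simply absent, not counted as zero."""
    series = defaultdict(lambda: defaultdict(list))
    for (day, ent), m in metrics.items():
        if day in history_days:
            for name, val in m.items():
                series[ent][name].append(val)
    base = {}
    for ent, per_metric in series.items():
        base[ent] = {}
        for name, vals in per_metric.items():
            med = statistics.median(vals)
            base[ent][name] = (med, statistics.median(abs(v - med) for v in vals))
    return base

def detect_volume(metrics, base, day, k=5.0):
    """(entity, metric, value, median, score) for the detection day where the
    value sits more than k robust deviations above the baseline. The scale is
    floored at 5% of the median and at 1 so constant histories stay sane."""
    alerts = []
    for (d, ent), m in metrics.items():
        if d != day or ent not in base:
            continue
        for name, val in m.items():
            med, mad = base[ent][name]
            score = (val - med) / max(mad, 0.05 * med, 1.0)
            if score > k:
                alerts.append((ent, name, val, med, round(score, 1)))
    return alerts

# --- Constructed traffic: days 0-27 are history, day 28 is under test ---------
SESSIONS = []
for d in range(29):
    for i in range(100 + d % 5):            # web server: ~100 inbound HTTPS sessions a day
        SESSIONS.append((d, f"10.0.0.{20 + i % 40}", "10.0.2.10", 443, 50_000 + (i * 37) % 3000))
    for i in range(20):                     # workstation: routine traffic to 20 hosts in XA
        SESSIONS.append((d, "10.0.0.11", f"203.0.113.{i + 1}", 443, 60_000 + (i * 11) % 1000))
SESSIONS += [(28, "10.0.0.5", "10.0.2.10", 8000 + p, 200) for p in range(15)]   # 15 new ports
SESSIONS.append((28, "10.0.0.11", "203.0.113.77", 443, 600_000_000))             # 600 MB to XA
HISTORY_DAYS = set(range(28))
DETECT_DAY = 28

def run(level, side="dst"):
    metrics = daily_metrics(SESSIONS, level, side)
    return detect_volume(metrics, baselines(metrics, HISTORY_DAYS), DETECT_DAY)

if __name__ == "__main__":
    print("host level:   ", run("host"))
    print("country level:", run("country"))
```

At host level the only alert is the server's unique_ports count jumping from a median of 1 to 16; its session count also rose, but by an amount within the normal spread, which is why the detector keys on unique counts and not only on totals. At country level the byte volume to XA is the single alert, while the session count to XA moved from 20 to 21 and stays quiet.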
FlowTraq helps you find the network outlaws and run them out of town. Try it for yourself – request a free 14-day trial.