
The Three Types of Outlaws on Your Network – How to Spot ‘Em and How to Get ‘Em Out

By Gurdev Sethi | August 26, 2015



Cyberspace is like the Wild West — it’s a vast frontier and there’s a lot of lawlessness out there. Your organization has staked a claim on its corner, building a valuable infrastructure for your business, and you’ve got to protect it from outlaws who can do harm. But not all outlaws are the same. In the Old West there were gunslingers and cattle thieves and train robbers — so who are the outlaws that could be jeopardizing the security of your network and business data and assets? Here are three very different types of outlaws you want to keep off your enterprise network.

1. The Script Kiddie

Script kiddies are “drive-by shooters” — they’ll attack any network indiscriminately. They tend to focus on the hacking techniques and exploits themselves rather than on the targets. They can wreak havoc by gaining access to network systems and assets, and even defacing them. But even if they happen to gain access to highly sensitive systems or data, they may not even know what “loot” they stumbled on and typically won’t take advantage of that access. While script kiddies pose a real threat and can cause a significant amount of damage in the form of lost productivity and damaged reputation, they are just a nuisance compared to the other types of outlaws.

2. The Advanced Persistent Threat (APT)

The APT, on the other hand, targets specific organizations for very specific — and nefarious — purposes using sophisticated techniques. Unlike the script kiddie, this outlaw is actively seeking to penetrate your most sensitive systems and data with the intent of doing harm. The APT is going to be stealthy, being very careful about not getting detected, taking the time to observe your environment and then making calculated strategic moves to break in.

3. The Malicious Insider

Not all threats come from the outside. Someone who is already inside the network — who you trust — could be exfiltrating data because they are disgruntled, are being paid, or are even being blackmailed. Malicious insiders have legitimate access to enterprise systems and data, so they can be difficult to detect from a network perspective.


What Motivates Outlaws?

There are many reasons why hackers want to infiltrate your network, but they all tend to fall into one of the following four categories:

  • Monetary gain: there’s profit to be made
  • Ideology: wants to make a point about the organization
  • Coercion: is being compelled by someone else
  • Ego: wants to prove power and influence

Script kiddies are often in it for ego and monetary gain. The APT is likely driven by ideology and monetary gain. And the malicious insider could be acting on ideology or coercion.


How to Spot Them

There are lots of tools that network security professionals use to keep the network and its applications and data secure: firewalls, endpoint protection, intrusion detection/prevention systems, data loss prevention systems, etc. And these are all important components of a sound enterprise network security strategy. But outlaws are smart, they know how these solutions work — and they are constantly looking for ways around them. But in the process of trying to skirt network security systems, they create trails that can be spotted — if you know what to look for and have the right tools in place.

    • Scanning — Port scanning is a common reconnaissance technique used to identify systems on your network that may be vulnerable and allow the outlaw to move through the network laterally. You need to be able to identify scanning behavior and distinguish potential outlaws from legitimate scanning within the network, for example Nmap scans run as part of a network asset management program.
    • New service — If an outlaw does manage to breach a system on your network, they will likely look to set up a back door so they can get back in at any time. This can be done by spinning up a new service or application on that compromised system. When they get back in, that connection shows up as a “new service” — possibly on an unusual port — and can be detected.
    • Blacklisted connections — Many attackers’ systems are known by authorities and are on blacklists. You want to be able to alert on any connections that are made from your network to those systems.
    • Data exfiltration — Outlaws looking to steal data, whether they are external or internal, need to move that data out of the network. Identifying when hosts are transferring data outside of normal thresholds — such as sending files at unusual times or in unusual volumes — can help catch data thieves.

How To Get Them Out

Once you’ve spotted evidence that an outlaw of any kind may be infiltrating — or attempting to breach — the network, you need to get him out fast. To do that, you need detailed information about their activities. With full-fidelity flow analysis on complete flow data that’s retained over time, you have that detail with specifics about all the connections the outlaw made. This enables you to search for similar connections and strategically determine how to shut him down completely. Here are some tips to help you do just that.

Deploy Scan Detection

Host scans (where multiple hosts are contacted in rapid succession) and port scans (where one host attempts a large number of ports in succession), as well as combinations of the two, are very common outlaw tactics. Simple scan detectors can be built using a threshold detector; but for best protection, use an intelligent tool that discerns normal behavior from scanning in order to reduce false positives. To do this, set up a scan detector to monitor traffic over time and create a statistical baseline. The best scan detectors can take the day of the week into account (meaning they are more sensitive on days when traffic is usually lower, such as the weekend) and can exclude very short sessions, such as DNS traffic or incomplete connections. A scan detector is useful both as a defensive measure and for compliance: it detects threats against the monitored network while also helping ensure that one’s network is not a source of trouble for others.
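The following is an added example, not FlowTraq’s code: a small baseline-aware scan detector over constructed flow records. It counts distinct destinations per source (host scan) and distinct ports per source/destination pair (port scan), excludes DNS lookups, and derives each host’s alert threshold from a per-weekday history (the `HISTORY` values are constructed stand-ins for a learned baseline).

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample flows, not real traffic: (timestamp, src, dst, dst_port).
# 10.0.0.5 sweeps 40 hosts on port 445 (host scan); 10.0.0.9 probes 40 ports on
# one host (port scan); 10.0.0.7 is an ordinary client (one DNS lookup, one HTTPS session).
FLOWS = (
    [("2015-08-22T10:00:00", "10.0.0.5", "10.0.1.%d" % i, 445) for i in range(1, 41)]
    + [("2015-08-22T10:05:00", "10.0.0.9", "10.0.2.20", p) for p in range(20, 60)]
    + [("2015-08-22T10:06:00", "10.0.0.7", "10.0.0.53", 53),
       ("2015-08-22T10:07:00", "10.0.0.7", "10.0.2.20", 443)]
)

# Constructed history: distinct destinations each source contacted on past days,
# keyed by (src, weekday). Stands in for the baseline a real detector learns over time.
HISTORY = {
    ("10.0.0.5", 5): [3, 4, 2, 3],   # Saturdays are quiet for this host
    ("10.0.0.9", 5): [2, 2, 3, 2],
}

def threshold(history, src, weekday, floor=10, k=3):
    """Distinct-destination count above which a host counts as scanning on this
    weekday: mean + k * stdev of its past counts for that weekday, never below floor."""
    counts = history.get((src, weekday))
    if not counts or len(counts) < 2:
        return floor
    return max(floor, statistics.mean(counts) + k * statistics.pstdev(counts))

def detect_scans(flows, history, port_floor=15):
    """Return (host_scanners, port_scan_pairs) found in one window of flows."""
    dsts = defaultdict(set)      # src -> distinct destination hosts
    ports = defaultdict(set)     # (src, dst) -> distinct destination ports
    weekday = {}
    for ts, src, dst, dport in flows:
        if dport == 53:
            continue             # exclude DNS lookups, as the text recommends
        weekday[src] = datetime.fromisoformat(ts).weekday()
        dsts[src].add(dst)
        ports[(src, dst)].add(dport)
    host_scanners = [s for s, d in dsts.items()
                     if len(d) > threshold(history, s, weekday[s])]
    port_scans = [pair for pair, p in ports.items() if len(p) > port_floor]
    return host_scanners, port_scans

if __name__ == "__main__":
    print(detect_scans(FLOWS, HISTORY))
```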

Set Alerts When New Services are Established

Raise alerts when never-before-seen communications take place, such as a new host contacted, or an ordinary partner contacted on a new port. Use a tool with a fingerprint generator function, which operates as a network change detector, to watch for changes in the behavior of individual servers. This is particularly useful for detecting malware and data exfiltration.
Create statistical profiles of individual IP addresses in your network in order to identify individual sessions that are abnormal. Over time you will see a set of connections that are typical in terms of client and server IPs and likely applications (determined by service port).
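As an added illustration of the fingerprint idea, not FlowTraq’s own implementation: the example below learns, per server, the ports it is known to serve and the clients it is known to talk to from constructed learning-period flows, then flags later sessions that break that profile (a never-seen server, a known server on a new port, or a new client for a known service).

```python
from collections import defaultdict

# Constructed learning-period flows, not real traffic: (client, server, server_port).
LEARNING = [
    ("10.0.0.7", "10.0.2.20", 443), ("10.0.0.8", "10.0.2.20", 443),
    ("10.0.0.7", "10.0.2.21", 22), ("10.0.0.8", "10.0.2.20", 443),
    ("10.0.2.20", "10.0.0.53", 53),
]

# Constructed flows from a later window: one normal session, a back door on a
# new port, a never-seen server, and a new client for a known service.
CURRENT = [
    ("10.0.0.7", "10.0.2.20", 443),
    ("10.0.0.7", "10.0.2.20", 4444),
    ("10.0.0.7", "10.0.2.22", 443),
    ("10.0.0.9", "10.0.2.20", 443),
]

def build_fingerprints(flows):
    """Per-server fingerprint learned from history: the service ports the server
    is known to offer and the clients it is known to talk to."""
    ports, partners = defaultdict(set), defaultdict(set)
    for client, server, port in flows:
        ports[server].add(port)
        partners[server].add(client)
    return ports, partners

def detect_changes(fingerprints, flows):
    """Flag sessions that do not match the fingerprint, most significant reason first."""
    ports, partners = fingerprints
    alerts = []
    for client, server, port in flows:
        if server not in ports:
            reason = "never-seen server contacted"
        elif port not in ports[server]:
            reason = "known server on new port"
        elif client not in partners[server]:
            reason = "new client for known service"
        else:
            continue
        alerts.append((client, server, port, reason))
    return alerts

if __name__ == "__main__":
    for alert in detect_changes(build_fingerprints(LEARNING), CURRENT):
        print(*alert)
```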

Generate Blacklist Alerts

Select one or more blacklists and use a blacklist detector to scan incoming network sessions individually. Match them against a list of individual IP addresses and CIDR blocks. Each connection to a blacklisted IP or CIDR block should generate an alert.
Make sure that your blacklist detectors stay up to date with the latest threat information.
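An added example of the per-session blacklist check (not FlowTraq’s code, and the list entries are constructed placeholders from documentation address ranges, not a real feed): entries are indexed by prefix length so each lookup masks the address once per distinct prefix length rather than testing every entry. It assumes IPv4 addresses.

```python
import ipaddress

# Constructed blacklist, placeholder entries rather than a real feed: bare IPs and CIDR blocks.
BLACKLIST = ["198.51.100.7", "203.0.113.0/24", "192.0.2.128/25"]

# Constructed sessions, not real traffic: (src, dst).
SESSIONS = [
    ("10.0.0.7", "10.0.2.20"),
    ("10.0.0.7", "203.0.113.9"),
    ("192.0.2.200", "10.0.2.20"),
    ("10.0.0.9", "192.0.2.5"),
]

def compile_blacklist(entries):
    """Index entries by prefix length (a bare IP becomes a /32) so that a lookup
    does one mask-and-check per distinct prefix length. IPv4 only."""
    table = {}
    for entry in entries:
        net = ipaddress.ip_network(entry, strict=False)
        table.setdefault(net.prefixlen, set()).add(int(net.network_address))
    return table

def is_blacklisted(table, ip):
    addr = int(ipaddress.IPv4Address(ip))
    for plen, nets in table.items():
        mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
        if (addr & mask) in nets:
            return True
    return False

def blacklist_alerts(table, sessions):
    """Check every session individually and alert when either endpoint is listed."""
    return [(src, dst) for src, dst in sessions
            if is_blacklisted(table, src) or is_blacklisted(table, dst)]

if __name__ == "__main__":
    for src, dst in blacklist_alerts(compile_blacklist(BLACKLIST), SESSIONS):
        print("ALERT blacklisted connection", src, "->", dst)
```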

Data Exfiltration Based on Volume

A volume detector is a powerful general statistical analysis tool that examines long-term traffic history to create baselines for specified network entities — which could be hosts, applications, autonomous systems, or even whole countries — in order to quickly identify unusual volumes in terms of bytes, number of sessions, or unique counts. Experimentation with a volume detector is frequently rewarded with new insights into network behavior. Such a detector is useful, for example, in determining whether a host has suddenly started receiving communications over a larger set of applications (essentially the inverse of a port scan) — a useful way of detecting distributed scans or deployment of new applications on critical servers.
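An added example, not FlowTraq’s code, of the baseline comparison a volume detector performs: constructed daily summaries (bytes, sessions, distinct service ports) per entity are compared with that entity’s own history, and a value more than k standard deviations above its mean raises an alert. The entities here are hosts, but the keys could just as well be applications, autonomous systems or countries.

```python
import statistics

# Metric columns of each daily summary: bytes moved, sessions, distinct service ports.
METRICS = ("bytes", "sessions", "unique_ports")

# Constructed per-entity daily summaries, not real traffic.
HISTORY = {
    "10.0.2.20": [(9_800_000, 400, 2), (10_100_000, 420, 2), (9_950_000, 390, 2),
                  (10_050_000, 410, 2), (9_900_000, 405, 2)],
    "10.0.0.7": [(1_000_000, 50, 3), (1_050_000, 52, 3), (980_000, 49, 3),
                 (1_020_000, 51, 3), (1_000_000, 50, 3)],
}
# Today (constructed): the server is suddenly reached on 9 ports (inverse of a port
# scan) and the workstation moves 40x its usual byte volume (exfiltration-sized).
TODAY = {"10.0.2.20": (10_000_000, 415, 9), "10.0.0.7": (40_000_000, 52, 3)}

def volume_alerts(history, today, k=3.0, min_days=2):
    """Compare each entity's current metrics with its own baseline; alert when a
    value exceeds mean + k * stdev. A stdev floor of 1 avoids alerting on a
    perfectly flat history disturbed by a single unit of noise."""
    alerts = []
    for entity, current in today.items():
        past = history.get(entity, [])
        if len(past) < min_days:
            continue                      # not enough history for a baseline
        for i, name in enumerate(METRICS):
            column = [day[i] for day in past]
            mean, sd = statistics.mean(column), statistics.pstdev(column)
            limit = mean + k * max(sd, 1)
            if current[i] > limit:
                alerts.append((entity, name, current[i], round(limit)))
    return alerts

if __name__ == "__main__":
    for entity, metric, value, limit in volume_alerts(HISTORY, TODAY):
        print(f"ALERT {entity} {metric}={value} exceeds baseline limit {limit}")
```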


FlowTraq helps you find the network outlaws and run them out of town. Try it for yourself – request a free 14-day trial.