
What it Means to Fight Smart

By Dr. Vincent Berk | February 26, 2016


We joined Gigamon on Wednesday for their NYSE closing bell ceremony, which marked the start of their #WeFightSmart initiative. The reasons this is a smart fight are technical in nature. Let me explain why we should all pay attention.
The number of connected devices, as well as the volume of data we consume, continues to grow every year. This means the number of bits, packets, and connections on networks is continuing its exponential rise. The more bits there are to secure, the easier it is for dedicated cyber criminals to hide. Here’s why:
1. A smart adversary understands stealth. Broad sweeps of IP address space and scanning for vulnerabilities across subnet boundaries are a sure way to get noticed – and then locked out. But careful use of compromised systems allows the attacker to gain a bigger presence in your network without being easily noticed.
2. Once inside, a smart attacker will need very little bandwidth to penetrate further and gain an understanding of your network’s most valuable assets, while simultaneously discovering your defensive blind spots. Taking only what is valuable reduces the chances of being noticed.
3. Now that the perpetrator knows your network and your defenses, and is cloaked as a legitimate user, careful exfiltration of sensitive assets becomes almost trivial.
The point is that there is a lot of legitimate traffic to hide in!
When I landed my first job securing networks, I picked through individual packets to find the communications that were suspicious, tracking movements by hackers as they went about their work. Subnets were small, uplinks were diminutive, and traffic volumes next to nothing. This has changed dramatically.
Fighting smart means figuring out what data is worth analyzing, because the bottom-up approach is no longer feasible. Instead we must shift our focus to providing the smart defender with the right level of detail at every step, so they can follow their instincts and focus in on attacker movement. And this forms the essence of cyber hunting, which is the art of defending your network by actively hunting down those who pose the biggest threat.
The two pillars of effective defense through cyber hunting are focus, and visibility:
FOCUS – We recognize that the human brain is still the best anomaly detector ever built. But the data must be in the right form. Large swaths of packet traces are useless; instead we must focus. To see the forest, not just the trees, we must automate what can easily be automated. The value of full-fidelity, 1:1 (unsampled) NetFlow/sFlow/IPFIX has long been a key asset to the cyber defender. Adding packet-level metadata allows for a substantial improvement in analyst effectiveness. The longer we can enable the analyst to work at the flow level before they must resort to packet-level detail, the faster they will be able to work.
VISIBILITY – It is useless to try to defend a network that you cannot see into. If your telemetry stops at the border, you might as well stop trying. Building an infrastructure that allows the analyst to collect data at every network intersection enables detection and investigation of lateral attacker movement, reconnaissance, and data leakage.
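To show what working at the flow level looks like in practice, here is an added example (my own, not FlowTraq's or Gigamon's code) that runs two hunting checks over a handful of constructed NetFlow-style records: quiet reconnaissance that crosses subnet boundaries with tiny flows, and an internal host sending far more to an external peer than it receives back. The 10.0.0.0/8 internal range, the record shape and every threshold are assumptions to be tuned per site.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")  # assumption: the site's internal range

# Constructed flow records in the shape a collector exports (not real data):
# (src_ip, dst_ip, dst_port, bytes); direction is src -> dst.
FLOWS = [
    # 10.1.1.5 quietly touches a few hosts in three subnets, a few hundred bytes each
    ("10.1.1.5", "10.1.2.10", 445, 320), ("10.1.1.5", "10.1.2.11", 445, 310),
    ("10.1.1.5", "10.1.3.20", 22, 290),  ("10.1.1.5", "10.1.3.21", 3389, 330),
    ("10.1.1.5", "10.1.4.30", 445, 305), ("10.1.1.5", "10.1.4.31", 445, 315),
    # ...then sends far more to an external peer than it gets back
    ("10.1.1.5", "203.0.113.9", 443, 900_000),
    ("203.0.113.9", "10.1.1.5", 51234, 20_000),
    # 10.1.1.7 is an ordinary workstation: one file-share session, DNS, a big download
    ("10.1.1.7", "10.1.2.10", 445, 50_000), ("10.1.1.7", "10.1.1.1", 53, 180),
    ("10.1.1.7", "198.51.100.4", 443, 40_000),
    ("198.51.100.4", "10.1.1.7", 49876, 2_000_000),
]

def is_internal(ip):
    return ip_address(ip) in INTERNAL

def low_and_slow_recon(flows, min_targets=5, min_subnets=2, max_bytes=2_000):
    """Internal sources that touch many distinct internal host:port pairs,
    spread over several /24s, with only tiny flows. Thresholds are assumptions."""
    targets = defaultdict(set)
    for src, dst, dport, nbytes in flows:
        if is_internal(src) and is_internal(dst) and nbytes <= max_bytes:
            targets[src].add((dst, dport))
    hits = {}
    for src, pairs in targets.items():
        subnets = {ip_network(f"{dst}/24", strict=False) for dst, _ in pairs}
        if len(pairs) >= min_targets and len(subnets) >= min_subnets:
            hits[src] = (len(pairs), len(subnets))  # (targets, subnets touched)
    return hits

def exfil_candidates(flows, min_out=100_000, ratio=5.0):
    """Internal hosts whose bytes sent to external peers dwarf the bytes
    received back; returns host -> out/in ratio. Thresholds are assumptions."""
    out_bytes, in_bytes = defaultdict(int), defaultdict(int)
    for src, dst, _, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            out_bytes[src] += nbytes
        elif is_internal(dst) and not is_internal(src):
            in_bytes[dst] += nbytes
    return {h: round(out_bytes[h] / max(in_bytes[h], 1), 1) for h in out_bytes
            if out_bytes[h] >= min_out and out_bytes[h] >= ratio * max(in_bytes[h], 1)}
```

Both checks need only the flow records, so the analyst reaches for packets only on the one host these return; neither check works if the recon flows between internal subnets were never collected.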
Putting the right tools in place for visibility and focus saves the analyst much time. And time is the most valuable asset a cyber defender has. More threats investigated means more bad actors stopped in their tracks.
Cyber security is no longer about waiting for the light to go red. Instead it is about actively seeking and disabling threats. Gigamon has built the very foundation of this, a foundation that is both necessary and invaluable. Leveraging their data collection infrastructure, we can focus the analyst to fight smart, and give them the levels of visibility they need to zero in on the threat, without being overwhelmed.