Whether you know it or not, there are intruders in your network, and they're most likely leaving footprints everywhere. Some of those footprints are larger than others: some criminals are good at hiding their tracks, while others are very noisy. It's the quiet ones that should scare you, because they can lie dormant for weeks or months and then slowly work their way, under the radar, through your network until they find what they're looking for: your sensitive or confidential data. But big or small, quiet or noisy, they all leave footprints, and you need to find them before they do any damage.
In this post I want to discuss monitoring and mining your network to find these footprints.
First and foremost, firewall logs and NetFlow data can be a gold mine if you're logging all of it. This data shows you who spoke to what, when, and on which port. On its own a single flow record tells you very little, but when the whole set is run through behavioral analysis you can find patterns in the connections occurring on your network. Firewalls will often pass this traffic, because in many cases there's nothing wrong with any individual connection. It's only when behavioral analysis shows, for example, a single system logging into multiple servers in the middle of the night with the same user credentials that the data becomes relevant. It's the context, and analyzing the data from a behavioral perspective, that lets us find the real patterns.
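The "one system, many servers, same credentials, middle of the night" pattern above is exactly the kind of check that no single firewall rule expresses but a few lines of analysis over flow records does. The following is an added example, not code from the original post or from any vendor it mentions: it runs a sliding-window check over constructed, comma-separated events (timestamp, source, destination, port, user), where the username is assumed to have already been joined onto the flow from an authentication log. The business-hours boundaries, the 30-minute window and the four-destination threshold are assumptions you would tune against your own baseline.

```python
"""Behavioral check over NetFlow-style events (added example, not from the post).

Flags a (source host, user) pair that reaches many distinct servers within a
short window outside business hours. The log lines are constructed for this
example and the field layout is an assumption, not any vendor's format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: timestamp,src,dst,dport,user (assumed layout).
# Any one of these lines looks like normal SMB or SSH traffic to a firewall.
SAMPLE_LOG = """\
2024-03-10T02:03:11,10.0.5.23,10.0.1.10,445,jsmith
2024-03-10T02:03:40,10.0.5.23,10.0.1.11,445,jsmith
2024-03-10T02:04:05,10.0.5.23,10.0.1.12,445,jsmith
2024-03-10T02:04:30,10.0.5.23,10.0.1.13,445,jsmith
2024-03-10T02:05:02,10.0.5.23,10.0.1.14,445,jsmith
2024-03-10T09:15:00,10.0.7.8,10.0.1.10,445,asmith
2024-03-10T09:16:00,10.0.7.8,10.0.1.11,445,asmith
2024-03-10T09:17:00,10.0.7.8,10.0.1.12,445,asmith
2024-03-10T09:18:00,10.0.7.8,10.0.1.13,445,asmith
2024-03-10T09:19:00,10.0.7.8,10.0.1.14,445,asmith
2024-03-10T23:30:00,10.0.9.4,10.0.1.10,22,backup
2024-03-10T23:31:00,10.0.9.4,10.0.1.11,22,backup
"""

BUSINESS_START, BUSINESS_END = 7, 19      # assumed local business hours (07:00-19:00)
WINDOW = timedelta(minutes=30)            # assumed: how quickly a scan "fans out"
MIN_DISTINCT_DESTS = 4                    # assumed: distinct servers before alerting


def parse_events(text):
    """Parse the constructed CSV layout into dicts, ordered by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, user = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "dst": dst, "dport": int(dport), "user": user})
    return sorted(events, key=lambda e: e["ts"])


def off_hours(ts):
    """True when the event falls outside the assumed business-hours window."""
    return ts.hour < BUSINESS_START or ts.hour >= BUSINESS_END


def find_lateral_movement(events, window=WINDOW, min_dests=MIN_DISTINCT_DESTS):
    """Return {(src, user): sorted destinations} for each (src, user) that
    reached at least `min_dests` distinct servers within `window`, off hours.

    Each event on its own is benign; only the fan-out plus the time of day
    makes the combination suspicious, which is the point of the check.
    """
    by_key = defaultdict(list)
    for e in events:
        if off_hours(e["ts"]):
            by_key[(e["src"], e["user"])].append(e)

    findings = {}
    for key, evs in by_key.items():           # evs stay time-ordered
        best, start = set(), 0
        for end in range(len(evs)):
            # shrink the window from the left until it spans at most `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            dests = {x["dst"] for x in evs[start:end + 1]}
            if len(dests) > len(best):
                best = dests
        if len(best) >= min_dests:
            findings[key] = sorted(best)
    return findings


if __name__ == "__main__":
    for (src, user), dests in find_lateral_movement(parse_events(SAMPLE_LOG)).items():
        print(f"ALERT {src} using '{user}' reached {len(dests)} servers off hours: {dests}")
```

On the constructed sample only the 02:03 burst from 10.0.5.23 is flagged: the identical fan-out by `asmith` at 09:15 is inside business hours, and the `backup` account at 23:30 touches only two servers. Both of those are the false positives a naive "many destinations" rule would raise, which is why the time-of-day context matters. Real flow exports do not carry usernames, so in practice the join with authentication logs is the part that takes the most work.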
Data collection needs to take place at different points across the infrastructure. You need to collect data in real time from the network layer, normally via a SPAN port, an inline device, or application logs. In addition to traffic flowing into and out of your network, make sure you also monitor east-west traffic within the enterprise. That traffic helps you find the blind spots in your network that aren't always monitored.
The second monitoring point should be the endpoint itself. Ultimately all networks lead to endpoints, so if you can determine, from a behavioral perspective, what is occurring on the endpoints, you will get a much better understanding of how and why that traffic appeared on your network in the first place. You need software that can detect something malicious or suspicious on the endpoint and then let you do a deep-dive forensic analysis of its behavior, including its network communications.
There are many solutions that provide this kind of behavioral monitoring and alerting. They need to be deployed at the appropriate locations on the network and instrumented properly in order to capture the traffic they are meant to monitor. One solution that does this well is Riverbed, which takes NetFlow and packet-level information from the network and monitors it for traffic anomalies. There are also NGFWs, such as CheckPoint and Palo Alto Networks, that provide application-level inspection of the traffic beyond HTTP/HTTPS. Lastly, another solution that works well for network mining is FireEye, which monitors for malicious traffic and executables.
In my opinion, while you still need standard monitoring tools such as IDS/IPS and firewalls, you should also analyze your data from a behavioral perspective. Alerting on behavioral patterns, regardless of the exploit or tools the attackers are using, will help limit false positives and truly find the needle in the needle stack.