
Using Network Telemetry and Security Analytics to Detect Attacks


August 18, 2016

The Cisco 2016 Midyear Cybersecurity Report has been released, and just like the Cisco Annual Security Report and many other security reports, the news isn’t encouraging. The very first sentence in the midyear report explains that as defenders, we simply aren’t getting the job done: “Attackers currently enjoy unconstrained time to operate.”[1]

Attackers understand that the human layer is frequently the weakest link in the security chain, and many rely on stealing passwords to gain access to the network. Already this year, the number of phishing websites has increased 250 percent since the last quarter of 2015, according to the Anti-Phishing Working Group, a global coalition of law enforcement, private organizations, and researchers.

Attackers also know that for the most part, they don’t have to use expensive zero-day vulnerabilities, as many organizations are not practicing strong cyber hygiene; known vulnerabilities “can remain active and undetected for days, months, or even longer.”[2] Attackers know that they will likely have time to operate inside the target network without being detected. Once the attacker has access to a system, possibly via a phished valid username and password for an authorized user, they have the same access privileges as that user. All it takes is a user clicking on the wrong link, opening the wrong attachment, or disclosing their password to a well-crafted impersonator for their credentials to be stolen. Threat actors will go to great lengths to learn about the target organization and its employees in order to create phishing pages and other social engineering lures that are incredibly difficult to distinguish from legitimate login screens, and once the credentials are lost, the attacker can impersonate the employee and access internal systems.

If one of your user accounts was compromised and an attacker accessed your network masquerading as a legitimate user, could you tell? How? Could you detect the attack quickly enough to prevent the exfiltration of data? Despite making strides, defenders still struggle to gain visibility into threat activity and reduce the time to detection (TTD) of both known and new threats. We need a better approach; existing strategies are not adapting to the changing tactics of the attackers.

Security analytics can help

These threat tactics are utilized specifically to take advantage of defenders’ weaknesses and bypass many authentication and signature-based detection methods. Fortunately for defenders, an attack isn’t over when access to an internal system is obtained. The attacker still needs to find the target data, retrieve it, and complete the exfiltration, which gives the defender a window of opportunity to detect and mitigate the attack before data is stolen. Defenders must adopt strategies and implement solutions that provide improved visibility and reduce the TTD.

One effective way to detect attackers operating inside your network is through behavioral analysis. Threat activity often stands out from the ordinary, even if an attacker with legitimate credentials is responsible for it. For instance, when a staff member in finance usually accesses only a few megabytes of network data a day but suddenly a system with that staff member’s username begins collecting gigabytes of files from the engineering environment, it could be a sign of hoarding data in preparation for exfiltration. Similarly, when an employee turns in their two-week notice and is suddenly responsible for a large spike in traffic to the office printer, they could be printing sensitive documents to take with them – we’ve seen these scenarios happen before.

Identifying these kinds of anomalous activities can help reduce the time to detection so that attacks can be contained before data is lost, but how can we achieve this? The first step toward behavioral analysis is network visibility. By collecting NetFlow and other forms of traffic metadata, security operators can gain valuable insight into every transaction that takes place on the network.

Like all big data, this information is relatively useless without the means to easily interact with it and the analytics to quickly separate important events from the noise of day-to-day network activity. Detecting anomalies in behavior requires developing a baseline of normal system activity, which is simply impossible to achieve manually in a large enterprise network. Security operators also need the ability to automatically detect certain behaviors, such as policy violations or common threat activities, to reduce the TTD and identify an attack, mitigate it, and prevent the data from being lost.
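The baselining idea described above, as an added example that is not from the original post and is not how Stealthwatch itself works: each user's activity on a given day is compared with that user's own history, using a robust median/MAD score for volume and a check for network segments the user has never touched before. The user names, segment labels, threshold `k` and the flow records are constructed assumptions; real input would be NetFlow/IPFIX records joined with identity data.

```python
from collections import defaultdict
from statistics import median

# Constructed flow summaries: (day, user, destination segment, bytes).
MB, GB = 10**6, 10**9
FLOWS = (
    [(d, "finance-user", "finance", 3 * MB + d * 100_000) for d in range(1, 15)]
    + [(d, "eng-user", "engineering", 2 * GB + d * 10 * MB) for d in range(1, 16)]
    + [(15, "finance-user", "finance", 4 * MB),
       (15, "finance-user", "engineering", 6 * GB)]
)

def daily_profile(flows):
    """Aggregate flows into {user: {day: [total_bytes, {segments}]}}."""
    profile = defaultdict(lambda: defaultdict(lambda: [0, set()]))
    for day, user, segment, nbytes in flows:
        entry = profile[user][day]
        entry[0] += nbytes
        entry[1].add(segment)
    return profile

def detect(flows, today, k=6.0, min_days=7):
    """Compare each user's activity on `today` with their own history."""
    alerts = []
    for user, days in daily_profile(flows).items():
        history = [v for d, v in days.items() if d < today]
        if today not in days or len(history) < min_days:
            continue  # not enough history to form a baseline
        volumes = [total for total, _ in history]
        med = median(volumes)
        # Median absolute deviation: robust to a few unusual days.
        mad = median(abs(v - med) for v in volumes) or 1
        total, segments = days[today]
        known = set().union(*(segs for _, segs in history))
        # 1.4826 scales MAD to be comparable with a standard deviation.
        score = (total - med) / (1.4826 * mad)
        if score > k:
            alerts.append((user, "volume", round(total / med, 1)))
        for seg in sorted(segments - known):
            alerts.append((user, "new-segment", seg))
    return alerts

if __name__ == "__main__":
    for alert in detect(FLOWS, today=15):
        print(alert)
```

The engineering user moves gigabytes every day and raises no alert, while the finance user's day-15 activity is flagged twice: once for volume relative to their own baseline and once for reaching a segment absent from their history.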

Use your Network as a Sensor to reduce the time to detection

Cisco’s Network as a Sensor solution gives security operators the means to detect suspicious behaviors that could signify an attack. It does so by collecting NetFlow directly from infrastructure devices such as routers, switches, and firewalls – turning the network into a powerful security sensor. Additionally, visibility can be achieved in the virtualized environments of the data center or the cloud by using the NetFlow capabilities of virtualized switches or by deploying agents onto IaaS instances.

This data is then processed and analyzed by Stealthwatch, which provides advanced threat detection and analytics. It baselines normal network traffic to identify anomalous activity for further investigation in addition to detecting a wide variety of threat activity such as network scanning or lateral movement. This data is also stored in an audit trail that retains records of all network transactions for months or even years at a time. The Identity Services Engine (ISE) provides additional contextual information to help you understand who, what, where, when, and how users and devices are using the network.

If attackers utilize compromised credentials gained via phishing or other attacks, the Network as a Sensor solution can identify when users access an abnormally large amount of data, transfer data off the corporate network, or behave in a way that is significantly different from their past activity or that of their peers. Additionally, the network audit trail functionality can help investigators retroactively determine exactly what the attackers accessed and who they communicated with over the network.

To combat advanced threats, we must detect them quicker

Today’s networks are larger and more complex than ever before, and threat actors are skilled at penetrating defenses and blending in with the normal network activity. In many cases, attackers are masquerading as legitimate employees, effectively bypassing authentication controls.

To combat these adversaries, we need network visibility and security analytics. By understanding what normal network behavior looks like and identifying deviations and suspicious activity, we can detect these threats before sensitive data is exfiltrated. Cisco’s Network as a Sensor solution provides the comprehensive visibility and advanced analytics necessary to protect your organization from sophisticated threat actors.

To learn more about how Network as a Sensor can help secure your organization, click here.

[1] Cisco 2016 Midyear Cybersecurity Report, page 2

[2] Cisco 2016 Midyear Cybersecurity Report, page 2


