Network Security – Identifying Network Traffic Flows
By: David Newell, Chief Executive Officer, Loptr Security
Kristopher Meier, President, Station 28, LLC
Edward O'Keefe, Director of Application Development, ABC-Amega, Inc.
As credit and collection professionals you eat, sleep and breathe data. While data security may not be your primary responsibility, it is important to recognize that it is something you need to be conscious of. Risks exist every day, but the key is to recognize your company's vulnerabilities before an attack ensues.
If you are not directly responsible for network security in your organization, the following article may be worth sharing with the person in your company who is.
"Anti-virus software alone is not enough."
Symantec, a leading developer of anti-virus software, offered this warning back in January 2013 following an attack on The New York Times. Two years after the Times hack, the breach at Sony Pictures was the dominant cyber security news story of 2014.
In the Times case, anti-virus missed 44 of the 45 separate malicious programs used in the hack. It turns out that anti-virus is not good at stopping threats it does not recognize. The Times worried about a possible attack, and hired a firm to watch its network. They quickly learned that hackers were already inside.
In the Sony case, details are still emerging. But the Department of Homeland Security's U.S. Computer Emergency Response Team (US-CERT) issued an unusually long and detailed alert about targeted destructive malware shortly after Sony's hack. US-CERT described a network "worm" with five components: a listening implant, a lightweight backdoor, a proxy tool, a destructive hard drive tool, and a destructive target cleaning tool. US-CERT also noted that the malware attack targeted a major entertainment company.
It is easy to see why organizations focus on keeping attackers out. Firewalls, patching, encryption, and anti-virus are all about keeping the bad guys out. However, of the many lessons of the Times and Sony breaches and others like them, a significant one is that prevention efforts are not enough. It is a mistake to assume that no hacker will ever succeed. The ability to detect that an attack has succeeded is critical.
A challenge of detection is recognizing an attack. Sony only learned it had problems when employees arrived at work to find computer screens boasting of the hack by the Guardians of Peace. Firewalls, intrusion detection systems, and anti-virus are very good at stopping attacks that they can recognize. US-CERT's alert included a list of indicators of compromise (IOCs) that can now aid detection, and many security systems will use those IOCs. In response, attackers will create new and undetected tools.
One way to detect "unknown" attacks is to look for symptoms that an attack has succeeded. A critical focal point for this is the outbound flow of information. When attackers gain a foothold in an organization's network, they use command and control (C2) systems to coordinate and expand their attack. US-CERT's alert lists C2 systems from Thailand, Poland, Italy, Bolivia, Singapore, Cyprus, and the United States.
Unfortunately, too many organizations focus only on inbound network monitoring. Preventive systems stop the attacks they recognize and do not flag unrecognized attacks, so the monitoring report looks good. The organization, which does not monitor outbound traffic, will not know it has been compromised until someone else, like the Guardians of Peace, lets them know.
For an organization that already has network monitoring infrastructure in place, stepping up outbound monitoring is not a heavy lift. That infrastructure should include broad logging of computers and network devices throughout the organization, centralized log collection, and a log analysis system that can index, correlate, query, report and alert. Three key factors to consider are traffic destination, traffic type, and traffic volume.
Many organizations only do business in one or a few countries. Knowing when an internal system connects to a "non-business" country's network is a simple step toward detecting a possible attack. The Spamhaus Project tracks and shares lists of malicious Internet systems and organizations should keep a close watch for connections to blacklisted sites. Traffic for large, global organizations may connect to networks in every country in the world, so global organizations might only focus alerts on connections to blacklisted systems.
Organizations should also monitor the types of traffic that flow through their networks. Often firewalls are set to allow many more outbound ports and protocols than inbound. Business may not require thousands of open ports, but technology staffs do not know which are needed, so the easy response is to let everything go out. The C2 systems listed in US-CERT's alert used ports 8000 and 8080; an internal server or workstation making an outbound connection on those ports could have raised a flag.
Even network traffic volume can help detect attacks. Sony's hackers claim to have siphoned 100 terabytes of data over the course of a year. Identifying bogus traffic requires organizations to understand what is normal for their networks; unfortunately, many do not make the connection between network utilization and security. Unusually large volumes of data moving out of a network should also raise an alarm.
Attackers use encryption, too, and the fourth factor of network monitoring is inspection. Inspecting the content of network traffic, including encrypted connections, provides much greater visibility. However, intercepting and analyzing the contents of network traffic requires added systems and resources. Focusing first on traffic destination, traffic type, and traffic volume makes sense.
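The three checks described above (destination country and reputation, outbound port, and egress volume against a baseline) as an added Python example; this is not code from the article. The flow records, the IP-to-country map and the blacklist are all constructed here, standing in for firewall or NetFlow logs, a GeoIP database and a Spamhaus-style feed.

```python
# Added example: flag outbound flows by destination country, destination
# reputation, unexpected port, and per-host egress volume against prior days.
# All data below is constructed for illustration.
from collections import defaultdict

BUSINESS_COUNTRIES = {"US"}          # countries this organization does business in
EXPECTED_PORTS = {25, 53, 80, 443}   # outbound ports the business actually needs
VOLUME_FACTOR = 3                    # alert when daily egress exceeds 3x the host's baseline

# Constructed lookup tables (a real deployment would use a GeoIP database and a blocklist feed)
IP_COUNTRY = {"203.0.113.": "US", "198.51.100.": "PL", "192.0.2.": "SG"}
BLACKLIST = {"198.51.100.77"}

# Constructed outbound flow records: (day, src_host, dst_ip, dst_port, bytes_out)
FLOWS = [
    ("2014-12-01", "ws-12", "203.0.113.10", 443, 2_000_000),
    ("2014-12-01", "ws-12", "203.0.113.11", 80, 500_000),
    ("2014-12-01", "srv-db", "203.0.113.20", 443, 4_000_000),
    ("2014-12-02", "ws-12", "198.51.100.77", 8080, 300_000),   # blacklisted, non-business country, odd port
    ("2014-12-02", "srv-db", "192.0.2.5", 8000, 30_000_000),   # odd port and a large egress spike
    ("2014-12-02", "srv-db", "203.0.113.20", 443, 3_000_000),
]

def country_of(ip):
    return next((c for prefix, c in IP_COUNTRY.items() if ip.startswith(prefix)), "??")

def analyze(flows):
    """Return a sorted list of (day, host, reason) alerts for destination, type and volume."""
    alerts = set()
    egress = defaultdict(lambda: defaultdict(int))   # day -> host -> bytes out
    for day, host, dst, port, nbytes in flows:
        egress[day][host] += nbytes
        if dst in BLACKLIST:
            alerts.add((day, host, f"connection to blacklisted {dst}"))
        if country_of(dst) not in BUSINESS_COUNTRIES:
            alerts.add((day, host, f"connection to non-business country {country_of(dst)}"))
        if port not in EXPECTED_PORTS:
            alerts.add((day, host, f"unexpected outbound port {port}"))
    # Volume: each host's baseline is its mean daily egress over the days before the one under test
    days = sorted(egress)
    for day in days:
        for host, total in egress[day].items():
            prior = [egress[d].get(host, 0) for d in days if d < day]
            baseline = sum(prior) / len(prior) if prior else 0
            if baseline and total > VOLUME_FACTOR * baseline:
                alerts.add((day, host, f"egress {total} bytes exceeds {VOLUME_FACTOR}x baseline {baseline:.0f}"))
    return sorted(alerts)
```

Each alert names the day, the internal host and the factor that fired, which is the shape of answer the questions at the end of the article ask for.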
If security is your responsibility, you might ask your team these questions:
• How many devices are connected to our network?
• What countries are our network users connecting to right now?
• How many attempted connections did we make to blacklisted servers today?
• How many of yesterday's outbound network connections were to unexpected ports or protocols?
• How much data moved out of our network last week?
If your team cannot provide answers, you have work to do. If your team provides answers, pay attention to how long it takes to get those answers; you want answers quickly. If the answers are prompt, you only have to worry about what they say.
Stay tuned for an article on Password Security coming in a future issue of Credit-to-Cash Advisor.
US-CERT Alert TA14-353A, Targeted Destructive Malware; December 19, 2014 (updated December 25, 2014); https://www.us-cert.gov/ncas/alerts/TA14-353A
The Spamhaus Project; http://www.spamhaus.org