The number of breaches impacting corporate networks has reached epidemic proportions. This year is currently on track to break all records for breaches. Already this year there have been 1,900 reported breaches in just the past three months, according to Risk Based Security.
One of the troubling aspects of today’s breaches is pointed out in a recent report (PDF) that found the most common vector used by hackers to exfiltrate data from a victim was via the company’s own network – aka network traffic.
This means that hackers are leveraging the (network) infrastructure itself to steal data. Not good.
If cybercriminals can leverage corporate infrastructure for a variety of attacks, then network and operations teams can also use that same infrastructure to effectively fight back. The network itself provides the key.
Threat hunters have to use all their resources at hand, and one of the most valuable is delving deep into the network to gather up all the network metadata that is produced from routers, switches, firewalls, and more. These will provide the first scent of a stealth attack. This pool of data can be analyzed in real-time with network traffic analytics to reflect information related to every conversation on the network and provide a summary of what is taking place at any given moment.
With this in-depth activity retrieved by network devices, organizations can detect anomalous behavior and spot problems like credential misuse, such as when hackers use credentials stolen in spear phishing campaigns and business email compromise (BEC) attacks. The network actually sees all and is the most powerful resource for forensic investigation. The faster the business can delve into this data, the quicker an attack can be stopped.
Attacks From The Outside In
Nearly 70 percent of attacks took place from outsiders, and 34 percent involved internal actors according to the “2019 Data Breach Investigations Report (DBIR).” This is important to understand because while the majority of attacks take place from outsiders, a large percentage still initiates from internal actors.
The best way to detect when internal actors are starting to veer off the path is by monitoring network behavior to determine when unwanted activities are taking place. Organizations should be looking for behaviors that don’t necessarily break any rules, but are otherwise suspicious. For example, if a user within the sales organization starts accessing data from payroll servers or inventory control systems, there could be a problem.
While a simple connection to other parts of the network may seem harmless, it could be a sign of malicious behavior. This doesn’t have to mean that the individual user is making these connections. If their credentials were compromised, a hacker might be attempting to connect to other machines outside the user’s typical connections to determine which devices they can establish a foothold in to steal data.
Here are four things the network sees that could indicate an attack:
- Network users attempting to access system they have never historically accessed before
- Suspiciously small amounts of traffic going to the same location regularly over a long period of time (this is how the Sony Entertainment breach happened)
- Irregular DNS queries in large quantities indicate a Domain Generation Algorithm may be in use by malware or ransomware
- Communication to business-critical servers by IoT devices connected on the corporate network
The Network as The Source of Knowledge
With the network leveraged as the most in-depth source of data, it has the perfect capacity to monitor and collect the data taking place across the network. When user behaviors change, the network sees it. The network can also detect when large amounts of data are being taken in large-scale data exfiltration attacks. But attackers don’t steal terabytes of data all at once; instead, they steal small pieces at a time, and these low-and-slow types of attacks often don’t show up on the radar for most intrusion prevention and detection systems. These systems aren’t looking for small amounts of data leaving the network, and as weeks and months go by, more and more data is slowly smuggled out.
Network traffic analytics lets organizations see these types of attacks from inception and alerts businesses to compromise. Additionally, it allows companies and threat hunters alike to leverage the network not only as the heart of the corporate environment, but also as a defensive mechanism as well.
About the Author
Justin Jett is Director of Audit and Compliance at Plixer with roles ranging from system administration of web services to technical product marketing for Plixer’s incident response system, Scrutinizer. Jett, a graduate of the University of Maine at Farmington, is an avid learner of all things security, with a particular interest in TLS and DNS attacks