Use network traffic analysis to detect next-gen threats

Network traffic analysis, network detection and response -- whichever term you prefer, the technology is critical to detecting new breeds of low-and-slow threats.

It's time to add more acronyms to the already overflowing list of security abbreviations: NTA for network traffic analysis and NDR for network detection and response. These interchangeable terms represent the most advanced technology for detecting a new generation of attacks that differ dramatically in how they are executed.

In the good old days of network security, attacks were simple -- relatively speaking. In a SQL injection, for example, malicious code would be inserted into an otherwise legitimate SQL database command. Or a virus would be embedded in a message attachment. These attacks had signatures that, once discovered, could be matched against a signature file and then detected and blocked by security teams. While these types of attacks haven't gone away, newer, more insidious breeds of attack are already being detected in corporate networks.

Unfortunately, these newer breeds of attacks are subtle and difficult to detect -- low and slow is a term often used to describe them. Such an attack might generate little traffic, making it hard to detect, and might run over the course of days or weeks rather than seconds or minutes. These attacks can exfiltrate corporate data to a site the attackers control that is built on a legitimate cloud service, such as AWS or Azure. As such, traditional threat detection mechanisms that detect attacks by evaluating the reputation of the target system might miss the threat.

New attack scenarios call for new detection mechanisms

Beyond using legitimate sites that bypass the detection capabilities of traditional security systems, the newer breeds of threats are using sneaky attacks to steal sensitive corporate data.

Consider the following potential scenarios that make it clear these new levels of attack require new defenses:

  • IoT exfiltration: Several video cameras perform standard surveillance tasks. One of them, however, also contains malicious code. Over time, it collects data from the internal network and sends it to a web server hosted on AWS.
  • Data theft via man in the browser: Here, an unregistered Google Chrome browser extension gathers information on an endpoint's browsing history and cookies and communicates that information to a web server hosted on AWS.
  • Data exfiltration via the dnscat2 tool: Malicious code on a computer inside the corporate firewall uses the dnscat2 hacker tool to bypass the firewall by using the legitimate DNS port 53 for illicit communication between a malicious client and its partner server in the cloud.

Combating these threats requires a new approach. Enter network traffic analysis and network detection and response.

NTA/NDR metrics and testing

Network traffic analysis and network detection and response systems must work differently to spot attacks. For example, to detect an IoT video attack, an NTA or NDR system first captures and processes legitimate traffic from the video surveillance device. Over time, it compares normal traffic to future activity. Then, when a malicious device attempts its low-and-slow exfiltration, the NTA or NDR system detects abnormal traffic patterns and alerts the security team to the potentially malicious activity.
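The baseline-then-compare approach described above, as an added example that is not part of the original article: it learns a camera's normal daily outbound volume per destination from two weeks of constructed flow summaries, then flags either a destination never seen in the baseline that is contacted on several days (the low-and-slow pattern) or a volume spike to a known destination. Device names, addresses and byte counts are all constructed, and the statistical threshold is one simple choice, not a vendor's algorithm.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed daily flow summaries: (day, device, destination, bytes_out).
# Baseline: two weeks of the camera streaming only to the internal recorder.
BASELINE_FLOWS = [(d, "cam-01", "10.0.0.5:554", 12000 + 100 * (d % 3))
                  for d in range(1, 15)]
# Observation week: same recorder traffic plus a small daily upload to an
# external host (low and slow; hypothetical address from TEST-NET-3).
OBSERVED_FLOWS = ([(d, "cam-01", "10.0.0.5:554", 12050) for d in range(15, 22)]
                  + [(d, "cam-01", "203.0.113.7:443", 900) for d in range(15, 22)])

def daily_totals(flows):
    """Aggregate flows to {(device, dst): {day: bytes_out}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, dev, dst, b in flows:
        totals[(dev, dst)][day] += b
    return totals

def build_baseline(flows):
    """Per (device, dst): (mean, population stdev) of daily outbound bytes."""
    return {k: (mean(list(v.values())), pstdev(list(v.values())))
            for k, v in daily_totals(flows).items()}

def detect(baseline, flows, min_days=3, sigma=3.0):
    """Alert on a destination absent from the baseline but contacted on at least
    min_days days (persistent low-and-slow), or on a daily volume spike to a
    destination the baseline already knows."""
    alerts = []
    for (dev, dst), per_day in daily_totals(flows).items():
        if (dev, dst) not in baseline:
            if len(per_day) >= min_days:
                alerts.append({"kind": "new_persistent_destination", "device": dev,
                               "dst": dst, "days": len(per_day),
                               "bytes": sum(per_day.values())})
            continue
        mu, sd = baseline[(dev, dst)]
        # 5% floor keeps a near-constant baseline (sd ~ 0) from alerting on noise.
        threshold = mu + max(sigma * sd, 0.05 * mu)
        for day, b in sorted(per_day.items()):
            if b > threshold:
                alerts.append({"kind": "volume_spike", "device": dev, "dst": dst,
                               "day": day, "bytes": b, "threshold": round(threshold)})
    return alerts

if __name__ == "__main__":
    for alert in detect(build_baseline(BASELINE_FLOWS), OBSERVED_FLOWS):
        print(alert)
```

Run as-is it reports one alert: the external host contacted on all seven observation days, while the slightly higher recorder traffic stays under threshold.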

With traditional security systems, enterprises must be concerned with accuracy and false positives. For example, did the security mechanism detect actual attacks? Did it avoid tagging benign traffic incorrectly as an attack?

With NTA and NDR targeting longer attack time periods, there are new metrics to consider. Detection accuracy is still the most critical, but others matter, too -- the first being signal-to-noise ratio (SNR). Security systems that generate bogus alert messages, such as false positives, can obscure a real problem or waste the security operations team's time. Thus, when evaluating responses to threats, count both valid and invalid alerts and calculate an SNR as the ratio of valid to invalid alerts. A higher SNR -- i.e., a larger share of legitimate alerts -- is better.

Another metric to consider is alert validation. Note what kinds of messages the NTA or NDR system reported. Did these messages help teams pinpoint the attack? The more specific and accurate the attack validation messages, the better.

It is important to note that network traffic analysis and network detection and response systems need to be tested in real networks with real traffic running alongside any test threat traffic. Unlike intrusion prevention systems (IPSes) and next-generation firewalls (NGFWs) that can be tested effectively in an isolated lab environment, NTA/NDR tests require real-world traffic to build a baseline against.

Where to begin? A good place to see the scope of these new breeds of threats is Mitre Corp.'s ATT&CK database. The attack methods discussed in this article and hundreds of others are documented there. Realize, too, that this security challenge is so profoundly different from, say, IPS and NGFW functions that you might need to look to new vendors for NTA/NDR protection.
