Vigilance

The original network intruders were often misfit geeks operating from boredom or a need for thrills. As businesses went online, a new kind of intruder arose – a thief, poking around for credit card numbers or a chance to add another spam slave to the botnet.

This new breed of intruder brings a sophistication that takes the threat to the level of cyber attack. Well-funded and highly skilled criminal organizations can stake out a network for months – sometimes years, keeping constant watch and trying every trick they know until they find a way to slip past security. Many of these organizations aren't just looking for a single hit – they want to stay on the network for the long term and generate revenue by stealing financial data, medical data, and trade secrets.

This new style of attack is often classified under the general category of Advanced Persistent Threat (APT). In addition to sophisticated criminal organizations, some APT attackers are actually spy agencies for foreign governments. To counteract this kind of next-generation attack, networks need next-generation defense tools. In particular, if the attack is "always on," the defense has to be "always on." It isn't enough to monitor the perimeter and launch a forensic study when you happen on evidence that something is awry.

A new breed of services has emerged to meet the challenge of APT. The goal of these services is to watch and analyze all your network traffic all the time to look for suspicious traffic patterns and other evidence of nefarious activity. Sophisticated analysis programs look for subtle behaviors that a human investigator would never spot, and automatic alerts identify what happened to which computer and what it might mean.

In this article, I offer a quick introduction to a pair of these APT-ready intrusion detection services: FlowScape and WildFire. I'll introduce you to some of the reports you'll receive through these services and show you how you can put the information to work catching intruders and eliminating threats.

Application Enablement

Your network is full of applications you cannot identify. File sharing, social networking, personal email, and streaming media are just a few of the applications that can evade your firewall by hopping ports, using SSL, or employing non-standard ports. Secure application enablement begins with knowing which applications are being used and by whom. This knowledge allows you to create effective firewall control policies.

Secure application enablement requires a systematic approach that begins with the applications that traversing your network and the types of threats, they carry.

The new APT-ready intrusion services identify and track application use by assigning the following identifiers:

• App-ID determines exactly which application is in use.
• User-ID ties application usage to the identity of an employee.
• Content-ID controls web surfing, limits the unauthorized transfer of data, and protects you against threats.

When you have a better idea of what is traversing your network, you can better protect yourself.

WildFire

WildFire from Palo Alto Networks [1] offers a new approach to cybersecurity. The service brings advanced threat detection and prevention to every Palo Alto security platform deployed throughout the network, automatically sharing protections with all WildFire subscribers.

A Palo Alto (PA) device is necessary to use the WildFire service, but you can use any of the PA devices, which span a range of performance and price points. I use the PA-5060 firewall as an intrusion detection device to enable applications, users, and content in high-speed data centers and multitenant environments. Predictable throughput levels of up to 20Gbps are achieved using dedicated, function-specific processing for networking, security, content inspection, and management.

WildFire simplifies an organization's response to the most dangerous threats by automatically detecting unknown malware and preventing threats before organizations are compromised. WildFire quickly identifies and stops these advanced attacks without requiring manual human intervention. You get an email message in your Inbox when any suspicious packet goes by, and the intrusion detection system is alerted. The message, provided by Palo Alto Networks, is called a WildFire Analysis Report.

An example report is shown in Figure 1. The report says that a suspicious packet called Baseball Bat Blank Templates P Downloader__3687_i1476450232_il1 was caught by WildFire, and WildFire has determined that it is malware. Next, WildFire provides some details of the capture (Figures 2 and 3).

Figure 1: A sample WildFire Analysis Report.

Figure 2: In addition to the basic report, WildFire provides lots of details.

Figure 3: WildFire identifies viruses and other forms of malware.

The report provides the information I need to start looking for the intruder. To begin, I open a terminal window and enter:

c:\Users> nslookup 10.101.66.73

The command tells me the name of the computer associated with the suspicious packet (wtr75876; Figure 4). Now I have sufficient information to send a technician to the computer to investigate the computer and take appropriate actions.

Figure 4: Use nslookup to find the name of the computer associated with the suspicious package.

To gather even more information, I can download the report from WildFire and include it in the action items, along with the Virus Total information. The WildFire alert explains what is wrong with the workstation (Figure 5).

Figure 5: WildFire alerts detail any potentially suspicious behavior.

My team gets these alerts all the time when a user clicks a malicious site; then we have to clean the workstation, which results in lost productivity. WildFire alerts help us zero in on the problem and fix the workstation with minimal disruption.

FlowScape

Another great intrusion detection program is FlowScape [2]. The CyberFlow Analytics FlowScape platform enables APT detection through a sophisticated anomaly detection system. FlowScape is designed in a modular fashion, in alignment with cloud-computing principles, and it runs entirely in the context of virtual machines. The core of the FlowScape system involves a series of connected multimodel "analytics engines" that contain hundreds of mathematical predictors that machine-learn network communication transmissions and identify odd, anomalous behaviors across an entire network. FlowScape also offers a cool way to view an attack (Figure 6).

FlowScape gives you immediate detection of something bad happening on the network. Figure 6 shows that 10.37.28.132 is talking to 87.104.76.39 with BitTorrent on port 6881. We discover that an "actor" is using his laptop to VPN into the network. The event is immediately flagged as a red alert, and the appropriate people are notified for remediation.

Figure 6: FlowScape helps you visualize the source of an attack.

To see a list of known "bad actor" sites, I get a monthly block list that is continually updated with the suspicious domain names and IP addresses for situational awareness and computer network defense. I get this list from the LA-SAFE's Cyber Fusion Unit (LCFU) and put it on an outside Cisco firewall. Eliminating known bad actors significantly drops the number of alerts received.