WildFire and FlowScape are powerful new tools for intrusion detection
Vigilance
Powerful services like WildFire and FlowScape can help you defend against a new generation of persistent network attacks.
The original network intruders were often misfit geeks operating from boredom or a need for thrills. As businesses went online, a new kind of intruder arose – a thief, poking around for credit card numbers or a chance to add another spam slave to the botnet.
This new breed of intruder brings a sophistication that takes the threat to the level of cyber attack. Well-funded and highly skilled criminal organizations can stake out a network for months or even years, keeping constant watch and trying every trick they know until they find a way to slip past security. Many of these organizations aren't just looking for a single hit – they want to stay on the network for the long term and generate revenue by stealing financial data, medical data, and trade secrets.
This new style of attack is often classified under the general category of Advanced Persistent Threat (APT). In addition to sophisticated criminal organizations, some APT attackers are actually spy agencies for foreign governments. To counteract this kind of next-generation attack, networks need next-generation defense tools. In particular, if the attack is "always on," the defense has to be "always on." It isn't enough to monitor the perimeter and launch a forensic study when you happen on evidence that something is awry.
A new breed of services has emerged to meet the challenge of APT. The goal of these services is to watch and analyze all your network traffic all the time to look for suspicious traffic patterns and other evidence of nefarious activity. Sophisticated analysis programs look for subtle behaviors that a human investigator would never spot, and automatic alerts identify what happened to which computer and what it might mean.
In this article, I offer a quick introduction to a pair of these APT-ready intrusion detection services: FlowScape and WildFire. I'll introduce you to some of the reports you'll receive through these services and show you how you can put the information to work catching intruders and eliminating threats.
Application Enablement
Your network is full of applications you cannot identify. File sharing, social networking, personal email, and streaming media are just a few of the applications that can evade your firewall by hopping ports, using SSL, or employing non-standard ports. Secure application enablement begins with knowing which applications are being used and by whom. This knowledge allows you to create effective firewall control policies.
Secure application enablement requires a systematic approach that begins with identifying the applications that traverse your network and the types of threats they carry.
The new APT-ready intrusion services identify and track application use by assigning the following identifiers:
- App-ID determines exactly which application is in use.
- User-ID ties application usage to the identity of an employee.
- Content-ID controls web surfing, limits the unauthorized transfer of data, and protects you against threats.
When you have a better idea of what is traversing your network, you can better protect yourself.
WildFire
WildFire from Palo Alto Networks [1] offers a new approach to cybersecurity. The service brings advanced threat detection and prevention to every Palo Alto security platform deployed throughout the network, automatically sharing protections with all WildFire subscribers.
A Palo Alto (PA) device is necessary to use the WildFire service, but you can use any of the PA devices, which span a range of performance and price points. I use the PA-5060 firewall as an intrusion detection device to enable applications, users, and content in high-speed data centers and multitenant environments. Predictable throughput levels of up to 20Gbps are achieved using dedicated, function-specific processing for networking, security, content inspection, and management.
WildFire simplifies an organization's response to the most dangerous threats by automatically detecting unknown malware and preventing threats before organizations are compromised. WildFire quickly identifies and stops these advanced attacks without requiring manual human intervention. You get an email message in your Inbox when any suspicious packet goes by, and the intrusion detection system is alerted. The message, provided by Palo Alto Networks, is called a WildFire Analysis Report.
An example report is shown in Figure 1. The report says that a suspicious packet called Baseball Bat Blank Templates P Downloader__3687_i1476450232_il1 was caught by WildFire, and WildFire has determined that it is malware. Next, WildFire provides some details of the capture (Figures 2 and 3).
The report provides the information I need to start looking for the intruder. To begin, I open a terminal window and enter:
c:\Users> nslookup 10.101.66.73
The command tells me the name of the computer associated with the suspicious packet (wtr75876; Figure 4). Now I have sufficient information to send a technician to the computer to investigate the computer and take appropriate actions.
To gather even more information, I can download the report from WildFire and include it in the action items, along with the Virus Total information. The WildFire alert explains what is wrong with the workstation (Figure 5).
My team gets these alerts all the time when a user clicks a malicious site; then we have to clean the workstation, which results in lost productivity. WildFire alerts help us zero in on the problem and fix the workstation with minimal disruption.
FlowScape
Another great intrusion detection program is FlowScape [2]. The CyberFlow Analytics FlowScape platform enables APT detection through a sophisticated anomaly detection system. FlowScape is designed in a modular fashion, in alignment with cloud-computing principles, and it runs entirely in the context of virtual machines. The core of the FlowScape system is a series of connected multimodel "analytics engines" containing hundreds of mathematical predictors that learn what normal network communication looks like and identify odd, anomalous behaviors across an entire network. FlowScape also offers a cool way to view an attack (Figure 6).
FlowScape gives you immediate detection of something bad happening on the network. Figure 6 shows that 10.37.28.132 is talking to 87.104.76.39 with BitTorrent on port 6881. We discover that an "actor" is using his laptop to VPN into the network. The event is immediately flagged as a red alert, and the appropriate people are notified for remediation.
To see a list of known "bad actor" sites, I get a monthly block list that is continually updated with the suspicious domain names and IP addresses for situational awareness and computer network defense. I get this list from the LA-SAFE's Cyber Fusion Unit (LCFU) and put it on an outside Cisco firewall. Eliminating known bad actors significantly drops the number of alerts received.
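The two workflows above, reverse-resolving the internal address from a WildFire report before dispatching a technician, and raising a red alert on an internal host talking BitTorrent to an outside peer or to an address on the monthly block list, can be mirrored in a small triage script. This is an added example, not code from Palo Alto Networks or CyberFlow Analytics; the reverse-DNS table, the block list, the 10.0.0.0/8 address plan and the hostname lt-actor01 are constructed stand-ins, while 10.101.66.73/wtr75876 and the 10.37.28.132 to 87.104.76.39 port 6881 flow are the values shown in the article's figures.

```python
import ipaddress

# Constructed reverse-DNS table standing in for the nslookup step
# (10.101.66.73 -> wtr75876 is the lookup shown in the article's Figure 4).
REVERSE_DNS = {"10.101.66.73": "wtr75876", "10.37.28.132": "lt-actor01"}
# Constructed "bad actor" block list (the article's real list comes from LCFU).
BLOCK_LIST = {"203.0.113.45", "198.51.100.7"}
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed address plan
BITTORRENT_PORTS = range(6881, 6890)                 # 6881 is the port in Figure 6

def is_internal(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INTERNAL_NET

def hostname_for(ip: str) -> str:
    """Reverse lookup like 'nslookup <ip>', falling back to the bare address."""
    return REVERSE_DNS.get(ip, ip)

def classify(src: str, dst: str, dport: int) -> list[str]:
    """Reasons an internal-to-external flow deserves a red alert (empty = benign)."""
    reasons = []
    if is_internal(src) and not is_internal(dst):
        if dport in BITTORRENT_PORTS:
            reasons.append("bittorrent-to-external")
        if dst in BLOCK_LIST:
            reasons.append("blocklisted-destination")
    return reasons

def triage(flows: list[tuple[str, str, int]]) -> list[dict]:
    """One action item per alerting flow, naming the workstation a technician
    should visit, as the article does after the nslookup step."""
    items = []
    for src, dst, dport in flows:
        reasons = classify(src, dst, dport)
        if reasons:
            items.append({"host": hostname_for(src), "src": src, "dst": dst,
                          "dport": dport, "reasons": reasons})
    return items

# Constructed flow records (src, dst, dport); the first mirrors Figure 6.
SAMPLE_FLOWS = [
    ("10.37.28.132", "87.104.76.39", 6881),
    ("10.101.66.73", "203.0.113.45", 443),
    ("10.5.1.20", "10.5.1.9", 6881),       # internal peer, not flagged
    ("10.5.1.21", "192.0.2.10", 443),      # ordinary outbound HTTPS, not flagged
]

if __name__ == "__main__":
    for item in triage(SAMPLE_FLOWS):
        print(item)
```

Applying the block list before the anomaly check, as the article does on the outside Cisco firewall, is what keeps the alert volume down: flows to listed addresses never reach the analytics stage.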