Network threat detection moves beyond signatures

Network threat detection requires content monitoring and analysis, rather than solely relying on matching network packets to existing signatures.

Finding malware, or worse, attackers pivoting from server to server on your network, is a difficult proposition. Persistent, motivated hackers are adept at developing code that evades detection from signature-based network security devices. And more often than not, attackers are penetrating enterprise networks using legitimate credentials stolen via social engineering scams.

The cat-and-mouse game between security analysts and attackers has become a high-stakes game too, with more than stolen payment information at stake. More and more, corporate and political espionage is motivating hackers to poke and prod network threat detection, looking for anything from intellectual property to military secrets.

Surely, long gone are the days when security managers could hide behind their firewalls and feel protected.

“The guys who are more aware of the game these days know firewalls and IDS are not enough; sure, some are still in that compliance mindset, but that’s got to change and it’s going to change,” said Marty Roesch, developer of the Snort intrusion detection system, and CTO and founder of Columbia, Md.-based Sourcefire Inc. “Those who don’t change? Attackers will change the game for them.”

Packet filtering firewalls are no longer enough to safeguard networks from attackers. Experts recommend a gamut of new security measures to keep data safe: sandboxing capabilities, smarter re-architecting of networks and configurations, content analysis, visibility and context into what’s happening on a network, and intelligence about the latest threats and hacker techniques.

In other words, this ain’t your father’s network security any more.

“I think the packet-centric approach has been, if it’s not dead, eclipsed by much more focus on the content. All of the exciting developments have been less about making good matches against packets or streams, and more about observing the traffic flow, extracting content, analyzing it and making a determination,” said Richard Bejtlich, chief security officer at Alexandria, Va.-based Mandiant Corp., and author of the popular TaoSecurity blog. “The file-centric method is how we’re catching the most interesting activity.”
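The file-centric approach Bejtlich describes, reduced to its core steps, as an added example that is not code from the article or from any vendor mentioned in it: carve the file out of an HTTP response, type it by its leading bytes rather than by the declared Content-Type, hash it for a threat-intelligence lookup, and flag a mismatch between what the server claimed and what was actually delivered. The two HTTP responses are constructed inline for the demonstration (the "executable" is a four-byte header stub, not a real program), and the `build_response` helper exists only to assemble them.

```python
import hashlib

# Well-known leading bytes ("magic") for a few common file types.
MAGIC = {
    b"MZ": "pe-executable",
    b"%PDF": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip",
}

# What a declared HTTP Content-Type says the body should look like.
EXPECTED_BY_CONTENT_TYPE = {
    "image/png": "png",
    "application/pdf": "pdf",
    "application/zip": "zip",
    "application/x-msdownload": "pe-executable",
}


def build_response(content_type, body):
    """Constructed helper (not a real capture): assemble a minimal HTTP/1.1 response."""
    return (
        b"HTTP/1.1 200 OK\r\n"
        + b"Content-Type: " + content_type.encode() + b"\r\n"
        + b"Content-Length: " + str(len(body)).encode() + b"\r\n"
        + b"\r\n"
        + body
    )


# Constructed samples: a PE header stub served as a PNG, and a body that really is PNG-shaped.
SAMPLE_SUSPECT = build_response("image/png", b"MZ\x90\x00" + b"\x00" * 12)
SAMPLE_BENIGN = build_response("image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8)


def parse_http_response(raw):
    """Split a raw response into status line, lower-cased header dict and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    # Honour Content-Length so trailing bytes from a pipelined stream are not treated as file content.
    length = int(headers.get("content-length", len(body)))
    return status, headers, body[:length]


def identify(body):
    """Type the body by its leading bytes, ignoring whatever the server claims."""
    for magic, kind in MAGIC.items():
        if body.startswith(magic):
            return kind
    return "unknown"


def analyze_response(raw):
    """Extract the file from the stream, type it, hash it, and flag declared/actual mismatch."""
    _, headers, body = parse_http_response(raw)
    declared = headers.get("content-type", "").split(";")[0].strip().lower()
    actual = identify(body)
    expected = EXPECTED_BY_CONTENT_TYPE.get(declared)
    return {
        "declared": declared,
        "actual": actual,
        "size": len(body),
        "sha256": hashlib.sha256(body).hexdigest(),  # key for a threat-intel lookup
        "mismatch": expected is not None and expected != actual,
    }


if __name__ == "__main__":
    for label, sample in (("suspect", SAMPLE_SUSPECT), ("benign", SAMPLE_BENIGN)):
        print(label, analyze_response(sample))
```

Note that nothing here depends on a signature for the specific payload: the determination rests on what the extracted content is, which is exactly the point of moving from packet matching to content analysis.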


Companies relying on detection technologies such as network monitoring tools, IDS, IPS and more are finding complementary success using those tools along with sandbox technology. Sandbox tools, such as those offered by FireEye, Damballa and others, capture potentially malicious or untrusted code on the network and execute it in a controlled environment. Sandboxes are becoming a popular failsafe as signature-based defenses come under fire.

“If you want to test something in the environment, sandboxing makes a lot of sense,” said Derek Gabbard, CEO of Baltimore, Md.-based LookingGlass Cyber Solutions Inc., which sells products that correlate and analyze threats in an enterprise environment. Testing code in a sandbox enables an analyst to see code behavior and react accordingly, rather than engage in an endless loop of vulnerability management.

“Sandboxing is really popular, and part of the reason is the realization you can’t reverse engineer everything,” Bejtlich said. “You don’t need to know about vulnerabilities. You need to know what it does when it’s successfully run.”

Ripping and replacing signature-based detection technologies isn’t feasible for any organization. Instead, John Strand, owner of security consultancy Black Hills Information Security and a senior SANS Institute instructor, would rather educate security managers to properly architect networks with internal segmentation in order to improve detection, analysis and visibility into traffic and potential events.

“For example, workstation segments should be kept separate from each other,” said Strand, a longtime penetration tester. “If they’re talking, you should block it and it should fire off an alert. On really good networks, they’ll enable the firewall on Windows workstations so none are talking to each other, only to network devices -- gateways, file servers and printers. Workstation-to-server subnets are OK. That contains exploits.”

Such segmentation helps limit the spread and effectiveness of exploits, and helps network managers and security analysts with detection and analysis.

“In that example, if you limit the number of communication pathways you have to monitor, you can now focus on detection between workstations and servers,” Strand said. “If you block access to workstation communication, and force the bad guys to try to get access via servers, you can monitor that intensely. Architect so there are fewer possibilities for communication so you can put more resources into monitoring those that are left.”
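Strand’s segmentation policy, turned into detection logic over a flow log, as an added example that is not code from the article or from Black Hills Information Security: workstation-to-workstation traffic is the thing that should never happen and fires an alert, workstation-to-server traffic is permitted but is the pathway that gets the monitoring budget, and traffic to gateways and printers is expected. The address ranges, the infrastructure hosts and the five flow-log lines are all constructed assumptions for the demonstration.

```python
import ipaddress

# Constructed network layout (an assumption, not from the article): one /16 of
# workstations, one /24 of servers, and infrastructure hosts (gateway, printer)
# that sit inside the workstation range but are legitimate destinations.
WORKSTATION_NETS = [ipaddress.ip_network("10.10.0.0/16")]
SERVER_NETS = [ipaddress.ip_network("10.20.0.0/24")]
INFRA_HOSTS = {
    ipaddress.ip_address("10.10.0.1"),   # default gateway
    ipaddress.ip_address("10.10.9.50"),  # networked printer
}

# Constructed flow-log sample, one flow per line: "timestamp src dst dport proto".
SAMPLE_FLOWS = """\
2024-03-01T10:00:01 10.10.3.21 10.20.0.5 445 tcp
2024-03-01T10:00:02 10.10.3.21 10.10.4.77 445 tcp
2024-03-01T10:00:03 10.10.3.21 10.10.0.1 53 udp
2024-03-01T10:00:04 10.10.4.77 10.10.9.50 9100 tcp
2024-03-01T10:00:05 10.20.0.5 10.10.3.21 49152 tcp
"""


def classify(ip_str):
    """Map an address to its role: infra, workstation, server or other."""
    ip = ipaddress.ip_address(ip_str)
    if ip in INFRA_HOSTS:  # checked first because infra hosts live inside the workstation range
        return "infra"
    if any(ip in net for net in WORKSTATION_NETS):
        return "workstation"
    if any(ip in net for net in SERVER_NETS):
        return "server"
    return "other"


def evaluate_flow(src, dst):
    """Apply the segmentation policy to a single flow.

    alert   - workstation talking to another workstation: block and raise an alert
    monitor - workstation to server: permitted, but the pathway to watch intensely
    allow   - workstation to gateway/printer: expected, low-interest traffic
    review  - anything else (server-initiated, unknown hosts): not covered by the policy
    """
    s, d = classify(src), classify(dst)
    if s == "workstation" and d == "workstation":
        return "alert"
    if s == "workstation" and d == "server":
        return "monitor"
    if s == "workstation" and d == "infra":
        return "allow"
    return "review"


def analyze(flow_log):
    """Parse flow-log text and attach a policy verdict to each flow."""
    results = []
    for line in flow_log.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split()
        results.append({
            "ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto,
            "verdict": evaluate_flow(src, dst),
        })
    return results


def summarize(results):
    """Count flows per verdict, showing where monitoring effort should be spent."""
    counts = {"alert": 0, "monitor": 0, "allow": 0, "review": 0}
    for r in results:
        counts[r["verdict"]] += 1
    return counts


if __name__ == "__main__":
    findings = analyze(SAMPLE_FLOWS)
    for f in findings:
        print(f"{f['ts']} {f['src']} -> {f['dst']}:{f['dport']}/{f['proto']}  {f['verdict']}")
    print(summarize(findings))
```

The second sample line is the one the policy exists for: a workstation reaching another workstation on 445/tcp, which on a segmented network should have been blocked by the host firewall and is therefore worth an alert regardless of what the payload looks like. The "review" bucket is deliberate: traffic the policy does not describe should surface for an analyst rather than be silently accepted.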

The notion of having security visibility into networks is supremely important in the context of today’s attacks. Experts urge companies to have an automated way to understand the environment they’re protecting and analyze threats relevant to their organization.

“Prevention as a methodology will fail,” Sourcefire’s Roesch said. “You need to go beyond that. You cannot control things you’re unaware of. If something happens, and no one observes it, you have a problem. If all your technology missed it, how will you find it and get it out? You only get one shot at prevention. If your initial chance for prevention came and went, it won’t work.”

Often, attacks are carried out using legitimate credentials stolen via social engineering campaigns. Attackers with access look like insiders, have staying power inside a network, and have a lot more opportunity to exfiltrate data or drop customized malware that will evade signature-based AV or IPS monitoring. Signatures, meanwhile, still have their function as a protector of networks, but attackers have figured out sometimes painfully easy ways of getting around this type of security. Strand, for one, disagrees that this blacklisting type of approach is dead.

“If you look at blacklist technology, it’s similar to the concept of immunizations. As a kid, you get measles, polio shots. Just because you got a shot in the arm, you’re not going to swim in a cesspool. You have to exercise and make healthy lifestyle choices,” he said. “When you look at traditional blacklist technology, you can’t think you’re immune to attacks and your users can go anywhere on the Internet. (Signatures) have their place.”

They may have their place, but they get stale quickly, Bejtlich said. “It does come down to the quality of signatures. If you have good intelligence and know what to look for, you can find stuff. Most of the time, what you get from an IPS vendor won’t help much,” he said. “Most of the value comes from signatures you develop yourself. As you can imagine though, most companies don’t have that kind of intel, or a crew to write signatures. Many times you have to go outside, and it becomes an arms race for signatures.”

Roesch too is hesitant to say signatures don’t work anymore. “IPS and the original prevention technologies did well,” he said. “Attackers are now operating out of that scope. If you take away IPS, for example, you can go back to easy hacking.”
