Because NBA (Network Behavior Analysis) solutions are not based on signatures of already known threats, this type of system won’t tell us that one of our hosts has been infected by the Ramnit Trojan. Instead, we get the information that one of the hosts began to behave in a manner that is unusual for itself: it began to use specific ports excessively when sending data to other hosts, or performed unwanted attempts to scan the network or to attack access controls. This is obviously a big generalization and, depending on the vulnerability used or the type of malicious software, such behavior will appear as a different set of security incidents. With this approach, we are able to detect even unknown and customized threats.
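As an added illustration of the per-host baseline approach described above (example code, not Flowmon's own), a small Python detector over constructed NetFlow-like records: it learns each host's usual peers and ports, then flags a host that suddenly contacts many new peers with tiny flows (scan-like) or starts using a port it never used before. The record fields, addresses and threshold are assumptions.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set

class Flow(NamedTuple):  # minimal NetFlow-like record (constructed format)
    src: str
    dst: str
    dport: int
    packets: int

def build_baseline(flows: List[Flow]) -> Dict[str, Dict[str, Set]]:
    """Learn, per source host, which destination ports and peers it normally uses."""
    baseline = defaultdict(lambda: {"ports": set(), "peers": set()})
    for f in flows:
        baseline[f.src]["ports"].add(f.dport)
        baseline[f.src]["peers"].add(f.dst)
    return baseline

def detect_anomalies(baseline, flows: List[Flow], scan_threshold: int = 10):
    """Flag hosts that deviate from their own learned profile, not from a signature."""
    per_src = defaultdict(list)
    for f in flows:
        per_src[f.src].append(f)
    events = []
    for src, host_flows in sorted(per_src.items()):
        if src not in baseline:  # never seen in the learning window
            events.append((src, "no_baseline", len(host_flows)))
            continue
        new_peers = {f.dst for f in host_flows} - baseline[src]["peers"]
        new_ports = {f.dport for f in host_flows} - baseline[src]["ports"]
        # many new peers reached with one- or two-packet flows looks like horizontal scanning
        tiny = all(f.packets <= 2 for f in host_flows if f.dst in new_peers)
        if len(new_peers) >= scan_threshold and tiny:
            events.append((src, "scan_like", len(new_peers)))
        elif new_ports:
            events.append((src, "new_port", sorted(new_ports)))
    return events

def run_demo():
    # constructed learning window: two hosts doing DNS and HTTPS only
    learn = [Flow("10.0.0.5", "10.0.0.1", 53, 4), Flow("10.0.0.5", "10.0.0.20", 443, 120),
             Flow("10.0.0.7", "10.0.0.1", 53, 3), Flow("10.0.0.7", "10.0.0.20", 443, 80)]
    # constructed observation window: .5 sweeps 16 hosts on 445, .7 opens an unusual port, .9 is new
    observe = [Flow("10.0.0.5", f"10.0.0.{i}", 445, 1) for i in range(100, 116)]
    observe += [Flow("10.0.0.7", "10.0.0.1", 53, 2), Flow("10.0.0.7", "10.0.0.20", 6667, 30)]
    observe += [Flow("10.0.0.9", "10.0.0.1", 53, 2)]
    return detect_anomalies(build_baseline(learn), observe)

if __name__ == "__main__":
    for event in run_demo():
        print(event)
```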
Fig. 1: Flowmon ADS architecture for detection of network traffic anomalies and security incidents.
In the present day of "cyberwar", to be best protected we can no longer simply look for known threats that may occur, but need to change the approach and be one step earlier: analyze any anomalies that may indicate still-unknown threats. A purely defensive approach is not enough anymore, and respected authorities such as Gartner also recommend that businesses strengthen their IT environment with advanced network behavior analytics.
The growing interest in NBA systems from Internet Service Providers, not only the largest ones, is the result of caring for the security of their customers and of their own internal infrastructure. In 2015 we also observe increased interest in network behavior analysis systems among enterprise companies and SMEs. Why? Well, it is not so extraordinary that traditional security systems deployed on the edge of the network and on the endpoint are being bypassed by advanced threats or by human error. In the last year such incidents led to temporary work stoppages in a company, corporate hosts being abused to launch attacks, or leaks of internal data.
Fig. 2: Flowmon ADS dashboard with sample of detected events.
During the tests of our solution Flowmon ADS (Anomaly Detection System), different kinds of malicious software were detected in three of five companies. We observed, for example, collection of information and spreading across the LAN using IPv6, and after that tunneling traffic to the outside using IPv4. There were also cases of attempts to redirect traffic within the company by an infected host using fake DNS. Through analysis of a suspicious host we can not only relate the last events associated with it, but also refer to historical data. In this way, one of our customers watched the malware communicate with a suspicious IP address in the US every 2-3 months, which was the only connection that was not blocked; other attempts to connect to servers had been effectively blocked by the firewall. Analyzing further, it turned out that the infected host after a long time began to send unusual DNS requests (such communication can be recorded to pcap for a more detailed analysis), and we were able to observe the URLs it began to visit.
Fig. 3: Each detected event can be analysed. Users can drill down to the flow level.
All of this is enabled by analysis of NetFlow statistics based on network traffic, which provides IT professionals with crucial information for modern network management and security. It is hard to believe that NetFlow v5 has existed for almost twenty years and this technology is still not known at many companies. Over the years the standard of this protocol has changed to provide more and more information; e.g. NetFlow v5 is not as flexible as NetFlow v9 or IPFIX. However, our observations indicate that in 2014 NetFlow v5 was the most widely used version of this protocol in companies that benefit from this technology. Fortunately, 2015 has shown that more and more companies are moving to newer versions and Flexible NetFlow (the measurement process used for NetFlow v9 and IPFIX). As of November 2015 I expect that around 60% of users are on the new versions vs. the old one. This is a very encouraging trend, because it gives the opportunity to observe internal traffic more precisely (e.g. IPv6 traffic) and is a good basis for NBA systems.
Fig. 4: Event details with a summary for the detected event and the list of flows based on which the attack was detected.
Gartner said already in 2013 that “The traditional defense-in-depth components are still necessary, but are no longer sufficient in protecting against advanced targeted attacks and advanced malware.” In the report Five Styles of Advanced Threat Defense, its framework recommends network monitoring and analysis as an essential component of new protection strategies against advanced attacks.
You can’t protect what you can’t see! Get the insight with Flowmon, try NBA technology in your network using our free Flowmon TRIAL, and stay in touch for further information on our products!