Today’s threat actors have cracked the code for making money through hacking. Cryptocurrency, ransomware, marketplaces for personal and financial data among other things have facilitated a thriving cybercrime industry, and threat actors have responded by becoming more agile, responsive, and innovative.
For network defenders, this means cybersecurity can no longer be something you check off on a list before moving on to the next thing. Custom malware, stolen credentials, and other methods are often used by attackers to infiltrate networks and move laterally without raising any alarms. To find these threats before data is lost, security professionals need comprehensive network visibility and security analytics.
Do you know how many hosts are on your network? Can you verify that? Do you know what they are doing on a day-to-day basis? Most organizations cannot answer these questions because they do not have the necessary visibility into their network traffic. A few collect packets, but usually only in small, defined areas of the network, and the captures are often kept for only short periods of time.
Packet capture is useful, but the practical route to complete network visibility is NetFlow and other forms of traffic metadata. You can think of NetFlow as a phone bill for network transactions. A phone bill does not record the content of a call, but it does record when the conversation took place, who the caller and callee were, how long it lasted, and so on. NetFlow records the same kind of summary for each network conversation, including the following:
- the IP addresses (and protocol and ports) of the sender and receiver
- when the conversation took place
- how long it lasted
- how much data was transferred
What NetFlow lacks in packet content, it makes up for by being able to record metadata from the entire network with minimal storage requirements or bandwidth overhead: flow records are exported by the routers, switches, and firewalls already in the traffic path, so coverage is not limited to the few segments where a capture appliance can be placed. One caveat: on high-speed links flow export is often sampled, and sampled export can miss short flows, so check whether your exporters sample before relying on them for detection. Coupled with the right analytics tool, NetFlow can help organizations understand what their normal network behavior looks like, automatically detect signs of threat activity, and drastically reduce incident investigation and response times.
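As an added illustration (this is not code from the original article or from any product it describes), the following Python sketch shows what analytics over flow records looks like once the fields above are collected. It builds a per-host baseline of outbound bytes from a constructed quiet week, then flags three behaviors of the kind the case studies below describe: a host fanning out to many internal peers (scanning or propagation), a host flooding a single internal destination with many short flows (an internal DDoS), and a host whose outbound volume to an external address far exceeds its own baseline (exfiltration). Every address, flow record, and threshold is constructed for the example and is an assumption, not a recommended setting.

```python
"""Toy flow-record analytics: baseline normal behavior, then flag outliers.

Added illustration, not code from the original article. Every address,
threshold and flow record below is constructed for the example.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")   # assumed internal address space
DAY = 86_400


@dataclass(frozen=True)
class Flow:
    """The 'phone bill' fields of one flow record (a NetFlow v5-style subset)."""
    start: int      # epoch seconds
    duration: int   # seconds
    src: str
    dst: str
    dport: int
    nbytes: int


def is_external(ip: str) -> bool:
    return ip_address(ip) not in INTERNAL


def fan_out(flows, min_peers=20):
    """Scanning / propagation: one source touching many distinct internal hosts."""
    peers = defaultdict(set)
    for f in flows:
        if not is_external(f.dst):
            peers[f.src].add(f.dst)
    return {src: len(p) for src, p in peers.items() if len(p) >= min_peers}


def flood_pairs(flows, min_flows=100):
    """Internal DDoS: one source hammering one internal destination with many short flows."""
    counts = Counter((f.src, f.dst) for f in flows if not is_external(f.dst))
    return {pair: n for pair, n in counts.items() if n >= min_flows}


def outbound_per_day(flows):
    """Bytes per (internal source, day) for flows leaving the network."""
    totals = defaultdict(int)
    for f in flows:
        if not is_external(f.src) and is_external(f.dst):
            totals[(f.src, f.start // DAY)] += f.nbytes
    return totals


def exfil_suspects(baseline_flows, today_flows, factor=10):
    """Exfiltration: outbound volume today far above the host's own baseline daily average.
    A host with no baseline history has an average of 0 and is flagged on any outbound."""
    history = defaultdict(list)
    for (src, _day), b in outbound_per_day(baseline_flows).items():
        history[src].append(b)
    average = {src: sum(v) / len(v) for src, v in history.items()}
    return {src: b for (src, _day), b in outbound_per_day(today_flows).items()
            if b > factor * average.get(src, 0)}


# --- constructed sample data (assumed addresses, TEST-NET ranges for "external") ---
def browsing(day):
    """A normal day for workstation 10.0.1.5: 20 small HTTPS sessions to one web host."""
    return [Flow(day * DAY + i * 600, 2, "10.0.1.5", "203.0.113.10", 443, 40_000)
            for i in range(20)]


BASELINE = [f for day in range(7) for f in browsing(day)]           # a quiet week
TODAY = browsing(7) + [
    # 600 MB pushed to an outside host in one 15-minute session
    Flow(7 * DAY + 3600, 900, "10.0.1.5", "203.0.113.77", 443, 600_000_000),
    # SMB sweep across 50 internal hosts, a few packets each
    *[Flow(7 * DAY + 100 + i, 1, "10.0.2.7", f"10.0.3.{i}", 445, 120) for i in range(1, 51)],
    # 300 tiny flows from one host to a single internal server within 30 seconds
    *[Flow(7 * DAY + 200 + i // 10, 1, "10.0.4.9", "10.0.5.10", 80, 64) for i in range(300)],
]


def report(baseline=BASELINE, today=TODAY):
    """Run all three detections and return their findings keyed by behavior."""
    return {
        "scanners": fan_out(today),
        "floods": flood_pairs(today),
        "exfil": exfil_suspects(baseline, today),
    }


if __name__ == "__main__":
    for kind, hits in report().items():
        print(f"{kind}: {hits}")
```

None of these detections needs a signature: each compares a host's behavior against its peers or against its own history, which is why the approach also surfaces custom malware and credential misuse. In a real deployment the thresholds would be derived per host and per day-of-week rather than fixed, the "internal" set would come from your address plan rather than a single prefix, and sampled exporters would need the counts scaled accordingly.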
Here are three examples where NetFlow-based visibility identified a breach:

Healthcare company finds activity from China
Using NetFlow-based analysis, a large healthcare company found they had "internal users" logging in from China and Singapore. This was an immediate red flag, since the company had no business dealings outside the state of Texas and the employees logging in remotely were not based in China or Singapore. Further investigation indicated the attackers were masquerading as legitimate users with stolen credentials in order to exfiltrate data to a Dropbox account.

Rogue server interrupts K-12 education
A large school district conducted a test deployment of network visibility with NetFlow in an area with about 1,500 hosts. Within the first seven days, the security team identified a compromised rogue server that was launching internal DDoS attacks. The attacks were responsible for outages and performance problems with their critical student information platform. The network team had been trying to identify the source of the problems for months, but with network visibility they were able to solve it in under a week.

Custom malware infects technology company
Using network visibility, a large technology company uncovered evidence that nearly half of their end-user workstations were infected with a custom piece of malware written specifically for their organization. The company was unsure how long the malware had been active on the network, but they were able to identify data exfiltration. Because this malware had never been seen before, there was no signature for it. With visibility and behavioral analysis, the security team was able to detect the scanning, connecting, and propagation activity of this malware and build a forensic trail of every host that needed to be removed from the network and cleaned up.

Network visibility is a security necessity
Today’s threats are sophisticated, well-financed, and motivated. Network defenders cannot afford to underestimate them. After all, you can’t protect what you can’t see. A successful security program consists of a variety of people, processes, and technology, and comprehensive network visibility is a vital component.
With complete visibility and the right analytics, security professionals can detect threat activity that would otherwise have gone undetected, including lateral movement, data hoarding, exfiltration, custom malware, and attackers who gain entry to the network using stolen credentials or zero-day exploits.
To learn about how network visibility can identify the most vital risky and malicious network behaviors, read the whitepaper You Can't Protect What You Can't See: How to Gain Critical Visibility into Seven Network Blind Spots.