Network Profiling

In order to detect serious security incidents, it is important to understand, characterize, and analyze information about normal network functioning. Networks, servers, and hosts all exhibit typical behavior for a given point in time. Network and device profiling can provide a statistical baseline that serves as a reference point. Unexplained deviations from the baseline may indicate a compromise.

Care must be taken when capturing baseline data so that all normal network operations are included in the baseline. In addition, it is important that the baseline is current. It should not include network performance data that is no longer part of normal functioning. For example, rises in network utilization during periodic server backup operations are part of normal network functioning and should be part of the baseline data. However, measurements of traffic from outside access to an internal server that has since been moved to the cloud should not be. A means of capturing just the right period for baseline measurement is known as sliding window anomaly detection. It defines a window that is most representative of network operation and discards data that has aged out of that window. Baseline measurements are repeated as the window moves, so that the baseline statistics depict current network operation as accurately as possible.

Increased utilization of WAN links at unusual times can indicate a network breach and exfiltration of data. Hosts that begin to access obscure internet servers, resolve domains that are obtained through dynamic DNS, or use protocols or services that are not needed by the system user can also indicate compromise. Deviations in network behavior are difficult to detect if normal behavior is not known.

Tools such as NetFlow collectors and Wireshark can be used to characterize normal network traffic. Because organizations make different demands on their networks depending on the time of day or day of the year, network baselining should be carried out over an extended period. The figure displays some questions to ask when establishing a network baseline.

The table lists important elements of the network profile.

Network Profile Element: Description
Session duration: The time between the establishment of a data flow and its termination.
Total throughput: The amount of data passing from a given source to a given destination in a given period of time.
Ports used: The TCP and UDP ports on which processes are listening to accept data, together with the processes behind them.
Critical asset address space: The IP addresses or logical locations of essential systems or data.

In addition, a profile of the types of traffic that typically enter and leave the network is an important tool in understanding network behavior. Malware can use unusual ports that may not be typically seen during normal network operation. Host-to-host traffic is another important metric. Most network clients communicate directly with servers, so an increase of traffic between clients can indicate that malware is spreading laterally through the network.

Finally, changes in user behavior, as revealed by AAA, server logs, or a user profiling system such as Cisco Identity Services Engine (ISE), are another valuable indicator. Knowing how individual users typically use the network leads to detection of potential compromise of user accounts. A user who suddenly begins logging in to the network at strange times from a remote location should raise alarms if this behavior is a deviation from a known norm.
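The sliding-window baseline and the profile elements described above, as an added example that is not part of the original page. It builds per-hour throughput statistics, the set of ports used and the client-to-client flow rate from the most recent window of constructed flow records, then checks a new day against them. The subnet split (10.1.x.x clients, 10.2.x.x servers), the 7-day window and the 3-sigma threshold are assumptions chosen for the demonstration; the nightly backup spike stays inside the baseline while a late-night bulk transfer, a new port and a burst of client-to-client SMB flows do not.

```python
"""Sliding-window network baseline with deviation checks (added example).

Not part of the original page. All flow records are constructed; the subnet
prefixes, window length and sigma threshold are assumptions for the demo.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

CLIENT_PREFIX = "10.1."   # assumption: client subnets
SERVER_PREFIX = "10.2."   # assumption: server subnets


@dataclass(frozen=True)
class Flow:
    day: int      # day index; 0 is the oldest day in the record set
    hour: int     # hour of day, 0-23
    src: str
    dst: str
    dport: int
    mbytes: int   # bytes transferred, in MB


def is_client(ip: str) -> bool:
    return ip.startswith(CLIENT_PREFIX)


def build_baseline(flows, today, window_days=7):
    """Profile only the flows inside the sliding window [today-window_days, today).

    Older flows drop out automatically, so a server that was moved to the cloud
    stops shaping the baseline once its traffic ages out of the window.
    """
    window = [f for f in flows if today - window_days <= f.day < today]
    days = range(today - window_days, today)
    # Per-hour throughput, with explicit zeros for hours that saw no traffic
    per_day_hour = {(d, h): 0 for d in days for h in range(24)}
    for f in window:
        per_day_hour[(f.day, f.hour)] += f.mbytes
    hourly = defaultdict(list)
    for (_d, h), mb in per_day_hour.items():
        hourly[h].append(mb)
    c2c = sum(1 for f in window if is_client(f.src) and is_client(f.dst))
    return {
        "hourly": {h: (mean(v), pstdev(v)) for h, v in hourly.items()},
        "ports": {f.dport for f in window},
        "client_to_client_per_day": c2c / window_days,
    }


def check_day(flows, baseline, day, sigma=3.0, c2c_factor=3.0):
    """Compare one day's flows with the baseline and return the deviations."""
    todays = [f for f in flows if f.day == day]
    hourly_mb = defaultdict(int)
    for f in todays:
        hourly_mb[f.hour] += f.mbytes
    findings = {"hour_anomalies": [], "new_ports": set()}
    for h, mb in sorted(hourly_mb.items()):
        avg, sd = baseline["hourly"][h]
        # floor the deviation so a perfectly flat history does not alarm on +1 MB
        if mb > avg + sigma * max(sd, 1.0):
            findings["hour_anomalies"].append(h)
    findings["new_ports"] = {f.dport for f in todays} - baseline["ports"]
    c2c = sum(1 for f in todays if is_client(f.src) and is_client(f.dst))
    findings["client_to_client_flows"] = c2c
    findings["lateral_surge"] = c2c > c2c_factor * baseline["client_to_client_per_day"]
    return findings


def make_flows(today=7):
    """Constructed sample: a week of normal traffic plus a suspicious 'today'."""
    flows = []
    for day in range(today + 1):
        for hour in range(24):
            if hour == 2:            # nightly backup, part of the norm
                flows.append(Flow(day, hour, "10.2.0.5", "10.2.0.9", 22, 2000 + 10 * (day % 2)))
            elif 9 <= hour <= 17:    # business hours
                flows.append(Flow(day, hour, "10.1.0.20", "10.2.0.10", 443, 500 + 20 * (day % 4)))
            else:                    # overnight trickle
                flows.append(Flow(day, hour, "10.1.0.21", "10.2.0.10", 443, 50 + 5 * ((day + hour) % 3)))
        flows.append(Flow(day, 10, "10.1.0.20", "10.1.0.30", 9100, 1))   # one client-to-client print job
    # "today" only: bulk upload to an outside host at 23:00, a new port, lateral SMB
    flows.append(Flow(today, 23, "10.1.0.44", "203.0.113.9", 443, 1500))
    flows.append(Flow(today, 23, "10.1.0.44", "203.0.113.9", 4444, 3))
    for i in range(8):
        flows.append(Flow(today, 23, "10.1.0.44", f"10.1.0.{50 + i}", 445, 2))
    return flows


if __name__ == "__main__":
    flows = make_flows()
    base = build_baseline(flows, today=7)
    print(check_day(flows, base, day=7))
```

The backup hour is never flagged because it is inside the window and therefore part of the baseline, which is the point of baselining over a full cycle of normal operation. The deviation floor in `check_day` is a practical detail: an hour whose history is perfectly constant has a standard deviation of zero, and without a floor any increase at all would alarm.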

Server Profiling

Server profiling is used to establish the accepted operating state of servers. A server profile is a security baseline for a given server. It establishes the network, user, and application parameters that are accepted for a specific server.

In order to establish a server profile, it is important to understand the function that a server is intended to perform in a network. From there, various operating and usage parameters can be defined and documented.

The table lists elements of a server profile.

Server Profile Element: Description
Listening ports: The TCP and UDP ports, and the daemons behind them, that are normally allowed to be open on the server.
Logged in users and accounts: The users and accounts expected to log in, and the parameters defining their access and behavior.
Service accounts: The accounts under which services run, and the type of service each application is allowed to run as.
Software environment: The tasks, processes, and applications that are permitted to run on the server.
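One way to turn such a profile into a repeatable check, as an added example that is not part of the original page: the profile for a web server is compared with parsed `ss -tulnp` output (listening ports and the processes behind them) and `ps -eo user,comm` output (which account each process runs under, since `ss` does not show that). The profile and both command outputs below are constructed for the demonstration; the field layout matches what those commands print on Linux.

```python
"""Check a running server against its server profile (added example).

Not part of the original page. PROFILE, SS_OUTPUT and PS_OUTPUT are all
constructed; the output layouts follow `ss -tulnp` and `ps -eo user,comm`.
"""
import re

# Assumed profile for a web server: what may listen, what may run, and as whom
PROFILE = {
    "listening": {("tcp", 22), ("tcp", 443), ("udp", 323)},
    "software": {"sshd", "nginx", "chronyd"},
    "service_accounts": {
        "sshd": {"root"},
        "nginx": {"root", "www-data"},   # master as root, workers as www-data
        "chronyd": {"chrony"},
    },
}

SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511    0.0.0.0:443       0.0.0.0:*     users:(("nginx",pid=1034,fd=6),("nginx",pid=1035,fd=6))
tcp   LISTEN 0      128    0.0.0.0:4444      0.0.0.0:*     users:(("nc",pid=2201,fd=3))
udp   UNCONN 0      0      127.0.0.1:323     0.0.0.0:*     users:(("chronyd",pid=640,fd=5))
"""

PS_OUTPUT = """\
USER     COMMAND
root     sshd
root     nginx
www-data nginx
chrony   chronyd
root     nc
postgres postgres
"""

PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')


def parse_ss(text):
    """Return {(proto, port): {process names}} from `ss -tulnp` output."""
    listeners = {}
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 5:
            continue
        proto = fields[0]
        port = int(fields[4].rsplit(":", 1)[1])  # handles IPv4 and [::] forms
        procs = {m.group(1) for m in PROC_RE.finditer(line)}
        listeners.setdefault((proto, port), set()).update(procs)
    return listeners


def parse_ps(text):
    """Return {process name: {accounts it runs as}} from `ps -eo user,comm` output."""
    accounts = {}
    for line in text.splitlines()[1:]:          # skip the header row
        if not line.strip():
            continue
        user, comm = line.split(None, 1)
        accounts.setdefault(comm, set()).add(user)
    return accounts


def check_server(profile, ss_text, ps_text):
    """Return a list of human-readable deviations from the profile."""
    findings = []
    listeners = parse_ss(ss_text)
    for (proto, port), procs in sorted(listeners.items()):
        if (proto, port) not in profile["listening"]:
            findings.append(f"unexpected listener {proto}/{port} ({', '.join(sorted(procs))})")
    for proto, port in sorted(profile["listening"] - set(listeners)):
        findings.append(f"expected listener {proto}/{port} is missing")
    for comm, users in sorted(parse_ps(ps_text).items()):
        if comm not in profile["software"]:
            findings.append(f"process not in software profile: {comm}")
            continue
        bad = users - profile["service_accounts"].get(comm, set())
        if bad:
            findings.append(f"{comm} running as unexpected account(s): {', '.join(sorted(bad))}")
    return findings


if __name__ == "__main__":
    for finding in check_server(PROFILE, SS_OUTPUT, PS_OUTPUT):
        print(finding)
```

A missing expected listener is reported as well as an unexpected one: a web server whose port 443 has gone quiet is as much a deviation from its profile as one that has sprouted a listener on 4444.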

Network Anomaly Detection

Network behavior is described by a large amount of diverse data such as the features of packet flow, features of the packets themselves, and telemetry from multiple sources. One approach to detection of network attacks is the analysis of this diverse, unstructured data using Big Data analytics techniques. This is known as network behavior analysis (NBA).

This entails the use of sophisticated statistical and machine learning techniques to compare normal performance baselines with network performance at a given time. Significant deviations can be indicators of compromise. In addition, network behavior can be analyzed for known network behaviors that indicate compromise.

Anomaly detection can recognize network traffic caused by worm activity that exhibits scanning behavior. Anomaly detection also can identify infected hosts on the network that are scanning for other vulnerable hosts.

The figure illustrates a simplified version of an algorithm designed to detect an unusual condition at the border routers of an enterprise.

The figure is a flowchart: on border routers, every X minutes, count flows with sampling 1/Y during Z seconds; if the number of flows is greater than N, raise an alarm and end; otherwise, end.

For example, the cybersecurity analyst could provide the following values:

  • X = 5
  • Y = 100
  • Z = 30
  • N = 500

Now, the algorithm can be interpreted as: every 5 minutes, count flows on the border routers for 30 seconds, sampling 1 in every 100 flows. If the number of sampled flows is greater than 500, generate an alarm. If it is 500 or fewer, do nothing. Because of the 1/100 sampling, 500 sampled flows corresponds to roughly 50,000 actual flows in the 30-second interval, so N has to be chosen from the baseline flow rate for that time of day. This is a simple example of using a traffic profile to identify a surge in flows that could signal scanning or data loss.
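The check from the figure, run offline against constructed data, as an added example that is not part of the original page. The flow start times are generated here: a steady 200 flows per second with a 60-second burst of 2,000 flows per second starting at minute 10, standing in for a scanning worm or a bulk transfer. The parameter names X, Y, Z and N are the page's; the deterministic 1-in-Y sampling (keeping every Y-th flow) and the traffic rates are assumptions.

```python
"""Border-router sampled flow-count alarm from the figure (added example).

Not part of the original page. Flow timestamps are constructed; the 1-in-Y
sampling scheme and the traffic rates are assumptions for the demonstration.
"""
import bisect


def sampled_flow_count(flow_times, start, z_sec, y):
    """Count flows starting in [start, start+z_sec) with deterministic 1-in-Y sampling.

    flow_times must be sorted. Keeping every Y-th flow is the sampling the
    figure's "sampling 1/Y" refers to; the sampled count is compared with N.
    """
    lo = bisect.bisect_left(flow_times, start)
    hi = bisect.bisect_left(flow_times, start + z_sec)
    return len(range(lo, hi, y))


def run_detector(flow_times, x_min, y, z_sec, n, duration_sec):
    """Every X minutes, count sampled flows for Z seconds; alarm when count > N."""
    results = []
    for start in range(0, duration_sec, x_min * 60):
        count = sampled_flow_count(flow_times, start, z_sec, y)
        results.append({
            "start_sec": start,
            "sampled": count,
            "est_total": count * y,      # sampled count scaled back to real flows
            "alarm": count > n,
        })
    return results


def make_flow_times(duration_sec=900, base_rate=200,
                    burst_start=600, burst_len=60, burst_rate=2000):
    """Constructed, evenly spaced flow start times in seconds."""
    times = []
    for sec in range(duration_sec):
        in_burst = burst_start <= sec < burst_start + burst_len
        rate = burst_rate if in_burst else base_rate
        times.extend(sec + i / rate for i in range(rate))
    return times


if __name__ == "__main__":
    flows = make_flow_times()
    for r in run_detector(flows, x_min=5, y=100, z_sec=30, n=500, duration_sec=900):
        print(r)
```

With X=5 and Z=30 the router is only counting for 10% of the time, so a burst that starts after one window closes and ends before the next opens is never seen; shifting the burst to start at second 640 in `make_flow_times` produces no alarm at all. Shorter X or longer Z improves coverage at the cost of more router work and more samples to store.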

In addition to the statistical and behavioral approaches to anomaly detection, there is rule-based detection. Rule-based detection analyzes decoded packets for attacks based on pre-defined patterns (signatures).

Network Vulnerability Testing

Most organizations connect to public networks in some way due to the need to access the internet. Many of these organizations also provide internet-facing services of various types to the public. Because of the vast number of potential vulnerabilities, and the fact that new vulnerabilities can be created within an organization's network and its internet-facing services, periodic security testing is essential.

The table lists various types of tests that can be performed.

Term: Description
Risk Analysis: A discipline in which analysts evaluate the risk posed by vulnerabilities to a specific organization. A risk analysis includes assessment of the likelihood of attacks, identifies types of likely threat actors, and evaluates the impact of successful exploits on the organization.
Vulnerability Assessment: Employs software to scan internet-facing servers and internal networks for various types of vulnerabilities, including unknown infections, weaknesses in web-facing database services, missing software patches, unnecessary listening ports, etc. Tools for vulnerability assessment include the open source OpenVAS platform, Microsoft Baseline Security Analyzer, Nessus, Qualys, and FireEye Mandiant services. Vulnerability assessment includes, but goes beyond, port scanning.
Penetration Testing: Uses authorized simulated attacks to test the strength of network security. Internal personnel with hacker experience, or professional ethical hackers, identify assets that could be targeted by threat actors, and a series of exploits is used to test the security of those assets. Simulated exploit software tools are frequently used. Penetration testing does not only verify that vulnerabilities exist; it actually exploits those vulnerabilities to determine the potential impact of a successful exploit. An individual penetration test is often known as a pen test. Metasploit is a tool used in penetration testing. CORE Impact offers penetration testing software and services.

The table lists examples of activities and tools that are used in vulnerability testing.

Activity: Description. Tools.
Risk analysis: Individuals conduct comprehensive analysis of the impacts of attacks on core company assets and functioning. Tools: internal or external consultants, risk management frameworks.
Vulnerability Assessment: Patch management, host scans, port scanning, other vulnerability scans and services. Tools: OpenVAS, Microsoft Baseline Security Analyzer, Nessus, Qualys, Nmap.
Penetration Testing: Use of hacking techniques and tools to penetrate network defenses and identify the depth of potential penetration. Tools: Metasploit, CORE Impact, ethical hackers.
