3/8/2013 11:13 PM
Five Ways To Better Hunt The Zebras In Your Network

For the cybercriminal lions out on the Internet, your company is full of zebras. Defenders should not just protect the herd, but pay attention to those who stray, experts argue

At the recent RSA Conference in San Francisco, Chris Larsen, a malware researcher at Web security firm Blue Coat Systems, talked about zebras -- not the kind that roam the African savannah, but the kind that sit at computers behind the corporate firewall.

Zebras are the employees, and their computers, that are doing something odd. Defenders are right to want to protect the zebras in their networks, but they should also occasionally "radio tag" a zebra and follow it to see where it goes, he said.

On one day, for example, Larsen saw that more than 700 users had visited a malicious domain at least once. So he focused on the nine users with more than six hits each, and found one who had visited a malicious domain whose name was more than 50 characters long. That's suspicious, he said.

"You don't just want to send the box off to get reimaged; you want to know what this is," he told attendees. "This potentially could be something scary. And that is what we are looking for: Things that could be advanced and targeted."

Larsen's data came from crunching the anomalies from Blue Coat's K9 Web Protection browser plug-in, which warns users of malicious Web sites and enforces parental controls. Yet companies can mine the information from firewall logs in the same way to turn the mass of log data into much more focused intelligence on the potential threat in their networks, he said.

Firewall and managed-security experts weighed in on the best ways for security professionals to find the unusual activity -- the zebras -- in their networks.

1. Know the network.
Before crunching any numbers, companies need to know what "normal" looks like. Larsen worked from only about 5 percent of the data from Blue Coat's K9 network -- anonymized, of course -- because that was the slice showing abnormal behavior: the zebras.

Companies need to do the same. By profiling their networks over time, companies can know what behavior seems strange and find the 5 percent to which they need to pay attention, says Jeff Williams, director of security strategy for managed-security provider Dell SecureWorks.

"If you know what you have in your network, and what systems should be talking to what other systems, and what those conversations should look like, and how often they should be occurring, that helps you understand what is normal," he says. "Only once you understand what is normal can you spot those anomalies."

[For big companies looking to spend big budgets, the Big Data pitch for security information and event management (SIEM) systems is a good fit, but other improvements are on the way. See More Improvements To SIEM Than Big Data.]

2. Collect all the data.
Companies also need to configure their firewalls and other devices to collect the right data. In many cases, a company will store only the dropped traffic, arguing that such data is most interesting. But the most serious attacks are the ones that get through the firewall, says Jody Brazil, chief technology officer and co-founder of firewall management firm FireMon.

Companies commonly disable logging on their most heavily used firewall rules, often because their firewalls are overtaxed, he says.

"If the firewall is doing its job and dropping traffic, and you trust the technology that you have purchased, why are we focusing all of our attention on the traffic that is being dropped and not on the traffic that is getting through?" Brazil says.

3. Find the foolish zebras.
Many security teams attempt to find every threat that enters their networks and quickly become overwhelmed. Instead, companies should look for the low-hanging fruit -- the foolish zebras -- and figure out what is going on there first.

Blue Coat's Larsen pays attention only to the most blatantly anomalous traffic to cut down on his team's workload. In his RSA presentation, for example, he looked at users who had gone to sites classified as "suspicious," then raised the bar higher and examined the 10 users who had each hit more than 30 suspicious sites. One of them had made 37 visits to a domain whose name consisted of 35 x's followed by .com.

"There are a bunch of zebras that have the same kind of infection, the same kind of behavior, but I'm really interested in the abnormal-abnormal," Larsen said. "In my little group of foolish zebras, if there is one guy that is red-and-black striped, that is where I want to spend my time, because that is where I may find something really interesting and really targeted."

4. Combine with threat intelligence.
Much of the time, it is not the volume of traffic that tips off a security team to malicious activity, but where the traffic is coming from or going to. Free blacklists and commercial sources of threat data, when matched against a company's firewall logs, can surface attacks that would otherwise escape notice, FireMon's Brazil says.

There are a lot of decent threat sources out there today, and inexpensive tools that can be used to combine them with firewall data, he says.

"For someone that is low on budget, you can perform this with existing log aggregation tools, but I would not try to do this by hand," says Brazil, who is a big proponent of security information and event management (SIEM) systems.

5. Check back on your foolish zebras.
Gathering intelligence on attacks can reveal the motives of the attackers and help train the security team and incident responders at the same time. Yet even after a system has been cleaned and the investigation completed, checking up on the infected users can return dividends, Blue Coat's Larsen said.

"Once you have found a good foolish zebra, they are worth their weight in gold," he said. "It's not just this investigation. Give that zebra a week or two, go back and see where they have been lately."

In his experience, zebras rarely change their stripes.
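The hunt described in points 2 through 5, as an added example in Python that is not code from the article, Blue Coat or FireMon. It parses constructed proxy/firewall log lines (the log format, user names, hostnames and threat list are all assumptions made here; hostnames use reserved .example and .invalid names), keeps only the traffic that was allowed through (point 2), joins destinations against a threat list (point 4), ranks users by hits to listed hosts and then flags the "abnormal-abnormal" among them by the shape of the domain name, a very long name or a label that is one character repeated (point 3), and finally re-checks a tagged user in a later window, whether or not the new destinations are on any list (point 5).

```python
"""Zebra hunt over constructed proxy/firewall log lines.

Added example, not code from the article, Blue Coat or FireMon. The log
format, user names, hostnames and threat list below are all made up for
the example; hostnames use reserved .example/.invalid names so nothing
here resolves.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime
from itertools import groupby

# Constructed sample log, one record per line:
#   <ISO timestamp> <user> <destination host> <allow|deny>
LONG_HOST = "x" * 35 + ".invalid"  # stands in for the 35-x domain from the talk
NEW_HOST = "y" * 35 + ".invalid"   # something the same user visits two weeks later
SAMPLE_LOG = "\n".join(
    [
        "2013-03-04T09:01:12 alice www.example.com allow",
        "2013-03-04T09:02:40 alice ads.tracker.example allow",
        "2013-03-04T09:03:05 bob www.example.com allow",
        "2013-03-04T09:04:22 bob ads.tracker.example allow",
    ]
    # carol: a commodity infection beaconing to a listed ad/tracking host
    + [f"2013-03-04T09:05:{10 + i:02d} carol ads.tracker.example allow" for i in range(7)]
    # dave: similar volume, but to a domain whose name is itself odd
    + [f"2013-03-04T09:06:{i:02d} dave {LONG_HOST} allow" for i in range(8)]
    + [
        "2013-03-04T09:07:00 eve c2.blocked.example deny",  # dropped by the firewall
        "## malformed line: must be skipped, not abort the hunt",
        f"2013-03-18T10:00:00 dave {NEW_HOST} allow",
    ]
)

# Constructed threat list (point 4); in practice a free blacklist or a commercial feed.
THREAT_LIST = {"ads.tracker.example", "c2.blocked.example", LONG_HOST}

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (allow|deny)$")


def parse_log(text):
    """Parse log text into records, skipping lines that do not match the format."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, user, host, action = m.groups()
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "host": host.lower(), "action": action})
    return records


def odd_name(host, max_len=50, max_run=10):
    """The 'abnormal-abnormal' domain shapes from the talk: a name longer than
    max_len characters, or a label that is one character repeated max_run+ times."""
    if len(host) > max_len:
        return True
    for label in host.split("."):
        longest_run = max((len(list(g)) for _, g in groupby(label)), default=0)
        if longest_run >= max_run:
            return True
    return False


def hunt(records, threat_list, min_hits=6):
    """Return (hits, zebras, odd_zebras).

    hits:       user -> Counter of listed hosts that user was allowed to reach
    zebras:     users with more than min_hits such hits (the talk used
                'more than six' on a far larger data set)
    odd_zebras: zebras that reached at least one oddly named host
    """
    hits = defaultdict(Counter)
    for r in records:
        if r["action"] != "allow":
            continue  # point 2: the traffic that got through is what matters here
        if r["host"] in threat_list:  # point 4: join against the threat list
            hits[r["user"]][r["host"]] += 1
    zebras = {u: c for u, c in hits.items() if sum(c.values()) > min_hits}
    odd_zebras = {u: [h for h in c if odd_name(h)] for u, c in zebras.items()}
    odd_zebras = {u: hs for u, hs in odd_zebras.items() if hs}
    return hits, zebras, odd_zebras


def revisit(records, user, since_iso):
    """Point 5: where has a tagged zebra been allowed to go since a given time?
    Returns host -> count, whether or not the host is on any list."""
    since = datetime.fromisoformat(since_iso)
    return dict(Counter(r["host"] for r in records
                        if r["user"] == user and r["action"] == "allow" and r["ts"] >= since))


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    _, found, odd = hunt(recs, THREAT_LIST)
    for user, counts in sorted(found.items(), key=lambda kv: -sum(kv[1].values())):
        tag = "ABNORMAL-ABNORMAL" if user in odd else "commodity"
        print(f"{user}: {sum(counts.values())} hits to listed hosts [{tag}]")
    for host, n in revisit(recs, "dave", "2013-03-11T00:00:00").items():
        print(f"dave, later: {host} x{n} odd_name={odd_name(host)}")
```

On the constructed log, carol and dave both clear the hit threshold, but only dave is flagged as abnormal-abnormal because the host he beacons to has a label of 35 repeated characters; the revisit two weeks later shows him reaching a second oddly named host that is on no list at all, which is exactly the kind of thing a threat feed alone would miss.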
