Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics //

Security Monitoring

11:13 PM

Five Ways To Better Hunt The Zebras In Your Network

For the cybercriminal lions out on the Internet, your company is full of zebras. Defenders should not just protect the herd, but pay attention to those who stray, experts argue

At the recent RSA Conference in San Francisco, Chris Larsen, a malware researcher at Web security firm Blue Coat Systems, talked about zebras -- not the kind that roam the African savannah, but the kind that sit at computers behind the corporate firewall.

Zebras are the employees, and their computers, who are doing something odd. Defenders are right to want to protect the zebras in their networks, but defenders should occasionally "radio tag" and follow their zebras to see where they go, he said.

On one day, for example, Larsen saw more than 700 users had visited a malicious domain at least once. So he focused on the nine users with more than six hits each, finding one who visited a malicious domain whose name consisted of more than 50 characters. That's suspicious, he said.

"You don't just want to send the box off to get reimaged; you want to know what this is," he told attendees. "This potentially could be something scary. And that is what we are looking for: Things that could be advanced and targeted."

Larsen's data came from crunching the anomalies from Blue Coat's K9 Web Protection browser plug-in, which warns users of malicious Web sites and enforces parental controls. Yet companies can mine the information from firewall logs in the same way to turn the mass of log data into much more focused intelligence on the potential threat in their networks, he said.

Firewall and managed-security experts weighed in on the best ways for security professionals to find the unusual activity -- the zebras -- in their networks.

1. Know the network.
Before crunching any numbers, companies need to know what "normal" looks like. Larsen only got about 5 percent of the data from Blue Coat's K9 network -- anonymized, of course -- because those were the zebras showing abnormal behavior.

Companies need to do the same. By profiling their networks over time, companies can know what behavior seems strange and find the 5 percent to which they need to pay attention, says Jeff Williams, director of security strategy for managed-security provider Dell SecureWorks.

"If you know what you have in your network, and what systems should be talking to what other systems, and what those conversations should look like, and how often they should be occurring, that helps you understand what is normal," he says. "Only once you understand what is normal can you spot those anomalies."

[For big companies looking to spend big budgets, the Big Data pitch for security information and event management (SIEM) systems is a good fit, but other improvements are on the way. See More Improvements To SIEM Than Big Data.]

2. Collect all the data.
Companies also need to configure their firewalls and other devices to collect the right data. In many cases, a company will store only the dropped traffic, arguing that such data is most interesting. But the most serious attacks are the ones that get through the firewall, says Jody Brazil, chief technology officer and co-founder of firewall management firm FireMon.

Companies will commonly disable the logs on their most used firewall rules, many times because their firewalls are overtaxed, he says.

"If the firewall is doing its job and dropping traffic, and you trust the technology that you have purchased, why are we focusing all of our attention on the traffic that is being dropped and not on the traffic that is getting through?" Brazil says.

3. Find the foolish zebras.
Many security teams attempt to find every threat that enters their networks and quickly become overwhelmed. Instead, companies should look for the low-hanging fruit -- the foolish zebras -- and figure out what is going on there first.

Blue Coat's Larsen pays attention to only the most blatantly anomalous traffic to cut down on his team's workload. In his RSA presentation, for example, he looked at users who had gone to sites classified as "suspicious," but raised the bar even higher and checked out the 10 users who had hit more than 30 suspicious sites each. One user visited a domain consisting of 35 x's and the .com top-level domain name 37 times.

"There are a bunch of zebras that have the same kind of infection, the same kind of behavior, but I'm really interested in the abnormal-abnormal," Larsen said. "In my little group of foolish zebras, if there is one guy that is red-and-black striped, that is where I want to spend my time, because that is where I may find something really interesting and really targeted."

4. Combine with threat intelligence.
Much of the time, it's not large volumes of traffic that will tip off a security team to malicious activity, but where the traffic is coming from or going to. Free blacklists and commercial sources of threat data, when combined with a company's firewall logs, can find the malicious attacks that may otherwise escape notice, FireMon's Brazil says.

There are a lot of decent threat sources out there today, and inexpensive tools that can be used to combine them with firewall data, he says.

"For someone that is low on budget, you can perform this with existing log aggregation tools, but I would not try to do this by hand," says Brazil, who is a big proponent of security information and event monitoring (SIEM) systems.

5. Check back on your foolish zebras.
Gathering intelligence on attacks can reveal the motives of the attackers and help train the security team and incident responders at the same time. Yet even after a system has been cleaned and the investigation completed, checking up on the infected users can return dividends, Blue Coat's Larsen said.

"Once you have found a good foolish zebra, they are worth their weight in gold," he said. "It's not just this investigation. Give that zebra a week or two, go back and see where they have been lately."

In his experience, zebras rarely change their stripes.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
[email protected],
User Rank: Apprentice
3/11/2013 | 9:59:40 PM
re: Five Ways To Better Hunt The Zebras In Your Network
Wait, what was the foolish red-and-black striped zebra doing hitting the malicious site? You're leaving us in suspense?- Lorna Garey, IW Reports
97% of Americans Can't Ace a Basic Security Test
Steve Zurier, Contributing Writer,  5/20/2019
How a Manufacturing Firm Recovered from a Devastating Ransomware Attack
Kelly Jackson Higgins, Executive Editor at Dark Reading,  5/20/2019
Why AI Will Create Far More Jobs Than It Replaces
John DiLullo, CEO, Lastline,  5/14/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Talk about vendor lock in...
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-05-20
Incorrect access control in the WebUI in OPNsense before version 19.1.8, and pfsense before 2.4.4-p3 allows remote authenticated users to escalate privileges to administrator via a specially crafted request.
PUBLISHED: 2019-05-20
A carefully crafted malicious attachment could trigger an XSS vulnerability on Apache JSPWiki 2.9.0 to 2.11.0.M3, which could lead to session hijacking.
PUBLISHED: 2019-05-20
A carefully crafted InterWiki link could trigger an XSS vulnerability on Apache JSPWiki 2.9.0 to 2.11.0.M3, which could lead to session hijacking.
PUBLISHED: 2019-05-20
A carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki 2.9.0 to 2.11.0.M3, which could lead to session hijacking. Initial reporting indicated ReferredPagesPlugin, but further analysis showed that multiple plugins were vulnerable.
PUBLISHED: 2019-05-20
The WP Booking System plugin 1.5.1 for WordPress has no CSRF protection, which allows attackers to reach certain SQL injection issues that require administrative access.