Hunting for Threats Using Network Traffic Flows

The point of enterprise threat hunting is to give organizations a chance to find potential attacks and take corrective action before the attacks can cause damage and become a security crisis. But there is a lot of network data to scrutinize, a set number of hours in a day, and only so many analysts to do the work.

Enter NetworkSage, a cloud platform from SeclarityIO, which aims to analyze network traffic flow, focus triage alerts, and provide analysts with insights on potential problems that need to be addressed. With NetworkSage, managed service providers, security operations centers, and threat researchers can offload their entire triage workflow and get "expert analysis at machine speed," says David Pearson, co-founder and CEO of SeclarityIO.

Network data can be an "exceptionally strong source of truth," Pearson wrote in a blog post describing how threat hunters could use NetworkSage to identify phishing attacks. Threat hunters can look for traffic that could indicate a phishing attack, such as a user visiting sites and entering information, near an active email session. Or there might be sessions and communications that may indicate command-and-control activity.

In network security, anomaly detection depends on identifying "bad" activity in a network, but to do so requires establishing a meaningful baseline of "good" behavior. That is difficult in an enterprise environment because users are doing all kinds of different things and communicating with different people and systems on a daily basis. All of this contributes to high volumes of security alerts, because analysts have to track down every single deviation from so-called-normal activity. The problem is compounded by the fact that organizations are working with multiple security tools, Pearson says.

Alert fatigue is a major problem for enterprises as security practitioners receive hundreds of unprioritized alerts every day. Understanding which alerts are actually indicators of a problem is critical to security defense, but can be tedious and time-consuming. In a recent Orca Security study, 59% of respondents say they receive more than 500 public cloud security alerts per day. In the same survey, 55% said that critical alerts were being missed, often on a weekly and even daily basis.

By using NetworkSage to automate the correlation and analysis, there is less likelihood of an analyst overlooking something or not getting to the real issues in a timely manner because they are distracted by less-important alerts.

Finding Bad Patterns

Pearson refers to NetworkSage as "network interpreter technology," as it analyzes network traffic to identify attack vectors, not specific payloads or individual URLs. The network flow is categorized across different categories. Analysts can find commonalities to identify traffic that is part of a malicious pattern. For example, the platform categorizes communications to any port on any site, which helps identify malicious activity associated with command-and-control servers, Pearson says.

Security analysts can load the organization's network flows into NetworkSage using an API and visualize who communicated with whom on the network, how a user interacted with a malicious site, and how many packets were sent and received, among other metrics. The platform also analyzes the flows and informs analysts if the interaction is actually problematic and requires remediation.

For example, security tools would raise an alert if the user (or multiple users) accessed a known phishing site, but they wouldn't say whether the user actually entered credentials. Without that knowledge, the analyst has to investigate and follow up with each user in order to find the ones who did fall for the phishing attack. NetworkSage looks at the organization's network data, so it can see how the user interacted with the site and identify which user entered credentials. The analyst now knows which of the potential issues resulted in an actual compromise and can respond accordingly.

In the past, security analysts would have to look at alerts and dig into the associated network logs to suss out whether a user accidentally entered the wrong credentials in a site, or if it was a malicious login attempt. NetworkSage automates that analysis to determine that the user did actually put their credentials in a phishing site, or opened a malicious executable.

Common Use Cases

Analysts can use NetworkSage in a number of ways, including as a tool to automatically triage alerts, review results from threat hunting exercises, and threat hunt using crowdsourced information, Pearson says. Automated triage is perhaps the most common. In that scenario, the platform captures the network activity that triggered an alert as well as activity just before and after. NetworkSage provides a high-level overview of what happened and whether it was interesting, as well as associated details that would be needing during the investigation.

Uploading the results from threat hunts to NetworkSage provides teams with an understanding of whether the activity is something that requires remediation. This could be useful if the threat hunt uncovers activity that could indicate a widespread phishing attack, for example.

There is also a community aspect, as well, Pearson says. NetworkSage can display the labelled information to all users without exposing sensitive details for each organization. This makes crowdsource threat hunting possible because everyone can see different parts of the threat landscape, and not just their own personal network view. Analysts can add details about what they are seeing and the platform shows metadata such as how long a particular flow to a specific destination has been in NetworkSage's data set. The broader perspective provides threat hunting teams with more information about places they should be looking for potential attacker activity. 

Pearson says NetworkSage is attempting to do for threat hunting and network traffic data what GreyNoiseIO does for analyzing Internet traffic to identify malicious traffic.