Commentary

You've Been Hacked, But For How Long?

One of the big themes at the recent RSA Conference was awareness of threats already inside the network. The way you learn about these threats and lower your 'Mean Time To Know' (MTTK) about an intrusion is with profile-based network monitoring.

I first heard the term MTTK for "Mean Time To Know" at the recent RSA Conference. In fact, I heard it a few times, and it struck me as one of the few larger themes of a show that always has a lot of different things going on.

In the weeks before the show, there had been big news about hacks of newspapers, attributed to China. One of the interesting parts of the news was that some of the organizations had been compromised for many months and didn't know.

This is what MTTK refers to: How long is it from when you are compromised to when you find out about it? Part of the message is to admit that you will be compromised. No perimeter or endpoint defense is impenetrable. All good security planning involves layers of security, and one angle on this is to plan on detecting intrusions after hackers have gotten in. A low MTTK is good. One of the intrusions attributed to the Chinese People's Liberation Army Unit 61398 was in place for four years and 10 months. That's a big MTTK.

How do you detect intrusions after they've already passed your anti-intrusion measures? The answer is network monitoring, which is why I heard the term from network monitoring companies like Lancope, with its StealthWatch system, and Fluke, with Visual TruView. Solera DeepSee also takes this approach.

The idea is that APTs resident in your network do things that should be identifiable as suspicious, like opening SSL sessions on nonstandard ports. Some of these products will automatically create profiles of network traffic in order to identify what is normal. Then when something out of the ordinary happens, it's time to alert the administrators.

Obviously the systems have become more sophisticated over the years, especially the analytics, but the basic idea of MTTK isn't new. Here's an 8-year-old Cisco presentation on NetFlow. It asks, "What is an anomaly?" The answer:

  • An event or condition in the network that is identified as a statistical abnormality when compared to typical traffic patterns gleaned from previously collected profiles and baselines.
  • NetFlow allows the user to identify anomalies by producing detailed accounting of traffic flows.

Sounds the same to me.
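As an added illustration of the profile-and-alert approach described above (example code written for this page, not from the article or from any of the products it names), here is a small Python baseline over constructed NetFlow-style records. It learns each host's normal peers and byte volumes, then flags the three kinds of deviation the sources describe: a peer or port the host never used before, TLS on a nonstandard port, and a transfer that is a statistical outlier; the per-flow application label and the list of standard TLS ports are assumptions, not standard NetFlow fields.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed NetFlow-style records: (src, dst, dst_port, app, bytes).
# The "app" label assumes an application-aware flow exporter; plain
# NetFlow v5 has no such field, so treat it as a hypothetical enrichment.
BASELINE = [
    ("10.0.1.10", "10.0.0.5", 443, "tls", 12000),
    ("10.0.1.10", "10.0.0.5", 443, "tls", 15000),
    ("10.0.1.10", "10.0.0.9", 445, "smb", 8000),
    ("10.0.1.11", "10.0.0.5", 443, "tls", 11000),
    ("10.0.1.11", "10.0.0.9", 445, "smb", 9000),
    ("10.0.1.11", "10.0.0.5", 443, "tls", 13000),
]
# Constructed observation window: one routine flow, one TLS session to a
# peer workstation on an odd port, one file-server transfer far above norm.
NEW_FLOWS = [
    ("10.0.1.10", "10.0.0.5", 443, "tls", 12500),
    ("10.0.1.10", "10.0.1.11", 4444, "tls", 3000),
    ("10.0.1.11", "10.0.0.9", 445, "smb", 250000),
]
STANDARD_TLS_PORTS = {443, 8443}  # assumed site policy, not a protocol fact

def build_profile(flows):
    """Learn, per source host, its (dst, port) peers and byte-volume stats."""
    peers, volumes = defaultdict(set), defaultdict(list)
    for src, dst, port, _app, nbytes in flows:
        peers[src].add((dst, port))
        volumes[src].append(nbytes)
    stats = {src: (mean(v), pstdev(v)) for src, v in volumes.items()}
    return {"peers": peers, "stats": stats}

def detect(profile, flows, sigma=3.0):
    """Return (src, dst, port, reason) for flows that are off-profile."""
    alerts = []
    for src, dst, port, app, nbytes in flows:
        if src not in profile["peers"]:
            alerts.append((src, dst, port, "unprofiled source host"))
            continue
        if (dst, port) not in profile["peers"][src]:
            alerts.append((src, dst, port, "new internal peer/port"))
        if app == "tls" and port not in STANDARD_TLS_PORTS:
            alerts.append((src, dst, port, "tls on nonstandard port"))
        mu, sd = profile["stats"][src]  # flag volumes beyond mean + sigma*stdev
        if sd > 0 and nbytes > mu + sigma * sd:
            alerts.append((src, dst, port, "byte volume above baseline"))
    return alerts

if __name__ == "__main__":
    for alert in detect(build_profile(BASELINE), NEW_FLOWS):
        print(alert)
```

The same baseline run against its own training flows produces no alerts, which is the sanity check to do before trusting the thresholds on live traffic.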

Of course, the idea back in 2005 with NetFlow was to look at traffic at the perimeter, not traffic inside of your network. That's what's relatively new in MTTK: an acknowledgement of the need for internal network intelligence. No longer can you just look at border crossings; you have to be vigilant even on trusted internal paths. You won't find what you don't look for.

It's a shame that this has become one more thing companies must do to provide reasonable protection to their networks. It's an added cost -- one that takes the courage to admit that they have to plan for the failure of their other security investments. But better to make this investment than to explain how you overlooked a hostile intrusion on your network for four years and 10 months.

Larry Seltzer is the editorial director for BYTE, Dark Reading, and Network Computing.
