Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

10:00 AM
Connect Directly
E-Mail vvv

How Network Metadata Can Transform Compromise Assessment

Listen more closely and your network's metadata will surrender insights the bad guys counted on keeping secret

In the 1979 cult classic When a Stranger Calls, a babysitter receives numerous telephone calls from a strange man, only to discover the calls are coming from inside the house!

Indeed, the notion of a stranger lurking inside your home is terrifying. For the modern enterprise, however, it has become the new normal. Even more frightening, most businesses have no idea that their network has been compromised in the first place.

According to an IBM study, it takes the typical enterprise 197 days to identify a breach in its network and 69 days to contain it. Despite the profusion of network monitoring and traffic analysis tools on the market today, security teams are unable to distinguish the faint signal of a legitimate network incursion over the din of perpetual alerts.

But as any TV detective will tell you, a criminal always leaves something behind. And just like a CSI forensics team might use luminol to detect trace amounts of blood at a crime scene, security analysts can harness the vast amount of network metadata to identify and isolate a network compromise.

The Medium Is the Message
Taking the metaphor of a house a step further, doors and windows represent both points of ingress and egress for a potential intruder. Network IP addresses, proxy servers, and email boxes are the doors and windows of the enterprise network that digital prowlers exploit to gain access and exfiltrate data. But because these intruders must use the network itself, they also can't help but leave traces of their presence in the form of network metadata.

Metadata is often defined as data about data, or information that makes data useful. Every digital photograph includes metadata that offers detailed information about the photo — when it was taken, the type of camera used, even its GPS coordinates, all attached to the digital file as metadata, providing us with a simple way to sort and organize our photo libraries.

Similarly, metadata is attached to the many various hardware devices and software that every network infrastructure needs to run. From email and application servers to network firewalls and cloud gateways, the attendant metadata of each system provides a strand of telling information. On its own, that individual thread of data may not tell you very much. But put enough of those dots together and take a step back, a clear picture begins to emerge.

Converting Network Metadata into Useful Intel
For security teams, network metadata represents a vital yet underutilized threat intelligence resource that analysts must begin to incorporate into their compromise detection toolbox. Some of the primary sources of network metadata that can be correlated into actionable threat intelligence include:

  • DNS data: Domain Name System (DNS) translates numerical IP addresses and maps devices and services to the underlying network. Metadata from DNS queries provide a crucial contextual layer that records every connection attempt from an adversary's device to an organization's infrastructure and can be used to discern the specific route an attacker is using to infiltrate a network.
  • Network flows: Understanding how packets move across the network can offer valuable insights into which devices are being controlled by an attacker and whether or not they are using the network to move laterally. 
  • Perimeter proxy and firewall access logs: In cases where an attack avoids domain resolution, the remnants of an adversarial connection can often be found buried in the access logs of network firewalls or proxies.
  • Spambox filter: Often overlooked, archived spambox filter metadata can provide valuable intelligence regarding the type of attack an organization is receiving; more telling, if end-users are being targeted by similar attacks then the organization is more likely to be compromised. 

While much of this network metadata has been available for years now, harnessing it into something useful has not been practical for a number of reasons. Until recently, the cost of storing and processing all of this data has been cost prohibitive. However, as public cloud services have matured, the cost of storage has dropped exponentially — from $12.40 per gigabyte in 2000 to less than $0.004 today.

Meanwhile, computing power has increased by a factor of 10,000 over this same time period, creating the perfect scenario for the collection and administration of large and growing volumes of metadata. The evolution of public cloud infrastructure has not only made storing and processing network metadata viable, but critically, can manage these complex workloads in real time.

When you combine these factors with the latest advancements in powerful artificial intelligence and machine learning algorithms that can correlate these data sets at scale, you can begin to recognize the enormous potential that can be realized by security teams who are under increasing pressure to quickly identify and isolate confirmed instances of compromise in their network.

It's high time we stopped wondering if an attacker is hiding somewhere in the network — rather, we need to leverage all of the data and tools at our disposal to pinpoint these compromises in minutes, not months.

Related Content:


Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "Keys to Hiring Cybersecurity Pros When Certification Can't Help."

Ricardo Villadiego is the founder and CEO of Lumu, a cybersecurity company focused on helping organizations measure compromise in real-time. Prior to LUMU, Ricardo founded Easy Solutions, a leading provider of fraud prevention solutions that was acquired by Cyxtera in 2017 as ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
3/11/2020 | 4:12:25 AM
Go with the Flow
Great observations about cost and need to operationalize viewing Netflow and I'd go all the way to layer 7 in real time analysis not PCAP and seek and find. Given all of the exploitable unknown and unpatched known software vulnerabilities it's critical but we have to stop doing this in point solution tech and centralize it all...not in a lake that doesn't work because it adds too much latency to the discovery time.
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Take me to your BISO 
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-10
An information disclosure vulnerability exists in the /proc/pid/syscall functionality of Linux Kernel 5.1 Stable and 5.4.66. More specifically, this issue has been introduced in v5.1-rc4 (commit 631b7abacd02b88f4b0795c08b54ad4fc3e7c7c0) and is still present in v5.10-rc4, so it’s l...
PUBLISHED: 2021-05-10
Openapi generator is a java tool which allows generation of API client libraries (SDK generation), server stubs, documentation and configuration automatically given an OpenAPI Spec. openapi-generator-online creates insecure temporary folders with File.createTempFile during the code generation proces...
PUBLISHED: 2021-05-10
In InvoicePlane 1.5.11, the upload feature discloses the full path of the file upload directory.
PUBLISHED: 2021-05-10
An exploitable SQL injection vulnerability exists in ‘quickFile.jsp’ page of OpenClinic GA 5.173.3. A specially crafted HTTP request can lead to SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.
PUBLISHED: 2021-05-10
A number of exploitable SQL injection vulnerabilities exists in ‘patientslist.do’ page of OpenClinic GA 5.173.3 application. The findPersonID parameter in ‘‘patientslist.do’ page is vulnerable to authentic...