
Finding the Way through the Forensic Foray


Threat Detection has failed
Threat detection has clearly failed as cyber criminals, nation state actors and organized crime jump into what is a most lucrative market. Cyberattacks are costing U.S. businesses about $3.5 million annually according to the Ponemon Institute. Security efforts with antivirus, access lists, dual authentication, DNS firewalls, intrusion detection systems, second generation firewalls, etc. are all consistently allowing malware to pass undetected. When it comes to targeted attacks, nothing can stop all cyber criminals. Despite the billions of dollars spent by the industry on research and development, bad actors are consistently finding and leveraging new exploits, staying ahead of the curve. Not only has active threat detection failed, but cybercriminals attacking from both the inside and the outside are adept at covering their tracks. This means that if the initial threat is missed, finding good forensic data post-event can prove difficult as well.
Following the Digital Footprints
In an effort to stay under the radar of threat detection systems, many forms of modern malware have stopped actively scanning the network and are written to operate in a low-and-slow fashion. These infections first observe the behaviors of their host, then make note of the network resources they connect to as well as the protocols they use to transfer data. Only then, after learning what is normal for the infected host, do they start connecting to the same systems, scanning directories, installing infections and then moving on to the next system. This methodical spreading tactic allows the bad actor to set up entire camps of infected machines. Once valuable data is identified, files can be moved slowly, in some cases over several days, all while trying to avoid detection.
The vendor community, as the next wave of trying to get ahead, is looking to user and entity behavior analytics. The idea is to use statistical analysis or machine learning to find anomalies that humans are unlikely to uncover. This strategy watches for specific events in several ways: using thresholds, baselines, correlation and pattern matching. Triggers can occur for behaviors that, to the human eye, have a high probability of being a false positive. However, by weighting the individual security events from multiple systems and totaling their value over time, probability indices can be compiled with the goal of identifying extremely stealthy forms of malware.
Like all emerging mechanisms of detection and prevention, bad actors will look for means of circumvention. During the never-ending game of cat and mouse between the industry and bad actors, the need for strong forensic data in support of fast and efficient incident response will never go away!
Mine the Built-in Forensic Data
One hundred percent of all communications, including every malicious transaction and every low-and-slow data theft that uses the network, can easily be logged by 99.999 percent of all Internet-connected infrastructures. All major hardware vendors allow for this by exporting a flow technology called NetFlow or IPFIX. By enabling this already embedded technology, the hardware will export a steady stream of near real-time details about every connection it observes. Flow data is sent over UDP and is a summarization of the details in every stream of packets between end systems. This means the data is very accurate and much less voluminous, which avoids the storage problem surrounding packet probes. Since this data can be exported from all major vendors, network administrators gain the equivalent of communication cameras in every corner of a globally connected network.
NetFlow and IPFIX collectors that receive the steady stream of flows from thousands of devices act as a kind of DVR for playing back communications, making them the go-to investigative system when suspicious behaviors are uncovered by security appliances. This is similar to how security officers leverage camera systems in large department stores. ‘Where are the logs?’ is one of the first questions the FBI will ask when investigating a cyber-event. Without flow data, the attacked organization becomes part of a statistic that counts up cyber attacks that can’t be properly investigated.
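To make concrete what the two paragraphs above describe, here is an added example (not code from the article or from any flow vendor) that does in a few dozen lines what an exporter and a collector do: it folds a stream of packets into flow records keyed on the 5-tuple, closes a record when a flow goes idle the way an exporter's inactive timeout does, and then answers the investigator's "DVR" question of which systems a given host talked to in a time window. The packet list, addresses and timeout are constructed sample data, and the record fields are a simplification of what NetFlow v5/v9 or IPFIX actually carry.

```python
"""Added example: summarise packets into flow records (exporter side) and
query them by host and time window (collector side)."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample packets:
# (timestamp, src_ip, src_port, dst_ip, dst_port, ip_proto, bytes)
# Hypothetical addresses. 10.0.0.5 touches an internal file server and
# then trickles three small uploads to an external host a minute apart.
PACKETS = [
    (1000.0, "10.0.0.5", 51000, "10.0.0.20", 445, 6, 120),
    (1000.2, "10.0.0.20", 445, "10.0.0.5", 51000, 6, 4000),
    (1001.0, "10.0.0.5", 51000, "10.0.0.20", 445, 6, 60),
    (1200.0, "10.0.0.5", 52000, "203.0.113.9", 443, 6, 1500),
    (1260.0, "10.0.0.5", 52000, "203.0.113.9", 443, 6, 1500),
    (1320.0, "10.0.0.5", 52000, "203.0.113.9", 443, 6, 1500),
    (1500.0, "10.0.0.7", 40000, "10.0.0.20", 445, 6, 200),
]


@dataclass
class Flow:
    """One unidirectional flow record: who talked to whom, when, how much."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: int
    first: float
    last: float
    packets: int = 0
    octets: int = 0


def build_flows(packets, idle_timeout=60.0):
    """Aggregate packets sharing a 5-tuple into flow records.

    A gap longer than idle_timeout between two packets of the same 5-tuple
    closes the record and starts a new one, mirroring an exporter's
    inactive timeout. Returns records sorted by start time.
    """
    active = {}
    finished = []
    for ts, src, sport, dst, dport, proto, size in sorted(packets):
        key = (src, sport, dst, dport, proto)
        flow = active.get(key)
        if flow is not None and ts - flow.last > idle_timeout:
            finished.append(active.pop(key))
            flow = None
        if flow is None:
            flow = active[key] = Flow(src, sport, dst, dport, proto, ts, ts)
        flow.last = ts
        flow.packets += 1
        flow.octets += size
    finished.extend(active.values())
    return sorted(finished, key=lambda f: f.first)


def peers_of(flows, host, start, end):
    """Which other systems did `host` exchange traffic with in [start, end]?

    This is the playback question an analyst puts to a collector once a
    security appliance has flagged `host`. Returns {peer: {packets, octets}}.
    """
    totals = defaultdict(lambda: {"packets": 0, "octets": 0})
    for f in flows:
        if f.first > end or f.last < start:
            continue  # record lies outside the window
        if f.src == host:
            peer = f.dst
        elif f.dst == host:
            peer = f.src
        else:
            continue
        totals[peer]["packets"] += f.packets
        totals[peer]["octets"] += f.octets
    return dict(totals)


if __name__ == "__main__":
    flows = build_flows(PACKETS)
    print(f"{len(PACKETS)} packets summarised into {len(flows)} flow records")
    for peer, t in peers_of(flows, "10.0.0.5", 0, 2000).items():
        print(f"10.0.0.5 <-> {peer}: {t['packets']} packets, {t['octets']} bytes")
```

Seven packets become four records, which is the volume reduction the text credits flow data with; the three spaced-out uploads collapse into a single record whose byte count stands out even though no single packet did. Lowering `idle_timeout` below the gap between those uploads splits them into separate records, which is the trade-off an operator makes when tuning exporter timeouts: finer time resolution against more records to store.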
Go with the Flow
All major firewall vendors including Barracuda, Check Point, Cisco, Fortinet, Symantec and EMC know that they can’t uncover and mitigate every contagion. However, they all export either NetFlow or IPFIX. This is partly because they know that second-tier security efforts need to include forensic investigations. Flow data allows for deep network traffic analysis of virtually all communications that occur on the internal network. In fact, all major router and switch vendors also export some form of flow data. Even VMware exports IPFIX, which is the official Internet standard for all proprietary flow technologies such as NetFlow and sFlow. When flow data is not available from the existing infrastructure, security appliances from Apcon, Gigamon, Ixia, nProbe and others can be deployed on the network to gather traffic, extract the flow data and in turn export it to flow analysis systems.
The Hat Trick
Bad actors are well aware of the all-seeing eyes that can be provided by flow data. In some attacks, the villains will compromise a router or firewall to try and discern where the flow data is going and delete it. To prevent this from happening, many organizations are opting to deploy a UDP replicator. These systems receive UDP data such as syslogs, NetFlow, IPFIX and sFlow and duplicate it before sending it off to multiple collection systems. This process of UDP duplicating dramatically increases the difficulty for the cyber criminals behind an attack to cover their tracks. First, they would need to compromise the UDP replicator to find out where the flows are going. Then they would need to compromise each unique system that is receiving the UDP stream. Using a UDP replicator can ensure the integrity of forensic data and often, the effort involved simply isn’t worth the insurgent’s time and they move onto an easier victim.
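The replicator the paragraph describes is simple enough to show in full. The following is an added example, not code from the article or from any replicator product: it receives UDP datagrams on one socket and re-sends each one, payload untouched, to every configured collector, and the `demo()` function exercises it on loopback with two collectors and a constructed placeholder payload standing in for a NetFlow packet. Ports are assigned by the OS and the collector addresses are whatever the demo binds; in production they would be the addresses of your flow and log collectors.

```python
"""Added example: a minimal UDP replicator for NetFlow/IPFIX/sFlow/syslog."""
import socket


def make_udp_socket(port=0, timeout=2.0):
    """Bind a UDP socket on loopback; port 0 lets the OS pick a free port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", port))
    s.settimeout(timeout)
    return s


def replicate(listen_sock, collectors, max_datagrams=None):
    """Forward every datagram received on listen_sock to each (host, port)
    in collectors, byte for byte. Returns the number of datagrams copied.

    With max_datagrams=None the loop runs until the listening socket times
    out (or forever if it has no timeout), which is how a real replicator
    would be run as a service.
    """
    out = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    copied = 0
    try:
        while max_datagrams is None or copied < max_datagrams:
            try:
                data, _exporter = listen_sock.recvfrom(65535)
            except socket.timeout:
                break
            for dest in collectors:
                out.sendto(data, dest)  # same payload to every collector
            copied += 1
    finally:
        out.close()
    return copied


def demo():
    """Run the replicator on loopback with two collectors and one exporter.

    Returns (datagrams_copied, payload_sent, [payload_seen_by_each_collector])
    so a caller can check that both collectors got identical copies.
    """
    collectors = [make_udp_socket(), make_udp_socket()]
    replicator = make_udp_socket()
    exporter = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    # Constructed placeholder payload; not a real NetFlow packet.
    payload = b"\x00\x09\x00\x01" + b"SAMPLE-FLOW-RECORD"
    try:
        exporter.sendto(payload, replicator.getsockname())
        copied = replicate(
            replicator,
            [c.getsockname() for c in collectors],
            max_datagrams=1,
        )
        received = [c.recvfrom(65535)[0] for c in collectors]
    finally:
        for s in collectors + [replicator, exporter]:
            s.close()
    return copied, payload, received


if __name__ == "__main__":
    copied, payload, received = demo()
    print(f"replicated {copied} datagram to {len(received)} collectors; "
          f"identical copies: {all(r == payload for r in received)}")
```

One design point worth knowing before deploying something like this: because the copies are sent from the replicator's own socket, each collector sees the replicator, not the original router or firewall, as the source address. Collectors that key records on exporter address therefore need the replicator to either rewrite the source address (which requires raw sockets and privileges) or be configured per exporter; the copies themselves are still exact duplicates, which is what gives the second collector its value as an independent record.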
The Forensic Jackpot
Logs and flow data are the turn-to technologies when an infection is discovered. Network Traffic Analysis is recognized by all hardware and security vendors as the fall back technology when detection fails. When NetFlow and IPFIX collectors are deployed in conjunction with UDP replicators, organizations can be 100 percent sure they will have the data they need when forensic investigations need to take place.