Too often, when looking for malicious network traffic you either search for known bad or investigate anomalous traffic that doesn’t look normal. That reactive approach is time consuming, and potentially over-reliant on searching for larger concerns. Fortunately, new solutions use advanced analytics to proactively identify, enrich and alert on malicious traffic.
Why is this important? Detecting known bad traffic is great when it works, but it’s a lot like signature-based AV (which is rigid and unable to detect unknown threats):
- Only really effective for widespread, generalized attacks – not so great for unique targeted attacks
- There’s an indefinite amount of time before the malicious traffic signature, domain name or IP makes it into the pattern updates and threat intel feeds from your vendors
Detecting anomalous traffic can address the aforementioned weaknesses, but in practice it depends heavily on how – and how well – you define anomalous traffic, and how quickly (accurately) you can spot it.
Security practitioners are getting better by the day at looking for anomalies. Here’s just a few:
- Protocols
- Unrecognized port protocol numbers
- Malformed/non-compliant traffic compared to protocol expected on known port
- Protocols you don’t want or at least don’t expect to see in the given context
- High bandwidth usage for that protocol
- Traffic patterns
- Disproportionate inbound/outbound bandwidth usage for a given endpoint
- Suspicious Destination/Source IP combinations
Network engineers alongside network monitoring tools can do generalized anomaly detection based on what you expect to see on a typical corporate network, but this will inevitably result in a lot of false negatives (missed anomalies) and likely at least some false positives.
However, with more knowledge about the particular organization you’re monitoring you can greatly reduce both false negatives and false positives.
This requires consuming whatever organizational knowledge is available out of the network – especially:
- The type of business (healthcare, industrial, manufacturing, utilities, retail)
- How users interact with and behave on your network
- The technologies deployed
- Network topology including its segmentation and north/south, east/west traffic flows
But this information and documentation is never complete (if it’s available at all). There’s no substitute for deploying probes on your network and analyzing the actual traffic. In addition, once you’ve detected a threat, you need the tools and capabilities to manually or automatically take action to contain it.
In this real training for free event, we will explore how to analyze your network so that you can learn and understand its traffic patterns and get a handle for what’s normal. You’ll then be able to take this information and look for anomalous traffic, build known-bad detections and make your network detection and response (NDR) technologies and efforts smarter.
Rick Fernandez from our sponsor LogRhythm is deep into technical network analysis and is helping me develop this event. After the real training for free, he will show you how LogRhythm NDR goes beyond limited network traffic analytics with advanced security analytics, search and visualization, and automation for a wide variety of incident investigation and response tasks.
Please join us for this real training for free session.