Remote - Summer 2013 - (Page 16)

Feature Article

Securing Remote Networks Against Cyber Security – NetFlow to the Rescue
Mike Patterson, CEO and Founder, Plixer International

Managed Security Service Providers (MSSPs) are depending on NetFlow and IPFIX as one of the top three enablers for improving network threat detection at onsite as well as remote sites. The distributed collection nature of this technology allows IT security teams to gain threat insight into remote areas without actually visiting the location. Most firewalls today, including those from Barracuda, Cisco ASA, Palo Alto Networks, SonicWALL and others, provide NetFlow or IPFIX exports, which, with the right flow analytics solution, allow for several additional threat detection methods.

Why Companies Turn to MSSPs

With 50 percent of Internet thefts occurring at companies with fewer than 2,500 employees and the cost of hiring a security expert increasing, many organizations are turning to MSSPs in hopes of gaining access to a team of security experts. In turn, MSSPs provide their customers with services in areas such as virus blocking, IDS, VPN and firewall maintenance. Monthly fees generally include a block of hours for system changes, modifications and upgrades. When they aren’t working on specific customer issues, they collaborate with other experts to identify the latest threats and the best security countermeasures. Because these experts can’t wait for the next software update to fight the latest cyber battle, security teams often turn to flow technologies to monitor for the latest malware.

“IPS, or deep packet inspection, is our number one security defense, Netflow is a very close number two,” said Gavin Reid, manager, Cisco CSIRT.

Threat Detection with NetFlow

Traditionally, NetFlow and IPFIX have been used by MSSPs to perform Network Behavior Analysis by running dozens of algorithms against the flows collected. Examples include:

• Breach Attempts: Looks for many small flows from one source to one destination. This can indicate things such as a brute force password attack. A typical scenario would be a dictionary attack on an SSH server.
• DDoS: Identifies a Distributed Denial of Service attack such as those that can be launched by a botnet.
• DNS Violation: Alerts when a host initiates an excessive number of DNS queries. This can help to identify hosts that may be infected with a mailer worm or other issues that require an inordinate number of DNS lookups.
• FIN Scan: The FIN scan’s “stealth” frames are unusual because they are sent to a device without first going through the normal TCP handshaking routine.
• ICMP Destination Unreachable: This is a message that comes back from the router to the requesting host stating that it doesn’t have a route to the destination network of the target host.
• ICMP Port Unreachable: This is a message that comes back from the destination server stating that it will not open communication on the port requested by the host.
• Nefarious Activity Violation: Looks for hosts communicating with many hosts with a low number of flows. An example would be a port 80 scan of an entire subnet.
• NULL Scan: The null scan turns off all TCP flags in an attempt to open a connection with the target host. Sometimes it consists of flows where the source port is 0 with various destination ports.
• RST/ACK: RST/ACK packets are connection denials that come back from destinations to the originating hosts. They can be caused by network scanning.
• SYN Scan/Flood: SYN packets are sent out in an attempt to make a network connection with a target host. This can be caused by network scanning.
• Unfinished Flows: Identifies hosts that have a high percentage of unfinished flows. This indicates scanning, malware or poorly configured applications on a host.
• XMAS Tree Scan: The XMAS Tree scan sends a TCP frame to a remote device with the URG, PUSH and FIN flags set. It is called a XMAS Tree scan because of the alternating bits turned on and off in the flags byte (00101001), much like the lights of a Christmas tree.

Security Logs

The above algorithms are an excellent step toward automating the detection of malware that could be trying to penetrate and compromise hosts on the network. Notice that these algorithms focus on network behavior analysis, since deep packet inspection to match packets to signatures isn’t generally possible with NetFlow. Much like a flu virus, malware can use a polymorphic technique, which means it can constantly vary its structure and content in order to avoid detection. Solutions that perform deep packet inspection in an attempt to pattern match through the use of constantly updated signatures can easily be evaded by these new malware techniques. Even with all the above, more needs to be done to detect the latest forms of malware, and this means thinking outside the proverbial threat detection box.

“I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised (or will be shortly), with the great majority of the victims rarely discovering the intrusion or its impact. In fact, I divide the entire set of Fortune Global 2,000 firms into two categories: those that know they’ve been compromised and those that don’t yet know,” said Dmitri Alperovitch, former VP of Threat Research, McAfee.

IP Host Reputation

Today, some NetFlow collector vendors are comparing IP addresses found in flows to reputation lists. This host reputation lookup process is a routine that goes out to an Internet-based reputation list provider every hour and downloads an updated list of known hosts that end-systems on the network should not be communicating with. Typically this is a list of compromised hosts that have a reputation for sending nefarious traffic (e.g. C&C). To keep the list as accurate as possible, it is generally updated by several Internet Service Providers and government agencies. Host reputation is also one of the best detection methods used against Advanced Persistent Threats (APTs).

“We’ve learned that NetFlow can tell us who is talking to who across our network but how can we tell if either “who” is a bad actor? By checking the reputation of the IP addresses at both ends of the conversation,” said Mike Schiffman, researcher, Cisco.

In locations where NetFlow or IPFIX hardware is not available, inex-
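The flag-pattern scans, breach attempts and nefarious activity checks listed above, together with the host reputation lookup, as an added Python example that is not from the article or from Plixer; the flow record layout, the thresholds and the sample flows and blocklist are constructed assumptions for illustration.

```python
from collections import defaultdict
# TCP flag bits as accumulated in the NetFlow/IPFIX tcp_flags field
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def scan_type(tcp_flags):
    """Label a flow by the flag patterns the article lists (None = unremarkable)."""
    if tcp_flags == URG | PSH | FIN:   # 00101001: XMAS tree scan
        return "xmas"
    if tcp_flags == 0:                 # no flags at all: NULL scan
        return "null"
    if tcp_flags == FIN:               # FIN with no prior handshake: FIN scan
        return "fin"
    if tcp_flags == SYN:               # lone SYN, never completed: SYN scan/flood candidate
        return "syn"
    return None

def breach_attempts(flows, min_flows=20, max_packets=3):
    """Many small flows from one source to one destination (e.g. SSH dictionary attack)."""
    small = defaultdict(int)
    for f in flows:
        if f["packets"] <= max_packets:
            small[(f["src"], f["dst"], f["dport"])] += 1
    return {key for key, n in small.items() if n >= min_flows}

def nefarious_activity(flows, min_hosts=10, max_flows=2):
    """One source touching many destinations with few flows each (e.g. port 80 subnet sweep)."""
    per_dst = defaultdict(lambda: defaultdict(int))
    for f in flows:
        per_dst[f["src"]][f["dst"]] += 1
    return {src for src, dsts in per_dst.items()
            if sum(1 for n in dsts.values() if n <= max_flows) >= min_hosts}

def reputation_hits(flows, blocklist):
    """Flows whose source or destination appears on a downloaded reputation list."""
    return [f for f in flows if f["src"] in blocklist or f["dst"] in blocklist]

def flow(src, dst, dport, packets, flags):
    return {"src": src, "dst": dst, "dport": dport, "packets": packets, "flags": flags}

# Constructed sample records (private and TEST-NET addresses, not real indicators)
FLOWS = [flow("10.1.1.10", "10.1.2.20", 443, 40, SYN | ACK | PSH | FIN)]          # normal session
FLOWS += [flow("10.1.1.66", "10.1.2.5", 22, 2, SYN | ACK | RST) for _ in range(25)]  # password guessing
FLOWS += [flow("10.1.1.77", f"10.1.3.{i}", 80, 1, URG | PSH | FIN) for i in range(1, 13)]  # XMAS sweep
FLOWS += [flow("10.1.1.10", "192.0.2.10", 443, 12, SYN | ACK | PSH | FIN)]       # peer on the list
BLOCKLIST = {"192.0.2.10"}   # constructed stand-in for an hourly-fetched reputation list

if __name__ == "__main__":
    print("breach attempts:", breach_attempts(FLOWS), "| sweep sources:", nefarious_activity(FLOWS))
    print("scan flags:", {scan_type(f["flags"]) for f in FLOWS} - {None}, "| reputation hits:", len(reputation_hits(FLOWS, BLOCKLIST)))
```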