Security is a top concern for anyone running a network today. The recent Heartbleed bug and other high-profile hacks have shined a new light on the fact that security strategies in the enterprise must constantly evolve to meet the challenges of new and ever-changing attacks.
In the spring of 2014 news of the Heartbleed bug hit the wire sending the tech world scrambling to patch the now notorious OpenSSL vulnerability that allowed individuals to steal private information like certificate keys, passwords, and other content commonly used to breach systems or impersonate users.
“Heartbleed is a programming bug in the 1.0.1 through 1.0.1f versions of OpenSSL,” says EMA Director of Security and Risk Research, David Monahan on the specific versions affected by the vulnerability. “The only means of identifying if the bug is exploited would be doing network sniffing from a network analyzer perspective while the attack was taking place, or with a retrospective analysis tool.”
Network tools with back-in-time analysis like Network Instruments’ GigaStor are designed to watch the network, analyze conversations, identify issues, and alert administrators to problem scenarios. These features make them an excellent tool to help identify and isolate unauthorized activity. In addition to the regular assortment of firewalls and other defensive security measures, network forensic tools like these can be used after an event to identify both known and unknown attacks, speeding the cleanup process.
“You can get a lot more detail if you have the entire packet stream,” says Monahan. “In a case like Heartbleed, you get the details on what was sent back in the communication between the client and your server. You can say, ‘Yes, we were attacked,’ and review the communications exchange to see what data was returned to the attacker. You can determine whether they got passwords or private keys, or any other confidential information, or they just got other areas of information that, in and of itself, are not valuable.”
Solutions like GigaStor provide critical details post-event, allowing the user to reconstruct the entire conversation, view the information compromised, or focus on the content extracted. How did the attacker gain access? What was stolen?
“You need advanced traffic analytics and filtering to identify and correct issues such as Heartbleed,” says Network Instruments Professional Services Manager, Casey Louisiana. “With GigaStor, I was able to rapidly build a filter to detect its signature, set up an alarm to alert on it, and then quickly process terabytes of data to determine if the network had been compromised,” he says, calling attention to the need for tools to contain and solve threats after the security perimeter has been breached.
“Beyond the ability to perform layer two through seven analysis, many users don’t appreciate that GigaStor provides sophisticated packet pattern recognition that is ideal for addressing security threats,” Louisiana says. “GigaStor, like a security camera in a retail store, requires a place to store the data that’s coming in. This is often immense amounts of data for extended periods of time. But it’s the ‘secret sauce’ or ‘magic’ of the advanced analytics and pattern recognition that makes sense of the mass of data.”
Not all tools offer this analytical capability, but it has proven essential in the enterprise where breaches are not immediately detected and the ability to “rewind” back to an attack-in-progress can yield more insight.
“With large enterprises there is so much data that’s coming back,” says Monahan. “It’s impossible for humans to actually process.”
Network Instruments’ GigaStor packet capture appliance offers storage of up to a petabyte of data, and used in conjunction with a network analyzer, plays a significant role for transaction-heavy organizations in data mining, security forensics, and data retention compliance.
“The two most critical points for identifying malware intrusions are to know what’s going on in the network and what’s going on at the end point,” says Monahan. “To obtain the detail for the network level, you really need the packets.”
One of the most potentially damaging aspects of these types of breaches is that many network teams have no idea they are being hacked despite both the number of tools on the market, and the solutions already installed on their networks and not being utilized.
“We need to do a better job of helping our customers see that there’s value in this type of approach,” says Louisiana on GigaStor’s packet capture function and its use in post-event network forensics. “Heartbleed is a recent example, but what’s the next Heartbleed? How do you look for abnormal traffic patterns? It’s about establishing a baseline and knowing that anything happening outside of that is abnormal. Many of our customers are not using our tools in that way.”
“When we need more information, retrospective network packet capture and analysis is one of the ways to do that,” says Monahan. “And it’s a very strong way. There are basically two ways to get something malicious on the network. I can take a USB-type removable media and plug it in, and infect my endpoint or I’m going to get it downloaded across the network. If it just sits on that machine and it never goes anywhere else, is it really a threat? Probably not. At some point it’s going to need to communicate to home base to transfer information or create that bot network. If you have something watching the network, you’re going to catch that. Network analyzers can definitely be a portion of that capability. They will see the communication assuming proper placement. From that point we can see what’s out there, what data it’s trying to move, how often it’s communicating, and determine how malicious it really is.”
An attentive security team, the right network analyzer, and enough storage for effective post-event retrospective analysis are powerful weapons in the constant battle to keep threats off your network. These elements working interdependently can create strong defenses that are higher in value than the sum of their parts. “Having both trained personnel and the right tooling are key,” says Monahan. “You can’t do it with either one alone.”
Thanks to Network Instruments for the article.