What is Driving Demand for Deeper Traffic Analysis?

During a customer review call last week, we got a very interesting quote from a US based user who offers marketing services to the retail sector: ‘We need greater insight over what is taking place on our internal network, systems, services, and external web farm seen through a single portal. We need to keep downtime to a minimum both internally and on our external customer-facing web farm. We chose LANGuardian because of its integration with SolarWinds and its deep-packet inspection capabilities.”

Before discussing this in more detail, because of all the hype these days we also always ask about cloud now, so when we asked this contact about hosting these critical services in the cloud, he countered with 3 reasons for keeping them in house:

1. Security
2. Control
3. Cost

When drilled on ‘cost’ he mentioned that they were shipping huge amounts of data and if hosting and storing this in the cloud, the bandwidth and storage related charges would be huge and did not make economic sense.

Back to Deeper Traffic Analysis, turns out this customer had already purchased and installed a NetFlow based product to try and get more visibility and try to focus on his critical server farm, his external/public facing environment. His business requires him to be proactive to keep downtime to a minimum and keep his customers happy. But, as they also mentioned to us: ‘With Netflow we almost get to the answer, and then sometimes we have to break out another tool like wireshark or something. Now with Netfort DPI (Deep Packet Inspection) we get the detail Netflow does NOT provide, true endpoint visibility.

What detail? What detail did this team use to justify the purchase of another monitoring product to management? I bet it was not a simple as ‘I need more detail and visibility into traffic, please sign this’! We know with tools like wireshark one can get down to a very low level of detail, down to the ‘bits and bytes’. But sometimes that is too low, far too much detail, overly complex for some people and very difficult to see the ‘wood from the trees’ and get the big picture.

One critical detail we in Netfort sometimes take for granted is the level of insight our DPI can enable into web or external traffic, does not matter if its via a CDN, or proxy or whatever, with deep packet inspection one can look deeper to get the detail required. Users can capture and keep every domain name, even URI and IP address AND critically the amount of data transferred, tie the IP address and URI to bandwidth. As a result, this particular customer is now able to monitor usage to every single resource or service they offer, who is accessing that URI or service or piece of data, when, how often, how much bandwidth the customer accessing that resource is consuming, etc.

Users can also trend this information to help detect unusual activity or help with capacity planning. This customer also mentioned that with deeper traffic analysis they were able to take a group of servers each week and really analyze usage, find the busiest server, least busy, top users, who were using up their bandwidth and what they were accessing. Get to the right level of detail, the evidence required to make informed decisions and plan.

CDN(Content Delivery Networks) usage has increased dramatically recently and are making life very difficult for network administrators trying to keep tabs and generate meaningful reports on bandwidth usage. We had a customer recently who powered up a bunch of servers and saw a huge peak in bandwidth consumption. With Netflow the domain reported was an obscure CDN and meant nothing. The LANGuardian reported huge downloads of data from windowsupdate.com from a particular IP address and also reported the user name.

What was that about justification? How about simply greater insight to reduce downtime, maximise utilisation, increase performance, reduce costs. All this means happier customers, less stress for the network guys and more money for everybody!

Thanks to NetFort for the article.

How to Deal With Unusual Traffic Detected Notifications

If you get an unusual traffic detected notification from Google, it usually means your IP address was or still is sending suspicious network traffic. Google can detect this and has recently implemented security measures to protect against DDoS, other server attacks and SEO rank manipulation.

The key thing to remember is that the notification is based on your Internet facing IP address, not your private IP address which is assigned to your laptop\PC\device. If you don’t know what your Internet facing (or public) IP address is you can use something like this service.

Top tips for dealing with unusual traffic detected messages:

1. Get an inventory. Do you have unknown devices on your network? There are many free applications which can do network scans. Another option is to deploy deep packet inspection tools which will passively detect what is running on your network.
2. Monitor traffic on your Internet gateway. Watch out for things like network scans, traffic on unusual port numbers, TOR traffic. I have included a video below which explains how you can do this.
3. Track down the device using its MAC address. Network switches maintain a list of what MAC addresses are associated with what network switch ports. The guide at this link shows you how to do this on Cisco switches but similar commands are available on other switch models.
4. See if your IP address is blacklisted. You can use something like this http://www.ipvoid.com/ to see if your IP address is known black lists.
5. If you cannot find any issues, talk to your ISP. Maybe you need an IP change. IP addresses are recycled so it could be that you were allocated a dodgy one. This is a remote possibility so make sure you cover tips 1 to 4 first.

Further reading

In a previous blog post I also looked at how you can use LANGuardian to track down the source of unusual traffic on your network.

Blog Post: How to deal with “Google has detected unusual traffic from your network” notifications

Please don’t hesitate to get in contact with our support team if you are having an issue with a unusual traffic notification. They can help you quickly get to the root cause of issues associated with suspicious network traffic.

Thanks to NetFort for the article.

How Can We Monitor Traffic Associated with Remote Sites?

Many IT teams are now tasked with managing remote sites without having the luxury of local IT support. Business owners expect everything to be done remotely, we do live in the connected age, don’t we? Is it possible to see what is happening in these networks without the need for installing client or agent software everywhere?

You can gather some network performance information using SNMP or WMI but you will be limited to alerts or high level information. What you need is some form of deeper traffic analysis. Software applications that do traffic analysis are ideal for troubleshooting LAN and link problems associated with remote sites.

There are two main technologies available to analyze network traffic associated with remote sites, those that do flow analysis and those that capture network packets. Flow statistics are typically available from devices that can route data between two networks, most Cisco routers support NetFlow for example. If your remote networks are flat (single subnet) or you don’t have flow options on your network switches then packet capture is a viable option.

You can implement packet capture by connecting a traffic analysis system to a SPAN or mirror port on a network switch at your remote site. You can then log onto your traffic analysis system remotely to see what is happening within these networks.

NetFort LANGuardian has multiple means of capturing data associated with remote sites. The most popular option is to install an instance of the LANGuardian software at your HQ. Sensors can be deployed on physical or virtual platforms at important remote sites. Data from these is stored centrally to you get a single reference point for all traffic and security information across local and remote networks.

LANGuardian can also capture flow based statistics such as NetFlow, IPFix and SFlow, routers/switches on the remote sites can be configured to send flow traffic to LANGuardian. Watch out for issues associated with NetFlow as it has limitations when it comes to monitoring cloud computing applications.

Download White Paper

How to monitor WAN connections with NetFort LANGuardian

Download this whitepaper which explains in detail how you can monitor WAN connections with NetFort LANGuardian

Thanks to NetFort for the article.

Cyber Attacks – Businesses Held for Ransom in 2015

Really nice crisp clear morning here in Galway, bit chilly though. Before I dropped my 14 year old son to school, I tuned into an Irish station, NewsTalk and caught most of a very interesting conversation between a member of a large Irish law firm, William Fry and the presenter.

They were discussing the increasing threat of cyber-attack for Irish businesses. They spoke about the importance of detection as 43% of business are not even aware that they are being attacked and the hackers can have access for weeks/months before they are detected.

They also indicated that 4 out of 5 businesses have been impacted, hard to believe but if this also includes recent Ransomware attacks for example, based on feedback from NetFort customers I would believe it. Maybe also as large enterprise are spending more on security and have ‘tightened up’ the hacker has moved on, redefined the ‘low hanging fruit’, it is now the small to medium enterprise (SME)?

It reminds me of a discussion I had last year with a network admin of a college in Chicago. ‘John, we are entering an era where continuous monitoring, visibility is becoming more and more critical because there is no way all the inline active systems can protect us internally and externally these days’.

I am biased but I think he is absolutely correct. Visibility, actionable intelligence, data normal users can read and interpret and act on is critical.

Visibility not just at the edge though, also at the core, the internal network because it is critical to be able to see and detect suspicious activity or network misuse here also. It is also important to track this, to keep a record of it to help troubleshoot, to provide proof for management, auditors and even users.

I was discussing some recent LANGuardian use cases with an adviser in the US this week and mentioned that we are hearing the term ‘network misuse’ a lot more these days and I was not sure why. Maybe organizations are becoming more concerned about data theft?

His explanation makes sense, it was all about the attack surface for him, if users are misusing the network, accessing sites and applications that are non-critical or inappropriate and infected, it is increasing the attack surface, the security risk and will result in pain for everybody.

In defence of Irish business though, a lot of the systems out there in this space are only suitable for large enterprises, too expensive and complex to manage, tune and get real actionable intelligence. The SMEs all over the world, not just Ireland cannot afford them in terms of time, people and money.

Thanks to NetFort for the article.

Detecting XCodeGhost Activity By Monitoring HTTP Traffic

Apple is presently working on issues with malware (XCodeGhost) in their App Store. According to this blog post, over 50 iOS apps contained malicious code that made iPhones and iPads part of a botnet that stole potentially sensitive user information including:

• Application name
• Application version
• OS version
• Language
• Country
• Developer info
• Application installation type
• Device name
• Device type

One of the quick ways to check for suspicious activity on your network is to look for HTTP or DNS traffic associated with:

• http://init.icloud-analysis.com
• http://init.crash-analytics.com

Lately criminals have been targeting user of mobile devices more as people are less cautious on mobile devices than on desktops. This attack also highlights how security awareness is so important throughout the application development process. Everyone from the developer from the end user needs to be alert. In this incident developers were tricked into using counterfeit software to build their applications which created an ideal environment for malware to spread.

The BBC is reporting that the majority of people affected by this attack were in China. However, we would recommend that you check your own network for activity, especially if you allow mobile devices to connect to the corporate network.

A recommended approach to do this would be to use network packet capture. Tools which use NetFlow (or other flow source) are poor when it comes to web usage tracking. Packet capture allows you to look inside HTTP headers where interesting data like User-Agent can be found.

You can use a free tool like Wireshark or a commercial product like LANGuardian. Once installed you should setup a SPAN or mirror port to get a copy of network packets going in and out of your Internet connection. This is a passive monitoring approach so you wont need to install client or agent software on all of your network devices.

Deep packet inspection (DPI) based monitoring also works whether you have a proxy or not, just need to sniff the traffic at the correct location. Many organizations are not using proxies these days because they are a potential bottleneck, another inline device that can degrade performance or cause issues. If you do not have one and need visibility, you have the option of using a SPAN port or port mirror.

The following video shows how you can setup a SPAN or mirror port to monitor Internet or mobile device activity. This is an ideal way for detecting HTTP or DNS traffic associated with XCodeGhost. Even if you don’t have a problem today, you should get familiar with the concept so that you are prepared for the next big security issue.

Our support team is here to help if you have any questions about detecting XCodeGhost activity on your network. Contact information can be found at the very top of this blog post. Use the following procedure if you want to use LANGuardian for detecting XCodeGhost activity.

• Enter websites in the find field which is located in the top right of the GUI
• Select Web : Top Websites & URI
• Search for init.icloud-analysis.com or init.crash-analytics.com by using the website name filter.

Please use the comment section below if you have any feedback or further information for detecting XCodeGhost activity.

Thanks to NetFort for the article.

NetFort 12.4 – Network Traffic and Security Monitoring

New Version of NetFort LANGuardian Provides Customers with a Single Point of Reference for Network Traffic and Security Monitoring.

NetFort, a leading provider of network traffic and security monitoring (NTSM) solutions, today unveiled version 12.4 of the LANGuardian application. The new version ensures network teams today have the visibility required to collaborate and work with their security colleagues and manage the daily security issues prevalent in today’s world.

Version 12.4 includes a number of significant changes:

• SMTP Email Decoder Enhancements
• HTTPS Website Use Reporting
• Updated BitTorrent Decoder
• Snort 2.9
• SYSLOG Forwarding Feature
• SMTP Email Decoder Enhancements

SMTP Email Decoder Enhancements

The SMTP decoder is a great feature from a network security monitoring point of view. It is a powerful tool if you want to monitor email for phishing type network attacks. Malicious attachments have made a comeback as top attack vector. An interesting post on this here.The SMTP decoder has been upgraded to record the following information

• Attachments to SMTP emails, including attachment name, MIME type and description. A sample report is shown below, some information is blurred as it came from a live network.
• Embedded hyper Link detection in emails. This is a beta release for evaluation. Where an SMTP email contains a hyper link, but the link target doesn’t seem to match the description, LANGuardian will log the link target and the description.

HTTPS Website Use Reporting

The Website monitoring module has been upgraded to now report on HTTPS domains. Domain information (such as https://facebook.com) and traffic volumes are recorded. As packet payloads are encrypted, Individual URIs cannot be reported.

Updated BitTorrent Decoder

BitTorrent continues to be a popular protocol for downloading and uploading media from the Internet. LANGuardian has the ability to detect BitTorrent use and record metadata such as Infohash values and IP addresses. In 12.4 the BitTorrent decoder has been upgraded to record Peer Exchange messages (PEX). This increases the detection rate for BitTorrent activity and will record media titles, if included in the PEX message.

Snort 2.9

Snort is a network-based intrusion detection system (NIDS) has the ability to perform real-time traffic analysis and packet logging. Snort performs protocol analysis, content searching and matching. LANGuardian 12.4 now includes Snort version 2.9.7. This allows LANGuardian to take advantage of new keywords supported in IDS signatures for Snort 2.9, distributed from the ET Open project

SYSLOG Forwarding Feature

Many customers choose LANGuardian as it can integrate with existing tools like SolarWinds, McAfee or WhatsUp. Version 12.4 extends this functionality with the addition of a new configuration page to manage the forwarding of events to external syslog collector (SIEM) systems.

This means you end up with a centralized dashboard for all network activity or as one customer described it “single point of reference for network and user activity monitoring and first stop in troubleshooting any issues”

Version 12.4 is available from our download page and it can be deployed on physical or virtual platforms.

Thanks to Netfort for the article.

 

How Hiring Employees Increases Your Chance of a Ransomware Attack

It seems like a strange combination, employee hiring and Ransomware but there is a connection. Ransomware is one of the biggest network security issues in today’s world and businesses have paid out tens of millions in ransoms this year. Thankfully a lot more people are aware of the problems it can cause and how it can get into a network. This is making things more difficult for the virus writers but they are a resourceful bunch with a lot of time on their hands.
Most people avoid opening attachments in emails from strangers. However, there are ways to trick people into opening attachments with virus payloads.

One such way which I observed recently is where companies advertise for new job positions. A common approach is to advertise jobs on websites and make a bit of noise about it on social media. Contact details are usually published and people submit their applications.

What we now have is strangers sending their CV’s as attachments and this introduces a new attack vector as it is not seen as unusual activity. Malicious attachments really have made a comeback as top attack vector.

Ransomware bandits know that sending email to a generic human resources email address may not be successful as HR teams will be used to dealing with attachments. They will employ social engineering tactics and send their ‘CV’ to other email addresses within the company. The helpful recipient will probably forward it on and may even open it. As soon as they do they will find their files are encrypted.

These social engineering attacks are getting more and more advanced. Not that long ago you could spot the suspicious emails easily as they contained lots of spelling mistakes or started off with something like “Dear Firstname”. This is no longer the case, one off emails are written for specific attacks and they can look legitimate at first glance. You should also be on the guard for unsolicited messages in LinkedIn and other social networks.

Tips For Preventing Ransomware Attacks

The lessons here of course are to continue to educate employees on the dangers of opening emails from strangers. Perform spot checks by creating a new Gmail address and send emails to see if employees open them or forward them on to others.
As well as sending in bogus CV’s you will see tactics such as sending bogus purchase orders, software licenses, delivery notices and banking statements. In most cases the email will be tailored to match the recipients role or to coincide with specific company events.

I am beginning to wonder in the age of cloud applications, do we really need to be sending attachments in emails? They have been the source of countless virus outbreaks over the years. For example, the ILOVEYOU virus from a few years ago affected over 45 million computers.

Employee training and security awareness is the number one way you will prevent Ransomware attacks. In parallel to this you should make sure you have some sort of network monitoring tool in place that can track who is accessing file shares and give you warnings when something suspicious is happening. Also consider:

• Block attachments on emails or restrict them to specific accounts.
• Use contact forms on your website instead of publishing email addresses.
• If you use Google Apps check out the attachment filtering feature. It lets you block specific attachment types or quarantine them for review later.

The image below shows a sample SMTP email report from NetFort LANGuardian which shows suspicious looking attachments that were detected moving around on a network. This information was captured using Wire Data Analytics. Two things look strange from this. Firstly the same email was sent to two people and secondly the compressed attachment (zip) is a tactic used to try and get past email filters.

New variants of Ransomware are appearing on a daily basis. Do not rely on host based antivirus as they struggle to keep up. Training and constant monitoring are the most vital activities and don’ forget about your backups.

Dealing With A Ransomware Attack

I would recommend that you create an incident response document before you get hit by Ransomware. Just something basic like backup information, support contact details, what tools to use for forensics etc… Also include notes on shutdown steps for key servers and applications.

If you do get hit, don’t just pay the ransom. As soon as you have it paid you will be dealing with another outbreak. Watch out for infected files on cloud storage services such as DropBox, files encrypted or infected with malware could be synchronized with a cloud service within seconds. It is a good example of why should really know what applications your users are running on your network. We have a few other blog posts which you may find useful in the event of a Ransomware outbreak.

• Support team stories – Detecting the source of Ransomware
• Angler Exploit Kit and CryptoWall 3.0 Incident Response
• 5 Tips For Preventing Ransomware On Your Network

The following video also shows how you can use file activity logs to track down the source of Ransomware on a network

I cannot stress how important training is for the prevention of network security attacks. If you make noise about something within your company like job postings, financial updates or corporate events, be prepared for advanced social engineering attacks.

Do you have any experiences with Ransomware attacks? Comments welcome.

Thanks to NetFort for the article.

 

What’s new in LANGuardian v12?

LANGuardian version 12 is a major new release that contains significant new traffic analysis and user interface features.

The new features include Content-Based Application Recognition (CBAR), a new approach to deep packet inspection that generates more accurate reports, a new rendering engine that displays the data in clickable drilldown graphs and charts, hundreds of new built-in reports that reflect common forensics and monitoring tasks, and significant user interface improvements.

Content-based application recognition (CBAR)

Content-Based Application Recognition (CBAR) is a new LANGuardian feature that takes traffic-based application recognition to a new level. With support for hundreds of the most common applications and protocols, and a unique deep packet inspection algorithm, CBAR delivers greater accuracy and fewer false positives than other approaches to application recognition.

New graphics rendering engine

Previous versions of LANGuardian displayed traffic data visually but LANGuardian v12 goes a step further! Its new rendering engine replaces static graphs and charts with interactive versions that enable you to drill down to greater levels of detail.

Application-aware drilldown

By combining CBAR and the new graphics rendering engine, LANGuardian now offers application-aware drilldown to provide you with the right information at the right time. For example, if you drill down on HTTP traffic, you will see a breakdown of the traffic by website domain, but if you drill down on SMTP traffic you will see a breakdown of traffic by message subject line.

Top Website Domains report

The new Top Website Domains report gives an overview of the website domains that have consumed the most bandwidth in a specified time period. You can drill down on the top-level report for a breakdown of the traffic by user and client, and then drill down again to see the individual web pages or resources accessed.

Top Applications report

The new Top Applications report gives a consolidated view of all traffic associated with a specific application or protocol, regardless of the ports involved. You can drill down on the traffic for a breakdown by application or protocol, and then drill further down into details for each user, client, domain, and IP address.

Top Fileservers report

The new Top Fileservers report gives an overview of fileservers and files accessed, along with cumulative bandwidth consumed by accesses to the files during the specified time period. You can drill down on the top-level report for a breakdown of the traffic by user and by accesses to individual files.

User interface improvements

LANGuardian v12 contains many user interface improvements, including:

• Dashboard reports now include drilldown graphs and charts
• Bandwidth consumption data incorporated in web domain reports
• File size data incorporated in file share reports
• Revised report designs make it easier to access DPI information with fewer drilldown levels

More about network traffic monitoring

If you have any questions about how LANGuardian can meet your requirements, please contact us. If you would like to see LANGuardian network monitoring software in action, please try our online demo system or download a free 30-day trial to try it on your own network with your own data.

Find out more

If you have any questions about how LANGuardian can meet your requirements, please contact us. If you would like to see LANGuardian in action, please try our online demo system or download a free 30-day trial to try it on your own network with your own data.

Thanks to NetFort for the article.

The Three Primary Use Cases for Network Forensics

When it comes to network forensics we are primarily dealing with three use cases.

The first is operational intelligence. This tends to manifest in metrics and visibility into availability and performance. Management personnel typically require high level reporting whereas network and engineering teams require drill down capabilities to get root cause answers quickly. Network forensics is crucial for anyone who needs to drive down mean time to repair or mean time to identify. Organizations such as media companies, ecommerce businesses, and anyone with an online presence where downtime is money use forensics tools on a daily basis.

The second use case is security and compliance. Network forensics can be used to identify traffic patterns that look malicious, identify DDoS vectors, attempted breaches, and malware. Real-time and historical reports with the ability to associate network activity with devices or users are the foundations of most compliance standards. Organizations of all sizes and in all sectors need to keep their networks secure which means forensic solutions are a must have.

The third use case is customer insights. This is business performance analysis, which includes real-time revenue monitoring, event impact and correlations. The customer in this instance is typically on-line and requires a stable and fast connection to applications, games, or services. Gaming, media and entertainment, hi-tech are all areas where this is seen as a requirement rather than a nice to have.

Thanks to NetFort for the article.

Windows 10 Is Already Using Up Your Bandwidth

A lot of people out there are looking forward to upgrading to Windows 10 and in less than 24 hours, Microsoft will start upgrading Windows 7 and Windows 8 machines to Windows 10. The release is scheduled for 12AM ET on July 29th (9PM PST on July 28th).

If you are responsible for the management of a network you should be aware that the software updates download in advance. Microsoft want to speed up the process by pre-loading the final version of Windows 10 on PCs eligible for the upgrade.

If you notice Internet connectivity slowdowns or if you are concerned about bandwidth use, you may see connections like the following on your Internet gateway. There are many ways to capture this information including logs, flow data and deep packet inspection.

One thing to watch out for if you are using logs or flow data is that reverse lookups of the IP addresses may be misleading. I noticed the IP addresses above using up a lot of bandwidth on my network. A reverse lookup using my favorite security lookup site (incidents.org) reported that the IP address is registered to Eircom which at first seems strange. Further analysis of the IP address and DNS traffic also shows it to be associated with AkamaiHD.net which is a content delivery network (CDN).

What you need to do is look inside the network packets associated with this activity. The HTTP headers will reveal what is actually happening. Many organizations now use content delivery networks to distribute content like software. For the consumer this means fast and reliable downloads but it also means that the network traffic coming into your network is arriving from a third party. In my case the third party is Eircom who in turn host services for Akamai and Microsoft uses them to distribute content.

When the network packets are analyzed by a deep packet inspection engine we can see that the downloads are from Windows update and that they are associated with the Windows 10 upgrade. I saw over 1GB of downloads in less than 1 hour for a single client. Quick glance at the screenshot below shows some of the downloads and the level of detail that can be captured from network packets.

I for one am looking forward to upgrading to Windows 10. My own experiences with Windows 8 were not good and I got rid of it after 1 month. Windows 7 has served me well but there is enough in 10 to convince me to upgrade. If you are responsible for the management of a network, watch out for heavy bandwidth use in the coming weeks which may be associated with this upgrade process. Ideally you should use a monitoring tool which can look inside HTTP headers so you can see exactly what is happening.

Thanks to NetFort for the article.