What is Driving Demand for Deeper Traffic Analysis?

During a customer review call last week, we got a very interesting quote from a US-based user who offers marketing services to the retail sector: ‘We need greater insight over what is taking place on our internal network, systems, services, and external web farm, seen through a single portal. We need to keep downtime to a minimum both internally and on our external customer-facing web farm. We chose LANGuardian because of its integration with SolarWinds and its deep-packet inspection capabilities.’

Before discussing this in more detail: because of all the hype these days we now always ask about cloud, so when we asked this contact about hosting these critical services in the cloud, he countered with three reasons for keeping them in house:

  1. Security
  2. Control
  3. Cost

When pressed on ‘cost’, he mentioned that they were shipping huge amounts of data; if that were hosted and stored in the cloud, the bandwidth and storage charges would be huge and would not make economic sense.

Back to deeper traffic analysis. It turns out this customer had already purchased and installed a NetFlow-based product to try to get more visibility and to focus on his critical server farm, his external/public-facing environment. His business requires him to be proactive to keep downtime to a minimum and keep his customers happy. But, as they also mentioned to us: ‘With NetFlow we almost get to the answer, and then sometimes we have to break out another tool like Wireshark or something. Now with NetFort DPI (Deep Packet Inspection) we get the detail NetFlow does NOT provide: true endpoint visibility.’

What detail? What detail did this team use to justify the purchase of another monitoring product to management? I bet it was not as simple as ‘I need more detail and visibility into traffic, please sign this’! We know that with tools like Wireshark one can get down to a very low level of detail, down to the ‘bits and bytes’. But sometimes that is too low: far too much detail, overly complex for some people, and very difficult to see the ‘wood from the trees’ and get the big picture.

One critical detail we in NetFort sometimes take for granted is the level of insight our DPI can give into web or external traffic. It does not matter whether it goes via a CDN, a proxy or whatever: with deep packet inspection one can look deeper to get the detail required. Users can capture and keep every domain name, even the URI and IP address, AND, critically, the amount of data transferred, tying the IP address and URI to bandwidth. As a result, this particular customer is now able to monitor usage of every single resource or service they offer: who is accessing that URI, service or piece of data, when, how often, how much bandwidth the customer accessing that resource is consuming, and so on.

Users can also trend this information to help detect unusual activity or to help with capacity planning. This customer also mentioned that with deeper traffic analysis they were able to take a group of servers each week and really analyze usage: find the busiest server, the least busy, the top users, who was using up their bandwidth and what they were accessing. That is the right level of detail, the evidence required to make informed decisions and plan.
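The per-resource and per-client accounting described in the last two paragraphs, as an added example that is not NetFort's code: it runs over a constructed set of web transaction records (timestamp, client, server, Host, URI, bytes) of the kind a DPI sensor keeps per request, totals bytes per URI and per server, ranks the clients pulling a given resource, and flags a day on which a client moved far more than its usual volume. The record layout and the "three times the median of the other days" rule are assumptions made for the example.

```python
from collections import defaultdict
from statistics import median

# Constructed sample of per-request web transaction records (timestamp, client IP,
# server IP, Host header, URI, bytes transferred). Made-up values, not real traffic.
RECORDS = [
    ("2015-10-05T09:00:12", "10.1.1.20", "203.0.113.10", "shop.example.com", "/catalog/2015.pdf", 4_000_000),
    ("2015-10-05T09:05:40", "10.1.1.21", "203.0.113.10", "shop.example.com", "/catalog/2015.pdf", 4_000_000),
    ("2015-10-05T10:12:03", "10.1.1.20", "203.0.113.11", "api.example.com", "/v1/orders", 120_000),
    ("2015-10-06T09:01:00", "10.1.1.20", "203.0.113.10", "shop.example.com", "/catalog/2015.pdf", 4_000_000),
    ("2015-10-06T11:30:00", "10.1.1.22", "203.0.113.11", "api.example.com", "/v1/orders", 90_000),
    ("2015-10-07T09:02:00", "10.1.1.20", "203.0.113.10", "shop.example.com", "/catalog/2015.pdf", 4_000_000),
    ("2015-10-08T09:00:00", "10.1.1.20", "203.0.113.10", "shop.example.com", "/catalog/2015.pdf", 4_000_000),
    ("2015-10-09T09:00:00", "10.1.1.20", "203.0.113.10", "shop.example.com", "/catalog/2015.pdf", 4_000_000),
    ("2015-10-09T14:00:00", "10.1.1.20", "203.0.113.10", "shop.example.com", "/catalog/full-dump.zip", 60_000_000),
]


def bytes_by_resource(records):
    """Total bytes per (host, URI): ties a URI to the bandwidth it consumes."""
    totals = defaultdict(int)
    for _ts, _client, _server, host, uri, nbytes in records:
        totals[(host, uri)] += nbytes
    return dict(totals)


def top_clients_for(records, host, uri, n=5):
    """Who is pulling a given resource, ranked by bytes."""
    per_client = defaultdict(int)
    for _ts, client, _server, h, u, nbytes in records:
        if (h, u) == (host, uri):
            per_client[client] += nbytes
    return sorted(per_client.items(), key=lambda kv: kv[1], reverse=True)[:n]


def busiest_servers(records):
    """Servers ranked by total bytes served, busiest first."""
    per_server = defaultdict(int)
    for _ts, _client, server, _h, _u, nbytes in records:
        per_server[server] += nbytes
    return sorted(per_server.items(), key=lambda kv: kv[1], reverse=True)


def daily_totals(records, client):
    """Bytes per calendar day for one client, in date order."""
    per_day = defaultdict(int)
    for ts, c, _server, _h, _u, nbytes in records:
        if c == client:
            per_day[ts[:10]] += nbytes
    return sorted(per_day.items())


def unusual_days(totals, ratio=3.0, min_days=3):
    """Flag days whose total exceeds `ratio` times the median of the other days.

    The leave-one-out median stops a single huge day from inflating its own
    baseline; at least `min_days` other days are needed before flagging.
    """
    flagged = []
    for i, (day, total) in enumerate(totals):
        others = [t for j, (_d, t) in enumerate(totals) if j != i]
        if len(others) < min_days:
            continue
        baseline = median(others)
        if total > ratio * baseline:
            flagged.append((day, total, baseline))
    return flagged


if __name__ == "__main__":
    for (host, uri), total in sorted(bytes_by_resource(RECORDS).items(), key=lambda kv: -kv[1]):
        print(f"{total:>12,d}  {host}{uri}")
    print("busiest servers:", busiest_servers(RECORDS))
    print("top clients for the catalogue PDF:",
          top_clients_for(RECORDS, "shop.example.com", "/catalog/2015.pdf"))
    for day, total, baseline in unusual_days(daily_totals(RECORDS, "10.1.1.20")):
        print(f"{day}: 10.1.1.20 moved {total:,d} bytes against a baseline of {baseline:,.0f}")
```

The same functions work on a week of real sensor output once the records are loaded into the same six-field shape; the leave-one-out baseline is what keeps one 60 MB download from hiding itself by raising the average it is compared against.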

CDN (Content Delivery Network) usage has increased dramatically recently and is making life very difficult for network administrators trying to keep tabs on bandwidth usage and generate meaningful reports on it. We had a customer recently who powered up a bunch of servers and saw a huge peak in bandwidth consumption. With NetFlow the domain reported was an obscure CDN and meant nothing. The LANGuardian reported huge downloads of data from windowsupdate.com from a particular IP address and also reported the user name.

What was that about justification? How about simply greater insight to reduce downtime, maximise utilisation, increase performance, reduce costs. All this means happier customers, less stress for the network guys and more money for everybody!

Thanks to NetFort for the article.

How to Deal With Unusual Traffic Detected Notifications

If you get an unusual traffic detected notification from Google, it usually means your IP address was, or still is, sending suspicious network traffic. Google can detect this and has recently implemented security measures to protect against DDoS, other server attacks and SEO rank manipulation.

The key thing to remember is that the notification is based on your Internet facing IP address, not your private IP address which is assigned to your laptop\PC\device. If you don’t know what your Internet facing (or public) IP address is you can use something like this service.

Top tips for dealing with unusual traffic detected messages:

  1. Get an inventory. Do you have unknown devices on your network? There are many free applications which can do network scans. Another option is to deploy deep packet inspection tools which will passively detect what is running on your network.
  2. Monitor traffic on your Internet gateway. Watch out for things like network scans, traffic on unusual port numbers, TOR traffic. I have included a video below which explains how you can do this.
  3. Track down the device using its MAC address. Network switches maintain a list of what MAC addresses are associated with what network switch ports. The guide at this link shows you how to do this on Cisco switches but similar commands are available on other switch models.
  4. See if your IP address is blacklisted. You can use something like http://www.ipvoid.com/ to see if your IP address is on known blacklists.
  5. If you cannot find any issues, talk to your ISP. Maybe you need an IP change. IP addresses are recycled so it could be that you were allocated a dodgy one. This is a remote possibility so make sure you cover tips 1 to 4 first.
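Tip 2, monitoring the gateway for scans and unusual ports, as an added example (not NetFort's code) over constructed flow records: one detector looks for a source touching many distinct ports on one host, another for a source touching many hosts on one port, and a third totals bytes sent to destination ports outside a site allowlist. The record layout, the allowlist and the thresholds are assumptions for the example.

```python
from collections import defaultdict

# Constructed gateway flow records (src_ip, dst_ip, dst_port, proto, bytes), the
# per-conversation summary a flow export or a DPI sensor would produce.
# The 30 tiny flows from 10.0.0.5 mimic a host probing one destination port by
# port; 10.0.0.9 talks to a port outside the allowlist. All values are made up.
FLOWS = [("10.0.0.5", "192.0.2.1", port, "tcp", 60) for port in range(1, 31)] + [
    ("10.0.0.7", "198.51.100.20", 443, "tcp", 1_500_000),
    ("10.0.0.7", "198.51.100.21", 80, "tcp", 240_000),
    ("10.0.0.7", "10.0.0.1", 53, "udp", 2_000),
    ("10.0.0.9", "198.51.100.7", 9001, "tcp", 250_000),
    ("10.0.0.9", "198.51.100.7", 9001, "tcp", 180_000),
]

# Ports this hypothetical site expects to see leaving its gateway (an assumption).
ALLOWED_PORTS = {25, 53, 80, 123, 443}


def find_port_scans(flows, min_ports=20):
    """(src, dst) pairs where one source touched many distinct ports on one host."""
    ports = defaultdict(set)
    for src, dst, dport, _proto, _nbytes in flows:
        ports[(src, dst)].add(dport)
    return {pair: len(p) for pair, p in ports.items() if len(p) >= min_ports}


def find_host_sweeps(flows, min_hosts=20):
    """(src, port) pairs where one source contacted many distinct hosts on one port."""
    hosts = defaultdict(set)
    for src, dst, dport, _proto, _nbytes in flows:
        hosts[(src, dport)].add(dst)
    return {key: len(h) for key, h in hosts.items() if len(h) >= min_hosts}


def unusual_port_usage(flows, allowed=ALLOWED_PORTS, min_bytes=10_000):
    """Bytes per (src, dst_port) for destination ports outside the allowlist.

    Totals below `min_bytes` are dropped: they carry no real session and are
    better explained by the scan detectors above than reported port by port.
    """
    totals = defaultdict(int)
    for src, _dst, dport, _proto, nbytes in flows:
        if dport not in allowed:
            totals[(src, dport)] += nbytes
    return {key: total for key, total in totals.items() if total >= min_bytes}


if __name__ == "__main__":
    print("port scans:", find_port_scans(FLOWS))
    print("host sweeps:", find_host_sweeps(FLOWS))
    print("unusual ports:", unusual_port_usage(FLOWS))
```

Port-based checks only point at something worth a look (a port outside the allowlist is not proof of anything), which is why the article pairs them with the inventory and MAC-address steps: the output here is a short list of internal addresses to chase, not a verdict.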

Video: How to Monitor Internet Activity Using a SPAN Port

Further reading

In a previous blog post I also looked at how you can use LANGuardian to track down the source of unusual traffic on your network.

Blog Post: How to deal with “Google has detected unusual traffic from your network” notifications

Please don’t hesitate to get in contact with our support team if you are having an issue with a unusual traffic notification. They can help you quickly get to the root cause of issues associated with suspicious network traffic.

Thanks to NetFort for the article.

How Can We Monitor Traffic Associated with Remote Sites?

Many IT teams are now tasked with managing remote sites without having the luxury of local IT support. Business owners expect everything to be done remotely; we do live in the connected age, don’t we? Is it possible to see what is happening in these networks without the need to install client or agent software everywhere?

You can gather some network performance information using SNMP or WMI but you will be limited to alerts or high level information. What you need is some form of deeper traffic analysis. Software applications that do traffic analysis are ideal for troubleshooting LAN and link problems associated with remote sites.

There are two main technologies available to analyze network traffic associated with remote sites, those that do flow analysis and those that capture network packets. Flow statistics are typically available from devices that can route data between two networks, most Cisco routers support NetFlow for example. If your remote networks are flat (single subnet) or you don’t have flow options on your network switches then packet capture is a viable option.

You can implement packet capture by connecting a traffic analysis system to a SPAN or mirror port on a network switch at your remote site. You can then log onto your traffic analysis system remotely to see what is happening within these networks.

NetFort LANGuardian has multiple means of capturing data associated with remote sites. The most popular option is to install an instance of the LANGuardian software at your HQ. Sensors can be deployed on physical or virtual platforms at important remote sites. Data from these is stored centrally, so you get a single reference point for all traffic and security information across local and remote networks.

LANGuardian can also capture flow-based statistics such as NetFlow, IPFIX and sFlow; routers and switches at the remote sites can be configured to send flow records to LANGuardian. Watch out for issues associated with NetFlow, as it has limitations when it comes to monitoring cloud computing applications.

Thanks to NetFort for the article.

Cyber Attacks – Businesses Held for Ransom in 2015

Really nice crisp clear morning here in Galway, a bit chilly though. Before I dropped my 14-year-old son to school, I tuned into an Irish station, NewsTalk, and caught most of a very interesting conversation between a member of a large Irish law firm, William Fry, and the presenter.

They were discussing the increasing threat of cyber-attack for Irish businesses. They spoke about the importance of detection, as 43% of businesses are not even aware that they are being attacked, and the hackers can have access for weeks or months before they are detected.

They also indicated that 4 out of 5 businesses have been impacted. Hard to believe, but if this also includes recent Ransomware attacks, for example, then based on feedback from NetFort customers I would believe it. Maybe also, as large enterprises are spending more on security and have ‘tightened up’, the hacker has moved on and redefined the ‘low hanging fruit’; is it now the small to medium enterprise (SME)?

It reminds me of a discussion I had last year with a network admin of a college in Chicago. ‘John, we are entering an era where continuous monitoring, visibility is becoming more and more critical because there is no way all the inline active systems can protect us internally and externally these days’.

I am biased but I think he is absolutely correct. Visibility, actionable intelligence, data normal users can read and interpret and act on is critical.

Visibility not just at the edge though, also at the core, the internal network because it is critical to be able to see and detect suspicious activity or network misuse here also. It is also important to track this, to keep a record of it to help troubleshoot, to provide proof for management, auditors and even users.

I was discussing some recent LANGuardian use cases with an adviser in the US this week and mentioned that we are hearing the term ‘network misuse’ a lot more these days and I was not sure why. Maybe organizations are becoming more concerned about data theft?

His explanation makes sense. For him it was all about the attack surface: if users are misusing the network, accessing sites and applications that are non-critical, inappropriate or infected, it increases the attack surface and the security risk, and will result in pain for everybody.

In defence of Irish business though, a lot of the systems out there in this space are only suitable for large enterprises, too expensive and complex to manage, tune and get real actionable intelligence. The SMEs all over the world, not just Ireland cannot afford them in terms of time, people and money.

Thanks to NetFort for the article.

Detecting XCodeGhost Activity By Monitoring HTTP Traffic

Apple is presently working on issues with malware (XCodeGhost) in their App Store. According to this blog post, over 50 iOS apps contained malicious code that made iPhones and iPads part of a botnet that stole potentially sensitive user information including:

  • Application name
  • Application version
  • OS version
  • Language
  • Country
  • Developer info
  • Application installation type
  • Device name
  • Device type

One of the quick ways to check for suspicious activity on your network is to look for HTTP or DNS traffic associated with these domains:

  • init.icloud-analysis.com
  • init.crash-analytics.com

Lately criminals have been targeting users of mobile devices more, as people are less cautious on mobile devices than on desktops. This attack also highlights how security awareness is so important throughout the application development process. Everyone from the developer to the end user needs to be alert. In this incident developers were tricked into using counterfeit software to build their applications, which created an ideal environment for malware to spread.

The BBC is reporting that the majority of people affected by this attack were in China. However, we would recommend that you check your own network for activity, especially if you allow mobile devices to connect to the corporate network.

A recommended approach to do this would be to use network packet capture. Tools which use NetFlow (or other flow source) are poor when it comes to web usage tracking. Packet capture allows you to look inside HTTP headers where interesting data like User-Agent can be found.

You can use a free tool like Wireshark or a commercial product like LANGuardian. Once installed, you should set up a SPAN or mirror port to get a copy of network packets going in and out of your Internet connection. This is a passive monitoring approach, so you won’t need to install client or agent software on all of your network devices.

Deep packet inspection (DPI) based monitoring also works whether you have a proxy or not; you just need to sniff the traffic at the correct location. Many organizations are not using proxies these days because they are a potential bottleneck, another inline device that can degrade performance or cause issues. If you do not have one and need visibility, you have the option of using a SPAN port or port mirror.

The following video shows how you can setup a SPAN or mirror port to monitor Internet or mobile device activity. This is an ideal way for detecting HTTP or DNS traffic associated with XCodeGhost. Even if you don’t have a problem today, you should get familiar with the concept so that you are prepared for the next big security issue.

Video: How to Monitor Internet Activity Using a SPAN Port

Our support team is here to help if you have any questions about detecting XCodeGhost activity on your network. Contact information can be found at the very top of this blog post. Use the following procedure if you want to use LANGuardian for detecting XCodeGhost activity.

  • Enter websites in the find field which is located in the top right of the GUI
  • Select Web : Top Websites & URI
  • Search for init.icloud-analysis.com or init.crash-analytics.com by using the website name filter.
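Looking for the HTTP or DNS traffic the article describes, as an added example that is not LANGuardian's or Wireshark's code: it decodes the question name from a raw DNS query and the Host and User-Agent headers from a raw HTTP request, and matches both against the two domains the procedure above searches for. The sample packets are constructed for the example (the query builder exists only to make them) and the source addresses are placeholders.

```python
import struct

# The two domains named in the article; a name equal to one of these, or a
# subdomain of one, counts as a hit.
INDICATOR_DOMAINS = {"init.icloud-analysis.com", "init.crash-analytics.com"}


def parse_dns_qname(payload: bytes) -> str:
    """Return the first question name from a raw DNS message (the UDP payload).

    The 12-byte header is followed by the question: length-prefixed labels
    ending in a zero byte. Compression pointers are not valid in a question
    name, so they are rejected rather than followed.
    """
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    offset, labels = 12, []
    while True:
        if offset >= len(payload):
            raise ValueError("truncated question name")
        length = payload[offset]
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        offset += 1
        labels.append(payload[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels).lower()


def parse_http_request(payload: bytes) -> dict:
    """Pull method, URI, Host and User-Agent out of a raw HTTP request."""
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _sep, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    host = headers.get("host", "").split(":")[0].lower()  # drop any :port suffix
    return {"method": method, "uri": target, "host": host,
            "user_agent": headers.get("user-agent", "")}


def matches_indicator(name: str, indicators=INDICATOR_DOMAINS) -> bool:
    return any(name == d or name.endswith("." + d) for d in indicators)


def scan_packets(packets):
    """packets: iterable of (src_ip, kind, payload) where kind is 'dns' or 'http'."""
    hits = []
    for src, kind, payload in packets:
        if kind == "dns":
            name = parse_dns_qname(payload)
        elif kind == "http":
            name = parse_http_request(payload)["host"]
        else:
            continue
        if matches_indicator(name):
            hits.append((src, kind, name))
    return hits


def build_dns_query(name: str) -> bytes:
    """Minimal A-record query; used here only to construct sample input."""
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)  # id, RD set, 1 question
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


# Constructed sample traffic: one device resolving and then contacting an
# indicator domain, plus benign lookups. Not captured from a real network.
SAMPLE_PACKETS = [
    ("10.20.0.41", "dns", build_dns_query("init.icloud-analysis.com")),
    ("10.20.0.42", "dns", build_dns_query("www.example.com")),
    ("10.20.0.41", "http",
     b"GET / HTTP/1.1\r\nHost: init.icloud-analysis.com\r\nUser-Agent: ConstructedAgent/1.0\r\n\r\n"),
    ("10.20.0.43", "http", b"GET / HTTP/1.1\r\nHost: www.example.com:80\r\n\r\n"),
]

if __name__ == "__main__":
    for src, kind, name in scan_packets(SAMPLE_PACKETS):
        print(f"{src} {kind} -> {name}")
```

Matching on the DNS question as well as the HTTP Host header matters because the lookup happens even when the later connection is blocked or goes over HTTPS, so the resolver traffic is often the first and sometimes the only place the domain shows up.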

Please use the comment section below if you have any feedback or further information for detecting XCodeGhost activity.

Thanks to NetFort for the article.

NetFort 12.4 – Network Traffic and Security Monitoring

New Version of NetFort LANGuardian Provides Customers with a Single Point of Reference for Network Traffic and Security Monitoring.

NetFort, a leading provider of network traffic and security monitoring (NTSM) solutions, today unveiled version 12.4 of the LANGuardian application. The new version ensures network teams today have the visibility required to collaborate and work with their security colleagues and manage the daily security issues prevalent in today’s world.

Version 12.4 includes a number of significant changes:

  • SMTP Email Decoder Enhancements
  • HTTPS Website Use Reporting
  • Updated BitTorrent Decoder
  • Snort 2.9
  • SYSLOG Forwarding Feature

SMTP Email Decoder Enhancements

The SMTP decoder is a great feature from a network security monitoring point of view. It is a powerful tool if you want to monitor email for phishing-type network attacks. Malicious attachments have made a comeback as a top attack vector; there is an interesting post on this here. The SMTP decoder has been upgraded to record the following information:

  • Attachments to SMTP emails, including attachment name, MIME type and description. A sample report is shown below, some information is blurred as it came from a live network.
  • Embedded hyper Link detection in emails. This is a beta release for evaluation. Where an SMTP email contains a hyper link, but the link target doesn’t seem to match the description, LANGuardian will log the link target and the description.
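Both decoder features, attachment metadata and link/description mismatch, as an added example (not LANGuardian's decoder) using Python's standard email and HTML parsers on a constructed message: it lists each attachment's name, MIME type and size, and flags an anchor whose visible text looks like a URL but names a different host than its href. The mismatch heuristic, the sample message and the addresses in it are assumptions for the example.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse


def build_sample_message() -> bytes:
    """Constructed message: a zip attachment and two links, one of whose visible
    text names a different host than its real target."""
    msg = EmailMessage()
    msg["From"] = "candidate@example.org"
    msg["To"] = "alice@example.com"
    msg["Subject"] = "Application for advertised role"
    msg.set_content("Please find my CV attached.")
    msg.add_alternative(
        '<p>Please find my CV attached. My portfolio: '
        '<a href="http://198.51.100.9/login">https://portfolio.example.org/alice</a>. '
        'Role page: <a href="https://example.com/jobs/42">example.com/jobs/42</a></p>',
        subtype="html",
    )
    msg.add_attachment(b"PK\x03\x04" + b"\x00" * 28, maintype="application",
                       subtype="zip", filename="cv.zip")
    return bytes(msg)


def extract_attachments(raw: bytes):
    """Attachment name, MIME type and size, as the article's decoder records."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        found.append({"filename": part.get_filename(),
                      "content_type": part.get_content_type(),
                      "size": len(data)})
    return found


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Visible text that reads as a URL or bare host name (assumed heuristic).
_LOOKS_LIKE_URL = re.compile(r"^(?:https?://)?[a-z0-9.-]+\.[a-z]{2,}(?:[/:]|$)", re.I)


def _host_of(text: str) -> str:
    if "://" not in text:
        text = "http://" + text  # let urlparse handle a bare "host/path"
    return (urlparse(text).hostname or "").lower()


def find_mismatched_links(raw: bytes):
    """Links whose visible text looks like a URL but names a different host
    than the href actually points to."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    collector = _AnchorCollector()
    collector.feed(body.get_content())
    mismatches = []
    for href, text in collector.links:
        if not href or not _LOOKS_LIKE_URL.match(text):
            continue
        text_host, href_host = _host_of(text), _host_of(href)
        if text_host != href_host:
            mismatches.append({"text": text, "href": href,
                               "text_host": text_host, "href_host": href_host})
    return mismatches


if __name__ == "__main__":
    raw = build_sample_message()
    print("attachments:", extract_attachments(raw))
    print("mismatched links:", find_mismatched_links(raw))
```

Only anchors whose text itself looks like an address are compared, which is the case the article's beta feature targets; a link labelled "click here" tells the reader nothing to be misled by, while "https://portfolio.example.org/alice" pointing at a bare IP address does.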

HTTPS Website Use Reporting

The website monitoring module has been upgraded to report on HTTPS domains. Domain information (such as https://facebook.com) and traffic volumes are recorded. As packet payloads are encrypted, individual URIs cannot be reported.

Updated BitTorrent Decoder

BitTorrent continues to be a popular protocol for downloading and uploading media from the Internet. LANGuardian has the ability to detect BitTorrent use and record metadata such as Infohash values and IP addresses. In 12.4 the BitTorrent decoder has been upgraded to record Peer Exchange messages (PEX). This increases the detection rate for BitTorrent activity and will record media titles, if included in the PEX message.

Snort 2.9

Snort is a network-based intrusion detection system (NIDS) that has the ability to perform real-time traffic analysis and packet logging. Snort performs protocol analysis, content searching and matching. LANGuardian 12.4 now includes Snort version 2.9.7. This allows LANGuardian to take advantage of new keywords supported in IDS signatures for Snort 2.9, distributed from the ET Open project.

SYSLOG Forwarding Feature

Many customers choose LANGuardian as it can integrate with existing tools like SolarWinds, McAfee or WhatsUp. Version 12.4 extends this functionality with the addition of a new configuration page to manage the forwarding of events to external syslog collector (SIEM) systems.

This means you end up with a centralized dashboard for all network activity or, as one customer described it, a “single point of reference for network and user activity monitoring and first stop in troubleshooting any issues”.

Version 12.4 is available from our download page and it can be deployed on physical or virtual platforms.

Thanks to NetFort for the article.

 

How Hiring Employees Increases Your Chance of a Ransomware Attack

It seems like a strange combination, employee hiring and Ransomware, but there is a connection. Ransomware is one of the biggest network security issues in today’s world and businesses have paid out tens of millions in ransoms this year. Thankfully a lot more people are aware of the problems it can cause and how it can get into a network. This is making things more difficult for the virus writers, but they are a resourceful bunch with a lot of time on their hands.

Most people avoid opening attachments in emails from strangers. However, there are ways to trick people into opening attachments with virus payloads.

One such way which I observed recently is where companies advertise for new job positions. A common approach is to advertise jobs on websites and make a bit of noise about it on social media. Contact details are usually published and people submit their applications.

What we now have is strangers sending their CVs as attachments, and this introduces a new attack vector as it is not seen as unusual activity. Malicious attachments really have made a comeback as a top attack vector.

Ransomware bandits know that sending email to a generic human resources email address may not be successful as HR teams will be used to dealing with attachments. They will employ social engineering tactics and send their ‘CV’ to other email addresses within the company. The helpful recipient will probably forward it on and may even open it. As soon as they do they will find their files are encrypted.

These social engineering attacks are getting more and more advanced. Not that long ago you could spot the suspicious emails easily, as they contained lots of spelling mistakes or started off with something like “Dear Firstname”. This is no longer the case: one-off emails are written for specific attacks and they can look legitimate at first glance. You should also be on your guard for unsolicited messages on LinkedIn and other social networks.

Tips For Preventing Ransomware Attacks

The lessons here of course are to continue to educate employees on the dangers of opening emails from strangers. Perform spot checks by creating a new Gmail address and sending emails to see if employees open them or forward them on to others.

As well as sending in bogus CVs you will see tactics such as sending bogus purchase orders, software licenses, delivery notices and banking statements. In most cases the email will be tailored to match the recipient’s role or to coincide with specific company events.

I am beginning to wonder in the age of cloud applications, do we really need to be sending attachments in emails? They have been the source of countless virus outbreaks over the years. For example, the ILOVEYOU virus from a few years ago affected over 45 million computers.

Employee training and security awareness is the number one way you will prevent Ransomware attacks. In parallel to this you should make sure you have some sort of network monitoring tool in place that can track who is accessing file shares and give you warnings when something suspicious is happening. Also consider:

  • Block attachments on emails or restrict them to specific accounts.
  • Use contact forms on your website instead of publishing email addresses.
  • If you use Google Apps check out the attachment filtering feature. It lets you block specific attachment types or quarantine them for review later.

The image below shows a sample SMTP email report from NetFort LANGuardian which shows suspicious-looking attachments that were detected moving around on a network. This information was captured using wire data analytics. Two things look strange here. Firstly, the same email was sent to two people, and secondly, the compressed attachment (zip) is a tactic used to try and get past email filters.

New variants of Ransomware are appearing on a daily basis. Do not rely on host-based antivirus, as it struggles to keep up. Training and constant monitoring are the most vital activities, and don’t forget about your backups.

Dealing With A Ransomware Attack

I would recommend that you create an incident response document before you get hit by Ransomware. Just something basic like backup information, support contact details, what tools to use for forensics etc… Also include notes on shutdown steps for key servers and applications.

If you do get hit, don’t just pay the ransom. As soon as you have paid it you will be dealing with another outbreak. Watch out for infected files on cloud storage services such as Dropbox: files encrypted or infected with malware could be synchronized with a cloud service within seconds. It is a good example of why you should really know what applications your users are running on your network. We have a few other blog posts which you may find useful in the event of a Ransomware outbreak.

The following video also shows how you can use file activity logs to track down the source of Ransomware on a network.
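Using file activity logs to find the source of an outbreak, as an added example that is not the video's or LANGuardian's method: over a constructed key=value activity log it groups WRITE and RENAME operations on files carrying an assumed encrypted-file suffix by (user, client IP) and reports any pair that produced five or more within a 60-second window, together with the shares touched. The log format, the suffix list, the thresholds and every name and address in the sample are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed file-activity log in a simple key=value form (not the format of
# any particular product). One workstation starts writing and renaming files
# with a ".locked" suffix across two shares within a few seconds.
LOG_LINES = r"""
2015-11-02T10:14:58 user=asmith client=10.0.0.31 share=\\fs01\finance op=READ path=Q3\budget.xlsx
2015-11-02T10:15:00 user=jdoe client=10.0.0.55 share=\\fs01\finance op=WRITE path=Q3\budget.xlsx.locked
2015-11-02T10:15:01 user=jdoe client=10.0.0.55 share=\\fs01\finance op=RENAME path=Q3\forecast.docx.locked
2015-11-02T10:15:03 user=asmith client=10.0.0.31 share=\\fs01\finance op=WRITE path=Q3\notes.txt
2015-11-02T10:15:04 user=jdoe client=10.0.0.55 share=\\fs01\finance op=WRITE path=Q3\invoices.pdf.locked
2015-11-02T10:15:09 user=jdoe client=10.0.0.55 share=\\fs01\hr op=WRITE path=staff\list.xlsx.locked
2015-11-02T10:15:12 user=jdoe client=10.0.0.55 share=\\fs01\hr op=RENAME path=staff\policy.docx.locked
2015-11-02T10:15:15 user=jdoe client=10.0.0.55 share=\\fs01\hr op=WRITE path=staff\contracts.pdf.locked
2015-11-02T10:15:20 user=jdoe client=10.0.0.55 share=\\fs01\hr op=WRITE path=staff\README_DECRYPT.txt
2015-11-02T10:15:25 user=bwong client=10.0.0.77 share=\\fs01\eng op=WRITE path=build\out.locked
""".strip().splitlines()

# Suffixes assumed, for this example, to mark an encrypted file. Real families
# use many different suffixes, so treat this list as a placeholder to maintain.
SUSPICIOUS_SUFFIXES = (".locked", ".encrypted", ".crypt")

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) client=(?P<client>\S+) "
                     r"share=(?P<share>\S+) op=(?P<op>\S+) path=(?P<path>.+)$")


def parse_log(lines):
    """Turn log lines into dicts; lines not in the expected form are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def find_ransomware_sources(lines, window=timedelta(seconds=60), threshold=5):
    """Group suspicious WRITE/RENAME events by (user, client) and report any
    pair that produced `threshold` or more of them inside one `window`."""
    by_source = defaultdict(list)
    for ev in parse_log(lines):
        if ev["op"] in ("WRITE", "RENAME") and ev["path"].lower().endswith(SUSPICIOUS_SUFFIXES):
            by_source[(ev["user"], ev["client"])].append(ev)
    alerts = []
    for (user, client), evs in by_source.items():
        evs.sort(key=lambda e: e["ts"])
        times = [e["ts"] for e in evs]
        # Peak number of suspicious events in any window starting at an event.
        peak = max(sum(1 for t in times if start <= t <= start + window) for start in times)
        if peak >= threshold:
            alerts.append({"user": user, "client": client,
                           "first_seen": times[0].isoformat(),
                           "count": len(evs), "peak_in_window": peak,
                           "shares": sorted({e["share"] for e in evs})})
    return alerts


if __name__ == "__main__":
    for alert in find_ransomware_sources(LOG_LINES):
        print(f"{alert['first_seen']}: {alert['user']} from {alert['client']} touched "
              f"{alert['count']} files on {', '.join(alert['shares'])}")
```

The alert carries the client address as well as the user, because the first thing the incident document above asks for is which machine to pull off the network; the user account tells you which share permissions the infection is running with, and the share list tells you where to start restoring from backup.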

I cannot stress how important training is for the prevention of network security attacks. If you make noise about something within your company like job postings, financial updates or corporate events, be prepared for advanced social engineering attacks.

Do you have any experiences with Ransomware attacks? Comments welcome.

Thanks to NetFort for the article.