Keith Bromley
Sr. Manager, Product Marketing at Ixia

Give Your Network An Unfair Advantage Against Hidden Malware

March 14, 2019 by Keith Bromley

The IT role is extremely hard today. Whether you are part of the DevOps or SecOps team makes no difference—threats and problems are a daily, if not hourly, occurrence. What you need is good quality data as fast as you can get it to counter security threats, troubleshoot network outages, and remediate performance problems.

Unfortunately, IT security and analytics tools are only as good as the data they are seeing. An integrated approach for proper network visibility, network security, and network testing ensures that your tools get the right data at the right time, every time. Without an approach like this, IT teams will continue to struggle with preventing security breaches—and many will fail.

News broadcasts for the last several years have shown that most enterprise networks will be hacked at some point. It’s not a question of if your network will be breached anymore, but when. In addition, the time it takes for most IT departments to notice the intrusion usually takes months—over six months according to the Ponemon Institute. This gives hackers plenty of time to find what they want and exfiltrate whatever information they want.

What is needed is a resilient architecture that can combat the multitude of threats. For instance, there are some clear activities that you can implement to minimize your corporate risk and the potential costs of a breach. Here are some examples:

  • Use indicators of compromise to identify security breaches faster
  • Remove low risk data for faster security threat screening
  • Eliminate data exfiltration to known bad IP addresses
  • Simulate malware so that security fixes can be validated correctly

All of this gives your network an unfair advantage against hidden malware. Why unfair? Because while the items listed here form a powerful and resilient solution, they are also easy to install and easy to maintain. They can be so easy that it is almost literally “unfair” to security threats.

Let’s look at the four examples above in more detail.

Example 1 – Using indicators of compromise to identify security breaches

Security breaches almost always leave behind some indication of the intrusion, whether it is malware, suspicious activity, some sign of other exploit, or the IP addresses of the malware controller. Despite this, according to the 2016 Verizon Data Breach Investigation Report, most victimized companies do not discover security breaches themselves. Approximately 75% have to be informed by law enforcement and 3rd parties (customers, supplier, business partners, etc.) that they have been breached. In other words, the company had no idea the breach had happened. To make matter worse, the average time for the breach detection was 197 days, according to the Ponemon Institute 2018 Cybersecurity Report.

Here is one easy way to combat this issue. Ixia’s AppStack software delivers context aware information like geo-location, browser type, and device type as extensions to NetFlow which we call IxFlow. IxFlow delivers critical intelligence to reduce troubleshooting costs and boost network security protection (especially for indicators of compromise). Early detection of breaches using application intelligence reduces the loss of personally identifiable information (PII) and reduces breach costs. You can read this solution brief to get more details if you want.

If you’re like me, you probably want an example of how this is useful to you. Here you go. Suppose there is a foreign actor in Eastern Europe (or other areas of the world) that has gained access to your network. Using application data and geo-location information, you would easily be able to see that someone in Eastern Europe is transferring files off the network from an FTP server in Dallas, Texas. First, the FTP application would show up on the dashboard as being in use. Then you could quickly set up a filter in less two minutes that would focus on the signature for the FTP application. Once this is in place, you would then be able to see the geographic flow of data from Dallas to the eastern European country. If you have no legitimate users at the endpoint location, you would be able to clearly identify that something suspicious is happening.

After you have discovered the data exfiltration attempt, you can start the remediation process. In this case, NetFlow data (along with the unique information from Ixia like geolocation, device type, DNS information, and browser type) captured from the event can be forwarded to an external data storage device (e.g. Splunk) for retention and further analysis. At the same time, you have actionable information (like the destination IP address) that can be used to immediately terminate the data transfer and prevent any further loss of corporate or personal information.

Example 2 – Remove low risk data for faster security threat screening

When conducting searches for potential security breaches, time is obviously of essence. This is where a packet broker, like the Ixia Vision One, can be used to capture and filter monitoring data at line rate (all the way up to 100 GBps). Most filtering tends to focus on Layer 2 through 4. However, Ixia’s AppStack capability also enables Layer 7 application filtering. This means that you can filter on the application.

The value of filtering based upon application is enormous. If you try to filter and analyze all of the packet data on your network, it would take a long time. However, by screening data based upon application signature, you can eliminate the deep packet inspection (DPI) process for a significant amount of data and make the threat hunting and detection task faster and more efficient.

Here is an example. Ixia’s AppStack can again be used to screen traffic before it is sent to an intrusion detection system (IDS).  Information that does not require screening (e.g. voice and video) can be simply eliminated from the IDS inspection. Specifically, low risk or uninteresting application data like Hulu, Netflix, Pandora, etc. is deleted from the data stream heading to your IDS, which could make the IDS up to 35% more efficient. See this case study for more information.

Example 3 – Eliminate data exfiltration to known bad IP addresses

While security threats can be introduced into your network from any IP address, many come from just a few locations where bad actors are located. With constant monitoring by professional security teams, common IP addresses for these activities are captured and reported to the international community as known bad IP addresses.

One way to improve your network security is to block traffic from these IP addresses. Once you do this, you can eliminate risk and reduce the load on your internal security defenses. Unfortunately, bad actors constantly change IP addresses to avoid detection. This requires constant, daily updates to the access lists to keep up with the bad actors. Threat intelligence appliances like Ixia’s ThreatARMOR product can take care of this task for you. ThreatARMOR deletes any incoming traffic from those known bad IP addresses. Daily access list updates keep the product continually up to date.

However, there is usually still a delay from when a bad actor launches their attack and when the IP address is identified. This means that malware could still make it into your network. This is another advantage that can be derived from ThreatARMOR. It will also delete any outgoing traffic going to known bad IP addresses. This means that should malware make it through your security screening protocols, data exfiltration can still be potentially stopped. This further reduces the risk and cost associated with a data breach.

Example 4 – Simulate malware so that security fixes can be validated correctly

After a security breach, you need confidence that the defenses you are deploying will actually stop that type of attack again in the future. The last thing you want to do is incur a breach and then roll out a fix just to find out later that the fix doesn’t completely work.

The answer to the problem is simple. All you need to do is test the fix in a lab environment under realistic (if not actual) attacks by the specific malware. Ixia has the perfect solution here. One of our products, BreakingPoint, is a malware and DDOS generator that you can use to faithfully recreate malware exploits to attack your new configuration. This will let you see if the fix accurately block new attacks by a specific type of malware.

Network security resilience solutions are an area that Ixia excels in. We empower the enterprise to give IT an unfair advantage over security threats that have penetrated your network. If you want more information on this topic, try reading this white paper Best Practices for Security Resilience.