Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

10:00 AM
Connect Directly
E-Mail vvv

How Network Metadata Can Transform Compromise Assessment

Listen more closely and your network's metadata will surrender insights the bad guys counted on keeping secret

In the 1979 cult classic When a Stranger Calls, a babysitter receives numerous telephone calls from a strange man, only to discover the calls are coming from inside the house!

Indeed, the notion of a stranger lurking inside your home is terrifying. For the modern enterprise, however, it has become the new normal. Even more frightening, most businesses have no idea that their network has been compromised in the first place.

According to an IBM study, it takes the typical enterprise 197 days to identify a breach in its network and 69 days to contain it. Despite the profusion of network monitoring and traffic analysis tools on the market today, security teams are unable to distinguish the faint signal of a legitimate network incursion over the din of perpetual alerts.

But as any TV detective will tell you, a criminal always leaves something behind. And just like a CSI forensics team might use luminol to detect trace amounts of blood at a crime scene, security analysts can harness the vast amount of network metadata to identify and isolate a network compromise.

The Medium Is the Message
Taking the metaphor of a house a step further, doors and windows represent both points of ingress and egress for a potential intruder. Network IP addresses, proxy servers, and email boxes are the doors and windows of the enterprise network that digital prowlers exploit to gain access and exfiltrate data. But because these intruders must use the network itself, they also can't help but leave traces of their presence in the form of network metadata.

Metadata is often defined as data about data, or information that makes data useful. Every digital photograph includes metadata that offers detailed information about the photo — when it was taken, the type of camera used, even its GPS coordinates, all attached to the digital file as metadata, providing us with a simple way to sort and organize our photo libraries.

Similarly, metadata is attached to the many various hardware devices and software that every network infrastructure needs to run. From email and application servers to network firewalls and cloud gateways, the attendant metadata of each system provides a strand of telling information. On its own, that individual thread of data may not tell you very much. But put enough of those dots together and take a step back, a clear picture begins to emerge.

Converting Network Metadata into Useful Intel
For security teams, network metadata represents a vital yet underutilized threat intelligence resource that analysts must begin to incorporate into their compromise detection toolbox. Some of the primary sources of network metadata that can be correlated into actionable threat intelligence include:

  • DNS data: Domain Name System (DNS) translates numerical IP addresses and maps devices and services to the underlying network. Metadata from DNS queries provide a crucial contextual layer that records every connection attempt from an adversary's device to an organization's infrastructure and can be used to discern the specific route an attacker is using to infiltrate a network.
  • Network flows: Understanding how packets move across the network can offer valuable insights into which devices are being controlled by an attacker and whether or not they are using the network to move laterally. 
  • Perimeter proxy and firewall access logs: In cases where an attack avoids domain resolution, the remnants of an adversarial connection can often be found buried in the access logs of network firewalls or proxies.
  • Spambox filter: Often overlooked, archived spambox filter metadata can provide valuable intelligence regarding the type of attack an organization is receiving; more telling, if end-users are being targeted by similar attacks then the organization is more likely to be compromised. 

While much of this network metadata has been available for years now, harnessing it into something useful has not been practical for a number of reasons. Until recently, the cost of storing and processing all of this data has been cost prohibitive. However, as public cloud services have matured, the cost of storage has dropped exponentially — from $12.40 per gigabyte in 2000 to less than $0.004 today.

Meanwhile, computing power has increased by a factor of 10,000 over this same time period, creating the perfect scenario for the collection and administration of large and growing volumes of metadata. The evolution of public cloud infrastructure has not only made storing and processing network metadata viable, but critically, can manage these complex workloads in real time.

When you combine these factors with the latest advancements in powerful artificial intelligence and machine learning algorithms that can correlate these data sets at scale, you can begin to recognize the enormous potential that can be realized by security teams who are under increasing pressure to quickly identify and isolate confirmed instances of compromise in their network.

It's high time we stopped wondering if an attacker is hiding somewhere in the network — rather, we need to leverage all of the data and tools at our disposal to pinpoint these compromises in minutes, not months.

Related Content:


Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "Keys to Hiring Cybersecurity Pros When Certification Can't Help."

Ricardo Villadiego is the founder and CEO of Lumu, a cybersecurity company focused on helping organizations measure compromise in real-time. Prior to LUMU, Ricardo founded Easy Solutions, a leading provider of fraud prevention solutions that was acquired by Cyxtera in 2017 as ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
3/11/2020 | 4:12:25 AM
Go with the Flow
Great observations about cost and need to operationalize viewing Netflow and I'd go all the way to layer 7 in real time analysis not PCAP and seek and find. Given all of the exploitable unknown and unpatched known software vulnerabilities it's critical but we have to stop doing this in point solution tech and centralize it all...not in a lake that doesn't work because it adds too much latency to the discovery time.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/3/2020
Stay-at-Home Orders Coincide With Massive DNS Surge
Robert Lemos, Contributing Writer,  5/27/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-06-03
IBM Security Guardium 11.1 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID: 174732.
PUBLISHED: 2020-06-03
IBM Security Guardium 11.1 could allow a remote authenticated attacker to execute arbitrary commands on the system. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary commands on the system. IBM X-Force ID: 174735.
PUBLISHED: 2020-06-03
IBM Security Guardium 11.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 174738.
PUBLISHED: 2020-06-03
IBM Security Guardium 11.1 could disclose sensitive information on the login page that could aid in further attacks against the system. IBM X-Force ID: 174805.
PUBLISHED: 2020-06-03
IBM Security Guardium 10.6, 11.0, and 11.1 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID: 174851.