Dark Reading is part of the Informa Tech Division of Informa PLC


Threat Intelligence

3/10/2020
10:00 AM

How Network Metadata Can Transform Compromise Assessment

Listen more closely and your network's metadata will surrender insights the bad guys counted on keeping secret

In the 1979 cult classic When a Stranger Calls, a babysitter receives numerous telephone calls from a strange man, only to discover the calls are coming from inside the house!

Indeed, the notion of a stranger lurking inside your home is terrifying. For the modern enterprise, however, it has become the new normal. Even more frightening, most businesses have no idea that their network has been compromised in the first place.

According to an IBM study, it takes the typical enterprise 197 days to identify a breach in its network and 69 days to contain it. Despite the profusion of network monitoring and traffic analysis tools on the market today, security teams are unable to pick out the faint signal of a genuine intrusion from the din of perpetual alerts.

But as any TV detective will tell you, a criminal always leaves something behind. And just like a CSI forensics team might use luminol to detect trace amounts of blood at a crime scene, security analysts can harness the vast amount of network metadata to identify and isolate a network compromise.

The Medium Is the Message
Taking the metaphor of a house a step further, doors and windows represent both points of ingress and egress for a potential intruder. Network IP addresses, proxy servers, and email boxes are the doors and windows of the enterprise network that digital prowlers exploit to gain access and exfiltrate data. But because these intruders must use the network itself, they also can't help but leave traces of their presence in the form of network metadata.

Metadata is often defined as data about data, or information that makes data useful. Every digital photograph includes metadata that offers detailed information about the photo — when it was taken, the type of camera used, even its GPS coordinates, all attached to the digital file as metadata, providing us with a simple way to sort and organize our photo libraries.

Similarly, metadata is attached to the many hardware devices and software components that every network infrastructure needs to run. From email and application servers to network firewalls and cloud gateways, each system's attendant metadata provides a strand of telling information. On its own, an individual thread may not tell you very much. But weave enough of those threads together and step back, and a clear picture begins to emerge.

Converting Network Metadata into Useful Intel
For security teams, network metadata represents a vital yet underutilized threat intelligence resource that analysts must begin to incorporate into their compromise detection toolbox. Some of the primary sources of network metadata that can be correlated into actionable threat intelligence include:

  • DNS data: The Domain Name System (DNS) translates human-readable names into IP addresses, so nearly every connection a device makes begins with a lookup. Metadata from DNS queries therefore records which names each host on the network tried to resolve, including a compromised machine's lookups for the attacker's command-and-control domains, and it can reveal the infrastructure an intruder is relying on even when the traffic that follows is encrypted.
  • Network flows: Flow records (NetFlow, IPFIX, sFlow) summarize who talked to whom, on which ports, and how much data moved. Understanding how packets move across the network can show which devices an attacker controls and whether they are using the network to move laterally.
  • Perimeter proxy and firewall access logs: When an attacker connects directly to an IP address and never performs a DNS lookup, the remnants of the adversarial connection can often be found buried in the access logs of network firewalls or proxies.
  • Spambox filter: Often overlooked, archived spam-filter metadata can provide valuable intelligence about the kinds of attacks an organization is receiving; more telling, if end users are being targeted by similar attacks, the organization is more likely to be compromised.
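The correlation these sources make possible, as an added example that is not code from the article or from Lumu: the DNS query log, flow records, watchlist domain and IP addresses below are all constructed (the external addresses come from the documentation ranges), and the two log formats are simplified stand-ins for what a resolver or flow collector actually emits. It joins each outbound flow to the name the same client resolved to that destination moments earlier, flags connections reached through a watchlisted domain, separates out external connections that never had a DNS lookup (the case where the attacker avoids name resolution and only the proxy or firewall logs retain a trace), and then checks whether a flagged host went on to touch other internal machines on remote-administration ports.

```python
"""Correlating DNS query logs with flow records to surface a compromised host.

Added example, not from the article or from Lumu. The log formats, IP addresses,
domain names and the watchlist are all constructed for illustration.
"""
import ipaddress
from collections import namedtuple
from datetime import datetime, timedelta

DnsRecord = namedtuple("DnsRecord", "ts client qname answer")
Flow = namedtuple("Flow", "ts src dst dport bytes_out")

# Constructed DNS query log: timestamp, client IP, queried name, answer IP.
DNS_LOG = """\
2020-03-09T10:00:01 10.1.1.20 intranet.corp.example 10.1.1.5
2020-03-09T10:00:04 10.1.1.20 update-check.example.net 203.0.113.45
2020-03-09T10:00:05 10.1.1.31 www.example.com 198.51.100.7
"""

# Constructed flow records: timestamp, src IP, dst IP, dst port, bytes sent.
FLOW_LOG = """\
2020-03-09T10:00:02 10.1.1.20 10.1.1.5 443 1200
2020-03-09T10:00:05 10.1.1.20 203.0.113.45 443 54000
2020-03-09T10:00:06 10.1.1.31 198.51.100.7 443 3100
2020-03-09T10:00:40 10.1.1.20 192.0.2.88 8443 2200
2020-03-09T10:01:10 10.1.1.20 10.1.1.31 445 900
2020-03-09T10:02:00 10.1.1.31 10.1.1.5 443 700
"""

# Constructed watchlist: domains treated as attacker infrastructure (hypothetical).
WATCHLIST = {"update-check.example.net"}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
LATERAL_PORTS = {22, 135, 445, 3389, 5985}  # SSH, RPC, SMB, RDP, WinRM


def parse_dns(text):
    out = []
    for line in text.splitlines():
        ts, client, qname, answer = line.split()
        out.append(DnsRecord(datetime.fromisoformat(ts), client, qname, answer))
    return out


def parse_flows(text):
    out = []
    for line in text.splitlines():
        ts, src, dst, dport, nbytes = line.split()
        out.append(Flow(datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes)))
    return out


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL


def attribute_flows(dns, flows, window=timedelta(minutes=5)):
    """Pair each external flow with the name the same client resolved to that
    destination within `window` before the connection; None if no lookup."""
    result = []
    for f in flows:
        if is_internal(f.dst):
            continue  # internal traffic is handled by lateral_candidates()
        name = None
        for d in dns:
            if d.client == f.src and d.answer == f.dst and f.ts - window <= d.ts <= f.ts:
                name = d.qname
        result.append((f, name))
    return result


def watchlist_hits(attributed):
    """External flows whose destination was reached via a watchlisted domain."""
    return [(f, name) for f, name in attributed if name in WATCHLIST]


def direct_to_ip(attributed):
    """External flows with no preceding DNS lookup: the attacker skipped name
    resolution, so the firewall/proxy logs are the next place to look."""
    return [f for f, name in attributed if name is None]


def lateral_candidates(flows, suspects):
    """Internal-to-internal flows on admin ports from already-flagged hosts."""
    return [f for f in flows
            if f.src in suspects and is_internal(f.dst) and f.dport in LATERAL_PORTS]


def assess(dns_text=DNS_LOG, flow_text=FLOW_LOG):
    dns, flows = parse_dns(dns_text), parse_flows(flow_text)
    attributed = attribute_flows(dns, flows)
    hits = watchlist_hits(attributed)
    unresolved = direct_to_ip(attributed)
    suspects = {f.src for f, _ in hits} | {f.src for f in unresolved}
    return {
        "watchlist_hits": [(f.src, f.dst, name) for f, name in hits],
        "direct_to_ip": [(f.src, f.dst, f.dport) for f in unresolved],
        "suspects": sorted(suspects),
        "lateral": [(f.src, f.dst, f.dport) for f in lateral_candidates(flows, suspects)],
    }


if __name__ == "__main__":
    for key, value in assess().items():
        print(key, value)
```

On the constructed data the host 10.1.1.20 is flagged twice: once for resolving the watchlisted name and connecting to the address it returned, and once for a later connection to 192.0.2.88 that had no lookup at all. Only the second finding sends the analyst to the perimeter logs, and only after the host is a suspect does its SMB connection to 10.1.1.31 become interesting. The five-minute attribution window is an assumption; real resolver TTLs and client caching mean a flow can follow its lookup by much longer, which is why production tooling keeps the resolved-name-to-address mapping rather than re-joining on timestamps.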

While much of this network metadata has been available for years, harnessing it into something useful has not been practical, for a number of reasons. Until recently, the cost of storing and processing all of this data has been prohibitive. However, as public cloud services have matured, the cost of storage has dropped dramatically, from $12.40 per gigabyte in 2000 to less than $0.004 today.

Meanwhile, computing power has increased by a factor of 10,000 over the same period, creating the perfect scenario for collecting and managing large and growing volumes of metadata. The evolution of public cloud infrastructure has not only made storing and processing network metadata viable but, critically, made it possible to handle these workloads in real time.

Combine these factors with the latest advances in artificial intelligence and machine learning algorithms that can correlate these data sets at scale, and the enormous potential becomes clear for security teams under increasing pressure to quickly identify and isolate confirmed instances of compromise in their networks.

It's high time we stopped wondering if an attacker is hiding somewhere in the network — rather, we need to leverage all of the data and tools at our disposal to pinpoint these compromises in minutes, not months.


Ricardo Villadiego is the founder and CEO of Lumu, a cybersecurity company focused on helping organizations measure compromise in real time. Prior to Lumu, Ricardo founded Easy Solutions, a leading provider of fraud prevention solutions that was acquired by Cyxtera in 2017 as ...
Comments
DarylD655, User Rank: Apprentice, 3/11/2020 | 4:12:25 AM
Go with the Flow
Great observations about cost and the need to operationalize viewing NetFlow, and I'd go all the way to layer 7 in real-time analysis, not PCAP and seek-and-find. Given all of the exploitable unknown and unpatched known software vulnerabilities it's critical, but we have to stop doing this in point-solution tech and centralize it all... not in a lake that doesn't work because it adds too much latency to the discovery time.