A potential threat can come from anywhere at any time, and it doesn't have to start from the Internet. Many threats are initiated internally by infected handheld and laptop devices that walk right past the firewall. Anti-virus has become nearly ineffective against targeted threats. Even next-generation firewalls aren't stopping the outbound connections created by unwanted data exfiltration. Reviewing logs with expensive SIEM solutions is a great reactive measure, provided the logs they depend on haven't been tampered with.
In the Visa Data Security Alert released in 4/2013, Visa stated: "Hackers are also using anti-forensic techniques such as tampering with or deleting security event logs, using strong encryption or modifying security applications (e.g., whitelist malware files) to avoid detection." For all these reasons, your Cisco Cyber Threat Defense strategy needs to consider alternate defensive measures.
The Cisco Cyber Threat Defense effort often includes multiple technologies, one of which is NetFlow or the IETF standard called IPFIX.
"We really like NetFlow... From a storage perspective, it's a little bit more scalable for your devices to offload it into a database for collection and analysis vs. a full packet capture. It's also very good for sort of profiling general activities on the network."
Levi Gundert - Cisco Threat Research, Analysis and Communications (TRAC)
"If you can do one-to-one sampling of NetFlow, meaning you are capturing the header metadata of every packet traversing the network device, then you are really going to have some very useful insight into what is happening on your network."
For example, your Cisco Cyber Threat Defense strategy for uncovering data exfiltration might include taking notes: how do the end systems running the business applications communicate over the network with the servers? Characteristics to be mindful of include:
- What ports do they use, and are the connections encrypted?
- How large and frequent are the traffic patterns?
- How does a busy season like Christmas or Valentine's Day impact traffic? Point-of-sale systems in particular are affected by this.
Loaded with the above notes, or possibly a saved historical behavior baseline that doesn't include the malware, your Cisco Cyber Threat Defense solution can begin to sleuth for signs that are indicative of some type of contagion. Although no single solution is a panacea for uncovering all types of data exfiltration, NetFlow should be part of your Cisco Cyber Threat Defense solution. Here are four tell-tale behaviors, visible in flow data, that could indicate a host is participating in data exfiltration:
- Monitor encrypted connections to the Internet: is the volume of bytes uploaded greater than the volume downloaded? What is the pattern?
- Watch for occasional Internet connections where the internal device does not receive a response. How often does it happen?
- Can you identify any strange DNS requests for domains that meet suspicious criteria? Is it the same recurring host?
- Host Reputation: are any devices communicating with known Internet bots?
False positives are expected for any one of the above behaviors on its own. However, if a host is exhibiting all four characteristics, possible data exfiltration should be investigated further. Make sure your Cisco Cyber Threat Defense solution knows how to build Threat Indexes™, which help you quickly sift through the onslaught of events with the goal of identifying real data exfiltration.
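As an added illustration (not Cisco's code and not part of the original post), the following Python checks each internal host against the four flow-data behaviors above and sums the hits into a simple per-host index, in the spirit of a Threat Index. The flow records, the reputation list, the internal address prefix and the set of "encrypted" ports are all constructed assumptions.

```python
from collections import defaultdict

# Constructed NetFlow-style records (not real traffic), one per connection:
# (src, dst, dst_port, bytes_out, bytes_in, got_response, dns_query_name)
FLOWS = [
    ("10.0.0.5", "203.0.113.9", 443, 52_000_000, 120_000, True, None),
    ("10.0.0.5", "203.0.113.9", 443, 48_000_000, 90_000, True, None),
    ("10.0.0.5", "198.51.100.7", 443, 1_200, 0, False, None),
    ("10.0.0.5", "198.51.100.7", 443, 1_500, 0, False, None),
    ("10.0.0.5", "10.0.0.53", 53, 300, 400, True, "x7f3k2.badexample.test"),
    ("10.0.0.8", "203.0.113.20", 443, 300_000, 9_000_000, True, None),
    ("10.0.0.8", "10.0.0.53", 53, 200, 300, True, "www.example.com"),
]
KNOWN_BOT_HOSTS = {"198.51.100.7"}   # constructed reputation list (assumed)
ENCRYPTED_PORTS = {443, 993, 995}    # assumed "encrypted" service ports
INTERNAL_PREFIX = "10."              # assumed internal address range

def suspicious_domain(name):
    """Heuristic: a long, digit-heavy first label looks machine-generated."""
    label = name.split(".")[0]
    digits = sum(c.isdigit() for c in label)
    return len(label) >= 6 and digits / len(label) >= 0.3

def score_hosts(flows, bot_hosts=KNOWN_BOT_HOSTS, min_up_ratio=2.0):
    """Return {internal_host: (index, [behaviors seen])} over the flows."""
    up, down = defaultdict(int), defaultdict(int)
    unanswered, odd_dns, bots = defaultdict(int), defaultdict(int), defaultdict(int)
    for src, dst, port, b_out, b_in, answered, qname in flows:
        external = not dst.startswith(INTERNAL_PREFIX)
        if external and port in ENCRYPTED_PORTS:   # behavior 1: volumes
            up[src] += b_out
            down[src] += b_in
        if external and not answered:              # behavior 2: no reply
            unanswered[src] += 1
        if qname and suspicious_domain(qname):     # behavior 3: odd DNS
            odd_dns[src] += 1
        if dst in bot_hosts:                       # behavior 4: reputation
            bots[src] += 1
    result = {}
    for host in {f[0] for f in flows}:
        checks = [  # upload dominates download on encrypted connections
            (up[host] and up[host] >= min_up_ratio * max(down[host], 1), "upload_heavy_encrypted"),
            (unanswered[host], "unanswered_outbound"),
            (odd_dns[host], "suspicious_dns"),
            (bots[host], "bot_reputation"),
        ]
        hits = [name for cond, name in checks if cond]
        result[host] = (len(hits), hits)   # index 4 means all four behaviors
    return result
```

A host scoring 4 is the "all four characteristics" case the text says warrants investigation; a single hit is only a lead.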