Are we witnessing the death of malware? According to this story at InfoWorld the answer seems to be … maybe. While it will likely never go away completely, it is less and less the tool of choice for many hackers.
It seems, according to several studies quoted in the article, that the more discerning hackers are using social engineering techniques to trick people into giving up legitimate login credentials, then using those credentials to access the network, which makes it harder to tell when a network has been breached.
Hackers using malware will likely trip sensors set up on a well-secured network. That’s not the case when they get in with legitimate credentials. The traffic, in that case, looks legitimate. So if hackers aren’t using things that can be detected, how can you tell if you’ve been breached? By knowing what’s normal on your network and looking for traffic that deviates from that. But what specifically should you be looking for? Here are three things, all of them a bit related.
Network Anomaly Detection is a term that’s been around a while, and it’s what you’d think it’d be. It monitors the network and tries to find things that are out of place.
It’s looking for things like somebody trying to access a portion of the network that they shouldn’t be. It’s looking at the ports or protocols that are being used for certain tasks, like a mail server on port 25, and making sure those ports and protocols are doing the things they are meant to do. A mail server sends mail; that’s what it does. So why is the mail server now attempting outbound SSH? Why would it even try? It’d be worth checking out.
The problem with anomaly detection is that it’s not Network Security 101. It’s somewhat sophisticated stuff and hard for a small staff or staff without a lot of security knowledge to handle well. (Luckily, there are vendors out there that can be hired to help – see the conclusion for a few suggestions.)
Network anomalies would be a symptom of data exfiltration. What you want to look for here is unusual or unauthorized transfer of data from a computer. Is something leaving that shouldn’t be? Is there a box on the network that’s not normally talking out to the Internet, but now it is? Or, more complicated, is a box that does normally talk out to the Internet over a normal port suddenly bursting at 2 a.m. every morning?
NetFlow is a protocol created by Cisco, but there are many other vendors that utilize it as well. Basically, it’s analyzing network traffic at a high level. You are looking at who is talking to whom on your network. You are looking at the ports over which that communication is taking place, and you are looking at the protocols being used.
The Quickest Solution: Know What’s Normal
All of this is important. Of course, you want to be prepared for when you are breached. And you need to know what to look for in case hackers get inside your network with legitimate credentials after a successful phishing scam.
To find something that isn’t normal on your network requires you to know what is normal. So, a thorough understanding of your network’s topology – what’s installed on what, and what should be talking to what on what ports and at what volume – is essential. Once you have that baseline, the bad stuff should be easier to spot.
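As an added illustration of the baseline-then-deviation idea (not code from the article or any of the vendors it names), the following Python learns per-host "normal" from a set of constructed NetFlow-style records and then flags the three deviations the post describes: a host using a service it never used before (the mail server attempting SSH), a box that never talked to the Internet suddenly doing so, and a host bursting far above its usual hourly volume at 2 a.m. The record layout, host names and the `ext:` prefix for Internet addresses are assumptions made for the example.

```python
from collections import defaultdict, namedtuple

# NetFlow-style record (constructed layout, not a real export format); dst values
# prefixed "ext:" are Internet addresses and hour is the hour of day (0-23).
Flow = namedtuple("Flow", "hour src dst dport proto nbytes")

def build_baseline(flows):
    """Per source host: the (port, proto) pairs it uses, whether it talks to the
    Internet at all, and its peak hourly outbound byte count."""
    base = defaultdict(lambda: {"services": set(), "external": False, "hourly": defaultdict(int)})
    for f in flows:
        b = base[f.src]
        b["services"].add((f.dport, f.proto))
        if f.dst.startswith("ext:"):
            b["external"] = True
            b["hourly"][f.hour] += f.nbytes
    return base

def find_anomalies(baseline, flows, volume_factor=5):
    """Return (host, reason) pairs for traffic that deviates from the baseline."""
    alerts, hourly = [], defaultdict(int)
    for f in flows:
        b = baseline.get(f.src)
        if b is None:
            alerts.append((f.src, "host not present in baseline"))
            continue
        if (f.dport, f.proto) not in b["services"]:  # e.g. the mail server trying SSH
            alerts.append((f.src, f"new service {f.proto}/{f.dport} to {f.dst}"))
        if f.dst.startswith("ext:"):
            if not b["external"]:                     # box that never talked out before
                alerts.append((f.src, f"first outbound traffic, to {f.dst}"))
            hourly[(f.src, f.hour)] += f.nbytes
    for (src, hour), total in hourly.items():         # volume burst against the learned peak
        peak = max(baseline[src]["hourly"].values(), default=0)
        if peak and total > volume_factor * peak:
            alerts.append((src, f"{total} bytes at {hour:02d}:00 is {total // peak}x the baseline peak"))
    return alerts

# Constructed baseline: mail relays on 25 and resolves DNS, web fetches from a CDN, files only serves SMB internally.
BASELINE_FLOWS = [
    Flow(9, "mail", "ext:relay", 25, "tcp", 40_000), Flow(14, "mail", "ext:relay", 25, "tcp", 60_000),
    Flow(10, "mail", "dns", 53, "udp", 2_000), Flow(10, "web", "ext:cdn", 443, "tcp", 100_000),
    Flow(11, "files", "workstation-1", 445, "tcp", 900_000),
]
# Constructed later traffic that should trip the checks described in the text.
NEW_FLOWS = [
    Flow(15, "mail", "ext:relay", 25, "tcp", 55_000),           # normal relaying
    Flow(3, "mail", "ext:203.0.113.9", 22, "tcp", 5_000),        # mail server attempting outbound SSH
    Flow(2, "files", "ext:203.0.113.9", 443, "tcp", 8_000_000),  # internal-only box now talking out
    Flow(2, "web", "ext:203.0.113.9", 443, "tcp", 50_000_000),   # usual port, but bursting at 2 a.m.
]
```

Running `find_anomalies(build_baseline(BASELINE_FLOWS), NEW_FLOWS)` yields four alerts (the new SSH service, the file server's first outbound flow on a new service, and the web box at 500x its baseline peak) and nothing for the normal relay flow; the volume threshold and the one-day baseline are deliberately crude and a real deployment would learn over weeks of flow data.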
So, consider a tool to analyze NetFlow from a company like Cisco or SolarWinds, or investigate an open-source option like NTop. The visibility these tools give you can help detect and mitigate breaches that don’t carry the typical signature (no IPS-related pun intended) of malware activity.