New weapons offer hope against advanced cyber-attacks

Traffic monitoring tools from Damballa, Lancope and LightCyber can detect hidden malware.

One of the most frightening things about modern cyber-attacks is that a breach can remain undetected within networks for weeks, months or even years. This time gives hackers the luxury of lateral movement within a network, meaning they can acquire better credentials, compromise more systems and search for the most profitable and most damaging information.

And perimeter defense tools are almost worthless once hackers are quietly rampaging behind the lines. But malware has to communicate back to the hackers somehow, and new monitoring tools have emerged that can identify that traffic.

As such, traffic monitoring tools could very well be the next big thing in network security, protecting networks against cyber-attacks and helping even if a breach has already happened.

We evaluated security programs from Damballa, Lancope and LightCyber with traffic monitoring at their core. Because these programs require real-world traffic, the topography of which in some cases must be predefined, each was evaluated using a production environment provided by the companies. (Watch the slideshow version for an abbreviated rundown of each product.)

We were given training as to each program’s features and then had unrestricted administrator access to the systems during the testing period. Each program was evaluated based on ease of use, accuracy, how quickly the program could be deployed, and what level of customization and automation could be implemented.

While all three programs worked extremely well at identifying malware based on its communications, the Damballa Failsafe product was the easiest to use, had the best user interface and would be the quickest to deploy, an important consideration if an organization suspects that their network has already been compromised.

Lancope StealthWatch provided the most details about the communications going on within a network and the relationships between groups and devices, making it a useful tool for other things beyond security, such as network optimization or even capital planning.

And LightCyber Magna proved a perfect tool for detecting hidden threats that are trying to find specific data inside a network or elevate its privileges. It can also be useful in identifying insider threats.

Here are the individual reviews:

Damballa Failsafe

Damballa officials say the company monitors a whopping 35 percent of all Internet traffic worldwide every day, and 55 percent of all US-based DNS traffic, through its partnerships with ISPs like Comcast and others. It’s a pretty safe bet that any new malware is going to run through a gateway monitored by Damballa at some point early in its life cycle.

Damballa uses that incredible reach, a team of data scientists and machine learning capabilities to profile malware. However, Failsafe isn’t signature based. Damballa samples more than 100,000 new variants of malware every day, but is only concerned with the characteristics of the malware as it pertains to network traffic.

The company then generalizes each component of the HTTP requests from the samples, looking at the requests by data type, encoding and length. In this way the characteristics of malware are identified: even though the control server, destination and camouflaging techniques used by malware change all the time, the communication structure is always going to be the same. That information is shared with Failsafe appliances protecting networks.
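To make the generalization step concrete, here is an added example (written for this review, not Damballa's code) of reducing HTTP requests to structural templates: the host and every literal value are discarded and each path segment and query parameter is kept only as an encoding class plus a length bucket. The sample beacon, its control servers, paths and payloads are all constructed; a real system would add many more features and, as the text notes, still pass matches through a threshold before alerting.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Encoding classes, checked from most to least specific. Alphabetic tokens are
# tested before base64 so a plain word such as "upload" is not mistaken for
# base64 merely because it is made of base64 alphabet characters.
_ENCODINGS = [
    ("digits", re.compile(r"[0-9]+")),
    ("hex", re.compile(r"(?:[0-9a-fA-F]{2})+")),
    ("alpha", re.compile(r"[A-Za-z]+")),
    ("base64", re.compile(r"(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?")),
]

def classify(value):
    """Reduce one request component to (encoding, length bucket). Lengths are
    bucketed to the next power of two so small variations collapse together."""
    enc = "empty"
    for name, pattern in _ENCODINGS:
        if value and pattern.fullmatch(value):
            enc = name
            break
    else:
        if value:
            enc = "mixed"
    bucket = 1 << (len(value) - 1).bit_length() if value else 0
    return (enc, bucket)

def template(method, url):
    """Generalize a request: the host and every literal value are dropped and
    only the shape of the path segments and query parameters is kept."""
    parts = urlsplit(url)
    segments = tuple(classify(s) for s in parts.path.split("/") if s)
    query = tuple(sorted((classify(k), classify(v))
                         for k, v in parse_qsl(parts.query, keep_blank_values=True)))
    return (method.upper(), segments, query)

# Constructed beacon of a hypothetical family: later sightings use a different
# control server, session id and encoded payload but keep the same structure.
KNOWN_C2_TEMPLATES = {
    template("POST", "http://203.0.113.10/a8f3c2d1/upload.php?id=7731&d=ZGF0YQ=="),
}

def is_known_c2(method, url):
    """True when the request's structure matches a known malicious template."""
    return template(method, url) in KNOWN_C2_TEMPLATES
```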

Failsafe is installed as a single appliance with one sensor device deployed at each Internet access point so that every communication to or from a network can be monitored. Although there is some pre-installation work to determine how many sensors are needed and what IP addresses they will use, the actual installation process itself generally takes less than an hour.


Damballa engineers monitor a network following installation to ensure that devices are placed at the correct location and that no rogue communication streams exist, but barring any missteps, Failsafe can begin working at that point without further intervention. Of the three products evaluated, this makes Failsafe the quickest to deploy. Also, there is no danger that existing malware could be added to some type of good profile baseline because Failsafe only monitors traffic.

The interface is surprisingly user friendly. The top level screen is comprised of a series of widgets that show the characteristics of network traffic with an emphasis on the detected threats. There are quite a few widgets available, which go into more or different details, like the type of activity that the found malware is attempting or a list of places network traffic is being sent. These can be dragged and dropped into place to become part of the main dashboard.

Drilling down into the network architecture, administrators can observe everything that is going on as it relates to suspicious activity. To reduce false positives, Failsafe does not immediately elevate suspicious activity into an alert, though administrators can look at everything the program currently considers suspicious. There are actually two engines running on the main appliance to prevent security alert overloads, one for breach detection and one for risk analysis. Both require suspicious activity to cross a certain threshold before an alert is generated.

The breach detection engine looks at three areas: behavioral analysis, content and payload analysis, and threat intelligence. Behavioral analysis includes how automated a process is, if it’s using the new domain fluxing technique employed by advanced malware, peer to peer communications and what is being executed. Content and payload analysis is mostly concerned with the type of requests being generated. And threat intelligence uses all of the Internet traffic data collected by Damballa to compare the queries and connection makeups against malware variants.

The risk profiler uses machine learning and human intelligence to determine if suspicious behavior is actually malicious. It uses variables like how much data is being transferred, if the communications were successful, if it was part of a spanning process, the importance of the protected endpoint within the organization, the threat actor being communicated with and even things like alerts from anti-virus coverage. Rather than just elevating threats once they are confirmed, the risk profiler also ranks them based on severity. It was very easy to tell which systems should be investigated right away, and which could be quarantined and worked on later.

Once an alert is generated by Failsafe, it takes only one click to drill down and see all the evidence proving that the client or device is infected. Looking at the alerts generated by the test network, the ones that bubbled to the top were clearly persistent malware, though they had been able to remain hidden from traditional monitoring tools because they did things like domain fluxing, introducing jitter into their communication windows and sneaking out only a couple of kilobytes of data at a time. Failsafe pointed all this out, however, clearly making the case as to why the identified items were malicious.

Failsafe also has a high level of automation, which is applied on a step-by-step basis depending on the threat level and is totally customizable by users. By default, the network that was evaluated for this review had Failsafe separate suspected systems from critical data stores, even if the threat had not yet been elevated to an alert. This precautionary step would keep malware from getting to the crown jewels even while the investigation was continuing. Once an infection was proven and verified by both engines, the device was automatically moved to quarantine, where no more network traffic was allowed. This is the default behavior for most Failsafe installations, but what the program does and how it acts in different circumstances is customizable by users if needed.

A final feather in the cap of Failsafe is that it’s designed to work with other security programs like TippingPoint or Splunk, integrating their capabilities and allowing full control over them from its user-friendly interface. Thus, Failsafe can be dropped into any existing security architecture and become complementary instead of competitive.

LightCyber Magna

The LightCyber Magna platform is designed to separate normal user behavior from the anomalies caused by attackers. Magna is not just concerned with outgoing and incoming traffic either. It can detect, evaluate and if necessary mitigate an attacker’s lateral movement inside the network. 


The Magna platform is installed in components, and not every organization will need every one. The Magna Master is an appliance that collects data from all other parts of the system and is also what users log into to configure their protection and receive alerts.

The Magna Detector is another appliance, deployed to monitor traffic, which connects to a SPAN port on a switch or to a network tap.

There is also a Probe appliance that can be used to connect the traffic monitoring at branch offices back to the main master console. Most deployments are hardware based, but virtual installations of all components are also available.

An additional component is Pathfinder, which performs agent-free endpoint analysis to complement network information in the automated decision-making process, and to find the root cause of suspicious behavior within endpoints.

Once installed, Magna typically waits for two to three weeks before taking any actions. During that time the software watches all network traffic to come up with baselines for each group, user and device. These baselines are used as part of a very detailed plan preventing false positives. Even during the settling-in period, Magna does not assume that everything it sees is valid traffic. Outliers are set aside for later examination. 

The interface for the Magna platform is very simple at first, and drills down into increasing complexity as needed. Some of the lower-level menus can be quite complicated, especially if there is a lot of suspicious activity going on with a device. However, for the most part the parsing of data makes it so that administrators probably won’t drill down that far unless Magna is sure that a breach has occurred. 

The main dashboard shows how many known breached hosts and devices exist on a network, how many suspicious hosts Magna is monitoring, whether any systems have been quarantined, and how many incidents have been fixed and closed.

Magna is very careful not to elevate incidents to alert status unless they have been verified by several sources. So, for example, just because a host is periodically generating command-and-control-like traffic does not mean that a breach has happened. There might be a valid reason, especially if the group the device belongs to, or the user, does that type of thing all the time.

However, adding in something like remote code execution would further raise the concern level of Magna, all of which would be visible to an administrator because suspicious hosts are shown outlined in yellow. But it would generally take something else, such as the actual detection of executable code, to raise a full alert. 

One of the most interesting things we discovered was Magna’s ability to detect lateral movement within an enterprise, something that wouldn’t trigger some traffic monitoring tools that are only concerned with packets crossing the network boundary. In one instance, a system on the monitored network suddenly began making peer-to-peer connections with other local devices, which elevated the problem to suspicious. This didn’t trigger a full alert, but looking at the profile, it was determined that the computer that initiated the new connections had never done so before. The protocols used for the odd connections, the ports, the size and type of data transmitted and the user who was logged in at the time were all recorded. As an added precaution, the computers or servers that were communicated with were also marked as low-level suspicious, just in case that action had caused them to become infected as well.

In the case of that suspicious event, there might be an explanation, such as a new administrator who needed to check something out. But it gets flagged just in case, as it could also be an indication that a user has gone rogue. In this way, trusted insiders who suddenly start to do bad things can possibly be caught. It’s worth noting that the action in question was not flagged as an alert, as Magna only elevates to that level when the assurance is close to 100 percent.
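The settling-in baseline described earlier and the lateral-movement case above, as an added illustration written for this review (not LightCyber's own code): a monitor learns which peer-and-port pairings each host uses during the learning window, sets aside rare pairings instead of baselining them, and afterwards marks a host suspicious on its first connection to a peer it never used, recording the port, size and user while marking the contacted peer low-level suspicious. The flow records, host names and the day-offset timestamps are constructed.

```python
from collections import Counter, defaultdict

MIN_REPEATS = 3  # a pairing seen fewer times while learning is held as an outlier

class LateralMovementMonitor:
    """Learn (src, dst, port) pairings during a settling-in window, then flag
    hosts that open connections to peers they never talked to before."""

    def __init__(self, learn_days=14):
        self.learn_days = learn_days
        self.counts = Counter()            # learning-period pairings and how often seen
        self.baseline = set()
        self.held = []                     # rare learning-period pairings kept for review
        self.learned = False
        self.status = {}                   # host -> "suspicious" or "low"
        self.evidence = defaultdict(list)  # host -> details of each odd connection

    def _finish_learning(self):
        for key, seen in self.counts.items():
            if seen >= MIN_REPEATS:
                self.baseline.add(key)
            else:
                self.held.append(key)
        self.learned = True

    def observe(self, day, src, dst, port, nbytes, user):
        """Feed one flow; returns the host newly marked suspicious, or None."""
        key = (src, dst, port)
        if day < self.learn_days:
            self.counts[key] += 1
            return None
        if not self.learned:
            self._finish_learning()
        if key in self.baseline:
            return None
        self.status[src] = "suspicious"
        self.status.setdefault(dst, "low")  # the peer may have been infected in turn
        self.evidence[src].append({"day": day, "dst": dst, "port": port,
                                   "bytes": nbytes, "user": user})
        return src

    def dashboard(self):
        """Counts for a top-level view (layout assumed, not Magna's)."""
        vals = list(self.status.values())
        return {"suspicious": vals.count("suspicious"),
                "low": vals.count("low"), "held": len(self.held)}

def demo():
    """Constructed flows: a workstation backs up to a file server daily, prints
    once, then after learning starts reaching other workstations over SMB."""
    mon = LateralMovementMonitor(learn_days=14)
    mon.observe(3, "ws-17", "print-02", 9100, 4_000, "alice")  # seen once: held
    for day in range(14):
        mon.observe(day, "ws-17", "fs-01", 445, 20_000, "alice")
    mon.observe(15, "ws-17", "fs-01", 445, 22_000, "alice")    # baselined, no flag
    flagged = [mon.observe(15, "ws-17", p, 445, 1_200, "alice") for p in ("ws-22", "ws-23")]
    return mon, flagged
```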

LightCyber officials said that on the networks they monitor with thousands of devices, the number of alerts raised averages about two or three per day. Once an alert is triggered, response teams have some basic options. To halt an ongoing attack on the test network, we were given the option to lock out the infected computer using Active Directory, remove any malicious files from the infected host, remove all files located on different parts of the network with the same MD5 hash, or create a firewall rule that would block a malicious website belonging to a threat actor.
