Review: Bricata adds threat hunting to traditional IPS/IDS

Bricata offers advanced IPS/IDS protection, but also goes a step farther, adding the ability to launch threat hunts based on events, or simply anomalies.


These days, even the most basic cybersecurity defenses for any medium to large enterprise will include an intrusion prevention system (IPS) or an intrusion detection system (IDS). Even by itself, a well-tuned IPS/IDS system that is constantly monitored by security teams will catch most network problems and security breaches. However, the fact that many organizations stop there has led to an uptick in successful attacks designed specifically to operate in IDS blind spots.

Taking the next step along the cybersecurity maturity ladder is no small feat. To increase protection, most organizations struggle to add new programs and technologies such as endpoint protection platforms or deception networks. Better security also normally requires increasing IT staff and providing them with better tools and training. Even then, new staffers and programs must be integrated into something like a security information and event management (SIEM) console, or even a full-scale network operations center, to be completely effective. It’s more like running a marathon than taking the next step towards increased protection and cyber maturity.

And that is where the Bricata platform can come into play. At its core, Bricata offers advanced IPS/IDS protection with multiple detection engines and threat feeds to defend network traffic and core assets. But it goes a step farther, adding the ability to launch threat hunts based on events, or simply anomalies. This would enable an organization to begin network-level threat hunting using the same staff and tools it is already using for IPS monitoring. It would be a good step in the right direction towards better protection without the pain of installing additional programs or re-training staff.

Bricata won’t provide complete visibility into everything happening at the far corners of the network, such as active processes running on endpoints, but it does deliver coverage of core network traffic in a more comprehensive way than most other IPS/IDS devices. When combined with its threat hunting capabilities, it can help to ferret out unknown threats that have bypassed other protections – and it can be done with existing staff using tools they are already familiar with.

Looking first at Bricata as a pure IDS system, it is deployed as a physical or virtual appliance that serves as the main collator point and user interface. This in turn links to network sensors that are deployed at network choke points to capture traffic data. While the Bricata sensors will almost always be deployed at network gateways, they can additionally be placed around core assets or internal points where network traffic flows to give the platform visibility into horizontal movement of potential threats.

The entire installation is done on-premises, and no collected traffic data ever needs to leave the network. It’s also not dependent on having an always-on connection to cloud services or external hosts, though it does regularly receive updates for its threat intelligence engine. Traffic data is stored on the appliance for 11 days by default, striking a balance between having look-back capabilities and eating up a lot of space. This also keeps the interface speedy by limiting the amount of data that can be searched when performing threat hunting. There is an option to export traffic data to external storage or the cloud, in case an organization wants to keep it longer than the default retention period.

Image: Bricata main dashboard (John Breeden II/IDG)

The main dashboard for the Bricata platform looks like a traditional IPS/IDS system, with various alerts and warnings about events or programs that have been caught or flagged by protection engines.

In my testing, the efficiency of Bricata as an IPS/IDS with advanced capabilities was obvious. Looking at the main IPS interface, a potential threat was located in the form of a piece of suspected malware that came into the network and was downloaded onto a client. Confirming that the program was likely malicious was fairly easy. And that is where most IDS systems would stop. Administrators could purge the infected machine and move on to the next alert. However, in this case, that would not have stopped the problem.

Image: Bricata event drilldown (John Breeden II/IDG)

Clicking on any event brings up increasingly detailed data about it. This includes the ability to see packets and even download files. By default, Bricata keeps all records for 11 days.

Diving in a bit more, Bricata was able to show that a few seconds after landing on the client, the malware began beaconing out to other systems in the network. The Bricata sensors detected lateral movement that would have been invisible to most IPS consoles. The malware had in fact replicated onto other systems, so chasing down and purging it from the initial system would not have done much good. Bricata was able to detect this because of the traffic generated by that lateral movement, recorded by the internal sensors, and it could do so without having an agent on the endpoint itself.

Given the amount of traffic data that Bricata can collect, adding threat hunting tools makes a lot of sense, although using it in this way does not really feel like threat hunting at all, and could be accomplished by anyone already trained to use the core IPS console.

Image: Bricata Hunt button (John Breeden II/IDG)

Every recorded event within the Bricata IPS/IDS system can be the basis of a threat hunt. Users simply click the orange Hunt button to begin.

Bricata adds a bright orange Hunt button at the top of every event information screen. Clicking on the button brings up the option to start a hunt that focuses on the destination or source IP addresses, or both together. This provides a jumping off point as a natural extension to what security teams would be doing anyway when monitoring the IDS. Launching a hunt brings up all relevant information regarding traffic coming to or from a suspected host, or communications between them. This can show at a glance, for example, if any other clients on a network are involved with a suspected IP address.

Image: Bricata IP pair hunt (John Breeden/IDG)

Here a hunt has been launched, and all information about the two IP addresses involved in the incident has been automatically collected.

Image: Bricata hunt showing the infected client sending out new connections (John Breeden II/IDG)

As part of this hunt, lateral movement within the network has been detected, exposing the danger posed by infected clients through lateral movement. A traditional IPS probably would not have found this.
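The two hunt steps described above, pivoting on a source/destination IP pair and then following the infected client's internal connections outward, can be reproduced over plain flow records. The following is an added illustration written for this review, not Bricata code; the flow lines, the 10.0.0.0/8 internal range and the five-minute spread window are constructed assumptions.

```python
from collections import deque, namedtuple
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed flow records standing in for sensor data: "timestamp src dst dst_port".
SAMPLE_FLOWS = """\
2018-06-01T10:00:00 10.0.0.5 203.0.113.9 80
2018-06-01T10:00:04 10.0.0.5 10.0.0.7 445
2018-06-01T10:00:06 10.0.0.5 10.0.0.8 445
2018-06-01T10:00:30 10.0.0.7 10.0.0.12 445
2018-06-01T10:01:00 10.0.0.20 10.0.0.9 443
2018-06-01T10:02:00 10.0.0.8 203.0.113.9 80
""".splitlines()

INTERNAL = ip_network("10.0.0.0/8")  # the organisation's own address space (assumed)
Flow = namedtuple("Flow", "ts src dst dport")

def parse_flows(lines):
    """Turn whitespace-separated flow lines into Flow records."""
    out = []
    for line in lines:
        ts, src, dst, dport = line.split()
        out.append(Flow(datetime.fromisoformat(ts), src, dst, int(dport)))
    return out

def hunt_ip_pair(flows, ip_a, ip_b):
    """Pivot on a source/destination pair: return the traffic between the two
    addresses and every other host that talked to either of them."""
    involving = [f for f in flows if {ip_a, ip_b} & {f.src, f.dst}]
    between = [f for f in involving if {f.src, f.dst} == {ip_a, ip_b}]
    others = sorted({h for f in involving for h in (f.src, f.dst)} - {ip_a, ip_b})
    return between, others

def trace_lateral_movement(flows, seed_host, seed_time, window=timedelta(minutes=5)):
    """Follow internal connections outward from the first infected host. A host
    becomes suspect when a suspect host connects to it within `window` of that
    host's own compromise time. Returns {host: time_first_seen_suspect}."""
    suspect = {seed_host: seed_time}
    queue = deque([seed_host])
    by_time = sorted(flows, key=lambda f: f.ts)
    while queue:
        host = queue.popleft()
        since = suspect[host]
        for f in by_time:
            if (f.src == host and ip_address(f.dst) in INTERNAL
                    and since <= f.ts <= since + window and f.dst not in suspect):
                suspect[f.dst] = f.ts
                queue.append(f.dst)
    return suspect
```

Pivoting on 10.0.0.5 and 203.0.113.9 surfaces 10.0.0.7 and 10.0.0.8 as other hosts involved with the pair, while the spread trace also reaches 10.0.0.12, which never touched the external address and would be missed by the pair view alone.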

Other Bricata hunting tools enable deep packet inspection and even the downloading of the actual suspected malware for additional testing with antivirus, sandboxing or other external tools. A back-testing feature even enables discovered threats to be run against historical data to see if they would have been able to slip past previously unpatched defenses.

Even though there is a lot of information available, Bricata does a great job of collecting exactly what is needed to help build the all-important picture of how and where suspicious events are occurring. Anyone familiar with how the IPS/IDS part of the console works will have little trouble becoming a competent threat hunter. Only minimal training would be required, if that.

Image: Bricata pure hunting view of all traffic (John Breeden II/IDG)

In addition to launching hunts based on IPS alerts, Bricata allows analysts to survey all traffic data on their own, looking for threats that even the Bricata IPS/IDS missed.

There are also several advanced threat hunting features bundled into the interface that are normally only present in dedicated threat hunting programs. For example, traffic can be examined manually to look for anomalies, even ones that are not triggering alerts. This would be more of a pure threat hunting activity, where users form a hunch and do their own investigating. Although this is an advanced technique, it’s easy enough to learn here by simply working with the program’s more guided hunting features.

Organizations that want to improve their cybersecurity maturity, but don’t know how to reach such a high bar as institutionalized threat hunting, could instead consider installing the Bricata IPS/IDS platform. Not only will that enable extremely robust intrusion protection, but it can also act as a gateway to threat hunting activities, allowing users to train themselves as they carry out their everyday tasks while protecting networks from both known and unknown threats.

Copyright © 2018 IDG Communications, Inc.
