by John Breeden II

New weapons offer hope against advanced cyber-attacks

Feb 23, 2015 (18 min read)

Traffic monitoring tools from Damballa, Lanscope, LightCyber can detect hidden malware.

One of the most frightening things about modern cyber-attacks is that a breach can remain undetected within networks for weeks, months or even years. This time gives hackers the luxury of lateral movement within a network, meaning they can acquire better credentials, compromise more systems and search for the most profitable and most damaging information.

And perimeter defense tools are almost worthless once hackers are quietly rampaging behind the lines. But malware has to communicate back to the hackers somehow, and new monitoring tools have emerged that can identify that traffic.

As such, traffic monitoring tools could very well be the next big thing in network security, protecting networks against cyber-attacks and helping even if a breach has already happened.

We evaluated security programs from Damballa, Lancope and LightCyber with traffic monitoring at their core. Because these programs require real-world traffic, the topology of which in some cases must be predefined, each was evaluated using a production environment provided by the companies. (Watch the slideshow version for an abbreviated rundown of each product.)

We were given training as to each program’s features and then had unrestricted administrator access to the systems during the testing period. Each program was evaluated based on ease of use, accuracy, how quickly the program could be deployed, and what level of customization and automation could be implemented.

While all three programs worked extremely well at identifying malware based on its communications, the Damballa Failsafe product was the easiest to use, had the best user interface and would be the quickest to deploy, an important consideration if an organization suspects that their network has already been compromised.

Lancope StealthWatch provided the most details about the communications going on within a network and the relationships between groups and devices, making it a useful tool for other things beyond security, such as network optimization or even capital planning.

And LightCyber Magna proved a perfect tool for detecting hidden threats that are trying to find specific data inside a network or elevate its privileges. It can also be useful in identifying insider threats.

Here are the individual reviews:

Damballa Failsafe

Damballa officials say the company monitors a whopping 35 percent of all Internet traffic worldwide every day, and 55 percent of all US-based DNS traffic, through its partnerships with ISPs like Comcast and others. It’s a pretty safe bet that any new malware is going to run through a gateway monitored by Damballa at some point early in its life cycle.

Damballa uses that incredible reach, a team of data scientists and machine learning capabilities to profile malware. However, Failsafe isn’t signature based. Damballa samples more than 100,000 new variants of malware every day, but is only concerned with the characteristics of the malware as it pertains to network traffic.

The company then generalizes each component of the HTTP requests from the samples, looking at the requests by data type, encoding and length. In this way the characteristics of malware are identified because even though the control server, destination and camouflaging techniques used by malware change all the time, the structure of the communication is always going to be the same. That information is shared with Failsafe appliances protecting networks.
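To make the idea of a structure-based rather than signature-based profile concrete, here is an added example (not Damballa’s code, and not a description of how Failsafe implements this) that generalizes the components of an HTTP request into a structural signature: path segments and query values are replaced by their data type and a length bucket, hostnames are dropped, and the header order is kept. The sample requests are constructed, and the type classes, length buckets and thresholds are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample requests: two from the same hypothetical malware family with different
# C2 hosts and token values, and one ordinary page fetch.
SAMPLE_REQUESTS = [
    "GET /gate.php?id=7f3a9c1e&v=2.1&b64=aGVsbG8gd29ybGQ= HTTP/1.1\r\n"
    "Host: cdn-update.example.net\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "GET /gate.php?id=0b12ee44&v=3.0&b64=Z29vZGJ5ZQ== HTTP/1.1\r\n"
    "Host: files-sync.example.org\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
]


def length_bucket(n):
    """Round a length up to the next power of two so small variations collapse together."""
    return 0 if n == 0 else 1 << (n - 1).bit_length()


def classify(value):
    """Replace a concrete value by '<type:lengthbucket>'. The classes are an assumption for
    this example; the order matters (short all-letter words are 'alpha', not base64)."""
    if re.fullmatch(r"[0-9]+", value):
        kind = "int"
    elif re.fullmatch(r"[0-9]+(\.[0-9]+)+", value):
        kind = "version"
    elif len(value) >= 6 and re.fullmatch(r"[0-9a-fA-F]+", value):
        kind = "hex"
    elif re.fullmatch(r"[A-Za-z]+", value):
        kind = "alpha"
    elif len(value) % 4 == 0 and re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", value):
        kind = "b64"
    else:
        kind = "mixed"
    return f"<{kind}:{length_bucket(len(value))}>"


def generalize_segment(seg):
    """Keep static path names (gate.php) literally; generalize token-like segments."""
    stem, dot, ext = seg.rpartition(".")
    if not dot:
        stem, ext = seg, ""
    cls = classify(stem)
    if cls.startswith(("<int", "<hex", "<b64")):
        return cls + ("." + ext if dot else "")
    return seg


def structural_signature(raw):
    """Build the structure-only signature: method, generalized path and query, header order."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    path = "/".join(generalize_segment(s) for s in parts.path.split("/") if s)
    params = []
    for pair in (parts.query.split("&") if parts.query else []):
        name, _, value = pair.partition("=")      # split manually: no %-decoding of values
        params.append(f"{name}={classify(value)}")
    headers = [h.split(":", 1)[0].strip().lower() for h in header_lines if ":" in h]
    query = "?" + "&".join(params) if params else ""
    return f"{method} /{path}{query} H:{','.join(headers)}"


def cluster_by_structure(requests):
    """Group requests by signature; the value lists the Host names that share one structure."""
    clusters = defaultdict(list)
    for raw in requests:
        host = re.search(r"^Host:\s*(\S+)", raw, re.M)
        clusters[structural_signature(raw)].append(host.group(1) if host else "?")
    return dict(clusters)


if __name__ == "__main__":
    for sig, hosts in cluster_by_structure(SAMPLE_REQUESTS).items():
        print(sig, "->", hosts)
```

The two C2 requests collapse to one signature even though their hosts and every token differ, while the ordinary page fetch does not, which is the property a traffic-structure profile needs in order to survive a change of control server.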

Failsafe is installed as a single appliance with one sensor device deployed at each Internet access point so that every communication to or from a network can be monitored. Although there is some pre-installation work to determine how many sensors are needed and what IP addresses they will use, the actual installation process itself generally takes less than an hour.


Damballa engineers monitor a network following installation to ensure that devices are placed at the correct location and that no rogue communication streams exist, but barring any missteps, Failsafe can begin working at that point without further intervention. Of the three products evaluated, this makes Failsafe the quickest to deploy. Also, there is no danger that existing malware could be added to some type of good profile baseline because Failsafe only monitors traffic.

The interface is surprisingly user friendly. The top level screen is made up of a series of widgets that show the characteristics of network traffic with an emphasis on the detected threats. There are quite a few widgets available, which go into more or different details, like the type of activity that the found malware is attempting or a list of places network traffic is being sent. These can be dragged and dropped into place to become part of the main dashboard.

Drilling down into the network architecture, administrators can observe everything that is going on as it relates to suspicious activity. To reduce false positives, Failsafe does not immediately elevate suspicious activity into an alert, though administrators can look at everything the program currently considers suspicious. There are actually two engines running on the main appliance to prevent security alert overloads, one for breach detection and one for risk analysis. Both require suspicious activity to cross a certain threshold before an alert is generated.

The breach detection engine looks at three areas: behavioral analysis, content and payload analysis, and threat intelligence. Behavioral analysis includes how automated a process is, if it’s using the new domain fluxing technique employed by advanced malware, peer to peer communications and what is being executed. Content and payload analysis is mostly concerned with the type of requests being generated. And threat intelligence uses all of the Internet traffic data collected by Damballa to compare the queries and connection makeups against malware variants.

The risk profiler uses machine learning and human intelligence to determine if suspicious behavior is actually malicious. It uses variables like how much data is being transferred, if the communications were successful, if it was part of a spanning process, the importance of the protected endpoint within the organization, the threat actor being communicated with and even things like alerts from anti-virus coverage. Rather than just elevating threats once they are confirmed, the risk profiler also ranks them based on severity. It was very easy to tell which systems should be investigated right away, and which could be quarantined and worked on later.

Once an alert is generated by Failsafe, it only takes one click to drill down and see all the evidence proving that the client or device is infected. Looking at the alerts generated by the test network, the ones that bubbled to the top were clearly persistent malware, though they were able to remain hidden from traditional monitoring tools because they did things like domain fluxing, introducing jitter into their communications windows and only sneaking out a couple of kilobytes of data at a time. Failsafe pointed all this out however, clearly making the case as to why identified items were malicious.
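The behaviours described above (beaconing with jitter in the timing, and only a few kilobytes leaving per connection) are exactly what a per-destination timing statistic can surface. The following is an added example of such detection logic, not Failsafe’s own, run over a constructed connection log: for every (source, destination, port) series with enough connections it computes the mean interval and its coefficient of variation, flags series that are periodic within a jitter tolerance, and reports how much data has trickled out in total. The log lines, the thresholds and the column names are all assumptions for the example.

```python
import csv
import io
import statistics
from collections import defaultdict

# Constructed connection log, one line per outbound connection (not real capture data).
# 10.0.0.5 talks to one external host every ~5 minutes with jitter, a few KB at a time;
# 10.0.0.7 is a user browsing irregularly with bursty transfers; 10.0.0.9 is two SSH sessions.
CONN_LOG = """ts,src,dst,dport,bytes_out
1000,10.0.0.5,203.0.113.10,443,2048
1300,10.0.0.5,203.0.113.10,443,1536
1630,10.0.0.5,203.0.113.10,443,2100
1910,10.0.0.5,203.0.113.10,443,1800
2220,10.0.0.5,203.0.113.10,443,2048
2510,10.0.0.5,203.0.113.10,443,1900
2830,10.0.0.5,203.0.113.10,443,2200
3130,10.0.0.5,203.0.113.10,443,1700
3405,10.0.0.5,203.0.113.10,443,2000
1000,10.0.0.7,198.51.100.20,443,500
1005,10.0.0.7,198.51.100.20,443,12000
1905,10.0.0.7,198.51.100.20,443,900
1917,10.0.0.7,198.51.100.20,443,45000
4917,10.0.0.7,198.51.100.20,443,700
4957,10.0.0.7,198.51.100.20,443,300
4964,10.0.0.7,198.51.100.20,443,8000
6464,10.0.0.7,198.51.100.20,443,15000
2000,10.0.0.9,10.0.5.5,22,30000
2600,10.0.0.9,10.0.5.5,22,31000
"""


def parse_conn_log(text):
    """Parse the CSV log into (timestamp, src, dst, dport, bytes_out) tuples."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append((float(r["ts"]), r["src"], r["dst"], int(r["dport"]), int(r["bytes_out"])))
    return rows


def find_beacons(rows, min_conns=6, max_cv=0.35, min_period=60.0):
    """Flag (src, dst, dport) series whose connection intervals are regular despite jitter.

    min_conns: too few samples give meaningless statistics.
    max_cv:    coefficient of variation of the intervals; 0 is a perfect clock, jitter raises it.
    min_period: ignore sub-minute chatter such as a page load fanning out many requests.
    Thresholds are assumptions for this example and would be tuned per network."""
    series = defaultdict(list)
    for ts, src, dst, dport, sent in rows:
        series[(src, dst, dport)].append((ts, sent))
    findings = []
    for (src, dst, dport), conns in series.items():
        if len(conns) < min_conns:
            continue
        conns.sort()
        intervals = [b[0] - a[0] for a, b in zip(conns, conns[1:])]
        period = statistics.mean(intervals)
        if period < min_period:
            continue
        cv = statistics.pstdev(intervals) / period
        if cv <= max_cv:
            findings.append({
                "src": src, "dst": dst, "dport": dport,
                "connections": len(conns),
                "period": period, "cv": cv,
                "bytes_out": sum(sent for _, sent in conns),  # the slow-drip total
            })
    return findings


if __name__ == "__main__":
    for f in find_beacons(parse_conn_log(CONN_LOG)):
        print(f"{f['src']} -> {f['dst']}:{f['dport']} every {f['period']:.0f}s "
              f"(cv {f['cv']:.2f}), {f['bytes_out']} bytes out over {f['connections']} connections")
```

Only the jittered beacon is reported; the browsing session has just as many connections but wildly varying gaps, and the SSH pair has too few samples. Note that a destination that changes with every contact (domain fluxing) defeats a per-destination key like this one, which is why the statistic would have to be taken per source host across whatever the host resolved and contacted.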

Failsafe also has a high level of automation, which is integrated in a step-by-step basis depending on the threat level, and totally customizable by users. By default, the network that was evaluated for this review had Failsafe separate suspected systems away from critical data stores, even if the threat was not yet made into an alert. This precautionary step would keep malware from getting to the crown jewels even while the investigation was continuing. Once an infection was proven and verified by both engines, the device was automatically moved to quarantine where no more network traffic was allowed. This is the default behavior for most Failsafe installations, but what the program does and how it acts in different circumstances is customizable by users if needed.

A final feather in the cap of Failsafe is that it’s designed to work with other security programs like TippingPoint or Splunk, integrating their capabilities and allowing full control over them from its user-friendly interface. Thus, Failsafe can be dropped into any existing security architecture and become complementary instead of competitive.

LightCyber Magna

The LightCyber Magna platform is designed to separate normal user behavior from the anomalies caused by attackers. Magna is not just concerned with outgoing and incoming traffic either. It can detect, evaluate and if necessary mitigate an attacker’s lateral movement inside the network.


The Magna platform is installed in components, and not every organization will need every one. The Magna Master is an appliance that collects data from all other parts of the system and is also what users log into to configure their protection and receive alerts.

The Magna Detector is another appliance which is deployed to monitor traffic and connects to a span port in a switch or a tap.

There is also a Probe appliance that can be used to connect the traffic monitoring at branch offices back to the main master console. Most deployments are hardware based, but virtual installations of all components are also available.

An additional component is Pathfinder, which performs agent-free endpoint analysis to complement network information in the automated decision making process, and to find the root cause of suspicious behavior within endpoints.

Once installed, Magna typically waits for two to three weeks before taking any actions. During that time the software watches all network traffic to come up with baselines for each group, user and device. These baselines are used as part of a very detailed plan for preventing false positives. Even during the settling-in period, Magna does not assume that everything it sees is valid traffic. Outliers are set aside for later examination.

The interface for the Magna platform is very simple at first, and drills down into increasing complexity as needed. Some of the lower-level menus can be quite complicated, especially if there is a lot of suspicious activity going on with a device. However, for the most part the parsing of data makes it so that administrators probably won’t drill down that far unless Magna is sure that a breach has occurred.

The main dashboard shows how many known breached hosts and devices exist on a network, how many suspicious hosts that Magna is monitoring, if any systems have been quarantined and how many incidents have been fixed and closed.

Magna is very careful not to elevate incidents to alert status unless they have been verified by several sources. So for example, just because a host is periodically instigating command and control traffic does not mean that a breach has happened. There might be a valid reason, especially if the group the device belongs to or the user does that type of thing all the time.

However, adding in something like remote code execution would further raise Magna’s concern level, all of which would be visible to an administrator because suspicious hosts are shown outlined in yellow. But it would generally take something else, such as the actual detection of executable code, to raise a full alert.

One of the most interesting things we discovered was Magna’s ability to detect lateral movement within an enterprise, something that wouldn’t trigger traffic monitoring tools that are only concerned with packets crossing the network boundary. In one instance, a system on the monitored network suddenly began making peer-to-peer connections with other local devices, which elevated the problem to suspicious. This didn’t trigger a full alert, but looking at the profile, it was determined that the computer that initiated the new connections had never done so before. The protocols used for the odd connections, the ports, the size and type of data transmitted and the user who was logged in at the time were all recorded. As an added precaution, the computers or servers that were communicated with were also marked as low-level suspicious, just in case that action caused them to become infected as well.

In the case of that suspicious event, there might be an explanation, such as a new administrator who needed to check something out. But it gets flagged just in case, as it could also be an indication that a user has gone rogue. In this way, trusted insiders who suddenly start to do bad things can possibly be caught. It’s worth noting that the action in question was not flagged as an alert, as Magna only elevates to that level when the assurance is close to 100 percent.

LightCyber officials said that on networks they monitor with thousands of devices, the number of alerts raised averages about two or three per day. Once an alert is triggered, response teams have some basic options. To halt an ongoing attack on the test network, we were given the option to lock out the infected computer using Active Directory, remove any malicious files from the infected host, remove all files located on different parts of the network with the same MD5 hash or create a firewall rule that would block a malicious website belonging to a threat actor.

All of these actions, or only a few, could be selected with a series of check boxes and instigated with a single click.

LightCyber Magna is a great tool for organizations concerned with advanced persistent threats or attacks that are instigated from within a network. No matter if it’s a program that comes from the outside, gets installed from a key drive, or even if it’s a human trying to do something malicious, none of them can hide their actual communications. Magna can monitor, record and stop them.

Lancope StealthWatch

Lancope StealthWatch offers up some of the most granular information of any product in this evaluation, and it gathers that data in an unusual way. The downside is that it also requires the most training in order to be able to set up and use it properly, and also has the longest setup process before administrators can begin to receive helpful reports.

StealthWatch exclusively monitors flow data. All flow formats are supported including NetFlow, IPFIX, sFlow, jFlow and others. StealthWatch is deployed as two appliances, a flow collector that records all transactions and a management console that opens up an SSL connection and allows for user interaction. Because flow is a Layer 3 process, almost every router and communication device will make use of it.

However, because there are a few rare hardware configurations, such as in the high-performance computing environment, that do not support flow, Lancope has another smaller appliance that can be added to individual routers or devices if needed. Our test environment didn’t have any exceptions.

Flow is an interesting way to record traffic because a flow represents a single end-to-end transmission over a network. As such, a single transmission can generate many flows as it moves in and through devices within the network. However, the StealthWatch collector, which can handle as many as 240,000 flows per second, also removes duplicate information so that administrators only see one record per communication. The entire chain is saved if needed, but that parsing helps to keep the user interface uncluttered. One management console can handle up to 25 collectors, so even a baseline StealthWatch system can process an incredible amount of flow data.
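Because the same connection is exported once by every flow-capable device it passes, a collector that does not de-duplicate shows one communication several times and, worse, counts its bytes several times. The following added example (not Lancope’s code, and not how StealthWatch does it internally) merges flow records that share a 5-tuple and start within a short window into a single record that still remembers which exporters saw it, so the whole chain is kept while the administrator sees one line. The export records, exporter names and the one-second window are constructed assumptions.

```python
import csv
import io

# Constructed flow export (not real data): one TLS connection seen by three exporters on its
# path, one SSH connection seen by two, one SMB connection seen only by its access switch, and
# a later connection that reuses the same source port as the first (ephemeral port reuse).
FLOW_EXPORT = """exporter,start,src,sport,dst,dport,proto,bytes
access-sw-1,100.00,10.0.1.20,51514,198.51.100.7,443,tcp,84210
core-rtr-1,100.01,10.0.1.20,51514,198.51.100.7,443,tcp,84210
edge-fw-1,100.02,10.0.1.20,51514,198.51.100.7,443,tcp,84210
access-sw-1,105.40,10.0.1.21,40022,10.0.5.5,22,tcp,3120
core-rtr-1,105.41,10.0.1.21,40022,10.0.5.5,22,tcp,3120
access-sw-2,110.00,10.0.2.9,38891,10.0.2.10,445,tcp,1500
access-sw-1,900.00,10.0.1.20,51514,198.51.100.7,443,tcp,9000
core-rtr-1,900.01,10.0.1.20,51514,198.51.100.7,443,tcp,9000
edge-fw-1,900.02,10.0.1.20,51514,198.51.100.7,443,tcp,9000
"""


def parse_flows(text):
    """Parse the CSV export into typed flow dicts."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "exporter": r["exporter"], "start": float(r["start"]),
            "src": r["src"], "sport": int(r["sport"]),
            "dst": r["dst"], "dport": int(r["dport"]),
            "proto": r["proto"], "bytes": int(r["bytes"]),
        })
    return rows


def dedupe_flows(records, window=1.0):
    """Merge records with the same 5-tuple whose start times fall within `window` seconds.

    The window keeps a later connection that reuses the same ports (a genuinely new
    communication) from being folded into an earlier one. Bytes are taken as the maximum
    across exporters, never summed: every exporter saw the same packets."""
    latest = {}   # 5-tuple -> the merged record most recently opened for it
    merged = []
    for r in sorted(records, key=lambda rec: rec["start"]):
        key = (r["src"], r["sport"], r["dst"], r["dport"], r["proto"])
        m = latest.get(key)
        if m is not None and r["start"] - m["start"] <= window:
            m["exporters"].append(r["exporter"])     # keep the chain of devices that saw it
            m["bytes"] = max(m["bytes"], r["bytes"])
            continue
        m = {k: v for k, v in r.items() if k != "exporter"}
        m["exporters"] = [r["exporter"]]
        merged.append(m)
        latest[key] = m
    return merged


def total_bytes(records):
    """Sum the byte counts of a record list (raw vs. de-duplicated shows the inflation)."""
    return sum(r["bytes"] for r in records)


if __name__ == "__main__":
    raw = parse_flows(FLOW_EXPORT)
    unique = dedupe_flows(raw)
    print(f"{len(raw)} exported records -> {len(unique)} communications")
    print(f"bytes counted raw: {total_bytes(raw)}, after de-duplication: {total_bytes(unique)}")
    for m in unique:
        print(m["src"], m["sport"], "->", m["dst"], m["dport"], "seen by", m["exporters"])
```

Nine exported records become four communications, and the raw byte total of 287,370 drops to the 97,830 bytes that actually crossed the wire, which is the difference between a usable traffic graph and a tripled one.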

While all that flow data shows a complete picture of what communications are going on within a network, sorting everything into meaningful information takes time. Devices within a network need to be identified to StealthWatch by a variety of criteria. While the group definitions are optional, the more there are, the better chance that a network administrator can identify anomalies in the system that could point to malware or the presence of attackers. Lancope recommends that groups be defined by location, function and type.

Populating a group in StealthWatch can be done using a third-party IP address management system, importing a .csv file or right-clicking and specifying an IP range. So if every device in a Baltimore office falls within a range, you can tell StealthWatch that range and it will automatically populate the Baltimore group.

Individual devices can also be designated into groups like servers, DNS appliances, file servers, antivirus scanners, firewalls or anything else. As such, many devices will likely fall into multiple groups. All of this setup could seem a bit tedious, and Lancope officials said a typical setup takes between two and eight weeks, but once in place, it gives an incredibly detailed view of network connectivity. In addition to the setup time, StealthWatch also needs seven additional days of continuous monitoring to be able to start spotting anomalous activity.

The overview of network concerns identified by StealthWatch will appear on the main dashboard and there is also an app for use on mobile devices. From there, administrators can drill down as far as they want, all the way down to scrutinizing individual flows. Everything in the GUI is clickable, even the charts and graphs, so performing a drill down into the data is more or less effortless. And because all network traffic is graphed, it becomes easy to use StealthWatch for things other than security, such as seeing that one mail server is maxed out with traffic while others are hardly being used, as was the case in our evaluation network.

Users can also click on individual groups and see specific concerns within those systems. Anomalous behavior is rated based on a concern index. StealthWatch adds points, sort of like demerits, each time a system does something suspicious. StealthWatch adds more points if the behavior is more active.

On the test network, devices that were spoofing, pinging oversized packets and TCP scanning shot up to over 2,000 percent concern. As with the rest of the program it was quite easy to drill down into those systems and see absolutely everything about them in terms of communications. That included every protocol they were using, how many bytes were in and outbound, what applications were initiating those communications and which user credentials were being used.

A particularly large communication was identified that went on for over three hours, dumping a huge amount of data from a client desktop to a remote server. Once that communication was clicked on, everything about it was available. Clicking on the user showed a history of other odd communications, possible evidence that a rogue trusted insider situation might be developing. If the person in question has a valid reason for those communications, they can be manually removed from the concern list, or have specific activities removed so that they drop off the list.

StealthWatch still records all activity, but won’t send it up into the list of highly concerning items to track. In the event of malware on a system that eventually gets cleaned, the infected system will no longer behave badly and its demerit points will quickly erode, starting the day after the cleansing. After a few days of no more anomalous activity, it drops off the concern list entirely.

Another big advantage to StealthWatch, which no other program had, was the ability to define relationships between devices and groups and specifically monitor that traffic. So if an organization has regulatory requirements where certain devices are not allowed to communicate with each other, defining that restriction to StealthWatch will set up a communications map and alert administrators if any traffic occurs between restricted devices or groups.

In addition, entire protocols can be restricted. During the test, Telnet was made a restricted protocol. Thereafter, any Telnet communication within a network was immediately flagged as a concern. Incoming Telnet requests were also flagged, and given a much higher concern index score if any of those requests from outside were successful.
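The concern index described above (demerit points that accumulate per host, erode once the behavior stops, and can be waived by an analyst for an explained activity) and the restricted relationships and protocols from the last two paragraphs both reduce to a small scoring loop over flow records. Here is an added example of that loop; it is not Lancope’s scoring model, and the point values, the 50 percent per-day decay, the 500-point threshold, the group inventory and the flow records are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed asset inventory and policy (assumptions for this example).
GROUPS = {
    "10.1.0.10": "pci-cardholder",
    "10.9.0.50": "guest-wifi",
    "10.2.0.7": "workstations",
    "10.2.0.8": "workstations",
    "10.2.0.99": "servers",
    "203.0.113.9": "external",
}
RESTRICTED_PORTS = {23: "telnet"}                                  # protocols never allowed
RESTRICTED_PAIRS = {frozenset({"pci-cardholder", "guest-wifi"})}   # groups that may never talk
BASE_POINTS = {"spoof": 200, "oversized_ping": 150, "tcp_scan": 300}  # demerits per behaviour


def points_for(flow):
    """Return (reason, points) demerits earned by one flow record under the policy."""
    reasons = [(tag, BASE_POINTS[tag]) for tag in flow.get("tags", ())]
    proto = RESTRICTED_PORTS.get(flow["dport"])
    if proto:
        if GROUPS.get(flow["src"]) == "external":
            reasons.append((f"{proto}_inbound", 150))
            if flow.get("success"):
                # a restricted protocol that actually got in from outside weighs far more
                reasons.append((f"{proto}_inbound_success", 450))
        else:
            reasons.append((f"{proto}_internal", 100))
    if frozenset({GROUPS.get(flow["src"]), GROUPS.get(flow["dst"])}) in RESTRICTED_PAIRS:
        reasons.append(("restricted_pair", 400))
    return reasons


def concern_history(flows, days, decay=0.5, suppressed=frozenset()):
    """Per-day concern index per source host.

    Each day the previous score decays (the erosion once a host stops misbehaving), then the
    day's demerits are added. `suppressed` holds (host, reason) pairs an analyst has accepted
    as legitimate; those flows are still in the record but earn no points."""
    scores = defaultdict(float)
    history = {}
    for day in days:
        for host in scores:
            scores[host] *= decay
        for flow in (f for f in flows if f["day"] == day):
            for reason, pts in points_for(flow):
                if (flow["src"], reason) not in suppressed:
                    scores[flow["src"]] += pts
        history[day] = dict(scores)
    return history


def concern_list(day_scores, threshold=500):
    """Hosts whose index is high enough to appear on the concern list for that day."""
    return sorted(host for host, score in day_scores.items() if score >= threshold)


# Constructed flow records tagged with the behaviours a flow analyser would already have labelled.
FLOWS = [
    {"day": 1, "src": "10.2.0.7", "dst": "10.2.0.99", "dport": 445, "tags": ["tcp_scan", "spoof"]},
    {"day": 1, "src": "203.0.113.9", "dst": "10.1.0.10", "dport": 23, "success": True},
    {"day": 1, "src": "10.1.0.10", "dst": "10.9.0.50", "dport": 443},
    {"day": 2, "src": "10.2.0.7", "dst": "10.2.0.99", "dport": 80, "tags": ["oversized_ping"]},
    {"day": 2, "src": "10.2.0.7", "dst": "10.2.0.8", "dport": 23},
]

if __name__ == "__main__":
    history = concern_history(FLOWS, days=[1, 2, 3, 4])
    for day, scores in history.items():
        print(f"day {day}: {scores} -> concern list {concern_list(scores)}")
    waived = concern_history(FLOWS, days=[1], suppressed={("10.1.0.10", "restricted_pair")})
    print("with the PCI-to-guest flow waived:", waived[1])
```

The scanning workstation and the outside host that completed a Telnet login both cross the threshold on day one; the PCI host that talked to the guest network is flagged but stays below it, and disappears from scoring entirely once an analyst waives that specific relationship. From day three on, with no new activity, every score halves each day and the concern list empties.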

StealthWatch is an incredibly powerful tool, but it is also difficult to use because of its complexity. Were it not equipped with such a good graphical front end user interface, it would be even more challenging to master. It’s not something that an organization would install as a quick fix to halt a breach, but it can be very good at finding them once all the work is done to put StealthWatch in place.

Once running, StealthWatch has a lot of value beyond just security, which is something to consider when deciding whether or not to make the investment in time and money. It has a steep learning curve, but the network visibility that administrators can achieve at the very top likely makes the climb worth the effort.

John Breeden is an award winning reviewer and public speaker with over 20 years of experience. He is currently the CEO of the Tech Writers Bureau, a group of influential journalists and writers who work in government and other circles. He can be reached at