Necessary Roughness: Tackle Network Threats with NetFlow by David Brooks

Necessary Roughness: How to Tackle Today's Top Threats with NetFlow

The Superbowl is this coming Sunday, and like any good tech company should, Lancope decided we needed a Superbowl-themed blog post.  I labored for a few days on how to tie together two unrelated things: football and infosec, or even football and NetFlow.  There’s not a ton of obvious correlation, to be honest, but before I went down the path of attempting to make a horrible comparison between a 3-4 defense and a layered security approach that people could groan at, a colleague of mine mentioned to me that the Miami Dolphins actually had their website defaced back in 2006, right before the Superbowl. 

My first thought was one of shock, mostly at the notion that the Dolphins had been anywhere near a Superbowl since TCP/IP was even a thing.  A quick Google search soothed the fear that I’d gone crazy and forgotten what would have been a monumental moment in sports, and turned up what actually occurred:  in 2007, the Dolphin Stadium website (the stadium where the Superbowl between the Indianapolis Colts and Chicago Bears was being held) was defaced and was hosting malicious code. 

So, there you have it: a Superbowl-related cybersecurity incident.  The game on the field often isn’t the primary draw on that particular Sunday; on more than one occasion the commercials have been the bigger star.  More advertising dollars are spent on this single sporting event than on any other, and the Superbowl is the single most watched television event annually, with an estimated 111 million viewers on average.  With ads come an attentive audience, some portion of whom want to part with their money for a particular product.  This opens up a rather large window for attackers to exploit people’s willingness to open their wallets. 

This year, as in most recent years, there may be an uptick in the number of malicious emails sent in an attempt to lure their recipients into clicking a nasty link under the cover of being from a legitimate source, potentially a source that’s hot on everybody’s mind.  With the rise of ransomware (like Cryptolocker) over the past year, the stakes may be higher now than ever. 

The usual adages remain true – educate yourself and your users, ensure that you know what’s happening holistically on your network (not just the edge), and rely on a layered approach to practical security.  Targeted emails may well waltz right through the front door and leave you vulnerable.  

The StealthWatch System can help with this by leveraging NetFlow/IPFIX and applying behavioral algorithms to your organization’s traffic patterns to determine what activity may be anomalous, but the ultimate responsibility rests with the user, who must exercise caution with their own activity, and with a security organization that is effective in educating its users.
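To make the "baseline, then flag the deviation" idea above concrete, here is a small added example of behavioral detection over flow records. It is written for this post and is not StealthWatch code; it makes no claim about Lancope's actual algorithms. Everything in it is an assumption of the example: the flows have already been exported and flattened to CSV as `ts,src,dst,dport,proto,bytes`, 10.0.0.0/8 is "inside", and the thresholds (`volume_factor`, `smb_fanout`) and the sample traffic are constructed for illustration rather than tuned from real data. It learns each internal host's normal daily outbound volume and external peer set from a baseline period, then flags two things a phishing click or a ransomware detonation tends to produce: a large push to never-before-seen external hosts, and a single host touching many internal SMB servers in one day.

```python
"""Baseline-and-deviation detection over NetFlow/IPFIX-style records.

Added example; NOT StealthWatch code. Assumptions (all mine): flows are
flattened to CSV as ts,src,dst,dport,proto,bytes; 10.0.0.0/8 is internal;
thresholds and sample traffic below are illustrative only.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple
import ipaddress
import statistics

DAY = 86400
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption


@dataclass(frozen=True)
class Flow:
    ts: int      # flow start, epoch seconds
    src: str
    dst: str
    dport: int
    proto: int   # IP protocol number, 6 = TCP
    nbytes: int  # bytes sent from src to dst


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text: str) -> List[Flow]:
    """Parse the flattened CSV form; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto, nbytes = line.split(",")
        flows.append(Flow(int(ts), src, dst, int(dport), int(proto), int(nbytes)))
    return flows


def profile(flows: List[Flow]) -> Dict[str, Dict[int, dict]]:
    """Per internal source host, per day: bytes to each external peer, plus the
    set of internal hosts it reached on TCP/445."""
    prof = defaultdict(lambda: defaultdict(lambda: {"peer_bytes": defaultdict(int), "smb": set()}))
    for f in flows:
        if not is_internal(f.src):
            continue
        day = prof[f.src][f.ts // DAY]
        if is_internal(f.dst):
            if f.proto == 6 and f.dport == 445:
                day["smb"].add(f.dst)
        else:
            day["peer_bytes"][f.dst] += f.nbytes
    return prof


def detect(baseline: List[Flow], current: List[Flow],
           volume_factor: float = 5.0, smb_fanout: int = 4) -> List[Tuple]:
    """Flag (1) hosts that send more to never-before-seen external peers than
    volume_factor times their normal daily outbound total, and (2) hosts that
    touch smb_fanout or more internal SMB servers in one day."""
    base, cur, alerts = profile(baseline), profile(current), []
    for host, days in cur.items():
        hist = base.get(host, {})
        totals = [sum(d["peer_bytes"].values()) for d in hist.values()]
        mean_out = statistics.mean(totals) if totals else 0.0
        known = set().union(*(d["peer_bytes"].keys() for d in hist.values())) if hist else set()
        for _day, d in sorted(days.items()):
            new_peers = {p: b for p, b in d["peer_bytes"].items() if p not in known}
            new_bytes = sum(new_peers.values())
            if new_bytes > volume_factor * max(mean_out, 1.0):
                alerts.append((host, "exfil-or-c2", sorted(new_peers), new_bytes))
            if len(d["smb"]) >= smb_fanout:
                alerts.append((host, "smb-fanout", sorted(d["smb"]), len(d["smb"])))
    return alerts


# Constructed sample traffic (not real captures): two quiet baseline days, then
# a day where 10.1.1.20 pushes 2 MB to a new external host and 10.1.1.30
# sweeps four internal SMB servers; 10.1.1.40 behaves as it always has.
BASELINE_CSV = """
# ts,src,dst,dport,proto,bytes
1700000000,10.1.1.20,203.0.113.10,443,6,100000
1700086400,10.1.1.20,203.0.113.10,443,6,100000
1700000000,10.1.1.30,203.0.113.10,443,6,50000
1700086400,10.1.1.30,203.0.113.10,443,6,50000
1700000000,10.1.1.40,203.0.113.10,443,6,70000
1700086400,10.1.1.40,203.0.113.10,443,6,70000
1700086500,10.1.1.40,10.1.2.1,445,6,8000
"""
CURRENT_CSV = """
1700172800,10.1.1.20,203.0.113.10,443,6,90000
1700172900,10.1.1.20,198.51.100.7,443,6,2000000
1700172800,10.1.1.30,203.0.113.10,443,6,50000
1700173000,10.1.1.30,10.1.2.1,445,6,8000
1700173001,10.1.1.30,10.1.2.2,445,6,8000
1700173002,10.1.1.30,10.1.2.3,445,6,8000
1700173003,10.1.1.30,10.1.2.4,445,6,8000
1700172800,10.1.1.40,203.0.113.10,443,6,70000
1700173100,10.1.1.40,10.1.2.1,445,6,8000
"""


def run_example() -> List[Tuple]:
    return detect(parse_flows(BASELINE_CSV), parse_flows(CURRENT_CSV))
```

Running `run_example()` yields two alerts: 10.1.1.20 for 2,000,000 bytes to the previously unseen 198.51.100.7, and 10.1.1.30 for SMB fan-out to four internal servers; 10.1.1.40 is quiet because its one SMB peer and its outbound volume match its baseline. Note the caveat built into `detect`: a host with no baseline has a mean of zero, so any outbound traffic to a new peer is flagged. That is the right default for a newly appeared device, but it means the baseline window has to be long enough to cover every host you expect to see, or the first day of monitoring will be noisy.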