Webinar Q&A: Hunting Attackers with Network Audit Trails
Q&A from the September 26th webinar "Hunting Attackers with Network Audit Trails" with Lancope's Director of Research, Tom Cross.
Q: Can StealthWatch be configured to alert via e-mail or SMS in the event of unusually large exfiltrations of data from servers, such as the example you've identified in this presentation?
A. Yes! Lancope's StealthWatch has a variety of different responses that can be configured when events are detected, including e-mail and Syslog.
Q: Recon based on strange data flows will require extensive knowledge about hosts and their function. How do you identify malware behavior and prevent false positives?
A. We look for both anomalous and suspicious behaviors based on behavioral profiles that we develop for each host. Our algorithms have seen a lot of use in the field across many customers and key in on behaviors that are worth investigating. In our product you can organize hosts into host groups by function, and this does help to reduce false positives.
Q: StealthWatch works for internal scanning patterns but how do you deal with proxy aware APT traffic?
A. We have a number of anomalies that will work against proxy aware malware. For example, we can detect exfiltration through the proxy based on anomalous amounts of data, and we can detect long or repeated connections that are consistent with command and control activity.
Q: When you see a computer that talked to the skull and bones sites is this a compromise or a potential drive by?
A. The skull and cross bones icon in Stealthwatch is associated with our SLIC threat feed. That feed has malware command and control addresses in it – so when you see a computer that talked to those destinations, that computer is infected with malware. There are no drive-by-download sites in the SLIC threat feed today, although we may add them in the future.
See today's top threats on our SLIC threat scope maps.
Q: What’s the best way of getting attackers info without them knowing they are been watched and followed?
A. NetFlow can provide a good way to monitor the activity of attackers operating in your network. It is totally passive so the attacker would not inherently be aware of it.
Q: Using NetFlow, can you see the actual data file names being transported out of your environment? Example reame.txt
A. No, in NetFlow you can’t see content, generally. In some cases you can get the first few bytes of content from a particular network transaction, and I used that feature in the webinar to show an example where you could see that a my sql dump was being uploaded, but the first few bytes of content may not necessarily tell you the filename.
Q: Is there merit to sampling flows? Or should everything be collected.
A. It is best to collect everything. When you are doing forensic analysis of a network audit trail you want to see every transaction that happened and not just randomly sampled ones, so that you can fully reconstruct every action taken by an attacker.
Q: How does Lancope compares to Splunk's NetFlow app ?
Our sales engineer Charles Herring did a very thorough rundown on that question in the following blog post: http://f15hb0wn.com/blog/evaluating-netflow-tools-infosec
Q: Can your analysis of NetFlow packets to indicate where a human is accessing the network or a bot?
A. This is an area of constant research for us. We baseline host behavior and can identify when that behavior is anomalous. Anomalous behavior can be an indicator that a host is compromised. We also look for specific behaviors that are suspicious, such as scanning and data exfiltration. We are continuing to explore ways to leverage our integration with Cisco ISE to find new ways to identify compromised user accounts.
To learn how network logging technologies such as NetFlow and IPFIX can be applied to the problem of detecting sophisticated, targeted attacks and used to create an audit trail of network activity that can be analyzed, both automatically and by skilled investigators, to uncover anomalous traffic watch the full webinar here.
Follow Alicia Butler on Google+.
TAGS netflow, network security, network visibility, advanced threats, advanced persistent threat