Detecting "Fake" Applications with Stealthwatch
It is sometimes important for security operators to be able to detect applications used over non-standard ports. Cisco Stealthwatch Flow Sensors have the ability to tag traffic and automatically detect applications using deep packet inspection (DPI). Applications in Stealthwatch are defined by:
- IP Address of the server or Host group (i.e.: 192.168.0.1 or Inside Host/Servers)
- Port/Protocol combination (i.e.: 22/tcp)
- DPI Classification (i.e.: SSH)
It is possible to query Stealthwatch to retrieve all SSH traffic not on port 22/tcp. We will show two scenarios that would get different benefits.
Scenario 1 – Filters using JavaUI
On the JavaUI it is possible to use the Top Conversations Report, filtered as shown in the image below, to get all SSH traffic not on port 22/tcp:
The results of the query are shown in the following image:
Same query type, run for HTTP and HTTPS traffic not on port 80/tcp and 443/tcp. Results shown in the image below:
Additional filters could be applied to fine tune the query and lookup for specific compliancy issues.
The query can be saved for future reference. Once the document is saved, it can be scheduled to run automatically. The scheduler has the option “Suppress empty files” in order to be notified on only the real issues.
Scenario 2 – Policy for Fake Applications
In the Host policy manager, we can create specific policies for specific host groups. In the example below we will create a policy that alarms for any application that is not going to a standard IANA assigned port:
In this case we are setting a policy applied to the group “Confidential Servers” and turned on the security event “Fake Application Detected”. We have enabled the event and set to generate an alarm. No automatic mitigation actions have been set.
The result of the policy:
Additional filters could be applied to fine-tune all the queries and lookup for specific compliancy issues.
Once the results are acceptable, it is possible to set alarms using the custom event manager and the response manager in order to generate emails, SNMP Traps, or syslog messages, as required.
This is only one type of advanced threat that can be detected by Stealthwatch. Others include command-and-control activity, distributed denial-of-service (DDoS) attacks, insider threats, malware propagation, and more.