
By Mary Roark

Five ways to hunt for security threats in 2022

How well do you understand your organization’s business cycle? 

As an IT professional, you may not think this kind of knowledge is necessary for your job, because you work with systems rather than people and customers. When it comes to threat detection, however, holding this kind of belief could be a grave mistake. All too often, the security risk is viewed as something that comes from bad actors from the outside—and it often is. 

But what about your colleagues within the organization? If you’re familiar with the typical system usage patterns for different employee populations, that can help you quickly identify a user who shouldn’t be looking at certain kinds of data but suddenly is accessing portals unrelated to their job. 

Threat hunting is all about this kind of storytelling, and context is king. Understanding your metadata is how you can identify anomalies in system access. 

It’s essential to have a threat-detection protocol in place that looks at both internal and external activity. Here are five areas of focus for strengthening security in 2022.

1. Network traffic analysis

A majority (87 percent) of organizations say they use network traffic analysis (NTA)—the process of looking at network traffic communication patterns—to detect and respond to threats, according to research in 2020 by Enterprise Strategy Group, an IT market intelligence firm. Having real-time data available helps address any breaches more quickly.

NTA differs from other tools, such as firewalls and intrusion detection and prevention systems, because it’s not limited to perimeters. It uses a combination of machine learning and behavioral analysis to see differences over time and identify any breaches or threats. What’s more, it helps you figure out what the hacker was after. 

2. Key metadata on traffic (packet analysis)

Network metadata goes deeper to help show a sequence of events that can provide context for threats and incidents. A key advantage is that it uses real-time, in-memory processing to quickly help detect and respond to events. 

The term “metadata” is often used loosely in IT, so it’s important not to confuse network metadata with other types of data. NetFlow data, for example, is not provided in real time and is not as easily digestible as network metadata. PCAP data comes in raw packets, unlike metadata. SNMP metadata pertains only to devices that speak that particular protocol. 

When you’re looking at flow sources, such as servers, routers, switches, and firewalls, network metadata provides you with full visibility into who was involved (IP information), what was affected, and when usage started and ended. Metadata also provides usage, QoS, path, and route information. 

Ultimately, you want full packet capture—HTML files, attachments, device-related data, and user-related data (credentials, duration of sessions, and so on). 

3. Alerts versus incidents

How do you prioritize what to look for? This is a simple question that can open a world of hurt.

To gain better insight into attacker behavior patterns, the MITRE ATT&CK matrix can be used to break down the evolution of an attack. This framework lets you look at the pathway from initial access to privilege escalation, lateral movement, command and control, and, finally, the breach’s impact. Alerts that line up along that pathway on the same host are an incident in the making; an isolated alert is just an alert. 
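As an added illustration that is not part of the original post, the following Python groups individual alerts per host along the ATT&CK pathway named above and ranks hosts by how many stages they have progressed through, so a multi-stage chain surfaces as an incident ahead of isolated alerts. The alerts, host names and tactic labels are constructed for the example.

```python
from collections import defaultdict

# Ordered tactic pathway from the section, initial access through impact.
PATHWAY = ["initial-access", "privilege-escalation", "lateral-movement",
           "command-and-control", "impact"]
STAGE = {tactic: i for i, tactic in enumerate(PATHWAY)}

# Constructed alerts (not from any real SIEM): (host, tactic, detail).
ALERTS = [
    ("ws-17", "initial-access", "phishing attachment opened"),
    ("ws-17", "privilege-escalation", "new local admin account created"),
    ("ws-17", "lateral-movement", "SMB logon to file-srv-02"),
    ("ws-17", "lateral-movement", "SMB logon to file-srv-03"),
    ("ws-42", "initial-access", "phishing attachment opened"),
    ("db-01", "command-and-control", "periodic beacon to unknown host"),
]


def group_into_incidents(alerts):
    """Correlate alerts per host into candidate incidents.

    Each host becomes one candidate incident described by the distinct tactics
    seen on it and the furthest pathway stage reached. Hosts are ordered so the
    one covering the most stages (a progressing attack) comes first; ties are
    broken by how far along the pathway the host has gotten.
    """
    by_host = defaultdict(set)
    for host, tactic, _detail in alerts:
        by_host[host].add(tactic)

    incidents = []
    for host, tactics in by_host.items():
        stages = sorted(STAGE[t] for t in tactics)
        incidents.append({
            "host": host,
            "tactics": [PATHWAY[s] for s in stages],
            "stages_seen": len(stages),
            "furthest": PATHWAY[stages[-1]],
        })
    incidents.sort(key=lambda inc: (inc["stages_seen"], STAGE[inc["furthest"]]),
                   reverse=True)
    return incidents


if __name__ == "__main__":
    for inc in group_into_incidents(ALERTS):
        print(inc["host"], inc["stages_seen"], inc["furthest"], inc["tactics"])
```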

4. Identification of unusual data flows

In what direction does evil travel? North to south? East to west? 

Attackers are stealthy in how they approach taking control of systems. They know how to mimic normal behaviors in the network to avoid detection. They use multi-stage channels to hide within application layer protocols and encoded data.

This means you have to know the ins and outs of your network extremely well and be able to spot unusual patterns. For example, what about an employee who usually logs into marketing portals but now is entering those for finance? Authorization and authentication are critical here, and they become especially important in the post-COVID world of widespread telework.
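The marketing-versus-finance scenario above, worked through as an added example that is not part of the original post: a baseline of which portals each employee population uses, and at which hours, is learned from one window of network-metadata records (who, what, when), and a later window is checked against it. The records, user names, departments and portal names are constructed for the example.

```python
from collections import defaultdict

# Constructed network-metadata records (not real traffic), reduced to the
# "who, what, when" fields: user, department, destination portal, start hour.
BASELINE_WINDOW = [
    ("alice", "marketing", "marketing-portal", 9),
    ("alice", "marketing", "crm", 14),
    ("bob", "marketing", "marketing-portal", 10),
    ("bob", "marketing", "crm", 16),
    ("carol", "finance", "finance-portal", 8),
    ("carol", "finance", "erp", 15),
    ("dave", "finance", "finance-portal", 11),
]

HUNT_WINDOW = [
    ("alice", "marketing", "marketing-portal", 11),  # usual portal, usual hours
    ("bob", "marketing", "finance-portal", 10),      # portal unrelated to the job
    ("carol", "finance", "erp", 2),                  # usual portal, unusual hour
    ("erin", "sales", "crm", 13),                    # population never baselined
]


def build_baseline(records):
    """Trend analysis per employee population: the portals each department
    reaches and the session start hours at which it reaches them."""
    portals, hours = defaultdict(set), defaultdict(set)
    for _user, dept, portal, hour in records:
        portals[dept].add(portal)
        hours[dept].add(hour)
    return {"portals": portals, "hours": hours}


def find_anomalies(baseline, records, hour_slack=1):
    """Return (user, portal, reason) for each record that departs from its
    population's baseline. hour_slack widens the usual-hours band so a session
    starting just outside it is not flagged; hours wrap around midnight."""
    findings = []
    for user, dept, portal, hour in records:
        if dept not in baseline["portals"]:
            findings.append((user, portal, "no-baseline-for-population"))
        elif portal not in baseline["portals"][dept]:
            findings.append((user, portal, "portal-unseen-for-population"))
        elif not any(min(abs(hour - h), 24 - abs(hour - h)) <= hour_slack
                     for h in baseline["hours"][dept]):
            findings.append((user, portal, "off-hours-for-population"))
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(build_baseline(BASELINE_WINDOW), HUNT_WINDOW):
        print(finding)
```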

5. Security practice and culture development

Cybersecurity doesn’t have to be all doom and gloom. The growing popularity of Capture the Flag (CTF) events has given IT professionals a fun way to think like an attacker and learn more about security threats and how to thwart them. A CTF is typically a contest in which players search for security vulnerabilities in software to recover a flag—usually a string of characters in a known format hidden in the target—and earn points, with the most flags winning the game.  

Increasing cross-functional interaction can be helpful in identifying threats and developing a plan to address a crisis quickly and efficiently. This is particularly important among network operations and security operations teams, but it also extends across the rest of the organization to build a greater understanding of what’s going on within the network. 

Think like a detective

In today’s threat environment, a little paranoia isn’t a bad thing. It’s important to keep evolving threat-hunting skills. Ongoing performance monitoring is the base step: it shows you typical network and application usage. You then want to perform a trend analysis to establish what typical usage looks like within each employee population, so you can identify anomalies more quickly. From there, you can use those insights to get more predictive in your approach and make correlations. Finally, you can get to a level where you use all this knowledge to develop stronger policy updates and behavior analytics.

If threat hunting were easy, it would likely be totally automated by now. Only human detective work can look beyond “the normal” and spot unusual activity. 


To learn more about this topic, watch Accedian’s recent SANS Cyberfest webinar on threat hunting.