One of the best methods for detecting hard-to-find attackers, such as advanced persistent threat (APT) actors, is network traffic flow analysis, or netflow analysis.
Here's the basic idea: Most servers don’t talk to other servers. Most servers don’t connect to most workstations. Workstations almost never talk to another workstation. Most workstations don’t talk to every server. Thus, if you understand the legitimate, expected network traffic flows in your environment, you can discover badness with a tool that detects abnormalities and generates alerts.
To do this, you need a good netflow analysis tool. I’ve been trying to find the perfect one for many years; I even offered a few reasonable candidates last month. But nothing I came across was exactly what I was looking for -- until now.
My new favorite tool is Lancope’s StealthWatch. When I say it’s perfect, I really mean it’s near-perfect. I saw one or two small flaws, which I’ll share later.
StealthWatch (available as a virtual or physical appliance) works by collecting network flow statistics from network devices using industry-accepted flow export formats. These include sFlow, Cisco’s NetFlow, Juniper’s J-Flow, and IPFIX.
The netflows are collected and deduped (which would be a huge effort if you tried to collect and analyze the traffic yourself), then used to generate a clear picture of the network traffic flows within your organization. Much like the Internet knows more about you than you know about yourself, StealthWatch knows more about what your computers are doing than the users accessing them know.
Initially, StealthWatch gathers all computers into two or three logical containers: Inside Hosts, Outside Hosts, and Command & Control servers. The last one is populated by imported reputation feeds from Lancope. If a computer in your environment is communicating with an outside C&C computer, the destination host will turn up here. You can create as many logical containers as you like (such as Servers, Domain Controllers, Workstations, SharePoint servers, and so on) and easily place a single device into multiple logical containers.
StealthWatch then baselines each monitored device using 90 different attributes: what it’s communicating with, how long each communication lasts, how much data is sent or downloaded, and the rest. We're talking more attributes than you would ever baseline manually. You can also define allowed and disallowed connections. An example of the latter might be an alert that pops up whenever a workstation talks to another workstation.
Each logical group is assigned a Concern Index -- basically, a criticality ranking. You'll want to explore yellow and red rankings first. StealthWatch comes with dozens of scenarios you can define and alert on. I was like a kid in a candy shop. Here are some of the ones I found within a few minutes:
- Large traffic ("suspected data hoarder")
- An employee downloading too much as they are separated from employment
- Devices bypassing legitimate egress points
- Identifying devices connecting to known malicious networks
- Port scanning traffic (many different types)
- Various DDoS attack types
- Unusual times or large flows for particular times or regions
- Beaconing hosts (sending data outbound one direction)
- Tons of firewall denials to the same source or port
- Number of initiated connections over average
- Quiet long flows
- High volume of email
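As an added example (not part of the original column and not StealthWatch's own code), here is a small Python checker that applies two of the ideas above to a constructed set of NetFlow-style records: a disallowed-connection rule between logical host groups (workstation talking to workstation) and beaconing detection on outbound flows. The group address ranges, record layout and thresholds are assumptions.

```python
# Added example: policy and beaconing checks over constructed flow records.
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import pstdev

# Constructed sample flows: (start_secs, src, dst, dport, bytes)
FLOWS = [
    (0,   "10.1.1.20", "10.2.0.5",     445, 9000),  # workstation -> file server: expected
    (60,  "10.1.1.20", "10.1.1.21",    445, 4000),  # workstation -> workstation: disallowed
    (0,   "10.1.1.30", "203.0.113.9",  443,  300),  # same outside host every 300 s ...
    (300, "10.1.1.30", "203.0.113.9",  443,  310),
    (600, "10.1.1.30", "203.0.113.9",  443,  305),
    (900, "10.1.1.30", "203.0.113.9",  443,  298),  # ... looks like a beacon
    (10,  "10.1.1.40", "198.51.100.7", 443, 1500),  # ordinary browsing
    (700, "10.1.1.40", "198.51.100.8", 443, 2200),
]

# Assumed logical containers; anything not listed is an Outside Host.
GROUPS = {"Workstations": ip_network("10.1.1.0/24"),
          "Servers": ip_network("10.2.0.0/24")}

def group_of(ip):
    addr = ip_address(ip)
    for name, net in GROUPS.items():
        if addr in net:
            return name
    return "Outside Hosts"

def disallowed_flows(flows, banned=(("Workstations", "Workstations"),)):
    """Flows whose (source group, destination group) pair is on the banned list."""
    return [f for f in flows if (group_of(f[1]), group_of(f[2])) in banned]

def beaconing_hosts(flows, min_flows=4, max_jitter=0.1):
    """Inside hosts contacting one outside host at near-constant intervals.

    Returns (src, dst, mean_interval_secs) for each pair whose gaps between
    flow starts vary by no more than max_jitter (relative std deviation).
    """
    by_pair = defaultdict(list)
    for start, src, dst, _, _ in flows:
        if group_of(src) != "Outside Hosts" and group_of(dst) == "Outside Hosts":
            by_pair[(src, dst)].append(start)
    found = []
    for (src, dst), starts in by_pair.items():
        if len(starts) < min_flows:
            continue
        starts.sort()
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and pstdev(gaps) / mean <= max_jitter:
            found.append((src, dst, mean))
    return found
```

Tune min_flows and max_jitter conservatively at first: a loose jitter threshold will flag ordinary periodic traffic such as update checks.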
From the graphical display you can drill down and see the underlying data in detail. Depending on the netflow fields you are able to collect (different devices contain different information), you can see what applications are tied to what data streams and track datastreams to users. You can filter and view the data dozens of different ways. I was highly impressed by the management console and how much data I could quickly put up on the screen at once.
Lancope loves to demo the feature where you tell StealthWatch to show you victim zero in a network-wide malware attack. In one second, StealthWatch shows you everyone infected by a particular piece of malware and which was the first device hit. This is a slightly gimmicky piece of information, but I gotta tell you it was cool -- and I wanted it!
Lately, I’ve been playing with and building different netflow analysis methods using individual clients. It turns out that collecting the data isn’t the hard part -- it's that you’ll quickly end up with far more data than you can manually inspect and categorize. StealthWatch has the logic you would have to otherwise build manually over months.
What's missing? I wish StealthWatch could detect traffic within a network segment, but it requires that traffic pass through a managed network device that exports flows. Although it is unlikely these days, there's a chance that badness could operate entirely across a local, unmanaged segment and go undetected. Plus, StealthWatch is for enterprise customers, though Lancope says it's thinking about branching out into small businesses.
One other recommendation: It’s easy to end up with hundreds or even thousands of areas of concern marked by yellow or red. I’d recommend configuring StealthWatch or any other netflow tool conservatively at first, so you have time to investigate all the alerts you’re getting. Flag too many areas of concern -- such as anomalies in your firewall logs -- and you'll miss one of the best reasons to collect netflow traffic: to detect and respond quickly.
That said, StealthWatch is an awesome tool and I recommend it for everyone. There may be direct competitors that can do what StealthWatch does, but if so, I haven’t found them yet.