Cyber Threat Intelligence: 3 Pillars of Strength

Old 1 Comment on Cyber Threat Intelligence: 3 Pillars of Strength 103

Targeted Cyber Threats are evading many of our best security defenses. We’ve put setup firewalls, enforced password rotation, installed an IDS, verified that antivirus is up to date and even educated employees on common sense practices when using the web.

Despite all of these investments in cyber threat defense, evidence of these types of insurgencies can still be found in the network traffic. How can digital forensics be practiced in a way that improves the corporate position on cyber threat intelligence and incident response system?

First of all, we should all be assuming that the company is already infected.  What does your security team have at its disposal to identify contagions?  The answer in many cases is flow technologies.  NetFlow and IPFIX are the only protocols available today that can provide visibility into all corners of the network without deploying costly packet probes.  Threat detection with flow data establishes three pillars of strength that when combined provide a more complete and holistic incident response system.

  1. Application awareness: In the early days of NetFlow, applications were identified by examining the source and destination ports, comparing the lowest port to a table of applications and labeling the port accordingly.  For example, a flow with a source port of 80 and a destination port of 50554 would be labeled as HTTP (port 80). This strategy was failing almost as soon as it hit the market because many applications use random port numbers.  Then, along came Deep Packet Inspection (DPI).  This technology is generally implemented on a router, firewall or probe and is used to more accurately identify applications.  It does this by observing a series of packets, looking for bit signatures and then making a decision on what application it is based on communication behaviors.  DPI was also short lived due to the introduction of SSL which encrypts traffic at the end systems and ultimately prevents the router from performing DPI.  SSL is now becoming a prevailing technology for many websites such as Google and Facebook. Since DPI can’t see past port 443, traffic to these sites is often combined into a label of ‘HTTPS’. Some vendors recognized this short coming and have implemented SSL DPI.  When implementing SSL DPI, the router or firewall acts as a proxy for connections headed to sites with secure connections. The certificate is extracted and used to un-encrypt the SSL connections whereby DPI can take place and identify the true application.  However, the overhead involved with SSL DPI has prevented wide spread adoption.
  2. End user contextual details: When a problem is isolated down to an IP address, context is king.  Who authenticated that device onto the network?  What was the username, the MAC address, the IP group that the host belonged to or the country it’s from and what type of device (e.g. Dell laptop, iPhone, Android, etc.) is it? To gain access to these details, the system needs access to authentication logs.  Sometimes they are located in Microsoft active directory, in Cisco ISE or in some other type of radius authentication server.  Marrying the IP address or mac address found in flows to the contextual details found in these authentication logs often accelerates awareness exploration.
  3.   Cyber Threat Intelligence

  4. Behavior monitoring: By caching flows and then scanning for patterns indicative of suspicious behavior, flow data can be used to uncover malware.  Additional intelligence is then leveraged to dismiss the potential false positives.  For example, if a machine starts scanning ranges of IP addresses, targeting specific hosts or starts communicating in ways that are not typical of its normal behavior, the security admin still can’t definitively deduce that the device is hosting malware. Reacting to any single odd behavior often leads to tail chasing because normal communications can leverage an occasional odd connection.  To be more effective at keeping the network clean of sophisticated intrusions such as Advanced Persistent Threats (APT) security administrators must consider the collective value of odd behavior episodes from every machine on the network.  This is done through the process of building Threat Indexes (TI).  In the above screen capture, The TI is a single number that represents the collective value of all occurrences of the different algorithms the host may have violated.

Combined, the above three areas provide the details necessary to react quickly to targeted cyber threats.  They also improve a corporations overall cyber threat intelligence posture for three reasons:

  1. They shorten the length of time when investigating internal network attacks which leads to more decisive action. The application awareness explained above provides visibility into the plethora of applications which share the same ports.  At the same time, applications which utilize more than one port are grouped into the same application.
  2. End user contextual details provide the evidence necessary to ascertain the specific employee who may have authenticated the device onto the network.
  3. And behavior monitoring is key because it helps uncover reconnaissance efforts and other internally operating contagion such as command & control botnets.

Many security teams responsible for their company’s incident response system are making sure their solution includes the above three pillars.


Michael Patterson

Michael Patterson is the Founder and CEO of Plixer International. Prior to starting the company in 1998, he worked for Cabletron Systems in Support, Training and Professional Services. He is an experienced leader with strong insight into the industry and the needs of his customers. He has an aptitude for delivering high performing, value added, systems and service solutions to meet challenging business demands. He started the company as a one man shop and has grown it into a multi-million dollar organization. All this done without the assistance of venture capital. Michael is passionate about how the company grows, the technologies it pursues and continues to participate at many levels of the organization. By taking a hands on approach with the hardware and software, he works with the software developers and in quality assurance testing to help ensure that the products behave in a format that continually supports the collective vision of the company. He has a Bachelor’s Degree from the University of Maine and a Masters in Computer Information Systems from Southern New Hampshire University.

Related Articles

1 Comment

  1. Christopher Mckinstry July 5, 2014 at 6:42 am

    Great article, I do like the amount of detail put into cyber threat intelligence and what to look at.

Leave a comment

Back to Top