ABCs of UEBA: N is for NETWORK

When it comes to detecting and responding to cyber threats, the network is the first line of defense. Cyber criminals use network communications to establish command and control, distribute malware, exfiltrate data and more. That is why the network is one of the most important entities to be monitored with User and Entity Behavior Analytics (UEBA). It’s so important that many vendors, like Gurucul, have created a separate product to monitor network traffic. In Gurucul’s case, that product is Network Traffic Analysis. Whatever happens on the network stays on the network and the evidence in the network traffic logs is irrefutable. The network doesn’t lie. That’s what any network administrator will tell you. Network traffic patterns are invaluable in delivering the intelligence required to identify insider and external threats.

Detect Network Threats with Behavior Analytics

Behavior analytics provides machine learning driven insights powered by big data to root out network threats in real-time. The network will behave differently when something criminal is happening. There will be bursts of traffic, larger than normal payloads, unusual sender or receiver IP address and more. Different behavior, however, is not always an indication of criminal activity. Sometimes it’s just a software developer testing new code, or a marketing director uploading collateral to a cloud storage site. The key to determining whether unusual network behavior is criminal is behavior analytics. Behavior analytics uses entity models to create behavior baselines for every device and machine on the network based on network flow data such as: source and destination IPs/machines, protocol, bytes in/out, etc. Analytics also supports leveraging DHCP logs to correlate IP specific data to machines and users. Pre-packaged machine learning models pre-configured and tuned to run on high frequency network data streams can then detect real-time anomalies and risk rank threats. This is the value of behavior analytics.

Link Disparate Sources to a Single Identity

Traditional or legacy network analytics tools depend on rules and signatures, which cannot detect unknown network threats. They don’t link together data from disparate sources so they cannot tie individual users or machines, MAC addresses, or IP addresses to anomalous activity. An advanced network traffic analysis product will pull all that information together and tie it back to a single source, one unified identity – a machine, an IP address, any type of entity that you define. It should then create a single unified risk score linking back to that identity to create a holistic view of risk.

You need to be able to define unique identities, link data to those identities and build rich context by ingesting logs, security alerts, vulnerability assessment reports, threat intelligence and access control data. A mature network traffic analysis product identifies unknown network threats using machine learning on network flows and packet data. It combines identity and network-based alerting to provide an end-to-end picture of incidents, so you know exactly what is happening on your network in real-time. It should support multiple data formats out-of-the-box, including NetFlow, firewall, Packet Capture, IDS/IPS, DHCP, DNS, formats like CEF, csv, TSV, syslog, JSON and XML.  And, since the product is using existing data the NetOps team already collects, it should be relatively low overhead to deploy.

Get Answers to Critical Questions About Network Threats

Network Traffic Analysis answers critical questions about network threats. It builds a baseline of clean, normal network activity and then compares that in real-time to operational traffic at line speed. Linking network traffic to users, however, is unique to Gurucul. We pull in the users’ access as well as their activity, along with the devices and network traffic associated with them to see a holistic picture of risk for any user or machine on your network. This enables our platform to answer the following critical questions:

  • Which device triggered the incident?
  • What actions were performed?
  • How much data was transferred?
  • Who was using the device?
  • What else did the user access?
  • Is behavior normal relative to peers?
  • What is the risk score of the entity?

Choose A Comprehensive Solution

Key elements of a comprehensive enterprise network traffic analysis solution include:

  • Scalable Architecture: Built to ingest and analyze a high volume of transactional data — structured and unstructured, on open choice Big Data. This not only allows for quicker searching, but also faster analytics and longer data retention for e-discovery and forensics.
  • Data Ingestion and Linking: Maps to any data source — online or offline, internal or external, on-premise or in the cloud — to pull information into a data lake, regardless of the format of the data.  The more data sources and the more data ingested, the better, as this broadens the view of the activities and behaviors by putting them in context and increases the learning ability of the machine learning engine.  Linkage is on the basis of an identity like IP address or a specific user. Every record is associated to a specific identity to build baseline of behavior.
  • Data Analytics: Uses machine learning rather than rules which allows the system to perform network traffic anomaly detection without having to anticipate and define parameters for them in advance. Customers should be able to create their own models specific to their use cases.
  • Comparison to Peer Groups: Evaluate risk by comparing user or entity behavior to peer group behavior to identify anomalous activities.

Gurucul offers a comprehensive network traffic analysis solution. Our platform provides an enterprise management console for SOCs, analysts, and Incident Response personnel. We use both supervised and unsupervised machine learning techniques for anomaly detection and categorization of network threats. This approach allows you to see results quickly and provides critical tuning information back to the supervised models for an even higher level of efficacy. This means your results get better over time. The platform supports complex network topologies, including Software Defined-Wide Area Network. We also provide you the ability to deconstruct and examine application layer traffic such as DNS, email, web applications, and more. We also have the built-in capability to use sandboxes, either on-premises or in vendor infrastructure, for detonation and analysis of suspicious code. And, we integrate with cyber threat intelligence feeds using industry standards like STIX, TAXII or other out-of-the-box integrations with commercial threat intelligence feeds.

Additional features include the ability to analyze raw network packets in real-time or near real-time. This allows our customers to monitor and analyze north/south traffic (as it crosses the perimeter), as well as east/west traffic (as it moves laterally throughout the network). With machine learning, we baseline normal traffic from devices and IP address and that gives us the ability to highlight anomalous and risky traffic behavior patterns. This allows you to dig in and detect network threats as they are happening as well as replay them after-the-fact for forensics.

Address Key Network Traffic Analysis Use Cases

Your network traffic analysis product should address the following key network traffic analysis use cases:

  1. Spot Unknown Malware, Zero-days and Rogue Behavior by Insiders. By leveraging baselines and known patterns of bad behavior, any aberrations can be detected and stopped in their tracks.
  2. Detect Unusual Lateral Movement and Command & Control (C2) Communication. Look for trends in outbound communications and east/west movement that is characteristic of malware and ransomware.
  3. Uncover APT/Stealth Attacks Dormant Between Attack Stages. Uncover hidden patterns in network traffic to unusual geographic locations based on time, frequency and all the enrichment data provided.

Additional general use cases for detecting network attacks include:

  • Unusual DNS queries
  • High or low volume port scanning
  • DNS tunneling and zone transfers
  • Low volume intermittent command & control type traffic
  • Unusual HTTP headers
  • Unknown IoT devices
  • Unusual RDP traffic and remote file execution
  • Network proxy bypass attempts
  • Traffic to and from unusual geographic locations

Detect DNS Tunneling Network Threats

Let’s go into detail on a couple of these use cases to detect network threats. First up is DNS Tunneling. This is essentially DNS “packet stuffing” which involves an internal host and a malicious external host. This tactic hides encoded data in plain sight through DNS, one of the noisiest protocols on the network. DNS is designed to transport binary data with a limited character set which is usually DNS names. DNS is generally unencrypted which makes it much easier to uncover the tracks of this data camouflage technique. DNS Tunneling is used for exfiltration of data that is smaller in size (like passwords, keys, etc.). It is also used for C2 communications and leverages different DNS record types – A, TXT, etc.

Let’s compare standard DNS Tunneling detection mechanisms with Gurucul’s detection capabilities to understand Gurucul’s unique value add:

Standard Detection Mechanisms:Gurucul Threat Detection Differentiators:
Traffic to external DNS ServersTraffic to unusual or unseen DNS Servers
Outbound DNS request rateSurge in outbound DNS queries: volume-based comparison.
DNS request lengthComprehensive DNS packet inspection – not restricted to packet request length. We look at everything that lives in the DNS packet: TTL, authoritative records, name servers, responses, etc.
Context is key. Gurucul links multiple log sources. We trace an IP’s journey from the entrance VPN connection to MAC traversal to DHCP and finally to its newly acquired dynamic IP address.


Detect Network Traffic To/From Unusual Geo Locations

The next use case we’ll look at is network traffic to/from unusual geographic locations. This use case detects anomalies in VPN data, authentication data, and flow data. Gurucul network traffic analysis comes with the ability to enrich geographic data from IP addresses. We provide ISP information, latitude, longitude, city, country and everything else there is to know about a particular IP address. Geographically anomalous network traffic scenarios include:

  • Account sharing – security policy violations
  • Account takeover – login thru compromised credentials
  • VPN usage – circumvention of network controls

Gurucul network traffic analysis extracts context from any log family containing IP address fields. Let’s compare standard geographically anomalous network traffic detection mechanisms with Gurucul’s detection capabilities to understand Gurucul’s unique value add:

Standard Detection Mechanisms:Gurucul Threat Detection Differentiators:
Data is usually enriched at the sourceAll enrichment is done within the application
No user contextUser and device context
No lifecycle trackingDynamic entity lifecycle tracking from the time the entity is created all the way until the lease is released.
Gurucul chains multiple scenarios so you don’t get siloed alerts. What you have is cohesive chained data that you can use by stitching different resources or applications together.


Learn More

When it comes to detecting network threats, you must have the right network tools and techniques in place. With a UEBA solution, cybersecurity professionals can spot malicious network activity before hackers can gain a foothold. The best practice is to combine network behavior with user and entity behavior to deliver rich context for network traffic analysis. Gurucul defines unique identities – users and/or entities – and links all data elements to those identities.

For more information, read our whitepaper, “Network Traffic Analysis is the Next-Generation Defense Against Modern Threats.”

You can also view our webinar on demand, “Detecting Malicious Traffic on Your Network.”


The post ABCs of UEBA: N is for NETWORK appeared first on Gurucul.

*** This is a Security Bloggers Network syndicated blog from Blog – Gurucul authored by Jane Grafton. Read the original post at: