Boosting Suricata With Next-Gen Deep Packet Inspection
Intrusion detection/intrusion prevention systems (IDS/IPS) play an essential role in cybersecurity by detecting and blocking threats that have penetrated endpoint and perimeter defenses. Open source Suricata is one of the most widely deployed IDS/IPS components commercial cybersecurity products. However, it tends to generate many false positive alerts, has limited protocol and application coverage and is blind to certain types of advanced threats–especially those using encryption to evade detection. Next-generation deep packet inspection (NG DPI) software can fill these gaps and significantly improve Suricata performance.
That’s why leading cybersecurity vendors have started to combine Suricata with NG DPI to enhance products such as cloud firewalls (FWaaS), secure web gateways (SWG), next-generation firewalls (NGFW), network detection and response (NDR) and extended threat detection and response (XDR) platforms.
In these products, embedded NG DPI enhances Suricata by:
- Enabling rapid development of whitelists and blacklists that leverage NG DPI’s expanded protocol coverage (particularly for Cloud, SaaS, IoT and OT applications and protocols plus custom and legacy applications)
- Significantly improving Suricata’s ability to detect anomalous and evasive traffic
- Extending Suricata’s ability to detect threats to cover fully encrypted environments
- Significantly reducing the high number of false-positive alerts generated by Suricata through increased network visibility and more accurate traffic identification
- Making threat analysis and forensics faster and easier through high-value contextual metadata (while simultaneously reducing the need for full packet capture)
Architecture Overview
Understanding How NG DPI Can Enhance Suricata Rules
When combined with NG DPI, Suricata rules and alerts are more precise and can be tailored to specific customer environments. At the simplest level, NG DPI’s greatly expanded protocol and application coverage has a huge impact on producing effective rules and alerts. Below, for example, is a look at two rules with and without this expanded protocol coverage.
At a deeper level, NG DPI’s unique security metadata provides valuable insights for rule development, including detection of:
- MITM interception
- Complex tunneling
- Anonymizers
- Non-corp VPNs
- DGA
- Domain fronting
- File type mismatches
- Non-standard use of communication channels
The last method is a popular tactic for enabling advanced persistent threats, so let’s take a look at how integrated NG DPI improves Suricata’s ability to identify and respond to attacks using this method.
Detecting Command and Control Attacks Hiding Behind Common Protocols
To remain under the radar of IDS/IPS systems like Suricata, some C2C attacks encapsulate commands inside common protocols communicating via standard assigned ports. This way, they blend in with normal traffic. This is one of the tactics identified in the MITRE ATT&CK framework of known adversary techniques (Technique ID T1071, application layer protocol). The framework suggests several means of detecting such a covert C2C attack. In each instance, Suricata complemented by NG DPI is far more effective at detecting this type of attack. Specifically, it improves Suricata’s ability to detect and respond to the three indicators of potential malware associated with C2C attacks, as detailed in the chart below.
Summary
NG DPI can add significant value for cybersecurity vendors and operators of critical networks looking to extend and adapt their Suricata IDS/IPS to new network environments and an evolving threat landscape. Integrating NG DPI technology with Suricata improves general threat detection capabilities and makes it more effective in specific network environments.
