Scan for threats using network traffic flows

The goal of enterprise threat research is to give organizations an opportunity to find potential attacks and take corrective action before the attacks cause harm and become a security crisis. But there is a lot of network data to scan, only so many hours in a day, and too few analysts to do the work.

Enter NetworkSage, a cloud platform from SeclarityIO that aims to analyze the flow of network traffic, focus triage alerts, and provide analysts with insights into potential issues that need to be addressed. With NetworkSage, managed service providers, security operations centers and threat researchers can offload their entire triage workflow and get “expert analysis at machine speed,” says David Pearson, co-founder and CEO of SeclarityIO.

Network data can be an “exceptionally powerful source of truth,” Pearson wrote in a blog post describing how threat hunters can use NetworkSage to identify phishing attacks. Threat hunters can look for traffic that might indicate a phishing attack, such as a user visiting sites and entering information close in time to an active email session, or for sessions and communications that may indicate command and control activity.

In network security, the detection of anomalies relies on identifying “bad” activity in the network, but doing so requires establishing a meaningful baseline of “good” behavior. This is difficult in an enterprise environment because users do all kinds of different things and communicate with different people and systems on a daily basis. All of this contributes to an increase in the volume of security alerts, because analysts have to track every deviation from what is called normal activity. The problem is compounded by the fact that organizations operate with multiple security tools, says Pearson.

Alert fatigue is a major problem for organizations as security practitioners receive hundreds of non-priority alerts every day. Understanding which alerts are actually indicators of a problem is critical to security defense, but it can be tedious and time-consuming. In a recent Orca Security study, 59% of participants said they receive more than 500 public cloud security alerts per day. In the same survey, 55% said important alerts were missed, often on a weekly and even daily basis.

By using NetworkSage to automate correlation and analysis, an analyst is less likely to miss something, or to reach the real issues too late because less important alerts are a distraction.

Find bad patterns

Pearson refers to NetworkSage as “Network Translator Technology,” which analyzes network traffic to identify attack vectors rather than specific payloads or individual URLs. Network flows are grouped into categories, and analysts can find commonalities across them to identify which traffic is part of a malicious pattern. For example, the platform classifies connections to any port on any site, which helps identify malicious activity associated with command and control servers, Pearson says.

Security analysts can upload enterprise network flows to NetworkSage using an application programming interface (API) and visualize who is communicating with whom on the network, how a user interacted with a malicious site, and the number of packets sent and received, among other metrics. The platform also analyzes the flows and tells analysts whether the interaction is really a problem that requires remediation.

For example, security tools might issue an alert if a user (or multiple users) accessed a known phishing site, but they wouldn’t say whether or not the user actually entered the credentials. Without this knowledge, the analyst has to investigate and follow up with each user to find the people who got caught in the phishing attack. NetworkSage looks at the organization’s network data, so it can see how the user interacted with the site and identify the user who entered the credentials. The analyst now knows which of the potential issues led to an actual compromise and can respond accordingly.

In the past, security analysts had to look at alerts and search the network logs associated with them to see if a user had accidentally entered the wrong credentials on a site, or if it was a malicious login attempt. NetworkSage automates this analysis to determine that a user has already placed their credentials on a phishing site or opened a malicious executable.

Common Use Cases

Analysts can use NetworkSage in a number of ways, including as a tool to automatically sort alerts, review results from threat-hunting exercises, and search for threats using crowdsourced information, Pearson says. Automated alert sorting is perhaps the most common. In this scenario, the platform captures the network activity that triggered an alert as well as the activity right before and after it. NetworkSage provides a high-level overview of what happened and whether it was of interest, as well as associated details that may be required during the investigation.
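The two ideas above, deciding from flow data whether a user merely loaded a phishing page or actually submitted a form to it, and pulling the activity right before and after an alert, can be illustrated with a small flow-triage script. This is an added example, not NetworkSage's or SeclarityIO's code; the flow records, host names and the byte thresholds are constructed assumptions, and the rule "a client-heavy flow to the same host shortly after the page load looks like a form submission" is a simple heuristic, not the platform's classifier.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Flow:
    ts: datetime    # start time of the flow
    user: str       # who the source address was mapped to
    dst: str        # destination host name
    dport: int
    bytes_out: int  # bytes sent by the client
    bytes_in: int   # bytes received by the client

# Constructed sample: two users reach the host an alert flagged as phishing.
# Only alice has a client-heavy flow to it afterwards (a form POST), and only
# alice was in a webmail session just before, as in the email-session heuristic.
T0 = datetime(2022, 3, 1, 9, 0, 0)
SAMPLE_FLOWS = [
    Flow(T0, "alice", "mail.example-corp.test", 443, 4200, 88000),
    Flow(T0 + timedelta(seconds=40), "alice", "login-portal.phish.test", 443, 900, 52000),
    Flow(T0 + timedelta(seconds=58), "alice", "login-portal.phish.test", 443, 3100, 700),
    Flow(T0 + timedelta(seconds=70), "bob", "login-portal.phish.test", 443, 850, 51000),
    Flow(T0 + timedelta(seconds=300), "bob", "news.example.test", 443, 600, 30000),
]
PHISH_HOST = "login-portal.phish.test"
WEBMAIL_HOSTS = {"mail.example-corp.test"}
ALERT_TS = T0 + timedelta(seconds=40)   # constructed: when the phishing-site alert fired
BOB_VISIT_TS = T0 + timedelta(seconds=70)

def context_window(flows, alert_ts, before=timedelta(minutes=5), after=timedelta(minutes=5)):
    """Flows around an alert: the activity right before and after the triggering event."""
    return [f for f in flows if alert_ts - before <= f.ts <= alert_ts + after]

def triage_phishing(flows, phish_host, alert_ts, upload_threshold=2000, max_gap=timedelta(seconds=120)):
    """Per user: 'visited' if only page loads were seen, 'submitted' if a client-heavy
    flow to the phishing host follows that user's first visit within max_gap."""
    verdicts, first_visit = {}, {}
    for f in sorted(context_window(flows, alert_ts), key=lambda x: x.ts):
        if f.dst != phish_host:
            continue
        verdicts.setdefault(f.user, "visited")
        first_visit.setdefault(f.user, f.ts)
        if f.ts > first_visit[f.user] and f.ts - first_visit[f.user] <= max_gap \
                and f.bytes_out >= upload_threshold:
            verdicts[f.user] = "submitted"   # upload after page load: likely credentials
    return verdicts

def near_email_session(flows, user, ts, webmail_hosts, gap=timedelta(minutes=2)):
    """True if the user had a flow to a webmail host within `gap` of the given time."""
    return any(f.user == user and f.dst in webmail_hosts and abs(f.ts - ts) <= gap for f in flows)
```

On the constructed sample the verdicts are alice: submitted, bob: visited, so only alice needs a credential reset; the analyst no longer has to follow up with every user who loaded the page.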

Uploading results from threat hunts to NetworkSage gives teams an understanding of whether the activity requires action. This could be useful if a threat hunt reveals activity that could indicate a widespread phishing attack, for example.

There is also a community aspect, Pearson says. NetworkSage can show categorized information to all users without revealing the sensitive details of each organization. This makes threat hunting at scale possible because everyone can see different parts of the threat landscape, not just the view from their own network. Analysts can add details about what they see, and the platform displays metadata such as how long flows to a particular destination have been present in the NetworkSage dataset. This broader perspective gives threat-hunting teams more information about where they should look for potential attacker activity.

Pearson says NetworkSage is trying to do with its Threat Lookup data and enterprise network traffic what GreyNoiseIO does with Internet traffic to identify malicious activity.
