Information flowing over modern networks is like an onion with many superimposed, opaque layers of encapsulation, encoding, and compression. Today’s targeted threats are hidden deep within the application and content ‘onion’, where they are invisible to traditional network security systems. “Peeling back the onion” can expose deeply embedded threats in real-time, across all ports and protocols.
A network security system’s ability to see the application level content (information contained in the bodies and metadata of documents, files, etc.) flowing over the network is the first step in peeling back the onion. The second step includes your ability to find a piece of target content no matter where it is in the content stream. You won’t know exactly how an attacker will package and deliver a threat, so you need to be able to find content no matter how it’s packaged or embedded.
The third step involves your network’s ability to take some kind of action when it sees suspicious activity, or a network ‘session’, that contains target content. Some examples of actions that can be taken include generating an alert, or selectively recording or blocking a network session. As an example, you might want to generate an alert and record a session when you see an obfuscated JavaScript object embedded in a PDF file.
Defending against these types of threats should be thought of as a process, not a response to an individual event. The process includes a discovery phase, an investigation phase, and a remediation phase.
The objective of a network security organization must be to move through the phases of the threat management cycle as quickly, efficiently, and cost-effectively as possible. This objective is difficult to achieve using traditional forensic toolsets and techniques. However, tools with tightly integrated visualization, analysis and control capabilities can help accelerate the threat management cycle.
In addition to being highly polymorphic and therefore immune to signature-based security technologies, today's threats are hidden deep within the content that's handled by client applications, and are often not visible in the packets that are used to transport that content over the network. Virtually all intrusion prevention systems, next-generation firewalls, and network forensics systems claim to be “content-aware” but in reality, they aren’t.
Modern threats live in the content, but these systems are only packet aware. Packets and content are not the same thing; if the content you are looking for is not actually visible in the packets, these systems will not be able to see it. Examples include malicious executable files that have been embedded in PDF documents, malicious media objects embedded in Microsoft Office documents, and malicious executable files embedded in compressed archives.
Virtually all network forensics products available today are ‘full packet capture’ systems that receive a copy of all the packets that traverse the network (typically from a network TAP or switch SPAN port) and record those packets to disk. Although some such systems are simple packet recording systems with little or no ability to search through or analyze the recorded packets, the more advanced systems have a record-then-analyze architecture that enables them to:
- Record all (or virtually all) network packets to disk; and
- Extract descriptive information (“metadata”) about the sessions containing the packets and “index” the metadata so that an analyst can search, query, browse or drill-down into the metadata to identify and analyze sessions of interest.
Along with several inhibiting technical limitations, traditional network forensics products give rise to a number of business limitations that are expensive, not only in terms of the capital and maintenance costs of the equipment (sensors and storage) needed to capture and store all packets but also, and perhaps even more importantly, in terms of the ongoing operational costs associated with paying highly skilled forensic analysts to search, recover, extract, decode, and analyze the stored packet data. The overall result is a high total cost-of-ownership.
They are also slow, specifically in terms of the time required to find, recover, extract, decode, and analyze information in a real-world, large-scale network deployment. This limitation, combined with their lack of unilateral prevention/containment capabilities, makes traditional network forensics products unsuitable for real-time situational awareness and rapid incident response.
On the other hand, products with better forensic capabilities than traditional network forensics systems are available at a much lower total cost of ownership. They automate and accelerate the forensic analysis process by enabling security analysts to find, extract, and analyze forensic artifacts much more quickly – and much less expensively – than would be possible using traditional network forensics tools and techniques. They also improve the security posture of organizations by enabling real-time situational awareness, rapid incident response, and integrated containment/remediation capabilities. These types of products record rich session metadata, reassembled session content and/or raw packets associated with network sessions of interest. They provide automated recovery of forensic objects, at any level of the encoding/decoding path (at any layer of the content ‘onion’).
If you take anything away from reading this article, I hope it includes the following key points:
- Packets and content are not the same thing.
- Most modern threats occur at the content level, not the packet level.
- Most network security systems are not content aware, they are packet aware.
Being able to successfully peel back the onion gives organizations the ability to discover, analyze, and remediate advanced threats more quickly, efficiently, and cost-effectively than traditional network forensic approaches have in the past.
Kurt Bertone brings more than two decades of security industry experience to his role as vice president and security strategist at Fidelis Security Systems. Bertone was most recently vice president of product management at Covergence, where he was a founder and responsible for ensuring that session management solutions provided comprehensive security. His previous experience includes serving as CTO EMEA at Nortel and Bay Networks, and vice president of business development at Crossbeam Systems. Bertone has worked closely with world-class security companies such as Check Point Technologies, Internet Security Systems (ISS), Trend Micro, Websense, Secure Computing and others. He holds a bachelor’s degree in electrical engineering from Brown University and a master’s of science in computer, information & control engineering from the University of Michigan.