
September 30, 2019

The Key to Next-Gen Cyber Security is: Complete Threat Visibility!


Despite many advances in smart firewall and endpoint cyber security protection, security breaches continue to plague the IT landscape. In 2019, over 100 major breaches have occurred, according to Identity Force; Risk Based Security, as reported by TechRepublic, further states that “more than 3,800 data breaches have hit organizations, representing an increase of 54% in 2019” so far.

Despite endpoint technology innovations, cyber attackers have found new ways to exploit network and endpoint weaknesses. They've also developed new methods, such as ransomware, to extort money without having to exfiltrate data. But the indicators of these attacks are available on the wire, where they can be detected!

Endpoint security is much like placing a deadbolt, chain lock, and steel bars on your home door to prevent burglars from breaking in. It blocks attackers from gaining direct access to your IT environment. Instead, what attackers do is find another way in. It's like a burglar that, instead of trying to breach your heavily secured doors, enters your house through an unsecured window.

New IT security threats require a new approach!

Home security firms have come to realize that the way to provide the highest level of security is by complementing deadbolts with video cams to continuously monitor a domicile. This enables an immediate response to attempted breaches as soon as they’re detected.

IT security requires a similar approach.

Firewalls are like door locks. They work effectively when an intrusion is attempted directly at them. Endpoint agents can be effective if properly implemented and no weak links are offered to the attacker. Also, many endpoints cannot be instrumented with an agent at all, such as IoT, ICS and BYOD devices.

Cyber security attackers are also adept at covering their tracks, hiding how they got through the endpoint or even that they did. IT environments always have a number of vulnerable entry points that are eventually forgotten and end up as part of the shadow IT inventory.

Cyber security attackers are very innovative in finding ways, such as credential phishing, to obtain legitimate or legitimate-looking access through endpoints. Once they’re inside a network, it’s frequently too late to prevent them from inflicting serious damage.

It’s apparent that endpoint security alone isn’t sufficient to stop security threats. Once the attacker is inside the network, the only remaining source for detecting threats is full network traffic analysis and analytics using machine learning and AI. This makes it possible to observe and defend against the intrusion and to conduct forensic investigations.

Splunk and Accedian - Next Generation Tactics, Techniques and Procedures (TTP) Threat Detection

Accedian is partnering with Splunk to provide next-generation Tactics, Techniques, and Procedures (TTP) threat detection. At the heart of the initiative is the Skylight security application for Splunk, which is based upon Skylight’s extremely precise network traffic capture sensors that turn all that traffic into a compact metadata stream. The metadata stream is less than 0.5% of the overall traffic volume, which enables long-tail data retention. It is retained in the Splunk data lake, where it fuels advanced security analytics and forensics.


The Skylight security app with Splunk capabilities is analogous to detecting a burglar stealing your silverware from the cupboard, analyzing the situation to make sure it isn’t just a family member taking a spoon to eat their dessert, and then notifying you in real time so that you can take measures to stop the intrusion and theft.

To learn more about what you can do to fortify your security posture, read our blog: "Infrastructure-based Security Solutions – What to Consider."

To learn more about Accedian’s partnership with Splunk to provide advanced TTP threat detection, read our blog: “Where were you when your cyber security was breached?”.

Also, to learn about the Skylight security app for Splunk, visit its Splunkbase landing page.

Tom Fisher

Author – Tom Fisher is a Senior Product Marketing Manager for Accedian’s network and application performance management and security solutions. He has more than two decades of experience in performance management as a ‘speed guru’ for NPM and APM. Tom has also been a design engineer, product manager, and product marketer for security technology. He holds a BSEE in Computer Design from the University of Wisconsin, Madison and a graduate CM in Marketing and Finance from Harvard University.

Accedian is the leader in performance and security analytics and end user experience solutions. They are committed to empowering customers with the ability to see far and wide across their IT and network infrastructure and a microscopic ability to dive deep and understand the experience of every user.

September 23, 2019

Know your Network - with Traceroute/Tracert !

Know Your Network! (Cont.): Traceroute/Tracert

What is ‘Tracert’?  (Trace Route or Traceroute)

If you are trying to send or receive information to a particular host on the internet and it is not connecting, it is possible that one of the routers or servers along the route to that host is having a problem. Tracert is a great way to find out where along the route the problem is occurring, by identifying the problem router or computer.

When communicating with a host on the Internet, it seems that, because the communication is near-instantaneous, there is a direct connection between your device and the host. That isn’t true: there can be many intermediate connections between your device and the host device.

 


The Windows Tracert diagnostic utility determines the route to a destination by sending Internet Control Message Protocol (ICMP) Echo Request packets to the destination. In these packets, Tracert uses varying IP Time-To-Live (TTL) values.

Because each router along the path is required to decrement the packet's TTL by at least 1 before forwarding the packet, the TTL is effectively a hop counter. When the TTL on a packet reaches zero (0), the router sends an ICMP "Time Exceeded" message back to the source computer.

Tracert sends the first echo packet with a TTL of 1 and increments the TTL by 1 on each subsequent transmission, until the destination responds (with an ICMP Echo Reply) or until the maximum TTL is reached. The ICMP "Time Exceeded" messages that intermediate routers send back show the route. Note however that some routers silently drop packets whose TTL has expired without sending "Time Exceeded", and those hops are invisible to Tracert.

What is a Tracert Test?

The Tracert Test service, like the classic UNIX traceroute, attempts to trace the route to an internet host by launching UDP probe packets with a small "TTL" (Time To Live) and then listening for an ICMP "time exceeded" reply from a gateway.

The first probe starts with a "time-to-live" value of one, the next probe has a "TTL" value of 2, and the TTL continues to increase by one until we get an ICMP "port unreachable" (indicating the "host" has been reached: the probes are UDP datagrams aimed at a port where nothing listens, which is what distinguishes this from the Windows ICMP-based tracert) or the maximum has been reached, which defaults to 30 hops. Three probes are sent at each "TTL" value and a line is displayed showing the address of the gateway and the round-trip time of each probe. If the probe answers come from different gateways, the address of each responding system is displayed. If there is no response within the timeout interval (3 seconds in this service), a "*" is displayed for that probe.

A trace route allows you to find the path from your device to the host, identifying the device at each hop and the time it took to reach it.

Essentially, the traceroute compiles a list of the routers and computers on the network that are involved in a specific Internet connection.

The trace route identifies each router/server on that list and the round-trip time from your device to each of them (not the time between one hop and the next). If there was a hiccup or interruption in the transfer of data, the traceroute will show where along the route the problem occurred.


Aside from being somewhat interesting, performing a traceroute also has a very practical use: If someone is having difficulty accessing a particular website or computer, performing a traceroute can help find out where the problem is occurring along the network.

How data travels.

Each computer on the trace route is identified by its IP address, which for IPv4 is four numbers from 0 to 255 separated by periods (for example 192.0.2.1) and identifies that computer's unique network connection. The trip to one router or server is called a HOP. The time it takes to make a HOP is measured in milliseconds, and the information that travels on each HOP is called a packet.

A trace route readout typically will display three separate columns for the hop time, as each traceroute sends out three separate packets of information to each computer. At the very top of the list, the traceroute will give the limit of how many lines of hops it will display—30 hops is often the default number of Hops.

When a traceroute gets no reply from a hop, Windows tracert displays "Request timed out." and each of the hop columns shows an asterisk instead of a millisecond count (UNIX traceroute shows only the asterisks). This does not necessarily mean the hop is down: many routers simply do not answer expired probes, so what matters is whether later hops still reply.
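As an added example (not part of the original article, and not a ProfiTAP tool), the following Python script parses the readout described above, in the Windows tracert format, and applies the reading rules a practitioner uses: a hop that times out between two answering hops is just a router that does not send Time Exceeded, a run of timeouts to the end means the path is cut after the last answering hop, and a per-hop latency spike that later hops do not inherit is a reply-path or control-plane artifact rather than a forwarding problem. The two tracert outputs embedded in it are constructed samples, the addresses are from documentation ranges, and the 50 ms jump threshold is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of `tracert -d 8.8.8.8` on Windows (not a real capture).
SAMPLE_OK = """\
Tracing route to 8.8.8.8 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2    12 ms    11 ms    13 ms  10.0.0.1
  3     *        *        *     Request timed out.
  4    25 ms    24 ms    26 ms  203.0.113.9
  5    91 ms    88 ms    90 ms  198.51.100.7
  6    27 ms    25 ms    26 ms  8.8.8.8

Trace complete.
"""

# Constructed sample where nothing past hop 3 answers (not a real capture).
SAMPLE_BLOCKED = """\
Tracing route to 203.0.113.50 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2    12 ms    11 ms    13 ms  10.0.0.1
  3    25 ms    24 ms    26 ms  203.0.113.9
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.

Trace complete.
"""


@dataclass
class Hop:
    number: int
    rtts_ms: List[Optional[float]]   # one entry per probe; None where tracert printed "*"
    address: Optional[str]           # None when all three probes timed out

    @property
    def timed_out(self) -> bool:
        return all(r is None for r in self.rtts_ms)

    @property
    def best_ms(self) -> Optional[float]:
        answered = [r for r in self.rtts_ms if r is not None]
        return min(answered) if answered else None


HEADER = re.compile(r"Tracing route to (\S+)(?: \[(\S+)\])?")
HOP_LINE = re.compile(r"^\s*(\d+)\s+(.*?)\s*$")
PROBE = re.compile(r"(?:(\*)|(<?)(\d+(?:\.\d+)?)\s+ms)\s*")   # one of the three probe columns


def target_of(text: str) -> Optional[str]:
    """Target IP from the header line ('name [ip]' when tracert resolved a name)."""
    m = HEADER.search(text)
    return (m.group(2) or m.group(1)) if m else None


def parse_hop(line: str) -> Optional[Hop]:
    m = HOP_LINE.match(line)
    if not m:
        return None
    number, rest = int(m.group(1)), m.group(2)
    rtts: List[Optional[float]] = []
    pos = 0
    for _ in range(3):                       # tracert sends three probes per TTL
        pm = PROBE.match(rest, pos)
        if not pm:
            return None                      # not a hop line
        # "<1 ms" is sub-millisecond; keep 1.0 as the upper bound
        rtts.append(None if pm.group(1) else float(pm.group(3)))
        pos = pm.end()
    tail = rest[pos:].strip()
    if not tail or tail.startswith("Request timed out"):
        address = None
    else:
        # -d prints the bare IP; otherwise tracert prints "name [ip]"
        bracket = re.search(r"\[([^\]]+)\]", tail)
        address = bracket.group(1) if bracket else tail.split()[0]
    return Hop(number, rtts, address)


def parse_tracert(text: str) -> List[Hop]:
    return [h for h in map(parse_hop, text.splitlines()) if h is not None]


def diagnose(hops: List[Hop], target: str, jump_ms: float = 50.0) -> Dict[str, object]:
    """Where, if anywhere, does the trouble start?"""
    answered = [h for h in hops if not h.timed_out]
    # A silent hop between answering hops is a router that does not send Time Exceeded
    # (or rate-limits it); only a silent tail means the path is cut.
    silent = [h.number for h in hops if h.timed_out]
    last_answering = answered[-1].number if answered else None
    reached = bool(answered) and answered[-1].address == target and not hops[-1].timed_out
    # Each hop's RTT is to that router's control plane, so a spike that later hops
    # do not inherit is not a forwarding problem; flag only a jump that persists.
    jump_at = None
    for i in range(1, len(answered)):
        prev = answered[i - 1].best_ms
        if all(h.best_ms - prev > jump_ms for h in answered[i:]):
            jump_at = answered[i].number
            break
    return {"reached": reached, "silent_hops": silent,
            "last_answering": last_answering, "persistent_jump_at": jump_at}


if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_BLOCKED):
        print(target_of(sample), diagnose(parse_tracert(sample), target_of(sample)))
```

Run it on a saved tracert output by reading the file into a string and passing it to parse_tracert; the first sample reports hop 3 as silent but the destination reached, and hop 5's 90 ms spike is ignored because hop 6 answers in 25 ms, while the second sample reports the path cut after hop 3.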

How to run a traceroute.

On a PC running Windows, you can perform a traceroute using the tracert utility built into the operating system (bear in mind that heavily secured networks often filter the ICMP probes, so hops behind a firewall, or the target itself, may not answer). You'll need to know the domain name, IP address or name of the specific computer you're trying to reach.

Using the traceroute utility, you would type "tracert x"—where "x" stands for the IP address, the domain name or the computer name.

If using Macintosh OS X or any subsequent version, you may use either the Terminal program (the command is traceroute) or the Network Utility application to generate a traceroute. The utility will display the traceroute on your screen.

How to Use TRACERT Options

There are several command-line options that you can use with TRACERT, although the options are not usually necessary for standard troubleshooting.

The following example of command syntax shows all of the possible options:

tracert [-d] [-h maximum_hops] [-j host-list] [-w timeout] [-R] [-S srcaddr] [-4] [-6] target_host

What the options do:

-d - Specifies to not resolve addresses to host names.

-h maximum_hops - Specifies the maximum number of hops to search for the target. If the target is not found within that many hops, tracert stops looking; the default is 30.

-j host-list - Specifies a loose source route along the host-list (IPv4 only).

-w timeout - Waits the number of milliseconds specified by timeout for each reply.

target_host - Specifies the name or IP address of the target host

-R - Trace round-trip path (IPv6-only)

-S srcaddr - Source address to use (IPv6-only)

-4 - Force using IPv4.

-6 - Force using IPv6.

The tracert command is a Command Prompt command that's used to show several details about the path that a packet takes from the computer or device you're on to whatever destination you specify.

You might also sometimes see the tracert command referred to as the trace route command or traceroute command.


To analyze tracert traffic, start a Wireshark capture on the active interface and then run: tracert -d 8.8.8.8

1. Observe the traffic captured in the top Wireshark packet list pane. Look for traffic with ICMP listed as the protocol. To view only ICMP traffic, type icmp (lower case) in the Filter box and press Enter.

2. Select the first ICMP packet, labeled Echo (ping) request.

3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Internet Control Message Protocol frame.

4. Expand Internet Protocol Version 4 to view IPv4 details.

5. Observe the Time to live. Notice that the time to live is set to 1.

6. Expand Internet Control Message Protocol to view ICMP details.

7. Observe the Type. Notice that the type is 8 (Echo (ping) request). Tracert is performed through a series of ICMP Echo requests, incrementing the Time-To-Live (TTL) until the destination itself answers with an Echo reply (type 0).

8. In the top Wireshark packet list pane, select the second ICMP packet, labeled Time-to-live exceeded.

9. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II /Internet Protocol Version 4 / Internet Control Message Protocol frame.

10. Expand Internet Protocol Version 4 to view IPv4 details.

11. Observe the Source. This is the IP address of the router where the time was exceeded.

12. Expand Internet Control Message Protocol to view ICMP details.

13. Observe the Type. Notice that the type is 11 (Time-to-live exceeded).

14. Observe the Code. Notice that the code is 0 (Time to live exceeded in transit).

15. Observe the fields that follow. Notice that the contents of the request packet are returned with the time exceeded error.

16. Continue selecting alternate ICMP Echo Request and ICMP Time-To-Live Exceeded packets. Notice that the request is repeated three times for each time-to-live count, and each reply indicates the IP address of the router where the time to live was exceeded.
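The mechanism described earlier under "Know your Network" (TTL decremented hop by hop, Time Exceeded type 11 code 0 returned by the router where it hit zero, and some routers staying silent) and the fields inspected in the Wireshark walkthrough above can be reproduced byte for byte. The following Python is an added example, not code from the original article or from ProfiTAP or Wireshark: it builds the IPv4/ICMP Echo Request probe as the capture shows it (TTL=1, type 8, the 32-byte Windows payload), models what each router does with it, decodes the Time Exceeded reply including the quoted original header, and runs the TTL-increment loop across a constructed three-router path in which one router is set to drop expired packets silently. All addresses and the path are assumptions; nothing is sent on the wire.

```python
import struct
from socket import inet_aton, inet_ntoa
from typing import Dict, List, Optional, Tuple

ECHO_REPLY, ECHO_REQUEST, TIME_EXCEEDED = 0, 8, 11
# Windows ping/tracert fill the Echo payload with this 32-byte pattern.
WIN_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; data carrying a valid checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, ttl: int, proto: int, payload_len: int) -> bytes:
    """20-byte IPv4 header (IHL=5, no options) with the header checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                      ttl, proto, 0, inet_aton(src), inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def icmp(itype: int, code: int, rest: bytes, body: bytes = b"") -> bytes:
    """ICMP message: type, code, checksum, 4 'rest of header' bytes, then body."""
    msg = struct.pack("!BBH", itype, code, 0) + rest + body
    return msg[:2] + struct.pack("!H", checksum(msg)) + msg[4:]


def echo_request(src: str, dst: str, ttl: int, ident: int, seq: int) -> bytes:
    """One tracert probe: IPv4 with the given TTL carrying ICMP Echo Request (type 8)."""
    body = icmp(ECHO_REQUEST, 0, struct.pack("!HH", ident, seq), WIN_PAYLOAD)
    return ipv4_header(src, dst, ttl, 1, len(body)) + body


def router_forward(router_ip: str, pkt: bytes) -> Tuple[Optional[bytes], Optional[bytes]]:
    """Model one router; returns (forwarded packet, reply to the sender). The TTL is
    decremented; if it would reach 0 the datagram is discarded and ICMP Time Exceeded
    (type 11, code 0) goes back quoting the original IP header plus 8 payload bytes."""
    ttl, sender = pkt[8], inet_ntoa(pkt[12:16])
    if ttl <= 1:
        reply = icmp(TIME_EXCEEDED, 0, b"\x00" * 4, pkt[:28])
        return None, ipv4_header(router_ip, sender, 64, 1, len(reply)) + reply
    hdr = pkt[:8] + bytes([ttl - 1]) + pkt[9:10] + b"\x00\x00" + pkt[12:20]
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]   # refresh checksum
    return hdr + pkt[20:], None


def decode(pkt: bytes) -> Dict[str, object]:
    """The fields the Wireshark walkthrough inspects, after verifying both checksums."""
    ihl = (pkt[0] & 0x0F) * 4
    ic = pkt[ihl:]
    if checksum(pkt[:ihl]) != 0 or checksum(ic) != 0:
        raise ValueError("corrupt IPv4 or ICMP checksum")
    info: Dict[str, object] = {"src": inet_ntoa(pkt[12:16]), "dst": inet_ntoa(pkt[16:20]),
                               "ttl": pkt[8], "type": ic[0], "code": ic[1]}
    if ic[0] in (ECHO_REQUEST, ECHO_REPLY):
        info["ident"], info["seq"] = struct.unpack("!HH", ic[4:8])
    elif ic[0] == TIME_EXCEEDED:
        # After the 8-byte ICMP header comes the quoted original datagram; its
        # ident/seq is how a probe can be matched to the TTL it was sent with.
        inner = ic[8:]
        q = (inner[0] & 0x0F) * 4
        info["quoted_dst"] = inet_ntoa(inner[16:20])
        info["quoted_type"] = inner[q]
        info["quoted_ident"], info["quoted_seq"] = struct.unpack("!HH", inner[q + 4:q + 8])
    return info


def trace(src: str, dst: str, routers: List[str], silent=(), max_hops: int = 30
          ) -> List[Tuple[int, Optional[str]]]:
    """Simulated tracert: one probe per TTL, recording which address answered.
    Routers in `silent` drop expired probes without Time Exceeded (tracert shows '*')."""
    hops: List[Tuple[int, Optional[str]]] = []
    for ttl in range(1, max_hops + 1):
        pkt = echo_request(src, dst, ttl, ident=1, seq=ttl)
        answer = None
        for router in routers:
            pkt, expired = router_forward(router, pkt)
            if expired is not None:
                answer = None if router in silent else expired
                break
        else:   # every router forwarded it, so the destination sends Echo Reply
            req = decode(pkt)
            body = icmp(ECHO_REPLY, 0, struct.pack("!HH", req["ident"], req["seq"]), pkt[28:])
            answer = ipv4_header(dst, src, 64, 1, len(body)) + body
        info = decode(answer) if answer is not None else None
        hops.append((ttl, info["src"] if info else None))
        if info and info["type"] == ECHO_REPLY:
            break
    return hops


if __name__ == "__main__":
    path = ["192.168.1.1", "10.0.0.1", "203.0.113.9"]   # constructed path
    for ttl, who in trace("192.168.1.20", "8.8.8.8", path, silent={"10.0.0.1"}):
        print(ttl, who or "*")
```

Running the script prints hop 1 as 192.168.1.1, hop 2 as "*" (the silent router), hop 3 as 203.0.113.9 and hop 4 as 8.8.8.8 answering with an Echo Reply. With the UNIX UDP-based traceroute the quoted inner datagram would carry a UDP header instead of an Echo Request, and the final answer would be ICMP Destination Unreachable (type 3, code 3, port unreachable) rather than an Echo Reply; the TTL and Time Exceeded handling is identical.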

Wireshark trace with filtering (screenshot)


George Bouchard
Author - George Bouchard - George is a Technology Writer and Evangelist for ProfiTAP, a worldwide leader in providing unique, high-quality visibility and access solutions for network visibility and testing. “It All Starts with Visibility!”

George has been associated with many network analysis and testing companies in his many years in the networking industry: Network General, makers of the original network “Sniffer”; Netcom (now Spirent); NetIQ (now part of Micro Focus); and ClearSight.

The technology industry has always amazed me because the technology of my youth was the Monroe Calculator and the IBM Electric Typewriter (before the Selectric). I am always in awe of how far the industry has advanced in my lifetime.

**Note from the Editor - I have known George for many decades, and not only is he a super friend but an awesome and very experienced technologist, and that is why he is writing the "Know Your Network" series, with others, for ProfiTAP!




September 19, 2019

State-sponsored entities targeting Airline Industry (Part 1)


 Executive Summary

Airlines and the airport industry in general are highly lucrative targets for APT groups; they are rife with information that other countries would find useful.

NETSCOUT data from 2019 shows airport and airline targeting remains strong and steady, with Russian, Chinese, and Iranian APT groups attempting access.

Not only do we see state-sponsored threats targeting the industry, we also see a large amount of DDoS attacks, which we’ll cover in a follow-up blog (Part 2).

Read the whole article - Free - Click Here

Key Findings:

• Airlines and airports are targeted by APT actors regularly as they possess a wealth of information on people, logistics, business, and intellectual property.

• Airlines and airports are critical infrastructure entities with security concerns that extend far beyond physical security of passengers.

• Substantial theft by APT groups has already occurred; the information now in the hands of adversarial states is concerning.

Airline Industry Targeting

Airlines and airports are targeted by APT actors regularly, although it’s usually the intellectual property theft from airplane manufacturers that gets the most attention.

There are many reasons why the airline industry or airports themselves would be targets of APT:

  1. Logistics of Things

  2. Logistics of Passengers

  3. The Information of Passengers

  4. Business Information

  5. Intellectual Property

  6. Smuggling

  7. Sabotage, Destruction, & Terrorism


Want more information on Threat Intelligence, Attack modalities...etc - Click Here

Author - ATLAS Security Engineering & Response Team (ASERT)