Find Breaches Faster Using Indicators of Compromise! (by Keith Bromley)

Every network has blind spots. In fact, blind spots have become a serious security issue for enterprises and service providers. According to the 2016 Verizon Data Breach Investigation Report, most victimized companies don't discover the security breach themselves. Approximately 75% have to be informed by law enforcement and 3rd parties (customers, suppliers, business partners, etc.) that they have been breached. To make matters worse, the average time to breach detection was 168 days, according to the 2016 Trustwave Global Security Report.

Whether you think that security breaches are inevitable or not, you still need to be able to mitigate any damage done by quickly detecting and remediating all breaches. One fast way to do this is to capture application-level traffic running on your network and analyze it from a macroscopic point of view—using indicators of compromise (IOC). Security breaches almost always leave behind some indication of the intrusion, whether it is malware, suspicious activity, some sign of another exploit, or the IP addresses of the malware controller.

A visibility architecture that uses application intelligence can be used to capture the IOC needed. The breadcrumbs are there, they just need to be illuminated. What if you could reduce the 168 day average to 168 seconds?

If you are not familiar with application intelligence, this is basically the real-time visualization of application level data. This includes the dynamic identification of known and unknown applications on the network, application traffic and bandwidth utilization, detailed breakdowns of applications in use by application type, and geo-locations of users and devices while accessing applications.

Distinct signatures for known and unknown applications can be identified, captured and passed on to specialized monitoring tools to provide network managers a complete view of their network. The filtered application information is typically sent on to 3rd party monitoring tools (e.g. Plixer, Splunk, etc.) as NetFlow information but could also be consumed through a direct user interface in the network packet broker (NPB). The benefit to sending the information to 3rd party monitoring tools is that it often gives them more granular, detailed application data than they would have otherwise to improve their efficiency.

Indicators of compromise and application intelligence

IT security and analytics tools are only as good as the data they are seeing. To thwart security attacks, you need the ability to detect application signatures and monitor your network so that you know what is, and what is not, happening on your network. This allows you to see rogue users and applications running on your network. When hackers break into your network, they leave a visible footprint as they travel through your systems and networks. Once this is coupled with additional metadata, you have actionable intelligence that can be used to fight back.

For example, let's say you have an internal network with secure data on it that is shared across many geographies. That data may be summarized as an application, like Perforce or Exchange. Wouldn't you like to know when someone from a geography where you don't have an office is accessing those applications on your intranet? Alternatively, what if you see a dynamic app called "" show up on your network? This is an example of spoofing. You didn't even know to look for it, which is why spoofing works for the bad guys. Wouldn't you like to be able to rapidly see who all of the users are on the network who have used this application so you can notify them of the breach?

Other examples of IOC include: 

  • Unusual level of outbound traffic
  • Outbound traffic to unusual IP addresses and geographies
  • Unusual increases in application bandwidth flows
  • Increases in read volume size
  • Unusual increases in SAN access volume
  • Applications using unusual ports
  • Mobile device profile changes
  • Large amounts of data stored in the wrong places

One way to surface these IOCs is to look at metadata via enhanced NetFlow records. This enables you to detect and investigate the footprint left behind. With the right NPB, you can generate NetFlow data based upon: application signature (and granular application actions), email addresses, credit card numbers, DNS traffic, and web traffic (encrypted or not). This enables you to rapidly identify data exfiltration exploits and/or rogue applications that could be carrying malware.

Data exfiltration example

Suppose there is a foreign actor in Eastern Europe (or another area of the world) that has gained access to your network. Using application intelligence and geo-location information, you would easily be able to see that someone in Eastern Europe is transferring files off the network from an FTP server in Dallas, Texas.

First, the FTP application would show up on the dashboard as being in use. Then you could quickly set up a filter, in less than two minutes, that focuses on the signature for the FTP application. Once this was in place, you would be able to see the geographic flow of data from Dallas to the Eastern European country. If you have no known users at that location, you would be able to clearly identify that something suspicious is happening.

After you have discovered the infiltration, you can then start the remediation process. In this case, NetFlow data (along with additional information like geolocation, device type, DNS information, and browser type) captured from the event can be forwarded to an external data storage device for retention and further analysis. At the same time, you have actionable information (like the destination IP address) that can be used to immediately terminate the data transfer and prevent any further loss of corporate or personally identifiable information (PII).
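The IOC list above and the FTP exfiltration walk-through describe the same workflow: take flow records that an NPB has enriched with application signature and geo-location, apply a few indicator checks, and turn the hits into something actionable such as a destination IP to block. The following is an added example written for this article; it is not Ixia's code nor part of the original post. The flow record fields, the list of known office geographies, the expected-port table, the per-application byte baselines and the sample flows are all constructed assumptions for illustration.

```python
"""Indicator-of-compromise checks over NetFlow-style records enriched with
application and geo-location metadata (added example; record format, sites,
baselines and sample flows are all assumed for illustration)."""
from collections import defaultdict

# Constructed sample export: one record per flow, already tagged by an
# (assumed) application-intelligence layer with the app name and geography.
SAMPLE_FLOWS = [
    {"src": "10.1.1.20", "dst": "10.2.2.5",      "app": "Exchange", "port": 443,
     "bytes_out": 2_000_000,   "src_geo": "US-Dallas", "dst_geo": "US-Austin"},
    {"src": "10.1.1.50", "dst": "203.0.113.77", "app": "FTP",      "port": 21,
     "bytes_out": 850_000_000, "src_geo": "US-Dallas", "dst_geo": "EasternEurope"},
    {"src": "10.1.1.51", "dst": "198.51.100.9", "app": "HTTP",     "port": 8443,
     "bytes_out": 120_000,     "src_geo": "US-Dallas", "dst_geo": "US-Chicago"},
    {"src": "10.1.1.52", "dst": "10.2.2.8",      "app": "Perforce", "port": 1666,
     "bytes_out": 40_000_000,  "src_geo": "US-Dallas", "dst_geo": "US-Austin"},
]

# Assumed: geographies where the organisation actually has offices or users.
KNOWN_GEOS = {"US-Dallas", "US-Austin", "US-Chicago"}
# Assumed: the ports each application is expected to use on this network.
EXPECTED_PORTS = {"FTP": {20, 21}, "HTTP": {80}, "Exchange": {443}, "Perforce": {1666}}
# Assumed: typical outbound bytes per flow for each application (a baseline
# you would normally derive from historical NetFlow, not hard-code).
BASELINE_BYTES = {"FTP": 5_000_000, "HTTP": 500_000, "Exchange": 5_000_000, "Perforce": 20_000_000}


def is_internal(ip):
    """Crude RFC 1918 check sufficient for the constructed sample (10.0.0.0/8 only)."""
    return ip.startswith("10.")


def detect_indicators(flows, known_geos=KNOWN_GEOS, expected_ports=EXPECTED_PORTS,
                      baselines=BASELINE_BYTES, factor=10):
    """Return (indicator_name, flow) pairs for three of the article's IOC classes:
    outbound traffic to an unusual geography, an application on an unusual
    port, and an unusual outbound volume (more than `factor` times baseline)."""
    findings = []
    for f in flows:
        if not is_internal(f["dst"]) and f["dst_geo"] not in known_geos:
            findings.append(("outbound-to-unknown-geography", f))
        expected = expected_ports.get(f["app"])
        if expected is not None and f["port"] not in expected:
            findings.append(("application-on-unusual-port", f))
        baseline = baselines.get(f["app"])
        if baseline is not None and f["bytes_out"] > factor * baseline:
            findings.append(("unusual-outbound-volume", f))
    return findings


def geo_flow_summary(flows, app):
    """The 'dashboard' view from the walk-through: bytes moved per
    (source geography, destination geography) pair for one application."""
    totals = defaultdict(int)
    for f in flows:
        if f["app"] == app:
            totals[(f["src_geo"], f["dst_geo"])] += f["bytes_out"]
    return dict(totals)


def prioritise_destinations(findings, min_indicators=2):
    """Actionable output for remediation: destination IPs that triggered at
    least `min_indicators` distinct indicators, most indicators first."""
    by_dst = defaultdict(set)
    for name, f in findings:
        by_dst[f["dst"]].add(name)
    ranked = sorted(by_dst.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [dst for dst, names in ranked if len(names) >= min_indicators]


if __name__ == "__main__":
    hits = detect_indicators(SAMPLE_FLOWS)
    for name, f in hits:
        print(f"{name:32s} {f['app']:9s} {f['src']} -> {f['dst']} ({f['dst_geo']})")
    print("FTP geo flows:", geo_flow_summary(SAMPLE_FLOWS, "FTP"))
    print("destinations to act on:", prioritise_destinations(hits))
```

On the constructed sample the FTP flow to Eastern Europe trips both the geography and the volume checks and is the only destination returned for action, while the HTTP flow on port 8443 is reported but, with a single indicator, is left for an analyst rather than automatic blocking. The baselines and the factor of 10 are the knobs an operator would tune against real NetFlow history.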

Once you have the intelligence, you have the possibility of dramatically reducing the 168-day median time of detection.

[Figure: Example of a visibility architecture using application intelligence to detect indicators of compromise]

If you want additional information on this subject, Ixia has a solution that can extract indicators of compromise from application data and report on it using context-aware processing to strengthen your security architecture. The Ixia solution contains additional information including: geolocation, browser type, device type, DNS, HTTP and other information. The metadata provided helps you to rapidly and uniquely identify suspicious traffic or activity and drill down to see defining characteristics that reveal further insight on the hacker's footprint. Ixia was the first to market with these metadata capabilities in 2014 and we have continued to enhance these capabilities to deliver actionable intelligence. Visit this webpage and read this free in-depth whitepaper (Five Ways Application Intelligence Will Supercharge Your Monitoring Tools) for much more information.


Author: Keith Bromley is a product marketing manager for Ixia, Inc., with more than 20 years of industry experience in marketing and engineering. Keith is responsible for marketing activities for Ixia's network monitoring switch solutions. As a spokesperson for the industry, Keith is a subject matter expert on network monitoring, management systems, unified communications, IP telephony, SIP, wireless and wireline infrastructure. Keith joined Ixia in 2013 and has written many industry whitepapers covering topics on network monitoring, network visibility, IP telephony drivers, SIP, unified communications, as well as discussions around ROI and TCO for IP solutions. Prior to Ixia, Keith worked for several national and international Hi-Tech companies including NEC, ShoreTel, DSC, Metro-Optix, Cisco Systems and Ericsson, for whom he was industry liaison to several technical standards bodies. He holds a Bachelor of Science in Electrical Engineering.