This post is the tenth and last of a multi-part series called Advanced Methods to Detect Advanced Cyber Attacks. The series explores advanced investigative analytic searches that analyze network traffic and enable incident responders and security analysts to think and react as fast as the attackers targeting their organization’s network. In this final post, we’ll see a security solution capable of separating normal well-formed traffic from abnormal attacker traffic by looking at network data only. And we’ll see why that is useful. Joe: Hey Bob, 10.217.145.233 is sending a lot of traffic on port 80.Bob: So…web traffic. Why did that…
Advanced Methods to Detect Advanced Cyber Attacks: Two Degrees of Separation
This post is the ninth of a multi-part series called Advanced Methods to Detect Advanced Cyber Attacks. The series explores advanced investigative analytic searches that analyze network traffic and enable incident responders and security analysts to think and react as fast as the attackers targeting their organization’s network. Today we’re going to look at how to start playing Six Degrees of Kevin Bacon with network traffic for the purpose of efficiently executing a network security investigation. In the Computer Network Defense version of Six Degrees, we’re looking to link network hosts together based on who they’ve exchanged traffic with (vs. starring in…
Advanced Methods to Detect Advanced Cyber Attacks: Suspicious Admin Toolkits
This post is the eighth of a multi-part series called Advanced Methods to Detect Advanced Cyber Attacks. The series explores advanced investigative analytic searches that analyze network traffic and enable incident responders and security analysts to think and react as fast as the attackers targeting their organization’s network. Today we’ll look at a particular class of software tools used by attackers called Administration Toolkits. Oftentimes these toolkits enable remote system administration, and are called Remote Admin Toolkits. Sometimes, however, they are used more locally by attackers, so we’ll generally refer to these tools as Suspicious Admin Toolkits, or just admin…
Why the DoD Uses Advanced Network-traffic Analytics to Secure its Network: Current Security Solutions are Limited
This multi-part blog series explores how advanced network-traffic analytics changed how the Department of Defense approaches its overall cyber security operations, creating a far more effective methodology for protecting many of our nation’s most sensitive networks. Today we’ll cover the limitations associated with today’s best, mostly automated tools such as SIEMs, security analytics and perimeter defenses. The problems encountered by the DoD before they began to use advanced network-traffic analytics are identical to the problems enterprises encounter today with securing their own networks. As most everyone in cyber security realizes by now, a determined attacker will almost always find a way…
Advanced Methods to Detect Advanced Cyber Attacks: Relay Finder
This post is the seventh of a multi-part series called Advanced Methods to Detect Advanced Cyber Attacks. The series explores advanced investigative analytic searches that analyze network traffic and enable incident responders and security analysts to think and react as fast as the attackers targeting their organization’s network. Today we’ll review a network traffic search technique that takes full advantage of the historic visibility and rapid querying capability of an advanced network traffic analysis system. This analytic is most relevant for large enterprises and law enforcement agencies that routinely search through large and potentially disparate volumes of network traffic during investigations,…
70% of a Security Analyst’s Day is a Waste of Time
Last week I posted a blog about how in a past life I had spent 30 days doing excruciating, tedious, data fusion work to piece together an answer to a basic question around how our company had done at a trade show, and how this experience is directly relevant to the life of a security analyst. I was not a marketing analyst, so this was not my day-to-day job, and I was really curious as to how much time someone who does do analysis day-in and day-out, a security analyst, spends wrangling data from multiple systems in a similar multi-database…
Can Marketing Analysis Possibly be Similar to Cyber Security Analysis?
As a marketing professional, it’s my job to understand and communicate to my customers and potential customers. In the highly technical world of cyber security, this can often be difficult, not because I don’t or can’t understand the technology (I am a former engineer and coder), but because almost instantly when a cyber professional hears the word marketing in my title, they often assume I know nothing (or worse, but I won’t go into that here). So, I thought I’d take the opportunity to relate a story from my marketing life that is directly related to the job of a cyber…
Advanced Methods to Detect Advanced Cyber Attacks: RDP Keyboard Layout
This post is the sixth of a multi-part series called Advanced Methods to Detect Advanced Cyber Attacks. The series explores advanced investigative analytic searches that analyze network traffic and enable incident responders and security analysts to think and react as fast as the attackers targeting their organization’s network. Today we cover the detection of anomalous Remote Desktop Protocol sessions. Remote Desktop Connection (RDC), formerly known as Terminal Services Client, is a Microsoft user application that enables a user to remotely log into a networked computer and interactively use the desktop interface as if they were sitting in front of the local machine….
‘Can Security Analytics Replace Humans?’
Why do we think that we can eliminate human creativity, insight and inspiration from the process of defending a network from attacking human creativity, insight and inspiration?
Advanced Methods to Detect Advanced Cyber Attacks: Protocol Abuse
This post is the fifth of a multi-part series called Advanced Methods to Detect Advanced Cyber Attacks. The series explores advanced investigative analytic searches that analyze network traffic and enable incident responders and security analysts to think and react as fast as the attackers targeting their organization’s network. In today’s installment we cover the detection of covert communication channels created in breached networks by advanced attackers. Network intrusions happen – there’s no way around it. If an organization is connected to the internet and has users that read email, view websites, and like to click on things (who doesn’t?) eventually an attacker…
