This post is the tenth and last of a multi-part series called Advanced Methods to Detect Advanced Cyber Attacks. The series explores advanced investigative analytic searches that analyze network traffic and enable incident responders and security analysts to think and react as fast as the attackers targeting their organization’s network. In this final post, we’ll see a security solution capable of separating normal well-formed traffic from abnormal attacker traffic by looking at network data only. And we’ll see why that is useful. Joe: Hey Bob, 10.217.145.233 is sending a lot of traffic on port 80.Bob: So…web traffic. Why did that…
Advanced Methods to Detect Advanced Cyber Attacks: Two Degrees of Separation
This post is the ninth of a multi-part series called Advanced Methods to Detect Advanced Cyber Attacks. The series explores advanced investigative analytic searches that analyze network traffic and enable incident responders and security analysts to think and react as fast as the attackers targeting their organization’s network. Today we’re going to look at how to start playing Six Degrees of Kevin Bacon with network traffic for the purpose of efficiently executing a network security investigation. In the Computer Network Defense version of Six Degrees, we’re looking to link network hosts together based on who they’ve exchanged traffic with (vs. starring in…
Why SIEMs with Advanced Network-traffic Analytics is a Powerful Combination
Security Information and Event Management solutions – SIEMs – have become quite commonplace within cyber security operations today, and because of this, there is a lot of confusion as to exactly what a SIEM is versus an advanced network-traffic analytics solution. The short answer is that SIEMs aggregate, correlate and analyze events, logs and alerts produced by machines, while an advanced network traffic analytics solution enables the rapid analysis of raw network-traffic by security analysts. The longer answer is, of course, much more complex than this, while cyber security shops that use both have a powerful combination on their hands….
Advanced Methods to Detect Advanced Cyber Attacks: Suspicious Admin Toolkits
This post is the eighth of a multi-part series called Advanced Methods to Detect Advanced Cyber Attacks. The series explores advanced investigative analytic searches that analyze network traffic and enable incident responders and security analysts to think and react as fast as the attackers targeting their organization’s network. Today we’ll look at a particular class of software tools used by attackers called Administration Toolkits. Oftentimes these toolkits enable remote system administration, and are called Remote Admin Toolkits. Sometimes, however, they are used more locally by attackers, so we’ll generally refer to these tools as Suspicious Admin Toolkits, or just admin…
Why the DoD Uses Advanced Network-traffic Analytics to Secure its Network: Current Security Solutions are Limited
This multi-part blog series explores how advanced network-traffic analytics changed how the Department of Defense approaches its overall cyber security operations, creating a far more effective methodology for protecting many of our nation’s most sensitive networks. Today we’ll cover the limitations associated with today’s best, mostly automated tools such as SIEMs, security analytics and perimeter defenses. The problems encountered by the DoD before they began to use advanced network-traffic analytics are identical to the problems enterprises encounter today with securing their own networks. As most everyone in cyber security realizes by now, a determined attacker will almost always find a way…
Advanced Methods to Detect Advanced Cyber Attacks: Relay Finder
This post is the seventh of a multi-part series called Advanced Methods to Detect Advanced Cyber Attacks. The series explores advanced investigative analytic searches that analyze network traffic and enable incident responders and security analysts to think and react as fast as the attackers targeting their organization’s network. Today we’ll review a network traffic search technique that takes full advantage of the historic visibility and rapid querying capability of an advanced network traffic analysis system. This analytic is most relevant for large enterprises and law enforcement agencies that routinely search through large and potentially disparate volumes of network traffic during investigations,…
Enhance Your Security Threat Assessment
On-Demand Webinar | Recorded on June, 3, 2015
Discover how Hortonworks HDP and Novetta Entity Analytics can help Oil and Gas companies construct complete, integrated, and clear global profiles of suspicious individuals, terrorists and criminal threats.
70% of a Security Analyst’s Day is a Waste of Time
Last week I posted a blog about how in a past life I had spent 30 days doing excruciating, tedious, data fusion work to piece together an answer to a basic question around how our company had done at a trade show, and how this experience is directly relevant to the life of a security analyst. I was not a marketing analyst, so this was not my day-to-day job, and I was really curious as to how much time someone who does do analysis day-in and day-out, a security analyst, spends wrangling data from multiple systems in a similar multi-database…
Can Marketing Analysis Possibly be Similar to Cyber Security Analysis?
As a marketing professional, it’s my job to understand and communicate to my customers and potential customers. In the highly technical world of cyber security, this can often be difficult, not because I don’t or can’t understand the technology (I am a former engineer and coder), but because almost instantly when a cyber professional hears the word marketing in my title, they often assume I know nothing (or worse, but I won’t go into that here). So, I thought I’d take the opportunity to relate a story from my marketing life that is directly related to the job of a cyber…
Advanced Methods to Detect Advanced Cyber Attacks: RDP Keyboard Layout
This post is the sixth of a multi-part series called Advanced Methods to Detect Advanced Cyber Attacks. The series explores advanced investigative analytic searches that analyze network traffic and enable incident responders and security analysts to think and react as fast as the attackers targeting their organization’s network. Today we cover the detection of anomalous Remote Desktop Protocol sessions. Remote Desktop Connection (RDC), formerly known as Terminal Services Client, is a Microsoft user application that enables a user to remotely log into a networked computer and interactively use the desktop interface as if they were sitting in front of the local machine….
