Referring back to my initial post, I said:
“I believe that the network itself (remembering my specific interpretation of the word “network”) is a great and often untapped source of security information”
Why do I think this, and what does it all boil down to at the end of the day?
Well, the “why” is based on the following rash assumptions:
- Rash assumption #1 – “Badness” exists on the Internet (by “Badness” I’m talking about threats including viruses, trojans, bots and other such malware)
- Rash assumption #2 – If the Badness reaches your computer, the most likely (but far from only) means by which it got there is via the network. It could have come in via an email, or a drive-by download, or via a peer-to-peer filesharing application – at this point in the discussion, the precise infection vector is unimportant. I just want to stress the fact that having a network connection provides a potential way in for Badness
- Rash assumption #3 – Once present on your computer, the Badness will use the network in some way, either to receive a list of Evil Tasks from the Baddies, or to send the Baddies your banking credentials, or to perpetrate some other naughtiness.
Hopefully none of these assumptions can be reasonably refuted!
The common theme amongst these assumptions is the network itself. By connecting yourself to the Internet, you’re tapping into a vast pool of Badness, all of which wants to make its way onto your computer. Once there, the byproducts of the Badness will leave your computer via the same route – the network. It therefore follows that it ought to be productive to monitor the traffic crossing the network, and look out for signs of Badness.
Still with me?
Given the existence of the Badness, and the potential route it has to get onto your computer, what can we do about it? We clearly need some defences here. A three-layered approach might be to strive to achieve the following:
- Stop the Badness in its tracks. This is the ideal situation, and can be addressed with preventative measures such as:
- Network- and host-based firewalls
- Network Intrusion Prevention Sensors (IPS), which inspect packet contents inline and drop traffic that matches known attack signatures; in effect a specialised class of firewall
- Email firewalls that scan messages for Badness well before the message actually reaches your computer
- Network-based URL filters or proxies that intercept your web requests and stop you from fetching anything that is known to be Bad
- Anti-virus software
- Keeping the software on your computer patched in a timely fashion
However, sooner or later, one or more of these will let you down and the Badness will get to your computer. So, at some point or another, we’ll need to fall back to the second line, which is to:
- Detect the Badness in a timely fashion. If we can’t stop the Badness, at least give us a chance to detect the Badness so that we can act before something really catastrophic goes down. We have to watch the network like a hawk, not just for the alerts raised by the preventative measures listed above, but for much more subtle things. We’re interested in anything anomalous, like:
- Traffic at strange times of the day
- Traffic on strange ports
- Traffic to or from strange destinations
- Unexpected traffic volumes or per-flow packet counts
Your preventative measures are unlikely to report on indicators like these. Because what counts as “anomalous” depends entirely on your own context (your hours, your servers, your usual destinations), a tool can surface candidates against a baseline, but it is usually a person, not a machine, who makes the final determination.
Finally, we have to cover the case where Badness has got in undetected, and has wrought whatever carnage and mayhem its creator had in mind. In short, we need to:
- Gather enough forensic information to work out exactly what has happened, after you’ve found out about your own security breach in either the popular press or the legal papers that have just been served upon you. Take the relatively benign example where some rogue anti-virus software is popping up on your computer, telling you there are zillions of problems, and that it can fix them all (for a price!). We need to be able to determine:
- Where the Badness came from
- If anything else got downloaded along with the rogue anti-virus software
- If there have been any unexpected network connections from the suspect machine
Now, we can’t readily ask these questions of the infected machine. If the infection has been thorough enough (a kernel-level rootkit, say), your computer will lie to you. It will tell you everything is OK, that there are no strange processes running, and that there is definitely no unusual network activity.
The only way to provide for all of this is to make use of the network itself. We need to be able to extract information from strategic points that will tell us what is going on now and also what happened at half past four last Tuesday afternoon. We need to be able to mine this information for usable snippets of intelligence, expressed in terms of low-level things like IP addresses and ports all the way through to higher-level things like URLs visited and emails sent and received. With this information at our fingertips, it becomes feasible to attempt to “Detect the Badness in a timely fashion” and to “Gather enough forensic information to work out exactly what has happened”.
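As an added illustration of both the detection pass (traffic at strange times, on strange ports, to strange destinations, or in unexpected volumes) and the forensic questions above (where did it come from, what else was fetched, what connections did the suspect machine make), here is a small Python script that works over NetFlow-style flow summaries taken from the network rather than from the host. This is example code, not anything from the original post or from Dataline; the flow records, the “baseline” sets, the working hours and the byte threshold are all constructed and hypothetical.

```python
from datetime import datetime

# Constructed sample flow records (NetFlow-style summaries, not real captures):
# start time, source IP, destination IP, destination port, packets, bytes.
FLOWS = [
    ("2010-02-02 09:12:00", "10.0.0.5", "192.0.2.10",     80,  42,   30100),
    ("2010-02-02 09:15:10", "10.0.0.5", "192.0.2.10",    443,  38,   28800),
    ("2010-02-02 10:01:00", "10.0.0.7", "192.0.2.20",     80,  50,   41000),
    ("2010-02-02 16:30:00", "10.0.0.5", "198.51.100.9", 8080,   6,     900),
    ("2010-02-02 16:30:05", "10.0.0.5", "198.51.100.9", 8080,   4,     600),
    ("2010-02-03 03:14:00", "10.0.0.5", "203.0.113.77", 6667,   2,     400),
    ("2010-02-03 03:20:00", "10.0.0.5", "203.0.113.77", 6667, 900, 1200000),
]

# Hypothetical baseline for this toy network.  In practice it is learned from
# weeks of observed traffic, not typed in by hand.
KNOWN_DESTS = {"192.0.2.10", "192.0.2.20"}
KNOWN_PORTS = {25, 53, 80, 443}
WORK_HOURS = range(8, 19)          # 08:00 to 18:59 local time
BYTES_PER_FLOW_LIMIT = 500_000     # anything bigger counts as "unexpected volume"

TS_FMT = "%Y-%m-%d %H:%M:%S"


def parse_flow(rec):
    """Turn one raw tuple into a dict with a real datetime."""
    ts, src, dst, port, pkts, nbytes = rec
    return {"ts": datetime.strptime(ts, TS_FMT), "src": src, "dst": dst,
            "port": port, "pkts": pkts, "bytes": nbytes}


def flag_anomalies(records):
    """Detection pass: return (time, src, dst, reasons) for every flow that
    breaks one or more of the baseline expectations listed in the post."""
    findings = []
    for f in map(parse_flow, records):
        reasons = []
        if f["ts"].hour not in WORK_HOURS:
            reasons.append("off-hours")
        if f["port"] not in KNOWN_PORTS:
            reasons.append("unusual port %d" % f["port"])
        if f["dst"] not in KNOWN_DESTS:
            reasons.append("new destination")
        if f["bytes"] > BYTES_PER_FLOW_LIMIT:
            reasons.append("large flow")
        if reasons:
            findings.append((f["ts"].strftime(TS_FMT), f["src"], f["dst"], reasons))
    return findings


def connections_from(records, host, start, end):
    """Forensic pass: every flow the suspect host opened in [start, end),
    answered from the network's records rather than from the host itself."""
    s = datetime.strptime(start, TS_FMT)
    e = datetime.strptime(end, TS_FMT)
    return [(f["ts"].strftime(TS_FMT), f["dst"], f["port"], f["bytes"])
            for f in map(parse_flow, records)
            if f["src"] == host and s <= f["ts"] < e]


def first_contacts(records, host):
    """When did host first talk to each destination?  The earliest entry that
    is not in the baseline is the candidate answer to 'where did it come from'."""
    seen = {}
    for f in sorted(map(parse_flow, records), key=lambda f: f["ts"]):
        if f["src"] == host and f["dst"] not in seen:
            seen[f["dst"]] = (f["ts"].strftime(TS_FMT), f["port"])
    return seen


if __name__ == "__main__":
    for finding in flag_anomalies(FLOWS):
        print("ALERT", *finding)
    print("10.0.0.5 between 16:00 and 17:00 on 2 Feb:")
    for c in connections_from(FLOWS, "10.0.0.5",
                              "2010-02-02 16:00:00", "2010-02-02 17:00:00"):
        print("   ", *c)
    print("first contact per destination:", first_contacts(FLOWS, "10.0.0.5"))
```

Run as-is, the detection pass flags the two afternoon flows to 198.51.100.9 (odd port, never-seen destination) and both 3 a.m. flows to 203.0.113.77 (off-hours, odd port, new destination, and one oversized upload); the forensic pass then lists exactly what 10.0.0.5 did in the half-hour around the first suspicious contact. The point is that every answer comes from flow records kept at a strategic point on the network, so a compromised host that hides its own processes and sockets cannot tamper with them.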
So, how do we do all of this? That’s a topic for next time – stay tuned.
Alec Waters is responsible for all things security at Dataline Software, and can be emailed at alec.waters(at)dataline.co.uk