In order to detect serious security incidents, it is important to understand, characterize, and analyze information about normal network functioning. Networks, servers, and hosts all exhibit typical behaviour for a given point in time.
Care must be taken when capturing baseline data so that all normal network operations are included in the baseline. In addition, it is important that the baseline is current. It should not include network performance data that is no longer part of normal functioning. For example, rises in network utilization during periodic server backup operations are part of normal network functioning and should be part of the baseline data. However, measurement of traffic that corresponds to outside access to an internal server that has since been moved to the cloud would not be. A means of capturing just the right period for baseline measurement is known as sliding window anomaly detection. It defines a window that is most representative of network operation and deletes data that is out of date. This process continues with repeated baseline measurements to ensure that the baseline statistics depict network operation with maximum accuracy.
Increased utilization of WAN links at unusual times can indicate a network breach and exfiltration of data. Hosts that begin to access obscure internet servers, resolve domains that are obtained through dynamic DNS, or use protocols or services that are not needed by the system user can also indicate compromise. Deviations in network behavior are difficult to detect if normal behavior is not known.
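The sliding-window baseline described above, as an added example that is not part of the original article: a per-hour-of-day baseline of WAN link utilization in which each slot keeps only the most recent fourteen daily samples, so measurements that are no longer normal (the backup job that stopped, the server that moved to the cloud) age out by themselves. The sample data and the 3-sigma threshold are constructed assumptions.

```python
from collections import deque
from statistics import mean, pstdev

class SlidingBaseline:
    """Per-hour-of-day baseline of WAN link utilization kept in a sliding window.

    Each slot keeps only the most recent `window` daily samples, so measurements
    that are no longer part of normal operation age out automatically.
    """
    def __init__(self, window=14, min_history=7, threshold=3.0):
        self.min_history = min_history  # samples needed before judging a value
        self.threshold = threshold      # alert above mean + threshold * stdev
        self.slots = {h: deque(maxlen=window) for h in range(24)}

    def observe(self, hour, mbps):
        """Return True if `mbps` is anomalous for `hour`, then fold it into the baseline."""
        hist = self.slots[hour]
        anomalous = False
        if len(hist) >= self.min_history:
            mu, sigma = mean(hist), pstdev(hist)
            # floor the spread at 1 Mbps so a flat history does not alert on noise
            anomalous = mbps > mu + self.threshold * max(sigma, 1.0)
        hist.append(mbps)  # every sample is folded in; the oldest one is dropped
        return anomalous

def constructed_history(days=14):
    """Constructed sample data: ~10 Mbps all day, with a 02:00 backup burst of ~80 Mbps."""
    samples = []
    for d in range(days):
        for h in range(24):
            mbps = 80 + (d % 3) - 1 if h == 2 else 10 + (d % 2)
            samples.append((h, mbps))
    return samples

def train(samples, **kw):
    b = SlidingBaseline(**kw)
    for h, mbps in samples:
        b.observe(h, mbps)
    return b

def demo():
    b = train(constructed_history())
    return {
        "backup_window_normal": b.observe(2, 82),  # expected at 02:00, no alert
        "backup_window_spike": b.observe(2, 140),  # 02:00 but far above the norm
        "daytime_spike": b.observe(14, 60),        # ~10 Mbps baseline at 14:00
    }

if __name__ == "__main__":
    print(demo())
```

The same 60 Mbps reading is normal inside the backup window and an alert at 14:00, which is exactly the "unusual time" distinction the WAN-link indicator above relies on.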
Tools like NetFlow and Wireshark can be used to characterize normal network traffic. Because organizations can make different demands on their networks depending on the time of day or day of the year, network baselining should be carried out over an extended period. The figure displays some questions to ask when establishing a network baseline.
Figure: questions to ask when establishing a network baseline.
- Session duration: What is the average time between the establishment of a data flow and its termination?
- Total throughput: What is the average amount of data passing from a given source to a given destination in a given period of time?
- Ports used: What is the list of acceptable TCP or UDP processes that are available to accept data?
- Critical asset address space: What is the IP address space of critical assets owned by the organization?
Elements of a Network Profile
The table lists important elements of the network profile.
| Network Profile Element | Description |
|---|---|
| Session duration | The time between the establishment of a data flow and its termination. |
| Total throughput | The amount of data passing from a given source to a given destination in a given period of time. |
| Ports used | A list of TCP or UDP processes that are available to accept data. |
| Critical asset address space | The IP addresses or the logical location of essential systems or data. |
In addition, a profile of the types of traffic that typically enter and leave the network is an important tool in understanding network behavior. Malware can use unusual ports that may not be typically seen during normal network operation. Host-to-host traffic is another important metric. Most network clients communicate directly with servers, so an increase of traffic between clients can indicate that malware is spreading laterally through the network.
Finally, changes in user behavior, as revealed by AAA, server logs, or a user profiling system like Cisco Identity Services Engine (ISE), are another valuable indicator. Knowing how individual users typically use the network leads to detection of potential compromise of user accounts. A user who suddenly begins logging in to the network at strange times from a remote location should raise alarms if this behavior is a deviation from a known norm.
Server profiling is used to establish the accepted operating state of servers. A server profile is a security baseline for a given server. It establishes the network, user, and application parameters that are accepted for a specific server.
In order to establish a server profile, it is important to understand the function that a server is intended to perform in a network. From there, various operating and usage parameters can be defined and documented.
The table lists elements of a server profile.
| Server Profile Element | Description |
|---|---|
| Listening ports | The TCP and UDP daemons and ports that are normally allowed to be open on the server. |
| Logged in users and accounts | The parameters defining user access and behaviour. |
| Service accounts | The definitions of the type of service that an application is allowed to run. |
| Software environment | The tasks, processes, and applications that are permitted to run on the server. |
Network Anomaly Detection
Network behaviour is described by a large amount of diverse data such as the features of a packet flow, features of the packets themselves, and telemetry from multiple sources. One approach to the detection of network attacks is the analysis of this diverse, unstructured data using Big Data analytics techniques. This is known as network behaviour analysis (NBA).
This entails the use of sophisticated statistical and machine learning techniques to compare normal performance baselines with network performance at a given time. Significant deviations can be indicators of compromise. In addition, network behavior can be analyzed for known network behaviors that indicate compromise.
Anomaly detection can recognize network traffic caused by worm activity that exhibits scanning behavior. It can also identify infected hosts on the network that are scanning for other vulnerable hosts.
The figure illustrates a simplified version of an algorithm designed to detect an unusual condition at the border routers of an enterprise.
For example, the cybersecurity analyst could provide the following values:
- X = 5
- Y = 100
- Z = 30
- N = 500
Now, the algorithm can be interpreted as: Every 5th minute, get a sampling of 1/100th of the flows during second 30. If the number of flows is greater than 500, generate an alarm. If the number of flows is less than 500, do nothing. This is a simple example of using a traffic profile to identify the potential for data loss.
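The border-router algorithm above with X = 5, Y = 100, Z = 30 and N = 500, as an added example that is not part of the original article. The flow records, the addresses and the sizes of the bursts are constructed; the 1-in-Y sample is taken deterministically (every Y-th record), as a sampled NetFlow exporter would, and the alarm compares the sampled count against N as the text states.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    ts: int        # epoch seconds at which the flow record was exported
    src: str
    dst: str
    dport: int

def sampled_flow_count(flows, x, y, z, minute):
    """Every x-th minute, count 1 in y of the flows seen during second z of `minute`.

    Returns None when `minute` is not a sampling minute.
    """
    if minute % x != 0:
        return None
    in_second = [f for f in flows if f.ts // 60 == minute and f.ts % 60 == z]
    return len(in_second[::y])  # deterministic 1-in-y sample

def evaluate(flows, x, y, z, n):
    """Return (minute, sampled count) for every sampling minute whose count exceeds n."""
    alarms = []
    for minute in sorted({f.ts // 60 for f in flows}):
        count = sampled_flow_count(flows, x, y, z, minute)
        if count is not None and count > n:
            alarms.append((minute, count))
    return alarms

def constructed_flows():
    """Constructed border-router flows: 2000 per second baseline plus two bursts of 60000."""
    flows = []
    for minute in range(20):
        for i in range(2000):
            flows.append(Flow(minute * 60 + 30, f"10.0.0.{i % 250}", "203.0.113.5", 443))
    # burst in minute 12 falls between sampling minutes; the one in minute 15 is sampled
    for minute in (12, 15):
        for i in range(60000):
            flows.append(Flow(minute * 60 + 30, "10.0.5.7", f"198.51.100.{i % 250}", 443))
    return flows

if __name__ == "__main__":
    print(evaluate(constructed_flows(), x=5, y=100, z=30, n=500))
```

Only the minute-15 burst raises an alarm; the identical burst in minute 12 is never sampled, which shows the blind spot that X, the sampling interval, opens between checks.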
In addition to statistical and behavioural approaches to anomaly detection is rule-based anomaly detection. Rule-based detection analyzes decoded packets for attacks based on pre-defined patterns.
Network Vulnerability Testing
Most organizations connect to public networks in some way due to the need to access the internet. These organizations must also provide internet-facing services of various types to the public. Because of the vast number of potential vulnerabilities, and the fact that new vulnerabilities can be created within an organization's network and its internet-facing services, periodic security testing is essential.
The table lists various types of tests that can be performed, with examples of the activities and tools used in each.

| Test Type | Description | Examples of Activities and Tools |
|---|---|---|
| Risk analysis | Individuals conduct a comprehensive analysis of the impacts of attacks on core company assets and functioning. | Internal or external consultants, risk management frameworks |
| Vulnerability assessment | Patch management, host scans, port scanning, other vulnerability scans and services. | OpenVAS, Microsoft Baseline Security Analyzer, Nessus, Qualys, Nmap |
| Penetration testing | Use of hacking techniques and tools to penetrate network defences and identify the depth of potential penetration. | Metasploit, CORE Impact, ethical hackers |
I know you might agree with some of the points that I have raised in this article. You might not agree with some of the issues raised. Let me know your views about the topic discussed. We will appreciate it if you can drop your comment. Thanks in anticipation.