Andrej Vnuk
Behaviour Analysis and Anomaly Detection
Andrej.Vnuk@alef.com
Regional Coordinator for Network and Security solutions
Conference HEK.SI, 6th – 7th April 2017, Ljubljana
Technology Approaches
Network Visibility & Security
Perimeter Security
Endpoint Security
• Firewalls
• IPS/IDS
• Mail Filtering
• AntiMalware + AntiSpyware
• Web Gateway
• Web Application Firewall
• Application Delivery Controllers
• APT
• Vulnerability management
• SIEM
Traditional solutions
• SNMP based tools (Nagios, Cacti, Zabbix, ...)
• Agent based tools (PRTG)
• Packet capturing (Wireshark)
• Full blown network monitoring (OpenView, ...)
• SIEM
• Still missing real insight into network traffic: statistical collection of all traffic with automatic network behavior analysis in (near) real time!
Network monitoring
NBA Recommendation
Neil MacDonald
VP Distinguished Analyst
Gartner Security & Risk Management Summit
• Detection and response are more important than blocking and prevention.
• Monitoring and analysis should be at the core of all next-generation security platforms.
Importance of Flow Analysis
Flowmon: „Flow + L7 covers 95% of issues“
Teaser
• Experience from PoC in internal network to test the solution on customer data
• The Customer
• Significant financial institution
• Separate infrastructure, operations and security departments
• Firewall, IPS, Antivirus
• Results of the testing
• Two thirds of data traffic was generated by infected devices
Teaser
• Covers security gap between end-points and perimeter
• Automatically identifies threats, attacks, incidents and configuration issues
• Complements traditional security tools based on signatures
• Alerts proactively on unexpected behavior in the network
NBA
• How is NBA different from other tools?
Anomaly Detection
Common tools use statistical methods to detect traffic spikes and deviations.
NBA analyzes each flow and goes beyond the traditional statistical algorithms.
NetFlow-based NBA combines:
• Machine learning
• Adaptive baselining
• Heuristics
• Behavior patterns
• Reputation databases
NBA Principles
• Network behavior patterns
• Behavior patterns for SIP traffic
• Advanced (long term) network behavior patterns
• Derived behavior patterns for characteristics of individual devices
• Behavior changes of network statistics
• Aggregated methods
Detection Methods
• Attacks on network services
• Infected devices and communication with botnet C&C, attackers, …
• Anomalies of DNS or DHCP traffic
• Port scanning and similar symptoms of infected devices
• Applications like P2P networks or on-line messengers
• PROXY bypass, TOR
• Outages of network services or improper configurations
• Potential data leakage and usage of data sharing on internet
• Attacks against VoIP, PBX, …
• Unexpected mail traffic and SPAM
Detection Capabilities
• IP and host-based reputation feeds
• Detection of C&C domains, P2P botnets, phishing
• Indicators matched: IP addresses, HTTP host names, domain names
Threat Intelligence
Examples from real traffic
Path traversal attack (full visibility)
Example attack
Use-case: path traversal attack
• Collect and analyse flows (Flow)
• Automatic detection of anomaly/attack (ADS)
• Detailed insight thanks to application monitoring (APM)
• Full forensics based on content (Packet capture)
Netflow
• Obvious anomaly in data traffic
Anomaly detection
• Automatic detection and interpretation
Application monitoring
• Full visibility into the application traffic
Full URL, UserAgent, …
Packet analysis
• Automated trigger of packet capture for further forensic analysis
Use Case: Anomaly Detection in Enterprise
Advanced malware
• Malware infected device in the internal network
78 port scans?
DNS anomalies?
Advanced malware
Let’s see the scans first
OK, users cannot access the web. Are the DNS anomalies related?
Advanced malware
OK, which DNS server is being used?
192.168.0.53? This is a notebook!
How did this happen?
Advanced malware
Let’s look for the details…
Laptop 192.168.0.53 is acting as a DHCP server in the network
Advanced malware
Malware infected device
Trying to redirect and bridge traffic, probably to get sensitive data
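As an added illustration (not Flowmon code) of the checks behind the investigation above, the Python below applies three flow-level rules to constructed NetFlow-style records: many distinct destination ports from one source (a port scan), a host answering from UDP/67 that is not on the approved DHCP server list (the rogue laptop), and clients sending DNS queries to an unapproved resolver. All addresses, thresholds and the approved-server lists are assumptions.

```python
from collections import defaultdict

# Constructed NetFlow-style records (not captured data):
# (src_ip, dst_ip, proto, src_port, dst_port, packets)
FLOWS = [
    ("10.1.1.7", "10.1.1.20", "tcp", 40000 + p, p, 1) for p in range(1, 101)  # scan of 100 ports
] + [
    ("192.168.0.53", "255.255.255.255", "udp", 67, 68, 3),  # DHCP offers from a laptop
    ("192.168.0.10", "255.255.255.255", "udp", 67, 68, 3),  # the legitimate DHCP server
    ("192.168.0.77", "192.168.0.53", "udp", 50001, 53, 4),  # client now resolving via the laptop
    ("192.168.0.77", "192.168.0.10", "udp", 50002, 53, 2),  # client still using the real resolver
    ("192.168.0.77", "93.184.216.34", "tcp", 50003, 443, 40),  # ordinary web traffic
]
# Assumed inventory of approved servers (hypothetical addresses)
AUTHORISED_DHCP = {"192.168.0.10"}
AUTHORISED_DNS = {"192.168.0.10"}


def detect_port_scans(flows, min_ports=50):
    """Sources touching many distinct destination ports on one host with
    one- or two-packet flows, i.e. the '78 port scans' pattern."""
    ports = defaultdict(set)
    for src, dst, proto, _sport, dport, pkts in flows:
        if proto == "tcp" and pkts <= 2:
            ports[(src, dst)].add(dport)
    return {pair: len(p) for pair, p in ports.items() if len(p) >= min_ports}


def detect_rogue_dhcp(flows, authorised=AUTHORISED_DHCP):
    """Hosts answering from UDP/67 (DHCP server side) that are not approved."""
    return sorted({src for src, _dst, proto, sport, _dport, _n in flows
                   if proto == "udp" and sport == 67 and src not in authorised})


def detect_unexpected_dns(flows, authorised=AUTHORISED_DNS):
    """(client, resolver) pairs where DNS queries go to an unapproved resolver."""
    return sorted({(src, dst) for src, dst, proto, _sport, dport, _n in flows
                   if proto == "udp" and dport == 53 and dst not in authorised})


if __name__ == "__main__":
    print("port scans:", detect_port_scans(FLOWS))
    print("rogue DHCP:", detect_rogue_dhcp(FLOWS))
    print("unexpected DNS:", detect_unexpected_dns(FLOWS))
```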
Use Case: Advanced Malware Activity
Traffic overview, anomalies detected
Attacker activity (port scan, SSH authentication attack)
Victim of the attack, source of anomalies
Attacker is looking for potential victims
And starts SSH attack
That turns out to be successful
A few minutes after that, the breached device starts to communicate with a botnet C&C
Botnet identification using Flowmon Threat Intelligence
Flow data on L2/L3/L4
Including L7 visibility
Full packet capture and packet trace (PCAP file)
Analysis of PCAP file with botnet C&C communication in Wireshark
Data exfiltration command via ICMP
Command to discover RDP servers
ICMP anomaly traffic with payload present
PCAP available, what is the ICMP payload?
Linux /etc/passwd file with user accounts and password hashes
Looking for Windows servers with RDP
Attack against RDP services
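Added example, not Flowmon's threat-intelligence implementation: it matches flow records carrying L7 fields against constructed reputation feeds on destination IP, DNS query name and HTTP host (with parent-domain matching, as the reputation feeds slide lists them), then links an SSH authentication attack to the victim's later C&C contact, the sequence shown above. Feeds, addresses, timestamps and thresholds are constructed placeholders.

```python
from collections import Counter

# Constructed reputation feed entries (placeholders, not real indicators)
CNC_IPS = {"203.0.113.9"}
CNC_DOMAINS = {"bad-cnc.example"}

# Constructed flow records with L7 fields (not captured data):
# (ts_sec, src, dst, dst_port, dns_qname, http_host)
FLOWS = (
    [(100 + i, "10.1.1.7", "10.1.1.30", 22, None, None) for i in range(60)]  # SSH guessing
    + [(600, "10.1.1.30", "198.51.100.5", 53, "beacon.bad-cnc.example", None),  # victim resolves C&C
       (605, "10.1.1.30", "203.0.113.9", 443, None, None),                      # victim contacts C&C IP
       (700, "10.1.1.40", "93.184.216.34", 80, None, "www.example.com")]        # benign HTTP
)


def domain_listed(name, feed):
    """True if name or any parent domain is in feed (sub.evil.tld hits evil.tld)."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in feed for i in range(len(labels) - 1))


def reputation_hits(flows):
    """Match destination IP, DNS query name and HTTP host against the feeds."""
    hits = []
    for ts, src, dst, _dport, qname, host in flows:
        if dst in CNC_IPS:
            hits.append((ts, src, "ip", dst))
        if qname and domain_listed(qname, CNC_DOMAINS):
            hits.append((ts, src, "dns", qname))
        if host and domain_listed(host, CNC_DOMAINS):
            hits.append((ts, src, "http", host))
    return hits


def ssh_attack_targets(flows, min_attempts=30):
    """dst -> src for hosts receiving many separate SSH connections from one source."""
    c = Counter((src, dst) for _ts, src, dst, dport, _q, _h in flows if dport == 22)
    return {dst: src for (src, dst), n in c.items() if n >= min_attempts}


def breached_then_cnc(flows, window=900):
    """SSH-attack victims that reach a C&C indicator within window seconds
    after the last attempt: the sequence that suggests the attack succeeded."""
    last_attempt = {}
    for ts, _src, dst, dport, _q, _h in flows:
        if dport == 22:
            last_attempt[dst] = max(last_attempt.get(dst, 0), ts)
    victims = ssh_attack_targets(flows)
    return sorted({src for ts, src, _kind, _ind in reputation_hits(flows)
                   if src in victims and 0 <= ts - last_attempt[src] <= window})
```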
Network Analysis + Forensics
• Flow monitoring including L7
• Network Behavior Analysis
• Full packet capture triggered by detection
• Configuration wizard for initial setup
• Configuration templates for various environments
• False-positive adjustment for tuning
Configuration
• Perspectives to set up event priorities
• E-mail reports: based on perspectives, various formats
• PDF reports: predefined and user-defined
• SIEM/log management: syslog (native CEF format), SNMPv2 traps
• Triggered capture or script
Alerting and Integration
Identity source – syslog export
User Identity Awareness (1)
Authentication events (time, login, IP address) are correlated with NetFlow records (time, IP, …)
• Detected events are related to users
• User identity is part of event details
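Added illustration of the two integration points above, identity from a syslog authentication source and export to a SIEM as CEF; it is not Flowmon's code, and the syslog line format, vendor string, addresses and event fields are assumptions. The login/logout records are turned into sessions, the detection event is attributed to the user whose session on the source IP covers the event time (none is guessed otherwise), and the enriched event is serialised with CEF header and extension escaping.

```python
import re
from datetime import datetime

# Constructed syslog lines from an identity source (the line format is an assumption)
AUTH_SYSLOG = [
    "2017-04-06T08:55:10 vpn-gw auth: login user=jdoe ip=192.168.0.53",
    "2017-04-06T09:40:00 vpn-gw auth: logout user=jdoe ip=192.168.0.53",
    "2017-04-06T09:41:30 vpn-gw auth: login user=asmith ip=192.168.0.53",
]
LINE_RE = re.compile(r"^(\S+) \S+ auth: (login|logout) user=(\S+) ip=(\S+)$")
EVENT = {"id": "ROGUE_DHCP", "name": "Rogue DHCP server", "severity": 7,  # constructed event
         "src": "192.168.0.53", "dst": "255.255.255.255", "time": "2017-04-06T09:00:00"}

def parse_sessions(lines):
    """Return (start, end, ip, user) tuples; a session with no logout stays open."""
    open_, sessions = {}, []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated syslog line
        ts, action, user, ip = datetime.fromisoformat(m[1]), m[2], m[3], m[4]
        if action == "login":
            open_[(ip, user)] = ts
        elif (ip, user) in open_:
            sessions.append((open_.pop((ip, user)), ts, ip, user))
    return sessions + [(start, datetime.max, ip, user) for (ip, user), start in open_.items()]

def user_for(sessions, ip, when_iso):
    """User whose session on ip covers the event time, or None rather than a guess."""
    when = datetime.fromisoformat(when_iso)
    for start, end, sip, user in sessions:
        if sip == ip and start <= when <= end:
            return user
    return None

def cef_escape(value, header=False):
    """CEF escaping: backslash everywhere, '|' in header fields, '=' in extension values."""
    value = str(value).replace("\\", "\\\\")
    return value.replace("|", "\\|") if header else value.replace("=", "\\=")

def to_cef(event, user):
    """CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|key=value ... (one syslog line)."""
    head = "|".join(cef_escape(v, header=True) for v in
                    ("0", "ExampleVendor", "NBA", "1.0", event["id"], event["name"], event["severity"]))
    ext = {"rt": datetime.fromisoformat(event["time"]).strftime("%b %d %Y %H:%M:%S"),
           "src": event["src"], "dst": event["dst"], "suser": user or "unknown"}
    return "CEF:" + head + "|" + " ".join(f"{k}={cef_escape(v)}" for k, v in ext.items())

def export_event(event=EVENT, syslog=AUTH_SYSLOG):
    return to_cef(event, user_for(parse_sessions(syslog), event["src"], event["time"]))
```

export_event() enriches the constructed event with the user logged in from its source IP and returns the CEF line a syslog exporter would send.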
User Identity Awareness (2)
Flowmon Architecture
Network traffic monitoring
Collection of traffic statistics
Visualization and detection of anomalies
Flowmon Probes
• Passive source of network statistics - NetFlow / IPFIX data
Flowmon Collectors
• NetFlow evidence, reporting, analysis
Flowmon Modules
• Anomaly detection + behavior analysis
• Application performance monitoring
• DDoS detection and mitigation
• Full packet capture
• Versatile and flexible network appliance
Monitoring ports convert packets to flows
Un-sampled export in NetFlow v5/v9 or IPFIX
Wire-speed, L2-L7 visibility, PCAPs when needed
Flowmon Probe
L2
• MAC
• VLAN
• MPLS
• GRE tunnel
L3/L4
• Standard items
• NPM metrics
• RTT, SRT, …
• TTL, SYN size, …
• ASN
• Geolocation
L7
• NBAR2
• HTTP
• DNS
• DHCP
• SMB/CIFS
• VoIP (SIP)
Toolset to consider
Next Generation Network Security - Behavior Analysis & Anomaly Detection
Detects and alerts on abnormal behaviors
Reports anomalies and advanced persistent threats
Detects intrusions and attacks not visible to standard signature-based tools
Value Proposition – Security
Paul E. Proctor, VP at Gartner: “NBA is about higher visibility in the behavior of your network to cover gaps left by signature based mechanism.”
Andrej Vnuk
ALEF distribucija SI, d.o.o.
www.alef.com
Andrej.vnuk@alef.com
DEMO ???
Visit us at our booth in the lobby !