Uncategorized / May 3, 2016

Cast Visibility Telemetry Deep and Wide, Catch the Most Dangerous Bad Guys

Spotting the most dangerous bad guys on your network takes a deliberate decision to commit resources to catching them.  These resources reflect an investment in visibility, detection, and skilled operators.

For example, when an adversary has infiltrated your network, they will commonly leave backdoors behind in the compromised systems for re-entry at a later time, or as a springboard when working to compromise additional systems in your network.  These backdoors are network services that should not normally be operating on your network.  FlowTraq is designed to detect these new services and alert you to them — but only when there is sufficient visibility.

Networks that only collect telemetry such as NetFlow or sFlow at their border points, and nowhere else, can be blindsided once the adversary is inside.  Also, keep in mind that the most skilled threat is a trusted insider already knowledgeable about your network and its assets.  To detect this kind of lateral movement, deploying visibility telemetry deep and wide across subnets is absolutely critical.  As networks grow, the management of this visibility infrastructure can be tedious.  Gigamon greatly reduces this burden, allowing your analysts to focus on finding bad guys instead.
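The blind spot described above, as an added illustration (this is not FlowTraq or Gigamon code): a minimal "new service" detector over constructed flow records, run once against border-only exporters and once against border plus internal exporters. The field names, the 10.0.0.0/8 internal range and the sample addresses are assumptions, and records are assumed to be already oriented client to server.

```python
"""Added example (not FlowTraq or Gigamon code): flag network services that
appear for the first time, and show what border-only telemetry misses."""
import ipaddress
from collections import namedtuple

# One client->server flow record; 'exporter' names the collection point.
# Records are assumed already oriented client->server (dst is the service).
Flow = namedtuple("Flow", "exporter src dst dport proto")

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range

# Constructed sample records, not captured traffic.
BASELINE = [  # learning window: what normally talks to what
    Flow("border",   "10.0.1.20", "203.0.113.9",  443, "tcp"),
    Flow("internal", "10.0.1.20", "10.0.2.5",     445, "tcp"),
    Flow("internal", "10.0.1.21", "10.0.2.8",    3306, "tcp"),
]
OBSERVED = [  # detection window
    Flow("border",   "10.0.1.20", "203.0.113.9",  443, "tcp"),
    Flow("internal", "10.0.1.20", "10.0.2.5",     445, "tcp"),
    # 10.0.1.20 now accepts connections on 4444 from another internal
    # host; this flow never crosses the border, so a border-only
    # exporter never sees it.
    Flow("internal", "10.0.1.21", "10.0.1.20",   4444, "tcp"),
    Flow("border",   "10.0.1.22", "198.51.100.7",  80, "tcp"),
]

def services(flows, exporters=None):
    """Set of (server_ip, port, proto) seen by the given exporters (None = all)."""
    return {(f.dst, f.dport, f.proto) for f in flows
            if exporters is None or f.exporter in exporters}

def new_services(baseline, observed, exporters=None):
    """Services present in the detection window but absent from the baseline."""
    return services(observed, exporters) - services(baseline, exporters)

def new_internal_services(baseline, observed, exporters=None):
    """Same, restricted to servers inside the internal range: the
    candidate backdoors the post describes."""
    return {s for s in new_services(baseline, observed, exporters)
            if ipaddress.ip_address(s[0]) in INTERNAL}

if __name__ == "__main__":
    for label, exp in (("border only", {"border"}), ("deep and wide", None)):
        print(f"{label}: {sorted(new_internal_services(BASELINE, OBSERVED, exp))}")
```

With border-only exporters the internal listener on 10.0.1.20:4444 is invisible and the only "new" service is an ordinary outbound web connection; with the internal exporter included, the new listener surfaces.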

Incidentally, the most dangerous type of bad guy is also the one who is hardest to find.  Adversaries that have both time and skill, who specifically target your organization, will be cautious not to reveal themselves.  Their motives — espionage or sabotage — drive their actions, and they will carefully move laterally through your network.  This may involve connecting to local databases or file shares from compromised systems, or moving data across subnets using any number of protocols.  Again, FlowTraq can only spot this behavior if you’re feeding it the telemetry collected from locations inside your network.  Visibility is a prerequisite to detection.

The art of actively seeking and eliminating intelligent and motivated adversaries on your network is called “cyber hunting”.  A skilled cyber hunter will seek to first understand the adversary completely before shutting him/her down.  This is very important: a skilled bad guy will assume he/she is being watched, so shutting them down at the first sign of malicious activity simply tips them off, allowing them to change tactics.

Always assume the adversary already has gained a wide foothold in your network, even before you’ve discovered the first piece of evidence.  To make sure they are gone, and stay gone, the advanced skilled adversary must be shut down across the board, with every foothold eliminated.  Having broad and deep visibility is critical here.  It allows the cyber hunter to quickly map out how far the bad guy has managed to come.  Remember that time is of the essence once the bad guys are in!

FlowTraq and Gigamon have enabled many cyber hunters by offering powerful detection and forensics through widespread visibility.  Don’t be blindsided.
