Quick! What do you do when you think you’ve been compromised?
It’s not a trick question (or the beginning of a bad joke). To investigate, you’d probably look for historical information that you could easily put your hands on. Usually that means pulling logs and NetFlow data to try to understand what’s going on. While these can be helpful, they are simply not enough. You need more contextual information about what was going on before and after the event, and that data doesn’t exist in logs and NetFlow. So where can you turn?
The answer? Metadata. Metadata is data that describes other data. And while it may not sound sexy, metadata gathered from your network can be a powerful ally in the battle against cyberattacks. Now, when “metadata” comes up in a security conversation, nine out of ten people will assume you’re talking about NetFlow. But we’re not. We’re talking about rich, session-level metadata: the sender, recipients, subject and attachment hash of an email, the host and URI of a web request, the certificate and cipher suite of an SSL/TLS session. Metadata that detailed lets you ask, and answer, questions you could never get to with flow records alone.
In fact, you can do seemingly impossible things with the right metadata. And if these examples sound interesting, consider the webinar I recently did with Hardik Modi, our VP of Threat Research: 3 Ways to Reduce Detection Time from Months to Minutes.
Impossible Task #1. Find everyone who received a phishing email in 2 minutes instead of 2 days.
You’ve received an alert about a phishing email – and where there is one, there are likely many more. You must move fast before users start opening and clicking on emails. But how do you find all the other emails? You could call the mail administrator and get them to search the server for a similar subject line or “from” address. Yet they often lack the tools to easily perform searches and they’re busy. You’re left knowing there’s a problem, but can’t identify which users received the email, clicked on it and may be compromised.
With rich metadata, it’s easy to quickly locate similar messages. With one search, you can understand the full scope of the problem. Now when you reach your mail administrator, you’ll have the contextual details required to resolve the issue.
Impossible Task #2. See if a new vulnerability was exploited in under a minute.
What if a high-profile data breach generates headlines and a new zero-day exploit, campaign or malware family is uncovered? Your CEO wants to know, “Can it happen to us? Are we covered?” You can’t help but hear the theme song from Mission Impossible playing in your head as you promise to look into it. Your security team subscribes to myriad threat intelligence feeds that help you detect future events. But when you get fresh intel, how do you verify that you haven’t already been compromised by that particular tactic?
Metadata can help. With stored metadata, it’s easy to run a retrospective search on the new indicators (a sender address, a file hash, a domain, a destination IP) and get a handle on any matching events that have already taken place in your environment.
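The two searches above, pivoting from one reported phishing message (Task 1) and retro-hunting a freshly published indicator (Task 2), are the same operation over stored session metadata. The following is an added example, not Fidelis Network code; the record layout (one dict per observed session with protocol-specific fields), the indicator set and every address, hash and subject line in it are constructed for illustration.

```python
"""Retrospective indicator search over stored session metadata.

Added example, not Fidelis Network code. The record layout (one dict per
observed session, with protocol-specific fields) and every value below are
constructed for illustration.
"""
import re
from datetime import datetime

# Constructed session metadata records (not real traffic).
SESSIONS = [
    {"ts": "2016-03-01T09:01:00", "proto": "smtp", "src_ip": "203.0.113.10",
     "dst_ip": "10.0.0.5", "mail_from": "billing@invoice-portal.test",
     "rcpt_to": "alice@corp.test", "subject": "Overdue invoice #4471",
     "attach_sha256": "3f2a" * 16, "url_hosts": ["invoice-portal.test"]},
    {"ts": "2016-03-01T09:01:07", "proto": "smtp", "src_ip": "203.0.113.10",
     "dst_ip": "10.0.0.5", "mail_from": "billing@invoice-portal.test",
     "rcpt_to": "bob@corp.test", "subject": "Overdue invoice #4472",
     "attach_sha256": "3f2a" * 16, "url_hosts": ["invoice-portal.test"]},
    {"ts": "2016-03-01T09:30:00", "proto": "smtp", "src_ip": "198.51.100.7",
     "dst_ip": "10.0.0.5", "mail_from": "hr@corp.test",
     "rcpt_to": "carol@corp.test", "subject": "Benefits enrollment",
     "attach_sha256": "9b1c" * 16, "url_hosts": ["intranet.corp.test"]},
    # An internal host later fetched the phishing landing page.
    {"ts": "2016-03-01T09:14:22", "proto": "http", "src_ip": "10.0.1.23",
     "dst_ip": "203.0.113.44", "host": "invoice-portal.test", "uri": "/login"},
    # An older session to an address that only appeared in threat intel today.
    {"ts": "2016-02-27T22:10:00", "proto": "tcp", "src_ip": "10.0.1.40",
     "dst_ip": "192.0.2.99", "dst_port": 443},
]

# Indicators to hunt for: attributes pivoted from the one reported phishing
# message (Task 1) plus a destination IP from a fresh intel feed (Task 2).
# The subject pattern catches "similar" subjects that differ only in a number.
INDICATORS = {
    "mail_from": {"billing@invoice-portal.test"},
    "subject_pattern": re.compile(r"^Overdue invoice #\d+$"),
    "attach_sha256": {"3f2a" * 16},
    "hosts": {"invoice-portal.test"},
    "dst_ips": {"192.0.2.99"},
}


def match_reasons(rec, ind):
    """Return the list of indicator fields this session record matches."""
    reasons = []
    if rec.get("mail_from") in ind["mail_from"]:
        reasons.append("sender")
    if ind["subject_pattern"].match(rec.get("subject", "")):
        reasons.append("subject")
    if rec.get("attach_sha256") in ind["attach_sha256"]:
        reasons.append("attachment")
    hosts_seen = set(rec.get("url_hosts", []))
    if rec.get("host"):
        hosts_seen.add(rec["host"])
    if hosts_seen & ind["hosts"]:
        reasons.append("host")
    if rec.get("dst_ip") in ind["dst_ips"]:
        reasons.append("dst_ip")
    return reasons


def retro_search(sessions, ind, since=None):
    """Search stored metadata backwards in time; returns (record, reasons) pairs.

    `since` is an optional ISO-8601 timestamp; older sessions are skipped.
    """
    since_dt = datetime.fromisoformat(since) if since else None
    hits = []
    for rec in sessions:
        if since_dt is not None and datetime.fromisoformat(rec["ts"]) < since_dt:
            continue
        reasons = match_reasons(rec, ind)
        if reasons:
            hits.append((rec, reasons))
    return hits


def phishing_scope(hits):
    """Who received the message, and which internal hosts went on to click."""
    recipients = sorted({r["rcpt_to"] for r, _ in hits if r["proto"] == "smtp"})
    clicked_from = sorted({r["src_ip"] for r, _ in hits if r["proto"] == "http"})
    return recipients, clicked_from


if __name__ == "__main__":
    hits = retro_search(SESSIONS, INDICATORS)
    for rec, why in hits:
        print(rec["ts"], rec["proto"], rec.get("rcpt_to") or rec["src_ip"], why)
    recipients, clicked_from = phishing_scope(hits)
    print("recipients:", recipients)
    print("clicked from:", clicked_from)
```

The point of the search is that it runs over what was already recorded: the `tcp` session to the newly published address was captured two days before the intel arrived and is still found, and the `http` record ties a click back to an internal host without anyone having to ask the mail administrator for a server search.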
Impossible Task #3. Find “man-in-the-middle” attacks.
Your organization’s data transmissions are confidential. Are you sure? Think again. Just because data is encrypted with SSL/TLS over HTTPS doesn’t mean that it can’t be spied on.
Using a man-in-the-middle attack, a malicious actor slips between you and the server. You think you’re talking to a secure server, but you’re actually talking to an attacker-controlled system that terminates your connection, reads the transmissions and opens its own connection onward to the real server. From that position, the malicious actor can capture, inject, block or alter confidential data meant for someone else.
Metadata can come to the rescue. Use the recorded session metadata to zero in on these attacks: a server name whose certificate fingerprint or issuer suddenly differs from what has been observed before, or traffic to a known service that is now terminating at an unexpected address, are both signs that network traffic is being diverted from its intended path.
Impossible Task #4. Find everywhere that weak encryption is used in the network.
Your organization encrypts all network traffic to protect the privacy and confidentiality of data as it travels from the source to its destination. But certificates and cipher configurations have a shelf life: certificates expire, and protocol versions, cipher suites and key sizes that were acceptable a few years ago are now considered weak. You know that you’re going to have to change them at some point. If you thought keeping up with the Kardashians was difficult, try keeping up with expired SSL certificates across an entire network.
Metadata makes it easy. By monitoring every SSL/TLS handshake and storing its metadata (protocol version, cipher suite, certificate issuer, validity dates, key size and signature algorithm), you can search those fields to locate weak configurations and expired certificates wherever they are in use. One caveat for passive collection: in TLS 1.3 the server certificate is sent encrypted, so certificate details are visible only for older protocol versions or for sessions you decrypt; version, cipher suite and SNI remain visible.
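Both Task 3 (spotting an interposed server) and Task 4 (finding weak or expired crypto) are checks over the same TLS handshake metadata, so one added example covers both. This is not Fidelis Network code; the record fields, the fingerprint baseline, the weak-cipher token list and the 2048-bit minimum are assumptions, and every session below is constructed.

```python
"""TLS session metadata checks: certificate drift (Task 3) and weak or
expired crypto (Task 4). Added example, not Fidelis Network code; the record
fields, the baseline and the thresholds are assumptions for illustration.
"""
from datetime import datetime

# Constructed TLS handshake metadata, one dict per session (not real traffic).
TLS_SESSIONS = [
    {"ts": "2016-03-01T10:00:00", "src_ip": "10.0.1.23", "dst_ip": "192.0.2.10",
     "sni": "bank.example.test", "version": "TLSv1.2",
     "cipher": "ECDHE-RSA-AES128-GCM-SHA256", "cert_sha256": "aa" * 32,
     "issuer": "CN=Example Public CA", "not_after": "2017-01-15",
     "key_bits": 2048, "sig_alg": "sha256WithRSAEncryption"},
    # Same server name, but a different leaf certificate from a different
    # issuer: this client is talking to something that is not the usual server.
    {"ts": "2016-03-01T10:05:00", "src_ip": "10.0.1.40", "dst_ip": "192.0.2.10",
     "sni": "bank.example.test", "version": "TLSv1.2",
     "cipher": "ECDHE-RSA-AES128-GCM-SHA256", "cert_sha256": "bb" * 32,
     "issuer": "CN=Interception Proxy CA", "not_after": "2026-01-01",
     "key_bits": 2048, "sig_alg": "sha256WithRSAEncryption"},
    # Internal legacy service with every problem at once.
    {"ts": "2016-03-01T10:07:00", "src_ip": "10.0.1.50", "dst_ip": "10.0.9.2",
     "sni": "legacy.corp.test", "version": "SSLv3", "cipher": "RC4-MD5",
     "cert_sha256": "cc" * 32, "issuer": "CN=Corp Internal CA",
     "not_after": "2015-06-30", "key_bits": 1024,
     "sig_alg": "sha1WithRSAEncryption"},
    {"ts": "2016-03-01T10:09:00", "src_ip": "10.0.1.51", "dst_ip": "10.0.9.3",
     "sni": "intranet.corp.test", "version": "TLSv1.2",
     "cipher": "ECDHE-RSA-AES256-GCM-SHA384", "cert_sha256": "dd" * 32,
     "issuer": "CN=Corp Internal CA", "not_after": "2018-01-01",
     "key_bits": 2048, "sig_alg": "sha256WithRSAEncryption"},
]

# Leaf-certificate fingerprints previously observed per server name
# (constructed). In practice this is learned from earlier stored metadata.
BASELINE = {"bank.example.test": {"aa" * 32}}

# Assumed policy thresholds.
WEAK_VERSIONS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_TOKENS = {"RC4", "DES", "3DES", "MD5", "NULL", "EXP", "EXPORT",
                      "ADH", "AECDH"}
MIN_KEY_BITS = 2048


def cert_drift(sessions, baseline):
    """Sessions whose leaf certificate differs from the baseline for that name."""
    findings = []
    for s in sessions:
        known = baseline.get(s["sni"])
        if known is not None and s["cert_sha256"] not in known:
            findings.append({"ts": s["ts"], "sni": s["sni"], "client": s["src_ip"],
                             "issuer": s["issuer"], "cert_sha256": s["cert_sha256"]})
    return findings


def weak_or_expired(sessions, today):
    """Map each server name to the set of crypto problems seen in its sessions.

    `today` is a YYYY-MM-DD string used for the certificate expiry check.
    """
    now = datetime.strptime(today, "%Y-%m-%d")
    findings = {}
    for s in sessions:
        problems = set()
        if s["version"] in WEAK_VERSIONS:
            problems.add("protocol:" + s["version"])
        # Cipher-suite names are dash-separated tokens, so match whole tokens
        # rather than substrings ("AES" must not trip the "DES" rule).
        if set(s["cipher"].split("-")) & WEAK_CIPHER_TOKENS:
            problems.add("cipher:" + s["cipher"])
        if s["key_bits"] < MIN_KEY_BITS:
            problems.add("key_bits:%d" % s["key_bits"])
        if s["sig_alg"].lower().startswith(("sha1", "md5")):
            problems.add("sig_alg:" + s["sig_alg"])
        if datetime.strptime(s["not_after"], "%Y-%m-%d") < now:
            problems.add("expired:" + s["not_after"])
        if problems:
            findings.setdefault(s["sni"], set()).update(problems)
    return findings


if __name__ == "__main__":
    for f in cert_drift(TLS_SESSIONS, BASELINE):
        print("certificate drift:", f)
    for sni, problems in weak_or_expired(TLS_SESSIONS, "2016-03-01").items():
        print(sni, sorted(problems))
```

Certificate drift needs a baseline per server name rather than a simple "is the CA trusted" test, because an interposing proxy that has planted its own CA in client trust stores will present a certificate that validates perfectly; only the change in fingerprint and issuer gives it away. Expect legitimate rotations and multi-certificate CDNs to show up too, so treat a drift finding as a lead to confirm, not an alert on its own.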
Impossible Task #5. Know where all of your sensitive data is going – both inside and outside your organization.
Just like the dog that manages to squeeze under the fence, data seems to have an uncanny ability to sneak past the guards. You have to worry about sensitive data that’s leaving the organization as well as the data traveling across your internal network.
With a quick metadata search, you can find and analyze all sensitive data traveling across the network: who sent it, where it went (an internal host or an external destination) and how it was sent (which protocol and application).
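One way to turn that search into the who/where/how summary the paragraph describes, as an added example rather than Fidelis Network code: it assumes each stored session record carries a `tags` map written by a content classifier (sensitive data type to count of matches) and a resolved destination name, and all users, addresses and counts below are constructed.

```python
"""Where is sensitive data going? Added example, not Fidelis Network code.
Assumes each stored session record carries a 'tags' map written by a content
classifier (type of sensitive data -> number of matches); all records are
constructed for illustration.
"""
import ipaddress
from collections import defaultdict

# RFC 1918 space stands in for "inside the organization" (assumption).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed session records (not real traffic).
FLOWS = [
    {"ts": "2016-03-01T11:00:00", "user": "alice", "src_ip": "10.0.1.23",
     "dst_ip": "10.0.5.8", "dst_name": "fileserver.corp.test", "proto": "smb",
     "bytes": 2_000_000, "tags": {"ssn": 120}},
    {"ts": "2016-03-01T11:04:00", "user": "bob", "src_ip": "10.0.1.40",
     "dst_ip": "203.0.113.77", "dst_name": "files.share-site.test",
     "proto": "https", "bytes": 500_000, "tags": {"pan": 40}},
    {"ts": "2016-03-01T11:05:00", "user": "carol", "src_ip": "10.0.1.50",
     "dst_ip": "198.51.100.20", "dst_name": "mail.partner.test",
     "proto": "smtp", "bytes": 10_000, "tags": {}},
    {"ts": "2016-03-01T11:09:00", "user": "bob", "src_ip": "10.0.1.40",
     "dst_ip": "203.0.113.77", "dst_name": "files.share-site.test",
     "proto": "https", "bytes": 300_000, "tags": {"pan": 15, "ssn": 2}},
]


def is_internal(ip):
    """True if the address falls inside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def sensitive_flow_summary(flows):
    """Group tagged sessions by (who sent, where it went, how, direction).

    Returns {(user, dst_name, proto, direction): {sessions, bytes, tags}}.
    """
    summary = {}
    for f in flows:
        if not f["tags"]:
            continue  # nothing sensitive seen in this session
        direction = "internal" if is_internal(f["dst_ip"]) else "outbound"
        key = (f["user"], f["dst_name"], f["proto"], direction)
        entry = summary.setdefault(
            key, {"sessions": 0, "bytes": 0, "tags": defaultdict(int)})
        entry["sessions"] += 1
        entry["bytes"] += f["bytes"]
        for tag, count in f["tags"].items():
            entry["tags"][tag] += count
    for entry in summary.values():
        entry["tags"] = dict(entry["tags"])
    return summary


def outbound_only(summary):
    """The subset of the summary that left the organization."""
    return {k: v for k, v in summary.items() if k[3] == "outbound"}


if __name__ == "__main__":
    summary = sensitive_flow_summary(FLOWS)
    for (user, dst, proto, direction), entry in sorted(summary.items()):
        print(f"{user} -> {dst} via {proto} ({direction}): "
              f"{entry['sessions']} sessions, {entry['bytes']} bytes, {entry['tags']}")
    print("outbound:", list(outbound_only(summary)))
```

The grouping key is the whole point: a single 15-match upload is easy to dismiss, but the same user pushing card numbers to the same external file-sharing host over repeated sessions is what the "where is it going" question is really asking.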
Coming up: Ten Impossible Things You Can Do with Metadata, Part 2.
Did you know Fidelis automates the collection, analysis and storage of your network data so it’s ready for you to investigate immediately? The rich metadata that Fidelis Network captures about every session on your network makes it possible to investigate suspected incidents in seconds – and gives you answers to questions that were previously impossible to know.
-Fidelis Cybersecurity CMO Michael Evans