Metadata gathered from your network can be a powerful ally in the battle against cyberattacks. In fact, you can do seemingly impossible things with the right metadata. In Part 1, we explored how metadata can help you spot phishing emails, find man-in-the-middle attacks, locate weak encryption and more. In Part 2, we take a look at five more seemingly impossible tasks.
If these examples sound interesting, watch the webinar I recently did with Hardik Modi, our VP of Threat Research: 3 Ways to Reduce Detection Time from Months to Minutes.
Impossible Task #6. See lateral movement within the network.
If there ever was an asymmetric fight, it’s between cyber bad actors and security pros. Not only does the attacker have to succeed only once at getting a foot in the door, but they also have all the time in the world to establish a foothold and move laterally throughout your network. They can be in your environment days, weeks or even months before you know you’ve been compromised.
Meanwhile, you’re left playing whack-a-mole with way too many alerts. When you do get time to hunt for threats, you’re left to rely on high-level Netflow information, which lacks context and is often hampered by encryption. At best, you can make an inference about lateral movement activities. You have a better chance of finding Dory.
What you need is the granular visibility into what’s happening on the network and the endpoint. With rich metadata, you can track attackers through the network, reconstruct their activities and remediate the intrusion.
Impossible Task #7. Contextualize and prioritize an alert.
Question: What’s worse than getting an alert that your network is under attack?
Answer: Jumping into action without the necessary context about the alert and its severity.
It’s human nature to want to take action when you get an alert. But without context, how do you know what action to take?
Discovering the root-cause of an alert is critically important to prioritizing actions so you can take a proactive defense posture. Without understanding the “why” of an alert — including what occurred before and after — it’s likely that you’ll find yourself detecting the same issue day after day on numerous machines. This increases the time spent on detection and remediation.
How can you get deep visibility into what’s happening and context around the alert? The answer, once again, is metadata. Rich metadata provides a historical view of all network communication – protocols, applications and content – providing the context required to understand events taking place on your network.
Impossible Task #8. See a historical view of remote desktop sessions.
They say it’s impossible to love and hate something at the same time, but with Remote Desktop Protocol (RDP), you might make an exception. While RDP serves a variety of purposes ranging from remote systems management to administrative support, in the wrong hands it becomes a remote-control weapon enabling bad actors to step in and take control of your network. Once hackers locate remote desktop applications on a victim’s computer, brute-force entry becomes a simple matter.
Figuring out who exactly is going through your network using RDP (or Chrome Remote Desktop, TeamViewer or any other remote protocol) can be a tedious task requiring tools, examining multiple logs and reviewing past events. If the server has been re-imaged, you can say goodbye to any record of access.
The hero, yet again, is metadata. More nimble that full packet capture, rich metadata containing details about every network session makes it possible to easily analyze activity and trace threats back to their source.
Impossible Task #9. Know when your applications are lying to you.
It’s Halloween, so here’s a freaky thought. Programs that seem to be legitimate – but aren’t.
Users install software onto endpoints at home and work, but we’re not always verifying the code is doing what’s purported to do. (Remember all the problems with rogue security software?) Now you’ve gotten wind of malicious data capture happening through installed applications. Case in point is the Maxthon web browser, developed by a company in China, which on the sly wraps up your entire browsing history into an encrypted DAT file, zips it up and sends it back to China in real-time.
Here’s a scarier thought: Maxthon was found to be transmitting information about the user’s operating system, installed applications and browsing habits. Essentially, it captured almost everything an attacker needs to know to create a perfectly crafted spearphish campaign or watering hole attack.
Visibility into both the network and endpoints can be a challenge, but you have metadata. Much richer than network packet captures or traditional Netflow data, metadata has the power to reveal the indicators and attributes about transport and protocol applications as well as file objects in transit on the wire. This detailed information contains all the necessary descriptors to quickly identify and react to malicious traffic and objects during an investigation.
Impossible Task #10. Detect credentials in the clear.
If an attacker is going to break into your system and steal your credentials, they should have to work really, really (and we mean really) hard to succeed. That’s why credentials in the clear are so frustrating.
Protocols that transfer credentials in the clear, like POP3, IMAP and telnet, continue to be used. Oblivious to the risks associated with such exposure, users continue to jump on unsecured Wi-Fi — at the coffee shop, airport, business or even on a home ISP — and log in with personal and professional credentials. In many cases, it’s easy pickings for attackers to pluck usernames and passwords in the clear.
Impossible to detect credentials in the clear? Not so with metadata. Visibility is exactly what you get when you capture rich metadata. And with that visibility comes peace of mind that not only do you know what’s happening on your network, but you also have the context to do something about it.
Historically, the only way organizations could come close to capturing high-fidelity data about what’s happening on their network was to invest in a packet capture system.
That’s so yesterday.
Full packet capture systems were never designed to facilitate the detection or investigation of advanced threat actors. Metadata is a game-changer in the security space. Think of it as Netflow on steroids and you’ll begin to understand the power of metadata in making all your impossible tasks possible.
-Fidelis Cybersecurity CMO Michael Evans