Archives

Posts Tagged ‘ToR’

How to counter-punch botnets, viruses, ToR & more with Netflow [Pt 1]

You can’t secure what you can’t see and you don’t know what you don’t know.

Many network and security professionals assume that they can simply analyze data captured using their standard security devices like firewalls and intrusion detection systems, however they quickly discover their limitations as these devices are not designed for and cannot record and report on every transaction due to lack of granularity, scalability and historic data retention. Network devices like routers, switches, Wi-Fi or VMware servers also typically lack any sophisticated anti-virus software.

Presenting information in a manner that quickly enables security teams to act with simple views with deep contextual data supporting the summaries is the mark of a well constructed traffic analyzer ensuring teams are not bogged down by the detail unless required and even then allowing elegant means to extract forensics with simple but powerful visuals to enable quick contextual grasp and impact of a security event.

Using NetFlow Correlation to Detect intrusions  

Host Reputation is one of the best detection methods that can be used against Advanced Persistent Threats. There are many data sources to choose from and some are more comprehensive than others.

Today these blacklists are mostly IPv4 and Domain orientated designed to be used primarily by firewalls, network intrusion systems and antivirus software.

They can also be used in NetFlow systems very successfully as long as the selected flow technology can scale to support the thousands of known compromised end-points, the ability to frequently update the threat data and the ability to record the full detail of every compromised flow and subsequent conversations that communicate with the compromised systems to discover other related breaches that may have occurred or are occurring.

According to Mike Schiffman at Cisco,

“If a given IP address is known to be that of a spammer or a part of a botnet army it can be flagged in one of the ill repute databases … Since these databases are all keyed on IP address, NetFlow data can be correlated against them and subsequent malicious traffic patterns can be observed, blocked, or flagged for further action. This is NetFlow Correlation.“

The kind of data can we expect to find in the reputation databases are IP addresses that have known to be acting in some malicious or negative manner such as being seen by multiple global honeypots. Some have been identified to be part of a well-known botnet such as Palevo or Zeus whilst other IP’s are known to have been distributing Malware or Trojans. Many kinds of lists can be useful to correlate such as known ToR end points or Relays that have become particularly risky of late being a common means to introduce RansomWare and should certainly not be seen conversing to any host within a corporate, government or other sensitive environment.

Using a tool like CySight’s advanced End-Point Threat Detection allows NetFlow data to be correlated against hundreds of thousands of IP addresses of questionable reputation including ToR exits and relays in real-time with comprehensive historical forensics that can be deployed in a massively parallel architecture.

As a trusted source of deep network insights built on big data analysis capabilities, Netflow provides NOCs with an end-to-end security and performance monitoring and management solution. For more information on Netflow as a performance and security solution for large-scale environments, download our free Guide to Understanding Netflow.

Cutting-edge and innovative technologies like CySight delivers the deep end-to-end network visibility and security context required assisting in speedily impeding harmful attacks.

Performance Monitoring & Security Forensics: The 1-2 Punch for Network and IT Infrastructure Visibility

Identifying ToR threats without De-Anonymizing

Part 3 in our series on How to counter-punch botnets, viruses, ToR and more with Netflow focuses on ToR threats to the enterprise.

ToR (aka Onion routing) and anonymized p2p relay services such as Freenet is where we can expect to see many more attacks as well as malevolent actors who are out to deny your service or steal your valuable data. Its useful to recognize that flow Predictive AI Baselining analytics provides the best and cheapest means of de-anonymizing or profiling this traffic.

“The biggest threat to the Tor network, which exists by design, is its vulnerability to traffic confirmation or correlation attacks. This means that if an attacker gains control over many entry and exit relays, they can perform statistical traffic analysis to determine which users visited which websites.” (source)

According to a paper entitled “On the Effectiveness of Traffic Analysis Against Anonymity Networks Using Flow Records” by Sambuddho Chakravarty, Marco V. Barbera,, Georgios Portokalidis, Michalis Polychronakis, and Angelos D. Keromytis they point out that in the lab they can qualify that “81 Percent of Tor Users Can Be Hacked with Traffic Analysis Attack”.

It continues to be a cat and mouse game that requires both new innovative approaches to find ToR weaknesses coupled with correlation attacks to identify routing paths. To do this in real life is becoming much simpler but the real challenge is that it requires cooperation and coordination of business, ISPs and governments. The deployment of cheap and easy to deploy micro-taps that can act both as a ToR relay and a flow exporter concurrently combined with a NetFlow toolset that can scale hierarchically to analyze flow data with path analysis at each point in parallel across a multitude of ToR relays can make this task easy and cost effective.

So what can we do about ToR today?

Even without de-anonymizing ToR traffic there is a lot of intelligence that can be gained simply by analyzing ToR Exit and relay behavior. Using a flow tool that can change perspectives between flows, packets, bytes, counts or tcp flag counts allows you to qualify if a ToR node is being used to download masses of data or is trickling out data.

Patterns of data can be very telling as to what is the nature of the data transfer and can be used in conjunction with other information to become a useful indicator of the risk. As for supposedly secured networks I can’t think of any instance where ToR/Onion routing or for that matter any external VPN or Proxy service is needed to be used from within what is supposed to be a locked environment. Once ToR traffic has been identified communicating in a sensitive environment it is essential to immediately investigate and stop the IP addresses engaging in this suspicious behavior.

Using a tool like CySight’s advanced End-Point Threat Detection allows NetFlow data to be correlated against hundreds of thousands of IP addresses of questionable reputation including ToR exits and relays in real-time with comprehensive historical forensics that can be deployed in a massively parallel architecture.

Performance Monitoring & Security Forensics: The 1-2 Punch for Network and IT Infrastructure Visibility

How to counter-punch botnets, viruses, ToR and more with Netflow (Pt. 2)

Data Retention Compliance

End-Point Profiling

Hosts that communicate with more than one known threat type should be designated a high risk and repeated threat breaches with that hosts or dependent hosts can be marked as repeat offenders and provide an early warning system to a breach or an attack.

It would be negligent of me not to mention that the same flow-based End-Point threat detection techniques can be used as part of Data Retention compliance. In my opinion this enables better individual privacy with the ability to focus on profiling known bad end-points and be used to qualify visitors to such known traffic end-points that are used in illicit p2p swap sessions or access to specific kinds of subversive or dangerous sites that have been known to host such traffic in the past.

Extreme examples of end-point profiling could be to identify a host who is frequently visiting known jihadist web sites or pedophiles using p2p to download from peers that have been identified by means of active agents to carry child abuse material. The individual connection could be considered a coincidence but multiple visitations to multiple end-points of a categorized suspicious nature can be proven to be more than mere coincidence and provide cause for investigation.

Like DDoS attack profiles there may be a prolific amount of end-points involved and an individual conversation is difficult to spot but analysis of the IP’s involved in multiple transactions based on the category of the end-point will allow you to uncover the “needles in the haystack” and to enable sufficient evidence to be uncovered.

Profiling Bad traffic

End-Point Threat detection on its own is insufficient to detecting threats and we can’t depend on blacklists when a threat morphs faster than a reputation list can be updated. It is therefore critical to concurrently analyze traffic using a flow behavior anomaly detection engine.

This approach should be able to learn the baselines of your network traffic and should have the flexibility to baseline any internal hosts that your risk management teams deem specifically important or related such as a specific group of servers or high-risk interfaces and so-forth enabling a means to quantify what is normal and to identify baseline breaches and to perform impact analysis.

This is where big-data machine learning comes into play as to fully automate the forensics process of analyzing a baseline breach automating baselines and automatically running diagnostics and serving up the Predictive AI Baselining analytics needed to quickly identify the IP’s that are impacting services to provide extreme visibility and if desired mitigation.

Automated Diagnostics enable security resources to be focused on the critical issues while machine learning processes continue to quantify the KPI’s of ongoing issues bringing them to the foreground quickly taking into account known blacklists, whitelists and repeat offenders.

As a trusted source of deep network insights built on big data analysis capabilities, Netflow provides NOCs with an end-to-end security and performance monitoring and management solution. For more information on Netflow as a performance and security solution for large-scale environments, download our free Guide to Understanding Netflow.

Cutting-edge and innovative technologies like CySight delivers the deep end-to-end network visibility and security context required assisting in speedily impeding harmful attacks.

Performance Monitoring & Security Forensics: The 1-2 Punch for Network and IT Infrastructure Visibility