Internal host-reputation-webinar

Posted 18-Nov-2014 by lancope-inc, 15 pages

DESCRIPTION

With so many new threat actors out there, IP reputation is becoming increasingly critical for effectively combating attacks. Under today’s security paradigm, administrators need to know not only about the bad guys lurking on the Internet, but also about the ones operating inside the network perimeter. Lancope uniquely provides both internal and external host reputation, better preparing organizations to: combat APTs and insider threats, address BYOD challenges, and deliver actionable information for security teams. Learn how to leverage internal host reputation to uncover a wide range of suspicious user behaviors such as:

* Sending out an unusual amount of traffic
* Communicating with known, bad external hosts
* Accessing restricted areas of the network
* Spreading malware

TRANSCRIPT

Page 1: Internal host-reputation-webinar

©2013 Lancope , Inc. All Rights Reserved

Internal Host Reputation

For Combating

Advanced Cyber Threats

Matthew McKinley

[email protected]

Page 2

Agenda

Background

– What is IP reputation?

– Why is it important?

– How is it used today?

What is the Concern Index?

– Basic definition

– How it relates to reputation

The two sides of IP reputation

– External

– Internal

Combating Advanced Cyber Threats

– Internal Host Reputation as a function of the Concern Index

– The benefits of IHR

– How IHR can help with attacks that are not easily categorized

Page 3

Background

IP reputation is a measure of how trustworthy (or, more commonly, untrustworthy) an IP address is

– Based on association with SPAM, botnets, and other malicious activity

– Knowing the reputation of IP addresses gives administrators an idea of what to watch for, e.g. is someone on my network talking to a known botnet?

Today, External Host Reputation is used for a variety of purposes, but mostly as a way to identify when

– A known bad address has communicated with you, or…

– When someone on your network has communicated with a known bad address

Page 4

The Concern Index

The Concern Index is a measure of, literally, how concerned one should be about a given host

– Concern Index Points are accumulated based on:

Behavior, e.g. deviation from norms, scanning activity, communication patterns, etc.

Communication with particular outside hosts

Movement of unexpectedly large amounts of data

Communication with unexpected parts of the network, e.g. a desktop talking to a server in a PCI environment

– The CI is calculated network-wide, thanks to the visibility provided by NetFlow data

– The CI can be leveraged for actions such as alarming, trending, reporting and...

– You guessed it: Reputation!

Page 5

The Concern Index

Here is what the Concern Index looks like in use:

Page 6

Reputation

Now wait a minute, I already know what reputation is! True. But there are 2 sides to the coin:

– External

– Internal

External is very useful and many, many security pros make use of one of the many reputation services.

– This is good for knowing what to block, what to look out for, etc.

The internal side is just as important, but harder to do.

– External services cannot see the interior of your network

– Even if they could, the understanding and visibility required would be complicated

Hosts on the inside of the network misbehave, too.

– Data exfiltration

– Users hogging bandwidth

– Communication with command and control servers

– Attempted communication to forbidden parts of the network

Page 7

Reputation

Internal Host Reputation is a more personal form of reputation service that is unique to your environment

– Issues can be spotted before they become problems

– Because of ISE integration, users can be tied to IP addresses

– Reputation can extend to virtual hosts

– Events leading to degraded reputation are easily accessible

Page 8

Tying it all together

What does the Concern Index have to do with Reputation?

– The CI is a measure of how “out-of-bounds” a host on the network has become

– As we’ve discussed, there can be many reasons for that

– The more CI points a host accumulates, the more abnormally it is behaving

Dashboards are close friends of the Admin. The Reputation dashboard ranks hosts based on:

– Concern Index, with the worst offenders being at the top

Running a host snapshot for the top offender gives you an idea of:

– Its Reputation! How has this host been acting historically on my network?
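To make the two preceding slides concrete, here is an added example, written for this page rather than taken from the webinar or from StealthWatch, of how a concern index can be accumulated from NetFlow-style records and then ranked the way the Reputation dashboard described above does. The point weights, the known-bad address, the restricted (PCI-like) subnet, the per-host traffic baselines and the sample flows are all constructed assumptions; the deck does not disclose Lancope's actual scoring.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Tuple

# All values below are constructed for this example; they are not Lancope's
# weights, thresholds or feeds, which the webinar does not specify.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]
RESTRICTED_NETS = [ip_network("10.50.0.0/16")]   # e.g. a PCI segment desktops must not touch
KNOWN_BAD_EXTERNAL = {"203.0.113.7"}              # e.g. a C&C address from an external reputation feed
BASELINE_OUT_BYTES = {"10.1.2.4": 5_000_000}      # per-host historical outbound bytes per flow
DEFAULT_BASELINE = 50_000_000                     # used for hosts with no recorded history
DEVIATION_FACTOR = 10                             # "unexpectedly large" = 10x the host's norm
SCAN_PORT_THRESHOLD = 20                          # distinct ports to one peer before it looks like a scan
POINTS = {"known_bad_peer": 50, "restricted_access": 30, "large_transfer": 25, "scan": 20}


@dataclass(frozen=True)
class Flow:
    """One NetFlow-style record, reduced to the fields the scorer needs."""
    src: str
    dst: str
    dport: int
    bytes_out: int  # bytes sent from src to dst


def is_internal(ip) -> bool:
    return any(ip in net for net in INTERNAL_NETS)


def score_flows(flows: Iterable[Flow]) -> Dict[str, Dict[str, int]]:
    """Accumulate concern-index points per internal source host, keyed by reason."""
    ci: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    ports_seen: Dict[Tuple[str, str], set] = defaultdict(set)
    for f in flows:
        src, dst = ip_address(f.src), ip_address(f.dst)
        if not is_internal(src):
            continue  # only internal hosts earn an internal reputation
        # Communication with a particular (known bad) outside host
        if f.dst in KNOWN_BAD_EXTERNAL:
            ci[f.src]["known_bad_peer"] += POINTS["known_bad_peer"]
        # Communication with an unexpected part of the network
        if any(dst in net for net in RESTRICTED_NETS):
            ci[f.src]["restricted_access"] += POINTS["restricted_access"]
        # Deviation from this host's own norm: unexpectedly large outbound transfer
        baseline = BASELINE_OUT_BYTES.get(f.src, DEFAULT_BASELINE)
        if not is_internal(dst) and f.bytes_out > DEVIATION_FACTOR * baseline:
            ci[f.src]["large_transfer"] += POINTS["large_transfer"]
        # Scanning activity: many distinct ports against one peer
        ports_seen[(f.src, f.dst)].add(f.dport)
        if len(ports_seen[(f.src, f.dst)]) == SCAN_PORT_THRESHOLD:
            ci[f.src]["scan"] += POINTS["scan"]  # awarded once, when the threshold is crossed
    return {host: dict(reasons) for host, reasons in ci.items()}


def rank_hosts(ci: Dict[str, Dict[str, int]]) -> List[Tuple[str, int]]:
    """Reputation dashboard ordering: highest total concern first, ties broken by address."""
    totals = {host: sum(reasons.values()) for host, reasons in ci.items()}
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed sample flows (not captured from any real network).
SAMPLE_FLOWS = [
    Flow("10.1.2.3", "203.0.113.7", 443, 2_000),          # talks to a known bad host
    Flow("10.1.2.3", "10.50.1.10", 1433, 500),            # desktop reaching into the PCI segment
    Flow("10.1.2.4", "198.51.100.9", 443, 700_000_000),   # far above this host's outbound norm
    Flow("10.1.2.6", "198.51.100.20", 80, 1_000),         # ordinary browsing, no points
    Flow("198.51.100.9", "10.1.2.4", 51000, 1_200),       # inbound flow, not scored
] + [Flow("10.1.2.5", "10.1.2.99", port, 60) for port in range(1, 26)]  # port sweep


if __name__ == "__main__":
    scores = score_flows(SAMPLE_FLOWS)
    for host, total in rank_hosts(scores):
        print(f"{host:<12} {total:>4}  {scores[host]}")
```

Keeping the points keyed by reason is what makes the "events leading to degraded reputation" easy to pull up for the top offender: the ranking answers "who is worst", and the per-reason breakdown answers "why". The large-transfer rule compares each host against its own baseline rather than a global threshold, which is the "deviation from norms" idea; a server that routinely ships hundreds of megabytes should not score the same as a desktop that suddenly does.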

Page 9

Combating Advanced Cyber Threats

Perimeter defenses lack signatures for Advanced Cyber Threats

– Phishing

– Social Engineering

– Well engineered email attachments

– Insiders

Because the end result is similar, i.e. endpoints behaving in ways they normally would not, this activity accumulates CI points and puts those hosts on the CI dashboard.

Worm propagation can be tracked in this way, too.

If a user brings in an infected laptop that attempts to call a C&C server, it will accumulate CI points.

Hosts that are behaving the worst, particularly in the case of data exfiltration, are clearly visible.

Page 10

Combating Advanced Cyber Threats

If a host is infected, it is possible to see an internal pivot to attack or infect other machines

Internal Host Reputation is a form of Data Analytics which can spot behaviors that signature-based systems would completely miss.

Attackers are well aware of the current countermeasures, but countering analytics is much harder to do

Remember that StealthWatch provides IHR and links it to a user.

The battle against Advanced Cyber Threats is a battle against sophisticated behaviors, and it takes a behavioral solution to combat them.

Page 11

Cyber Threats Dashboard

Page 12

Conclusions

As the size of internal networks grows, internal reputation will become as important as external reputation

Perimeter devices cannot provide this level of information; only an internal visibility solution leveraging network telemetry such as NetFlow can accomplish this

Advanced Cyber Threats are not easily categorized and can only be identified with an analytical approach

– http://www.emc.com/collateral/industry-overview/h11240-advanced-threats-summit-2012-io.pdf

The Concern Index (and IHR) is a valuable tool for tracking potential threats, both internally and externally

Page 13

Lancope at RSA 2013

Return of the famous Lancope Ninja Sword!

Visit booth #1653

Presentations by Tom Cross, Director of Security Research:

- Tuesday @ 4:30 pm

- Wednesday @ 2 pm

Email [email protected] to request a private demo at the event.

Page 14

Get Engaged with Lancope!

@Lancope @NetFlowNinjas

Subscribe Join Discussion Download

@stealth_labs

Access StealthLabs Intelligence Center

(SLIC) Reports

Security Research

Page 15

Thank you!