Personalise your experience

Get the latest insights relevant to your sector.

Blog · 23 Jun 2021

How to plug the gaps in traditional network detection response

Understanding the gaps in traditional network detection and response, that skilled hackers use to their advantage, is key to robust cybersecurity posture.

Vincent Berk
CTO and Chief Security Architect, Riverbed

For some people, it takes less time to hack into a computer network than it does to make a sandwich.

In fact, compromising a network really isn’t very hard. And we’ve inadvertently made it even easier to stay hidden once you’re in. In fact, we’ve created an environment where, by adding feature upon feature to increasingly complex software – we’ve now effectively created a huge attack surface. Thankfully security teams are well aware of how this makes organisations vulnerable and, as a result, most are now well protected and prepared for the straightforward types of attack the average cybercriminal will launch at them. The real danger comes from the minority of hackers who have advanced skills and the time and money they need to support a more complex attack where stealth and cunning are key to their success.

These skilled attacks or ‘advanced persistent threats’ (APTs) are far more sophisticated and are capable of the most serious damage. Their knowledge allows them to circumvent your firewall, avoid tripping your detectors and know how to stay hidden from most traditional security tools in the Network Security Operations Centre (NSOC). They will steal business critical information, take over user accounts or encrypt your servers and demand a ransom. There are many ways a skilled attacker can penetrate your systems, and it can be hard for organisations to detect this activity until damage has already been done.

Traditional Network Detection Response (NDR) therefore isn’t enough, so how can organisations get in-depth defence and protect themselves against more advanced attacks?

Moving beyond traditional NDR to behaviour analysis

NDR is a game that’s been around for a while where, when a new piece of malware is discovered, a signature is created to identify it the next time it shows up. However, with APTs it can be hard to predict today how they are going to act tomorrow, because conventional firewalls such as Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) force APTs to change tactics and take different routes to stay hidden from detection. In fact, it’s much easier for a skilled attacker to change the way they work than it is for malware detection to stay updated and find them. Automatically spotting these changing patterns is challenging. But what we do know is that by using traditional defences, we can force a change in attacker behaviour so that the behaviour might become visible. This interplay between traditional defences and behaviour based analysis creates a worthwhile opportunity for the defender.

By using behavioural analysis software, you can analyse the flows and patterns of large volumes of data moving through a network and begin to detect changes and anomalies in the normal, everyday behaviour. Although skilled attackers may realise the network is being watched and tread carefully, their actions will still likely trip up the behavioural detectors which should, in turn, trigger an incident response investigation… if you’re paying attention.

Assume breach and keep forensic records

Forensics technology is arguably even more important than behavioural analysis, as it can keep a historically accurate record of everything that happens on your network, so you can look back on activity and understand the scope, reach, and impact of a compromise. A Zero Trust approach means you must assume that the bad guys have already got into your network. Typical NSOC operations focus on log collection, but unfortunately logs are generally 1) self-reported, meaning many activities are not properly logged, and 2) can be disabled. However, the attacker is there and creating network traffic. By recording everything going on over your network, a forensic record is created at a flow and packet level that can later be used for an incident investigation, or even pro-actively to hunt for the bad guys.

Netflow data is by far the most underutilised source for security information out there. Typically only used by the Network Operations Center (NOC), the security team are missing out on a lot of value. For instance, when a hacker tries to exfiltrate stolen data, it’s going to have volume and be very visible on the wire. With a NetFlow traffic analyser, it’s also very easy to trace who might have talked to a particular adversarial IP address in the last six months and create a report indicating what other systems might have been affected. Additionally, NetFlow is very compact so it can be used to keep months of records - which is important, because often attackers can be on your network for months at a time. 

Advanced protection for advanced threats

At Riverbed, we realise that areas of signature detection and firewalls are well-covered and instead focus on the APT and the attacks that have the potential to do the most damage. Highly skilled attackers can spend a lot of time on your network, use crafty encrypted communications, or new techniques that have never been seen before. Delivered as a managed service by our partner BT, Connect Intelligence VaaS (Visibility-as-a-Service), our Riverbed Netflow traffic analyser and Packet solution can capture and store all network flow and packet data across your organisation, delivering the crucial insights to detect and investigate APTs that bypass typical preventative measures.

Our joint managed services combine BT’s long standing global experience and expertise with Riverbed’s powerful cybersecurity technology to offer customers the most advanced protection.

To find out more, please get in touch and discover how we can give your business the security and visibility you need to overcome sophisticated threats.

Contact