Known vs Unknown

Lately my focus has been on looking at traffic. Whether it’s the traffic visiting the AsTech website, traffic at a client site that seems to indicate they are under attack, or traffic on a LAN segment, traffic is flowing all the time. So, I started to wonder, what is all this traffic?

In my efforts to dig into the traffic against web applications I have learned quite a bit about user behavior, types of user-agents, types of “good traffic” and the various nuances of “bad traffic”. I have been working with Stealth Security on understanding why so much traffic against a given site is “bad”. For highly transactional sites like PayPal or eBay, the traffic volume of attackers can be as much as 60% of the traffic hitting the login page. This means that almost 2 out of every 3 login attempts come from some attacker running a tool like Sentry against a credential list dumped to Pastebin.

So it is exceptionally important to be able to identify whether this is a known user attempting to access their legitimate profile to transact business. If you look at the flip side of that, it’s important to keep the unknown user, with illegitimate credentials, off your infrastructure. Web apps attract plenty of attacks because they are exposed to such a broad audience.

But what about your LAN? Do you have unknown users on your LAN? Is anyone using your infrastructure to host malware? Is there anyone walking around on your intellectual property? The truth is, you probably don’t know. The average “Time on Target”, the time an attacker remains in your network, is around 200 days. Usually the victim organization is notified by someone else, and it then takes around 70 days to remove the attacker completely. This means it’s quite possible someone is running around on your network right now.

So, what can be done about this? Well, you can deploy IDS sensors everywhere. You can have agents running on machines looking for Indicators of Compromise and hope that your IDS and IOC sensors aren’t throwing false positives and causing doubt. Or you can put an access control solution inline, watching for those unknown transactions, and have it simply stop the attack and quarantine the transaction before any further trouble occurs.
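As an added illustration of sorting login-page traffic into known and unknown (this is not code from the original post or from any vendor named here), the script below runs a simple heuristic over constructed log lines: a source whose every attempt matches a previously seen user/source pair is known, a source replaying many usernames with mostly failures is flagged as credential stuffing, and everything else is unknown. The log format, the profile table and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed login-page log lines (not real traffic): source IP, username, HTTP status.
SAMPLE_LOG = """\
203.0.113.10 POST /login user=alice status=200
203.0.113.10 POST /login user=alice status=200
198.51.100.7 POST /login user=bob status=200
192.0.2.55 POST /login user=alice status=401
192.0.2.55 POST /login user=carol status=401
192.0.2.55 POST /login user=dave status=401
192.0.2.55 POST /login user=erin status=200
192.0.2.56 POST /login user=frank status=401
"""
# Hypothetical profile table: sources each user has successfully logged in from before.
KNOWN_SOURCES = {"alice": {"203.0.113.10"}, "bob": {"198.51.100.7"}}
LINE_RE = re.compile(r"^(\S+) POST /login user=(\S+) status=(\d{3})$")

def parse_login_log(text):
    """Return (ip, user, status) tuples for well-formed lines; malformed lines are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append((m[1], m[2], int(m[3])))
    return out

def classify_sources(events, min_users=3, min_fail_ratio=0.75):
    """Label each source IP 'known' (only previously seen user/source pairs), 'stuffing'
    (many usernames, mostly failures: a credential list replay) or 'unknown' (anything else)."""
    stats = defaultdict(lambda: {"n": 0, "fail": 0, "known": 0, "users": set()})
    for ip, user, status in events:
        s = stats[ip]
        s["n"] += 1
        s["users"].add(user)
        s["fail"] += int(status != 200)
        s["known"] += int(ip in KNOWN_SOURCES.get(user, set()))
    labels = {}
    for ip, s in stats.items():
        if s["known"] == s["n"]:
            labels[ip] = "known"
        elif len(s["users"]) >= min_users and s["fail"] / s["n"] >= min_fail_ratio:
            labels[ip] = "stuffing"
        else:
            labels[ip] = "unknown"
    return labels

def attacker_share(events, labels):
    """Fraction of all login attempts that came from sources labelled 'stuffing'."""
    bad = sum(labels.get(ip) == "stuffing" for ip, _, _ in events)
    return bad / len(events) if events else 0.0
```

Note that the stuffing source in the sample does get one successful login (erin); an inline control that quarantines the whole source, rather than trusting each 200 response on its own, is what keeps that one hit from becoming a session.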

In the case of Milton’s NAC-as-a-service, you also have someone who can watch for other indications that you are under attack from any vector. Using a solution that is provided, curated and monitored by the manufacturer means you have experts in your corner: they learn what your known traffic is supposed to look like, and they know how to manage the unknown to keep your organization safe.