At Motorola Solutions, we’re always looking for and developing new and innovative ways to find and respond to cyber threats to protect mission-critical systems. One of the core functions of our ActiveEye cybersecurity platform is network detection and response (NDR), combined with advanced security orchestration, automation, and response (SOAR) capabilities to streamline and automate response options and remediate detected threats faster.
Internal Versus External Attack Surfaces
Cybersecurity incidents often begin with an attacker identifying and exploiting an organizational weakness. Opportunities for attackers are broad and varied, and can be internal or external. External opportunities could be anything from a software vulnerability on a public web server, an unprotected database on a cloud-hosted platform or a gullible employee who is tricked into providing access to sensitive data, to a carefully placed USB drive that someone picks up in a hallway and plugs into their laptop out of curiosity. These “outside” weaknesses collectively represent the public attack surface of an organization.
After the attacker finds a foothold within your environment, they typically try to expand to other systems or privilege levels. Without strict controls in place, it’s relatively easy for attackers to escalate privileges once they’re in the network due to the often much larger internal attack surface created by the interconnectivity and trust between organizational computing resources.
Both types of attack surfaces have weaknesses that can be exploited over the network. Network detection, a type of threat intelligence, seeks to identify such vulnerabilities to prevent infection, identify existing compromises and stop the spread of an attack.
Network detection, also referred to as network traffic analysis (NTA), does this by analyzing all of the traffic between computers on a network. It then uses behavioral analytics to identify communication patterns that can indicate a vulnerability that’s being exploited, risky or anomalous behavior or any activity involving known bad actors. For example, this could include domain names registered by unauthorized entities to set up look-alike websites that can fool people into thinking they’re legitimate, a practice also known as typo-squatting. Providing security analysts with visibility into this traffic is a major part of threat detection, opening up a rich investigative landscape and providing operational insight.
How Does Network Detection Work?
There are many different monitoring technologies that provide enterprise network detection using various methods. Most techniques, powered by machine learning and artificial intelligence, involve the deployment of a dedicated device, often referred to as a “sensor,” to collect, process and analyze network traffic patterns to detect malicious or anomalous activity. Tracking and analyzing traffic patterns can reveal when unusual changes are occurring and help mitigate or prevent a possible attack.
A robust network monitoring solution should provide detection coverage in three primary areas: signature-based detection, protocol analysis and flow analysis. The specifics of how each monitoring solution accomplishes detection in these three areas are unique to every platform. Each of these pieces is important to creating a complete picture of everything occurring within your network. These areas provide different benefits that overlap, like the shingles of a house, to provide comprehensive protection.
Signature detections rely on rulesets that are designed to find explicit characteristics in a network’s traffic pattern. When network connections are observed, each packet is analyzed individually. If the characteristics that are defined in each rule are observed, an alert will be generated to be investigated. These rules can be designed to detect anything from a corporate software policy violation, such as a user installing and using peer-to-peer file-sharing software, to a server response message unique to a known trojan or malware variety.
Signature-based detections are the bread and butter of most network monitoring platforms, but can fall short at finding threat actors or malware for which no rules have yet been created. This is a key reason why protocol and flow analysis are also necessary. A network intruder may not have a documented “signature”, but their activity will almost always result in an anomaly. We’ll cover protocol and flow analysis more in the next section.
For signature detection to be most effective, the tell-tale signs of threat actors need to be rigorously kept up to date to spot changing attack patterns or new attacks. The frequency of these updates can mean the difference between staying secure and a full-blown compromise, as attackers often leverage emerging threats. In the case of recent vulnerabilities like Log4Shell, attackers began scanning networks for weak hosts within hours of the vulnerability becoming public.
Network flows describe “conversations” that occur between systems, a summary of who connected, the port used and how much data was transferred. These few details may seem simple, but can help you to find even the most stealthy of threat actors in a network if you ask the right questions, such as:
- What internal systems are connecting over new ports?
- What devices are communicating to external devices on unusual ports?
- Why did your printing server suddenly make hundreds of connections to other internal systems on random ports?
- Why did a device in Human Resources transfer 10GB of data to an external server at 2:00 AM?
- Why is your file server creating a 1KB connection every 30 seconds to an unusual IP address in Moscow?
Many security monitoring solutions collect network flow data, but few succeed in analyzing it and using it to produce tangible network detections. Defenders need flow data to be easily searchable, and they also rely on it to raise an alert when anomalies occur.
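Two of the flow questions listed above (the periodic 1KB connection from a file server, and the print server fanning out to many internal hosts) answered in code over constructed NetFlow-style records. This is an added example, not ActiveEye code; the record layout, IP addresses and thresholds are assumptions.

```python
"""Flow-analysis checks over constructed NetFlow-style records (added example)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed records: (timestamp_seconds, src_ip, dst_ip, dst_port, bytes). Not real data.
FLOWS = (
    # file server sending ~1 KB to one external address every 30 s (beacon-like)
    [(t, "10.0.0.5", "203.0.113.9", 443, 1024) for t in range(0, 300, 30)]
    # print server reaching 40 internal hosts on scattered high ports (fan-out)
    + [(100 + i, "10.0.0.20", f"10.0.1.{i}", 40000 + 7 * i, 500) for i in range(1, 41)]
    # ordinary workstation browsing: few flows, irregular timing, larger sizes
    + [(10, "10.0.0.50", "198.51.100.7", 443, 120000),
       (47, "10.0.0.50", "198.51.100.7", 443, 80000),
       (190, "10.0.0.50", "198.51.100.7", 443, 65000)]
)

def beacon_candidates(flows, min_flows=5, max_jitter=0.2):
    """Map (src, dst) -> mean interval for pairs whose connection timing is
    nearly periodic. Regularity, not volume, is the tell: a 1 KB flow every
    30 s looks like a check-in even though each individual flow is tiny."""
    times = defaultdict(list)
    for ts, src, dst, _port, _size in flows:
        times[(src, dst)].append(ts)
    found = {}
    for pair, ts in times.items():
        if len(ts) < min_flows:
            continue
        ts = sorted(ts)
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        # coefficient of variation: a low value means evenly spaced flows
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            found[pair] = avg
    return found

def fan_out(flows, min_peers=20, internal_prefix="10."):
    """Map src -> number of distinct (internal host, port) pairs it contacted,
    for sources at or above the threshold. A print server that suddenly
    reaches dozens of internal hosts on random ports stands out here."""
    peers = defaultdict(set)
    for _ts, src, dst, port, _size in flows:
        if dst.startswith(internal_prefix):
            peers[src].add((dst, port))
    return {src: len(p) for src, p in peers.items() if len(p) >= min_peers}

if __name__ == "__main__":
    print("beacon candidates:", beacon_candidates(FLOWS))
    print("fan-out sources:", fan_out(FLOWS))
```

Real deployments would baseline the thresholds per host role rather than hard-code them, since a backup server legitimately touches many peers and some monitoring agents legitimately poll on a fixed interval.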
Network protocol analysis can be used to understand the key details of connections made by devices. These go beyond the high-level “conversations” that network flows provide and can reveal the unique details of how a connection is occurring. These types of details are specific to the protocols being observed in each connection.
Protocol data can be analyzed by itself or used to supplement ongoing investigations. If a signature-based detection claims a connection is the result of a malware infection, protocol information can be used to quickly understand the important details of the connection and determine if the device is in fact infected with malware.
When viewing protocol data by itself, you can answer deeper questions about your threat intelligence strategy and network security with ease, such as:
- What commands are being issued to your database server?
- What files are being downloaded by your end-users?
- What devices have a high number of authentication failures to internal servers?
- Are any devices connecting to external web servers with invalid certificates?
These are simple questions to ask your security team, but many monitoring solutions actually struggle to present the required data to answer these questions in an intuitive manner. Protocol analysis captures and represents the most relevant information, enabling even inexperienced security teams to quickly get answers and understand what’s occurring in their network.
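Two of the protocol questions above (devices with a high number of authentication failures, and devices connecting to external web servers with invalid certificates) answered over constructed Zeek-style protocol records. This is an added example, not ActiveEye code; the record layouts, addresses, window size and threshold are assumptions.

```python
"""Protocol-analysis checks over constructed auth and TLS records (added example)."""
from collections import defaultdict

# Constructed auth events: (timestamp_seconds, client_ip, server_ip, success). Not real data.
AUTH = (
    # one workstation failing against a server every 2 s for two minutes (60 failures)
    [(t, "10.0.0.31", "10.0.0.2", False) for t in range(0, 120, 2)]
    # a normal user: one success and one isolated typo later on
    + [(5, "10.0.0.50", "10.0.0.2", True), (300, "10.0.0.50", "10.0.0.2", False)]
)
# Constructed TLS records: (client_ip, server_ip, server_name, validation_status).
TLS = [
    ("10.0.0.50", "198.51.100.7", "mail.example.com", "ok"),
    ("10.0.0.77", "203.0.113.44", "update-server.example", "self signed certificate"),
    ("10.0.0.77", "10.0.0.9", "intranet.corp.example", "unable to get local issuer certificate"),
]

def auth_failure_bursts(events, window=60, threshold=10):
    """Map client -> peak number of failures inside any `window`-second span,
    for clients whose peak reaches `threshold`. A sliding window catches a
    burst (spraying, brute force) that a plain daily count would dilute."""
    fails = defaultdict(list)
    for ts, client, _server, ok in events:
        if not ok:
            fails[client].append(ts)
    peaks = {}
    for client, ts in fails.items():
        ts.sort()
        start = peak = 0
        for end in range(len(ts)):
            while ts[end] - ts[start] > window:
                start += 1          # slide the window forward
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            peaks[client] = peak
    return peaks

def invalid_external_certs(records, internal_prefix="10."):
    """TLS sessions to external servers whose certificate did not validate;
    internal servers are excluded because private CAs often fail validation."""
    return sorted((c, s, name, status) for c, s, name, status in records
                  if not s.startswith(internal_prefix) and status != "ok")

if __name__ == "__main__":
    print("auth failure bursts:", auth_failure_bursts(AUTH))
    print("invalid external certs:", invalid_external_certs(TLS))
```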
Rapid detection of bad or risky network behavior enables security operations teams to respond quickly to threats within their environment, often before the success of the attack is guaranteed. Because these detections include information about the network endpoints involved, defenders can isolate and remediate those endpoints prior to spread. Additionally, NDR solutions can inform structural remediations within the network, such as firewall rule changes, network segmentation or traffic filtering.
Who Needs Network Detection?
The short answer for who needs network detection is anyone who operates an IT environment. Unless your organization operates nothing but air-gapped systems in complete isolation, your IT environment is interconnected in a way that attackers are eager to exploit. Attackers think in graphs — and your network is a perfect canvas for them to plan an attack that can compromise all of your resources. Cybersecurity NDR solutions provide defenders with critical network visibility into the avenues between your computing resources, enabling security staff to detect and contain attacks before they get out of hand.
What Is the Difference Between Network Detection and Endpoint Protection?
IT environments are fundamentally made up of computers and networks. It can be tempting to think that protecting the computers with technologies like next-generation Endpoint Detection and Response (EDR) and next-generation antivirus (NGAV) also protects your network. However, this can leave large blind spots that increase the attack surface.
Here are a few scenarios where network detection offers a significant improvement over other security solutions and provides stronger response capabilities than endpoint protection measures alone:
- Many devices can’t have EDR deployed and managed on them. Historically, this has included a lot of networking gear, which tends to be deployed as custom hardware rather than commercial off-the-shelf (COTS) products. More recently, the rise of the Internet of Things (IoT) has added many new devices onto the enterprise network that go unmanaged. An attacker with a foothold in a device like a smart doorbell may go undetected for quite some time!
- With the rise of bring-your-own-device (BYOD) policies, many enterprise networks have segments with devices that come and go. These devices may have different levels of security applied, and may not be managed or updated to the standard of the organization’s security team.
- Though it’s less common, attackers may deploy a rogue device onto networks to create a foothold without needing to exploit an existing resource. This has become easier with the rise of wide-ranging Wi-Fi networks with unmanaged devices.
- Savvy attackers can spread within a network by leveraging existing, legitimate software and exploiting trust relationships instead. As an example, attackers commonly move laterally through trusted file shares. While behavioral EDR controls may be able to detect some of this activity, these security tools are not perfect. Legitimate-seeming movement may go unnoticed at the endpoint.
- More generally, no one technique is infallible. Combining endpoint protection and network detection offers much better protection than either in isolation: broader, better network visibility and more security tools for remediating the threats detected.
The interconnection of modern IT environments, along with the rise of trends like IoT and BYOD, have created new weaknesses for attackers to exploit. By providing visibility into the communication between computing resources, network detection can empower defenders to identify, isolate, and remediate attacks that evade traditional endpoint protections before they expand and become full-blown disasters.
If you’re interested in network detection and response tools for your cybersecurity team, Motorola Solutions can help. Our ActiveEye platform combines sophisticated network detection with endpoint protection and other security controls to create a single pane of glass for our expert SOC analysts to identify and remediate even the most advanced threats.