If you are responsible for secure web-based services, it is likely that you are scrambling to identify servers using OpenSSL versions 1.0.1 through 1.0.1f, trying to patch those servers, and reissuing certificates.
ExtraHop can detect the heartbeats that are used in the Heartbleed exploit, revealing potential attacks against your SSL servers. This capability is available in the ExtraHop Discovery Edition, a free-forever virtual appliance.
Follow these steps to install the Discovery Edition and detect Heartbleed exploits:
- Fill out the form at www.extrahop.com/discovery
- Receive your product key and download the .ova file
- Install the virtual appliance on a machine with a bare-metal hypervisor or in AWS
- Direct traffic to the appliance using our software tap or a port mirror
- Install the Heartbleed solution module (a one-minute process)
Note: If you already have a full version of ExtraHop deployed, you do not need to download anything extra to do the analysis described below, although we have bundles in the forum that provide custom pages and geomaps specifically for Heartbleed activity.
How ExtraHop Detects Potential Heartbleed Attacks
ExtraHop performs detailed SSL transaction analysis: certificates used, session details, cipher suites, connections over time, record sizes, and other metrics for every SSL transaction. We also break down SSL records by content type, including application data, change cipher, handshakes, and alerts. There was one other content type that we did not list out by name in the user interface because it was an extension and not part of TLS core … You guessed it, the last content type we record is heartbeat, which is the message used in the Heartbleed exploit. In the ExtraHop user interface, heartbeat messages currently appear as “Other.”
The heartbeat content type was previously obscure and rarely used, which means that any SSL traffic using heartbeats is worth investigating. Investigating heartbeats is a simple drill-down in ExtraHop. First, you navigate to the SSL Server activity group.
From the SSL Server activity group, we can see records by content type. Clicking on “Other” will show server devices that have received heartbeat records.
From there, you can drill down into each SSL server to see which clients are sending heartbeat messages. If you don’t recognize a device and it is sending many heartbeats, then that is a potential active exploit. (Note: Device-level L4-L7 views are not available in the Discovery Edition, which is a great reason to upgrade to the full version at this point!)
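The content-type breakdown and per-client drill-down described above can be approximated on raw TLS record headers. The following is an added example, not ExtraHop code: the function names and the sample flows are constructed for illustration, and the content-type numbers come from the TLS specifications (24 is heartbeat, RFC 6520).

```python
import struct
from collections import Counter, defaultdict

# TLS record content types (heartbeat = 24 was added by RFC 6520)
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake",
                 23: "application_data", 24: "heartbeat"}

def iter_records(stream):
    """Yield (content_type, length) for each TLS record header found in stream."""
    offset = 0
    while offset + 5 <= len(stream):
        ctype, major, _minor, length = struct.unpack_from("!BBBH", stream, offset)
        if ctype not in CONTENT_TYPES or major != 3:
            break  # not on a TLS record boundary; stop rather than guess
        yield ctype, length
        offset += 5 + length  # 5-byte header plus record body

def count_by_type(stream):
    """Records by content type for one direction of one connection."""
    return Counter(CONTENT_TYPES[c] for c, _ in iter_records(stream))

def heartbeat_senders(flows):
    """flows: iterable of (client, server, client_to_server_bytes).
    Returns {server: {client: heartbeat_record_count}}."""
    result = defaultdict(Counter)
    for client, server, data in flows:
        n = count_by_type(data)["heartbeat"]
        if n:
            result[server][client] += n
    return {server: dict(clients) for server, clients in result.items()}

def record(ctype, body_len):
    """Build a constructed TLS 1.2 record with a zero-filled body (sample data only)."""
    return struct.pack("!BBBH", ctype, 3, 3, body_len) + bytes(body_len)

# Constructed sample flows; addresses are from the documentation ranges.
SAMPLE_FLOWS = [
    ("198.51.100.7", "192.0.2.10", record(22, 64) + record(20, 1) + record(23, 120)),
    ("203.0.113.50", "192.0.2.10", record(22, 64) + record(24, 32) + record(24, 32)),
    ("203.0.113.50", "192.0.2.10", record(24, 32)),
]

if __name__ == "__main__":
    for server, clients in heartbeat_senders(SAMPLE_FLOWS).items():
        for client, n in sorted(clients.items(), key=lambda kv: -kv[1]):
            print(f"{server} <- {client}: {n} heartbeat record(s)")
```

Only the unencrypted 5-byte record header is read, so the tally works without decrypting the session.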
But there is more that ExtraHop reveals about potential Heartbleed attacks. With the ExtraHop geomap capability (available in the Discovery Edition), you can see the geographic origin of requests for a particular protocol. The screenshot below comes from a retailer using ExtraHop to do just that. They quickly saw that heartbeat messages were originating from St. Petersburg, Kiev, Chengdu, Wuhan, and other places that are highly suspicious.
Don’t delay. Request your own ExtraHop Discovery Edition now and discover the power of wire data analytics!