BlogNote: The ExtraHop Discovery Edition is no longer under active development or maintenance, but current license-holders may continue to use all features described in this post.
If you are responsible for secure web-based services, it is likely that you are scrambling to identify servers using OpenSSL versions 1.0.1 through 1.0.1f, trying to patch those servers, and reissuing certificates.
ExtraHop can detect the heartbeats that are used in the Heartbleed exploit, revealing potential attacks against your SSL servers. This capability is available in the ExtraHop Discovery Edition, a free-forever virtual appliance.
The free ExtraHop Discovery Edition shows potential Heartbleed exploits.
How ExtraHop Detects Potential Heartbleed Attacks
ExtraHop performs detailed SSL transaction analysis: certificates used, session details, cipher suites, connections over time, record sizes, and other metrics for every SSL transaction. We also break down SSL records by content type, including application data, change cipher, handshakes, and alerts. There was one other content type that we did not list out by name in the user interface because it was an extension and not part of TLS core … You guessed it, the last content type we record is heartbeat, which is the message used in the Heartbleed exploit. In the ExtraHop user interface, heartbeat messages currently appear as "Other."
ExtraHop breaks out SSL transactions by content type. View the TLS content type registry, including the now-infamous heartbeat.
The heartbeat content type was previously obscure and rarely used, which means that any SSL traffic using heartbeats is worth investigating. Investigating heartbeats is a simple drill-down in ExtraHop. First, you navigate to the SSL Server activity group.
From the SSL Server activity group, we can see records by content type. Clicking on "Other" will show server devices that have received heartbeat records.
From there, you can drill-down investigate each SSL server to see which clients are sending heartbeat messages. If you don't recognize a device and it is sending many heartbeats, then that is a potential active exploit. (Note: Device-level L4-L7 views are not available in the Discovery Edition, which is a great reason to upgrade to the full version at this point!)
But there is more that ExtraHop reveals about potential Heartbleed attacks. With the ExtraHop geomap capability (available in the Discovery Edition) you can see the geographic origin of requests for a particular protocol with geomaps. The screenshot below comes from a retailer using ExtraHop to do just that. They quickly saw that heartbeat messages were originating from St. Petersburg, Kiev, Chengdu, Wuhan, and other places that are highly suspicious.
Don't delay. Request your own ExtraHop Discovery Edition now and discover the power of wire data analytics!
ExtraHop geomaps reveal the geographic origin of requests. This geomap is from an IT organization that uses ExtraHop and shows six heartbeat messages originated in Kiev, Ukraine.
Related blog posts: DevOps Hearts Race While CISO Looks for Heartbleed How ExtraHop's IT Team Performed a Heartbleed Audit Going Back Years Detecting Malware Such as BlackPOS with ExtraHop
