Most administrators rarely understand their FTP traffic profile until it's too late. The following are some basic questions every administrator should be able to answer when trying to secure their data:
- How many systems are running the FTP service?
- What are the most active FTP nodes?
- Who are the most active users?
- How much throughput does FTP consume?
- What are the most requested files?
Knowing what to collect is one thing; actually collecting it is another. In the past it would take multiple tools, probing, and knowing what to look for to answer these questions. The power of wire data is that it has these answers! The ExtraHop wire data analytics platform indiscriminately analyzes all data over the wire in real time. FTP requests and responses are correlated with IP addresses to identify servers and clients. Real-time L7 analysis can identify the files being requested and who's requesting those files. Bytes are accumulated to accurately display throughput metrics. These metrics are readily accessible out of the box with the ExtraHop platform; however, what was missing was a centralized dashboard that provided a comprehensive view.
My knee-jerk reaction was to turn to the ExtraHop community. It's a burgeoning ecosystem of users collaborating and sharing to solve similar problems. I found a number of users with similar needs but no published solution, so I thought, "OK, let's do it!"
Identifying FTP Nodes
The first step in tracking rogue FTP traffic is identifying active nodes. FTP is one of the oldest and most commonly used protocols in IT ecosystems today. It's a protocol that sneaks into your environment, whether it's used by third-party tools or a one-off setup to accomplish something quickly. Regardless, it's there. Unless you know when and where to look, identifying FTP nodes can be a difficult task; with wire data, however, anything that traverses the network is characterized.
The Most Active FTP widget shown below tracks internal and external FTP requesters and responders in real time. This provides a simple interface that quickly recognizes FTP talkers and lists them by volume. If you see unusual communication with an unauthorized node, you can promptly take action. If you believe there is a data leak, this is a good starting point for further investigation.
Identifying FTP Users
The next step in detecting rogue FTP traffic is to identify FTP user accounts. This is difficult to track if authentication is not controlled by a centralized server, and unfortunately that's rarely the case, especially when individual systems are set up as temporary solutions. Again, this is a situation where you have to know what you are looking for before you look. Not so with wire data: rogue FTP services with anonymous user accounts are identified the moment the request hits the wire. If you see a spike in anonymous logins (see below) to an unsanctioned FTP service, that's something that needs to be investigated. If there is an unknown account, that is another red flag worth inquiry.
Identifying Files Sent Over FTP
After investigating the "who" and "where," the "what" is the third critical element when monitoring rogue FTP traffic. Identifying requested files and how often they are accessed can be a monumental task, let alone aggregating all the sources. The FTP Requests by File widget shown below does just this. It displays the most actively requested files, both internal and external, in real time. Administrators can quickly scan this list to identify anything that could potentially contain sensitive information or malware.
FTP Server Resources
Data leaks and rogue nodes can correlate with unusual resource utilization. A spike in round-trip time indicates congestion on the network and potentially a large transfer of data. An unusual increase in server processing time indicates either an overburdened or a misconfigured system. Either situation needs to be investigated and verified for potential data leaks. The Round-Trip Time vs. Processing Time widget shown below compares maximum network latency against maximum server processing time over a user-determined interval. This allows historical trend monitoring and quick isolation of the contended resource.
FTP Status Codes
The FTP Status Codes widget allows historical tracking of all status codes over a user-defined period of time. It provides a clean visual representation of your FTP environment and any changes in it. An anomaly in the data does not by itself identify a data leak, but a spike in 226 codes (closing data connection; requested file action successful) does indicate an increase in successful file transfers. This widget can be customized to match the specific codes that matter in your environment.
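To show how the metrics behind the nodes, users, files and status-code widgets above can be derived from what crosses the wire, here is an added example (not ExtraHop code, and not tied to its API) that summarizes a constructed FTP control-channel transcript. It assumes each line has the form `src -> dst verb [argument]`, counts a login only when a USER command is followed by a 230 reply to the same client, and lists responders outside a sanctioned set.

```python
import re
from collections import Counter

# Constructed control-channel transcript (not real traffic): "src -> dst verb [argument]".
SAMPLE = """\
10.0.0.5 -> 10.0.0.20 USER anonymous
10.0.0.20 -> 10.0.0.5 230 Login successful.
10.0.0.5 -> 10.0.0.20 RETR payroll.xlsx
10.0.0.20 -> 10.0.0.5 226 Transfer complete.
10.0.0.7 -> 10.0.0.20 USER alice
10.0.0.20 -> 10.0.0.7 530 Login incorrect.
10.0.0.7 -> 10.0.0.20 USER anonymous
10.0.0.20 -> 10.0.0.7 230 Login successful.
10.0.0.7 -> 10.0.0.20 RETR payroll.xlsx
10.0.0.20 -> 10.0.0.7 226 Transfer complete.
10.0.0.9 -> 10.0.0.31 USER bob
10.0.0.31 -> 10.0.0.9 230 Login successful.
10.0.0.9 -> 10.0.0.31 STOR backup.tar
10.0.0.31 -> 10.0.0.9 226 Transfer complete.
"""
LINE_RE = re.compile(r"^(\S+) -> (\S+) (\S+)(?: (.*))?$")
ANONYMOUS = {"anonymous", "ftp"}  # accounts an 'anonymous logins' view would count

def analyse(transcript):
    """Counters behind the widgets: responders by message volume, successful logins
    per account, requested files (RETR/STOR) and server reply codes."""
    servers, logins, files, codes = Counter(), Counter(), Counter(), Counter()
    pending = {}  # client IP -> account named in its most recent USER command
    for line in transcript.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, dst, verb, arg = m.groups()
        if verb.isdigit() and len(verb) == 3:  # three-digit reply: sent by the server
            codes[verb] += 1
            servers[src] += 1
            if verb == "230" and dst in pending:  # 230 = user logged in
                logins[pending.pop(dst)] += 1
        else:  # client command: credit the destination as the FTP responder
            servers[dst] += 1
            if verb == "USER":
                pending[src] = arg or ""
            elif verb in ("RETR", "STOR"):  # file transfers, like the Requests by File widget
                files[arg] += 1
    anonymous = sum(n for user, n in logins.items() if user.lower() in ANONYMOUS)
    return {"servers": servers, "logins": logins, "files": files,
            "codes": codes, "anonymous_logins": anonymous}

def unsanctioned(servers, allowed):
    return sorted(ip for ip in servers if ip not in allowed)  # responders not on the approved list
```

On the constructed sample, two anonymous logins against 10.0.0.20 and two retrievals of the same file stand out before any byte counts are needed.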
Detecting and mitigating data leakage is an endless battle for network engineers and systems administrators. Without the proper data in a holistic view, it's an infeasible effort. This is a great example of the power of wire data and the flexibility of the ExtraHop platform. IT departments can quickly become proactive by using real-time data in a customizable dashboard, saving time and protecting against data leaks. This dashboard is a good jumping-off point for anyone interested in customizing an FTP solution for their environment. Triggers and alerts can be added and chart types modified to fit your specific needs.