Below the Waterline

ExtraHop was excited to have sponsored and attended the season finale of The Armed Forces Communications and Electronics Association (AFCEA) Washington DC Chapter's Monthly Breakfast Program. Congratulations to all the AFCEA DC scholarship winners for their fantastic achievements! We were all treated to a terrific cybersecurity panel discussion from security thought leaders across the DOD.

Threats Below the Waterline

While the entire panel discussion was packed with insights, this phrase, "Below the Waterline" was spoken by Ron Ross, Fellow at the National Institutes of Standards and Technology, and stood out as a perfect description of the modern cybersecurity challenge. Traditional cybersecurity efforts are focused on what we can see, detect and address with patching and security scanning. In the modern landscape, the most insidious and deeply embedded adversaries are using techniques that operate below the visibility of these traditional approaches to security.

In order to address these modern security challenges, a modern approach is needed. Patching and security scans are important, but they address the known, not the unknown. Log and SNMP data are useful, but can be compromised, halted, or delayed by an adversary, which often is resident in an enterprise. To find these unknowns, security teams need real-time access to network traffic at protocol-level granularity, and the ability to interactively browse through what is happening on a network in a mission-critical, fluid fashion. In order to detect and catch threat actors before they can do any damage or infiltrate sensitive data you must deploy modern day technology.

This is the realm of the Threat Hunter. This intrepid soul must actively dig broadly and deeply into an enterprise infrastructure and brave terabytes or petabytes of daily network traffic to find the proverbial needle, especially since the haystack is growing at an unprecedented rate. A 40 Gbps network generates 432 terabytes of network traffic per day, and over 1 petabyte per day on a 100 Gbps network. "Below the waterline", sifting through this data, are cyber serpents which can paralyze the defense information technology infrastructure, leaving the warfighters compromised and exposed in ways they have never been before.

How can a Threat Hunter effectively pour through 12 to 28 petabytes of network data each month? How much does it cost to store all of this data? And how can the exquisitely subtle clues of compromise like the following examples be picked out from within such vast quantities of traffic in a timely manner?

• Beaconing behavior
• Unauthorized hosts acting as DNS servers (possibly DNS tunneling)
• Unauthorized DHCP servers
• Users authenticating from multiple clients
• Expired (stolen) or forged SSL/TLS certificates

These are difficult questions when considering traditional solutions, but not so with the ExtraHop platform and its "analysis first" strategy. A threat actor on a network monitored by ExtraHop has nowhere to hide. From the first packet on the wire, new or existing physical, virtual, or containerized assets are automatically discovered and tracked in both the north-south and east-west directions. Over 45 industry standard L2-L7 protocols are analyzed simultaneously down to the transaction level in real time (up to 100 Gbps per instance).

Revealing the Living, Breathing Network

With ExtraHop, the network becomes the data source for threat intelligence, one which is accessible via an intuitive user interface, supporting both interactive threat hunting workflows as well as automated detection of known or suspected malicious behavior. Threat hunters can visually pivot from clients to servers, from layer 2 anomalies to layer 7 transactions, following the path of compromise wherever it leads in real time. There is no waiting for network data to be collected, stored, and retrieved for analysis. The living, breathing network is exposed to these hunters and ExtraHop is able to reveal this in real time.

Security practitioners appreciate this idea of seeking out active threats instead of waiting until notified. In a 2017 survey of 330 cybersecurity professionals, Crowd Research Partners found that respondents spent much more time (43 percent of time) reactively investigating security incidents through activities such as alert triage than they spent proactively seeking out threats (only 22 percent of time). Early threat hunting efforts are paying off. In a separate 2017 survey of 306 respondents, the SANS Institute found that 91 percent of respondents improved the speed and accuracy of their response due to threat hunting, while 88 percent of respondents were able to reduce dwell time (the period from initial infection to detection). ExtraHop reduces the time of triage by giving you real time visibility into "Below the Waterline" attacks.

Stay tuned for more discussion about network security and visibility. The ExtraHop team is proud to be an AFCEA DC sponsor, and we hope to see you at next season's series!

Learn more about the ways federal agencies are leveraging ExtraHop for threat detection and other security requirements.