The network security threat landscape is ever evolving. But always at the cutting edge are custom-written, stealthy threats that evade traditional security perimeter defenses. These threats infiltrate the interior of the network - the core, the distribution layer, and the user access edge - where threat defenses and visibility are minimal. From there they quietly target specific assets, and even specific people, within an organization. The goal of these advanced cyber threats is not notoriety and fame, or even setting up a for-profit botnet; it's to gather and exfiltrate intellectual property or state/trade secrets for competitive advantage in industry, economy, and sociopolitical ends.
This document explains:
• What's at stake and key challenges in gaining visibility to customized threats
• Cisco® Cyber Threat Defense Solution, which provides greater visibility into these threats by identifying suspicious network traffic patterns within the network interior, thus giving security analysts the contextual information necessary to discern the level of threat that these suspicious patterns represent
Well-understood and known security threats are effectively combated by a well-designed and mature security infrastructure that includes components like intrusion prevention, antivirus, content security, and firewall. But custom-written threats designed for specific targets with specific intent represent a tougher challenge. Customized threats are designed based on specific knowledge of a target, often based on reconnaissance of the network or people at the organization, or both. Once the custom threat has breached the perimeter defenses of the network, it typically spreads laterally in the interior of the network where threat defense devices are not generally pervasively deployed. By remaining quiet and hidden in the noise of normal network traffic, the threats can spread under the radar among specific targets. Perimeter defenses do not have visibility into these threats. Many times these threats are actually introduced inside the perimeter via social engineering, spear phishing, or external media like USB drives. And while prevention is important, even the most diligent patching will not completely guard against these threats.
The risk and damage caused by advanced cyber threats varies by source. Victims of these types of security breaches are not motivated to disclose their impacts, but primary research into advanced cyber threats indicates that this is a quickly growing problem with significant impact. Some key statistics to consider:
• 63% of threats are customized for their target environment - a three-fold increase since 20061
• A five-fold increase in attacks against the U.S. government from 2006 to 20092
• 59% of organizations in the United States believe that they have been targets of cyber threats3
Once these threats have penetrated the network perimeter, the only place left to identify them is where they live: the network interior. One must look for "fingerprints" of the threat by analyzing traffic patterns across the switches and routers that comprise the network interior. From this analysis, one can gain insight into patterns that are indicative of advanced cyber threat traffic. Whether it is an internal client trying to set up peer-to-peer connections with other clients on its subnet or clients communicating with unusual regions of the world, analysis of traffic patterns provides visibility into potential cyber threats.
Figure 1. Advanced Cyber Threats Evade Perimeters, Must Be Detected in the Network Interior
Overview of the Cisco Cyber Threat Defense Solution
The Cisco Cyber Threat Defense Solution combines the following elements to provide visibility into the most evasive and dangerous cyber threats:
• Unique interior network traffic telemetry utilizing scalable unsampled NetFlow capabilities of Cisco Catalyst® switches, Cisco routers, and NetFlow Generation Appliances (NGA), as well as NetFlow Security Event Logging (NSEL) from Cisco ASA 5500 Series Adaptive Security Appliances
• Network traffic analysis capabilities provided by the Lancope StealthWatch System. Cisco has partnered with Lancope to jointly develop and offer the Cisco Cyber Threat Defense Solution
• Identity, firewall, and application-type contextual information for discerning the nature and severity of a threat. These context points are delivered by the Cisco Identity Services Engine, ASA firewalls, and Cisco routers, respectively
Figure 2. Components of the Cisco Cyber Threat Defense Solution
With this telemetry and contextual information, a network security analyst can, from a single pane of glass, identify suspicious activity, gather pertinent user information, identify the application, and look up other relevant security context. This enables assessment of the nature and the potential danger of the suspicious activity. With this information, the analyst can decipher the correct next steps for advanced cyber threats such as:
• Network reconnaissance - The act of probing the network looking for attack vectors that can be exploited by custom-crafted cyber threats
• Network interior malware propagation - Spreading malware across hosts for the purpose of gathering security reconnaissance data, exfiltrating data, or creating back doors to the network
• Command and control traffic - Communications between the attacker and the compromised internal hosts
• Data theft - Exporting sensitive information back to the attacker, generally via command and control communications
Benefits of the Cisco Cyber Threat Defense Solution
The Cisco Cyber Threat Defense Solution focuses on the most complex and dangerous information security threats - threats that lurk in networks for months or years at a time stealing vital information and disrupting operations. Cisco provides visibility into these threats and context to decipher their potential damage.
Key benefits of the Cisco Cyber Threat Defense Solution:
• Provides threat defense in the network interior, where the most elusive and dangerous threats target
• Detects threat closer to the source to minimize damage and propagation
• Enables scalable, ubiquitous, and cost-effective security telemetry throughout the network
• Simplifies manual, error-prone, and expensive threat investigation processes
• Uses the Cisco switching, routing, and ASA 5500 network footprint
There are three main functional components to the Cisco Cyber Threat Defense Solution:
• Generating network-wide security telemetry: NetFlow export from Cisco switches, Integrated Service Routers (ISR), Aggregated Service Routers (ASR) 1000 series, NetFlow Generating Appliances, and Cisco ASA 5500
• Aggregating, normalizing, and analyzing NetFlow telemetry data to detect threats and suspicious behavior: Lancope StealthWatch System
• Providing contextual information to decipher nature and severity of threat: User identity, endpoint device profiling, and posture information from the Cisco Identity Services Engine
Figure 3. Products That Comprise the Cisco Cyber Threat Defense Solution
Full Security Telemetry from the Network Interior: Cisco Network Infrastructure
Recent advances in Cisco Catalyst switches enable the industry's first pervasive network traffic telemetry - from the user access edge to distribution to the core of the switching network. The line-rate, non-performance-impacting NetFlow telemetry capabilities of the Cisco Catalyst 3560-X, 3750-X, 4500, and 6500 Series provide insight into traffic patterns characteristic of threats that have bypassed the security perimeter and are attempting to remain below the detection radar. Key to delivering this visibility is Cisco's ability to generate unsampled NetFlow data in scale from these platforms.
NetFlow telemetry comes in two forms:
• Sampled - A small subset of traffic, usually less than 5%, is sampled and used to generate NetFlow telemetry data. This gives a "snapshot" view into network activity, like reading a book by skimming every 100th page
• Unsampled - All traffic is used to generate NetFlow telemetry, providing a comprehensive view into all activity on the network. Using the book analogy, this is reading every word in the book
The customized, stealthy nature of advanced cyber threats requires full visibility into network traffic patterns if they are to be detected. This can only be achieved using full, unsampled NetFlow telemetry. Only a Cisco Catalyst switch can deliver this unsampled NetFlow data at line rate without any impact to network performance.
Figure 4. Catalyst Switches Capable of Line-Rate NetFlow
Detecting Threats and Suspicious Activity: Lancope StealthWatch System
With the Cisco network infrastructure delivering ubiquitous NetFlow telemetry, the next step is to collect and analyze that data. The Lancope StealthWatch System, available from Cisco, is purpose-built to aggregate and normalize massive amounts of NetFlow data, and then apply security analytics to detect malicious and suspicious network traffic patterns as presented through the StealthWatch Management Console.
The primary components of the Lancope StealthWatch System are:
• FlowCollector - A physical or virtual appliance that aggregates and normalizes NetFlow and application-type data collected from up to 2,000 Cisco Catalyst switches, Cisco integrated services routers, or Cisco ASA 5500 adaptive security appliances per FlowCollector
• StealthWatch Management Console - A physical or virtual appliance that aggregates, organizes, and presents analysis from FlowCollectors, the Cisco Identity Services Engine via graphical representations of network traffic, user identity information, customized summary reports, and integrated security and network intelligence for drill-down analysis
The optional components of the Lancope StealthWatch System are:
• FlowSensor - A physical appliance that provides an overlay solution for generating NetFlow data for legacy Cisco network infrastructures not capable of producing line-rate, unsampled NetFlow data. Also for environments where IT security prefers a dedicated overlay architecture separate from the network infrastructure
• FlowSensorVE - A virtual appliance that provides the same function as the FlowSensor, but for virtual machine environments
• FlowReplicator - A physical appliance that provides a single point for forwarding NetFlow data as a single data stream to other consumption devices
In addition to real-time cyber threat detection and analysis, Lancope StealthWatch stores NetFlow data to provide a forensics capability for ongoing and historical incident investigation.
Identifying suspicious traffic patterns is key to threat detection and visibility, but deciphering the danger associated with those threats requires relevant contextual information. The Cisco Cyber Threat Defense Solution presents a unified view of the traffic pattern analysis via NetFlow and relevant contextual information regarding that traffic, such as user identity, user policy, device type, Network Address Translation (NAT) context, and application information.
Key to establishing the potential threat of suspicious traffic is contextual information regarding the user associated with that traffic. Utilizing the Cisco Identity Services Engine, Cisco's flagship network policy engine, user identity, device profile, and posture information can be bound to NetFlow data in the StealthWatch Management Console, thus providing a unified view of suspicious traffic patterns and the user information relevant to establishing if those patterns are malicious. Using the Cisco Identity Services Engine as part of the Cyber Threat Defense Solution provides insight into:
• Who is being targeted? - Associating suspicious traffic flows with users
• Is the user a critical target? - User title and role in the organization (per Active Directory/LDAP)
• What information does the user have access to? - Network authorization group that the user belongs to
• What device is the traffic coming from? - Laptop, smartphone, etc.
• Has the user had security posture failures recently? - Quarantine and posture event status
• Are there other relevant user session events? - Access to all AAA events associated with the user
• How best to execute user-based remediation? - Comprehensive event and status visibility of the user affected by the threat needed to determine and execute the right next steps for remediation
Additionally, the application associated with the suspicious traffic is key to deciphering the nature and severity of the threat. Application information can be discerned utilizing Network-Based Application Recognition (NBAR) information collected from Cisco routers. This information is also collected and reported to the Lancope StealthWatch Management Console.
Finally, when connections pass through a NAT gateway, they can be represented and analyzed as a single flow from the traffic analysis screen within the Lancope StealthWatch Management Console, using Lancope's NAT stitching feature. This allows the security analyst to see internal and external address information for the translated connections in its proper context, facilitating timely analysis and incident response.
Using these points of context, a security analyst can, from a single pane of glass, identify suspicious activity, gather pertinent user information, and then assess and respond to the potential danger of the suspicious activity. Utilizing the comprehensive user visibility capabilities of the Cisco Identity Services Engine, the analyst can formulate and execute remediation for affected users. The Cisco Identity Services Engine provides complete insight to the history and status of the user, policy, posture, and device, as well as quarantine or network disconnect remediation functions. Collectively, these context and remediation capabilities enable the analyst to decipher the correct next steps to take concerning the threat in a timely, efficient, and cost-effective manner.
The Cisco Cyber Threat Defense Solution delivers broad visibility into the most dangerous and stealthy network threats by providing ubiquitous threat detection within the interior of the network. By combining traffic analysis with user, application, and firewall context, Cisco delivers:
• Ubiquitous interior network visibility where little exists today
• A cost-effective approach to this ubiquitous visibility
• Full, unsampled data security telemetry via line-rate NetFlow
• Relevant contextual information for deciphering the nature and severity of the threat via the Cisco Identity Services Engine, Cisco SIO, and application recognition
• Threat remediation for affected users utilizing the Cisco Identity Services Engine
• Proven scalability for the most demanding environments
• Network architecture design and deployment support