Deep visibility is the ultimate network view

Telesoft

Today’s Communications Service Providers (CSPs) face mounting pressure to understand the traffic passing across their networks. It’s a deep visibility challenge with many dimensions, including the unceasing pressure to maintain availability and performance. 

A more recent and mounting concern is ‘network detection and response’, the need to successfully identify and block cyberattacks. These have surged in ways nobody anticipated a decade ago, driven by a mixture of forces. Commercial cyberattacks continue their upward trajectory. But these are now accompanied by a rising spate of nation-state attacks, piggybacking on the cybercrime industry’s innovations to become an everyday but dangerous part of the threat landscape.

Achieving high-rate network visibility

The implications of this change have now reached CSPs. If in the past this sector was viewed as the provider of communication enablers, transporting packets from one end to the other, life is no longer this simple. At every point on today’s networks, from the edge to the core, CSPs are expected to be more active in detecting attacks, not only on the critical infrastructure their customer networks support, but on themselves. 

Achieving this level of deep visibility is a huge challenge. Large networks support billions of connections at a time, a volume that is expanding dramatically as new technologies such as 5G mobile and Industrial Internet of Things (IIoT) become more popular. Within this environment, only a statistically tiny number might count as malicious. In theory, packet analysis is a solution to the visibility problem, but this introduces latency worries and can quickly overwhelm defenders with large amounts of data, compounded by the need to store it somewhere for future forensic analysis. 

On top of this, there’s the practical fact that many security teams find it difficult to peer into the corners of large networks. These might have been created over many years, often built by bolting together several networks during M&A activity. Visibility is partly about the techniques used to ‘look’, but the ability to impose ‘control’ can be limited by a patchwork of different, incompatible tools.

Unsampled flow records at 400Gbps

Telesoft’s solution is to extract packet metadata in real time from each network flow using an unsampled technique. This doesn’t degrade network traffic and performance, enabling comprehensive analysis for digital investigations. A flow is an abstraction over the vast number of connections, extracted to monitor where each entered the network (ingress) and where it either leaves or terminates (egress). This deeper picture is assembled using analysis of the protocols used (Telnet, SMTP, IRC, POP, FTP, Bitcoin, etc.) on any port opened, plus source and destination IP address, DNS and HTTP/TLS requests/responses, and hostnames. IP addresses are also correlated to their higher-level BGP routing and AS path records.

Every attribute of a flow is considered, including for encapsulated traffic (GRE, GTP, MPLS, IPinIP), giving deep visibility. Likewise, encrypted flows using protocols such as TLS are analysed up to layer 7, using non-invasive techniques such as JA3 fingerprinting to detect malicious connections attempting to conceal themselves within ordinary traffic.
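How a JA3 fingerprint is derived from TLS ClientHello metadata, as an added example that is not Telesoft's code: the field layout follows the public JA3 definition, while the sample ClientHello values and the watchlist are constructed for illustration.

```python
import hashlib

# GREASE values (RFC 8701): 0x0a0a, 0x1a1a, ... 0xfafa. JA3 ignores them so
# that a client's randomised GREASE entries do not change its fingerprint.
GREASE = {(b << 8) | b for b in range(0x0A, 0x100, 0x10)}


def ja3_string(version, ciphers, extensions, curves, point_formats):
    """Five comma-separated fields; each list is dash-joined decimal values
    in the order they appear in the ClientHello."""
    def field(values):
        return "-".join(str(v) for v in values if v not in GREASE)
    return ",".join([str(version), field(ciphers), field(extensions),
                     field(curves), field(point_formats)])


def ja3_hash(version, ciphers, extensions, curves, point_formats):
    """The JA3 fingerprint is the MD5 hex digest of the JA3 string."""
    s = ja3_string(version, ciphers, extensions, curves, point_formats)
    return hashlib.md5(s.encode("ascii")).hexdigest()


def match_watchlist(hellos, watchlist):
    """Return the names of ClientHellos whose fingerprint is on the watchlist."""
    return [name for name, h in hellos.items() if ja3_hash(*h) in watchlist]


# Constructed ClientHello fields: (version, ciphers, extensions, curves, formats).
HELLO_A = (771, [0x1A1A, 4865, 4866, 49195], [0x2A2A, 0, 10, 11, 13],
           [0x3A3A, 29, 23], [0])
# Same client on a later connection: only the GREASE values differ.
HELLO_B = (771, [0xDADA, 4865, 4866, 49195], [0x4A4A, 0, 10, 11, 13],
           [0x6A6A, 29, 23], [0])
# A different TLS stack.
HELLO_C = (769, [47, 53, 5, 10], [0, 10, 11], [23, 24, 25], [0])

# Constructed watchlist; in practice it would come from a threat-intel feed.
WATCHLIST = {ja3_hash(*HELLO_C)}

if __name__ == "__main__":
    for name, hello in (("A", HELLO_A), ("B", HELLO_B), ("C", HELLO_C)):
        print(name, ja3_string(*hello), ja3_hash(*hello))
```

A JA3 value identifies a TLS client implementation, not an intent, so a match is a lead to correlate with other flow attributes.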


Implemented using the 400G (4x100Gbps) FlowProbe traffic monitoring system, the advantage of this passive approach is that once captured, flow records can be exported for separate analysis. This is where the Telesoft Data Analytics Capability (TDAC) comes into play, a scalable data lake and analytics platform providing full digital forensics. Here, suspicious flows can also be correlated with data on IP reputation, threat classification, and geo-location to start forming a more detailed picture of the intention behind each. Petabytes of data can be retained for up to 12 months.

FPGA acceleration with Intel Stratix 10

The task is to isolate the small number of flows from within this vast data set that need further inspection. But no amount of clever analysis will work if it can’t keep up with the volume of data being thrown at it. Doing this at line rate, in real time, on a multi-Tbps bandwidth network requires the ability to process hundreds of millions of packets per second. It’s a challenge that is impossible to solve using commodity hardware, which might stretch to 10Gbps at best. It’s why the Telesoft FlowProbe is built for speed, overcoming such limitations using a high-throughput design based on a new generation of higher performance Field Programmable Gate Array (FPGA) – Intel’s Stratix 10. 


The FPGA extracts the metadata points, passing the processing work to multiple threads where it is combined into flows. Where de-tunneling of encapsulated protocols is needed, the metadata associated with both the outer protocol and the traffic within is detected separately. Data processing happens using multiple Direct Memory Access (DMA) queues in a way that ensures that all individual packets associated with a flow are processed through the same threads.

A good example of the type of malicious flow that can be rendered visible is cryptojacking, a common criminal tactic used to hijack computing cycles to run currency mining malware. For the attacker, this can happen on any networked computing device, be that a cloud-based server, a laptop, smartphone, or unmanaged Internet of Things (IoT) device. Consequently, every network today will have a small but steady volume of cryptomining traffic traversing it as crypto-hashes are sent back to a control server. 

Deep visibility strengthens cyber posture

Such short communications aren’t easy to spot, but they often display anomalous patterns using known software ports where, for example, more data is consistently uploaded than downloaded. In addition, each cryptojacking malware type behaves differently. Nevertheless, using flow analysis, a security team that is able to narrow down a given pattern to a set of IPs can build a picture of this communication in real time, watching for its evolution and spread.
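One way to express the upload-heavy pattern described above as detection logic over flow records, as an added example that is not Telesoft's code: the record fields, port set and thresholds are assumptions, and the sample flows are constructed using documentation address ranges.

```python
from collections import defaultdict

WELL_KNOWN_PORTS = {80, 443, 8080}  # assumption: ports treated as "known software ports"
MIN_FLOWS = 5           # assumption: flows needed before a pair is judged
UPLOAD_HEAVY = 0.9      # assumption: share of flows with bytes up > bytes down
MAX_FLOW_BYTES = 4096   # assumption: ceiling for a "short communication"


def upload_heavy_pairs(flows):
    """Return {(dst, dport): sorted source IPs} for destinations that receive
    consistently small, upload-dominated flows on a well-known port."""
    groups = defaultdict(list)
    for f in flows:
        if f["dport"] in WELL_KNOWN_PORTS:
            groups[(f["src"], f["dst"], f["dport"])].append(f)
    hits = defaultdict(set)
    for (src, dst, dport), fs in groups.items():
        if len(fs) < MIN_FLOWS:
            continue  # not enough evidence to call the pattern consistent
        small = all(f["up"] + f["down"] <= MAX_FLOW_BYTES for f in fs)
        heavy = sum(f["up"] > f["down"] for f in fs) / len(fs)
        if small and heavy >= UPLOAD_HEAVY:
            hits[(dst, dport)].add(src)
    # Grouping by destination narrows the pattern down to a set of source IPs.
    return {key: sorted(srcs) for key, srcs in hits.items()}


def _flow(src, dst, dport, up, down):
    return {"src": src, "dst": dst, "dport": dport, "up": up, "down": down}


# Constructed sample records, not real traffic.
SAMPLE = (
    [_flow("10.0.0.5", "203.0.113.9", 443, 900 + i, 200) for i in range(8)]
    + [_flow("10.0.0.7", "203.0.113.9", 443, 850, 180) for _ in range(6)]
    # Ordinary browsing: download-dominated.
    + [_flow("10.0.0.5", "198.51.100.20", 443, 700, 90000) for _ in range(8)]
    # Upload-heavy but only two flows: below MIN_FLOWS.
    + [_flow("10.0.0.8", "203.0.113.9", 443, 900, 200) for _ in range(2)]
    # Large uploads such as backups: not short communications.
    + [_flow("10.0.0.9", "192.0.2.44", 443, 5_000_000, 3000) for _ in range(6)]
)

if __name__ == "__main__":
    for (dst, dport), sources in upload_heavy_pairs(SAMPLE).items():
        print(f"{dst}:{dport} <- {', '.join(sources)}")
```

Legitimate telemetry can show the same shape, so the output is a candidate set to correlate with IP reputation and TLS fingerprints before acting on it.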

Hitherto, attackers have been able to hide in plain sight, buried behind a mountain of innocent traffic. So powerful has this principle become that it enables almost all of today’s cyberattacks to some degree, making possible the widespread distribution of malware, the opening of remote shells, and command and control. 

This can only be countered with deep visibility beyond the traditional analysis that is based on monitoring protocols and application layer traffic. Defenders must be able to understand packets at the lowest level without impeding their movement. Metadata extracted from flow records is the optimal way to do this, and it can also scale to meet the growth in traffic projected over the next decade.

Telesoft designs and manufactures the world’s highest rate network visibility platform, enabling large network operators to accelerate their ability to provide superior network detection and response.
