7th September, 2020
Spotting malicious connections or ‘flows’ in the background noise of legitimate traffic is the cybersecurity equivalent of a detective hunt where the crime scene is unknown.
Defenders might suspect that malicious traffic is operating on their network at any moment in time, but the important measure is the ability to locate and neutralise that connection before any damage is done. Even when detected, understanding the full intention of these connections, and their relation to other flows, presents a major analytical headache.
Exploiting these limitations, attackers rely on being able to hide themselves in network noise. With emerging technologies such as 5G, the Internet of Things (IoT), and smart cities set to cause a large surge in traffic volumes over the coming years, it’s a problem that threatens to overwhelm unprepared defenders.
THE BENEFITS OF A TELESOFT DEMO
A personal video demonstration of the Telesoft Cyber Platform can be set up to show how this system has been designed to arm defenders with the information they need to contain these problems in real time on high-throughput networks. Using traffic generated by Telesoft’s Triton Cyber Warfare Simulation (CWS) system, the demo can accurately model a range of threat scenarios, including botnets, malware C2, DNS exfiltration, external password spraying and different types of DDoS attack.
To combat these threats, the Telesoft Cyber Portfolio, whose components can be deployed together, on their own, or alongside third-party systems, comprises the following:
- The FlowProbe 400Gbps network traffic monitoring system, a 4x100GbE 1U appliance which forms the core of the anomaly-detection platform, including passive monitoring visibility of Layer 4-7 protocols (HTTP, SSL, SIP, DNS and TCP session timing), and de-tunnelling of encapsulated traffic (GRE, GTP, MPLS and IP-in-IP).
- The complementary CERNE intrusion detection system (IDS), designed to make possible both real-time and historical threat investigation using captured IDS alerts, including traffic up to 2.5 seconds prior to an event. By identifying only relevant traffic, the CERNE hugely reduces the storage requirements associated with this type of device, making the job of post-event forensics easier.
- Telesoft Data Analytics Capability (TDAC), an on-premise monitoring and forensics platform which ingests network flow and alert data from the FlowProbe and CERNE systems, correlating this with threat intelligence from open-source and proprietary feeds to quickly isolate malicious connections.
An example of a challenging scenario might be a connection using DNS exfiltration to hide its C2 inside apparently innocuous traffic, with a separate DDoS attack launched to distract defenders while this happens. However, as the Telesoft demo shows, deploying the FlowProbe, CERNE and TDAC together can quickly isolate the anomalous flows and show how they relate to each other and to surrounding events.
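To make the detection side of this scenario concrete, the following is an added example, not Telesoft's code and not how the FlowProbe or TDAC implement detection: a small Python detector run over constructed DNS flow metadata records of the kind a passive probe exports (client IP, queried name, bytes sent). It groups queries by client and zone and flags groups whose subdomain labels are consistently long and high-entropy, the signature of encoded payload in DNS names, while the background noise of ordinary lookups (including a burst of repeated queries that stands in for volume from a distraction attack) is left alone. The `.test` zone, the IP addresses, the thresholds and the "last two labels are the zone" rule are all assumptions made for the example.

```python
"""Added example (not Telesoft's code): a toy DNS-exfiltration detector over
constructed DNS flow metadata, illustrating how one suspicious flow group can be
isolated from a much larger volume of legitimate lookups."""
import math
from collections import defaultdict

# Constructed sample records: (client_ip, queried_name, bytes_out). Not real traffic.
# Most rows are benign lookups; one client issues a run of long, high-entropy labels
# under a single zone, the classic DNS-tunnelling / exfiltration pattern. The trailing
# list comprehension adds thirty near-identical queries as background noise.
SAMPLE_DNS_FLOWS = [
    ("10.0.0.12", "www.example.com", 64),
    ("10.0.0.12", "mail.example.com", 60),
    ("10.0.0.15", "cdn.example.net", 70),
    ("10.0.0.15", "static.example.net", 72),
    ("10.0.0.18", "login.example.com", 66),
    ("10.0.0.18", "update.example.org", 68),
    ("10.0.0.21", "4f9a3c1e7b2d0a8e6c5f1b3d9e7a2c4f.example-c2.test", 250),
    ("10.0.0.21", "b7e2d19c0a5f4e3d8c6b1a9f2e7d3c0b.example-c2.test", 250),
    ("10.0.0.21", "c3d8e1f7a2b90d4e6f5c1a8b3e7d2f9a.example-c2.test", 250),
    ("10.0.0.21", "e9a1b4c7d0f3e6a2b5c8d1f4a7b0c3d6.example-c2.test", 250),
] + [("10.0.0.%d" % i, "www.example.com", 64) for i in range(30, 60)]


def shannon_entropy(text):
    """Bits of entropy per character of `text` (0.0 for empty input)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname, zone_labels=2):
    """Split a queried name into (zone, subdomain).

    Assumption for this example: the registrable zone is the last `zone_labels`
    labels. Production code would consult the public suffix list instead.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= zone_labels:
        return qname.lower(), ""
    return ".".join(labels[-zone_labels:]), ".".join(labels[:-zone_labels])


def find_exfil_candidates(flows, min_queries=3, min_avg_len=20, min_avg_entropy=3.0):
    """Group DNS flows by (client, zone) and flag groups whose subdomain labels look
    like encoded payload: consistently long and high-entropy, repeated several times.
    Returns a list of dicts, strongest candidate first. Thresholds are illustrative."""
    groups = defaultdict(list)
    for client, qname, nbytes in flows:
        zone, sub = split_name(qname)
        if sub:  # a bare zone name carries no subdomain to score
            groups[(client, zone)].append((sub, nbytes))

    candidates = []
    for (client, zone), rows in groups.items():
        if len(rows) < min_queries:
            continue
        avg_len = sum(len(s) for s, _ in rows) / len(rows)
        avg_ent = sum(shannon_entropy(s) for s, _ in rows) / len(rows)
        if avg_len >= min_avg_len and avg_ent >= min_avg_entropy:
            candidates.append({
                "client": client,
                "zone": zone,
                "queries": len(rows),
                "bytes_out": sum(b for _, b in rows),
                "avg_label_len": round(avg_len, 1),
                "avg_entropy": round(avg_ent, 2),
            })
    candidates.sort(key=lambda c: c["avg_entropy"] * c["avg_label_len"], reverse=True)
    return candidates


def summarise(flows):
    """Total flows versus flagged groups, to show how small the suspect set is."""
    return {"total_flows": len(flows), "flagged": len(find_exfil_candidates(flows))}


if __name__ == "__main__":
    for candidate in find_exfil_candidates(SAMPLE_DNS_FLOWS):
        print(candidate)
    print(summarise(SAMPLE_DNS_FLOWS))
```

Run as a script it prints the single flagged (client, zone) group and a summary of 40 flows with 1 flagged. The point of the grouping is that volume alone is not the signal: the thirty repeated `www.example.com` lookups never pass the length and entropy gates, whereas four queries from one client with 32-character random-looking labels do. A real deployment would replace the two-label zone rule with the public suffix list, tune thresholds against the network's own baseline, and correlate the flagged group with the IDS alerts and other flows around the same time, which is the relationship analysis the scenario above describes.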
DETECTION AND ALERTS
“This scenario highlights the ability of the FlowProbe to be able to detect and alert on a single malicious flow, amongst the millions of ongoing flows, or noise, that exist within real networks,” says Telesoft Field Application Engineer, Robert FitzSimons.
“It also shows how intuitive and user-friendly the GUI is, with the TDAC ensuring that the SOC and IR teams are receiving the data they need to operate effectively, and quickly, in high rate networks.”
Because the analytical platform is designed to operate using metadata extraction, the volume of data that must be stored is a fraction of what might normally be required. “This enables digital forensics teams to rapidly query historical data for up to 12 months, without taking up valuable server space.”
To see for yourself how FlowProbe, CERNE and TDAC work together to deliver unparalleled network visibility at scale, BOOK A TELESOFT DEMO TODAY.