There are certain things you can always trust—your best friend, your grandmother, and your encryption, right?
Cyber-criminals are using encryption to steal sensitive data. They’re not changing the way they enter your network (phishing remains a staple), but they are being careful about how they leave.
Once in your network, the goal of any hacker is to gain access to data they can monetize or exploit. Sometimes, this happens quickly—attacks on financial institutions are often “smash-and-grab,” where a hacker enters, gathers as much information as possible in a short period, and leaves. But, some attacks require a longer-term strategy, and they leave intruders residing in your network for upwards of 100 days.
The amount of time a hacker stays in your network is referred to as “dwell time,” and it can vary depending on industry. In its M-Trends 2018 report, Mandiant reported a median dwell time of 101 days.
Hackers who have experience with extended dwell time understand their biggest risk isn’t always getting into your network, but rather getting the information they want out of your network.
To do this covertly, they use encryption to transmit the information—which is a problem for security professionals.
As more and more Internet communication uses encryption by default, it’s become easier for malicious users to blend in with normal ones.
So, how do you identify malicious traffic attempting to enter your network?
Here are three potential solutions.
1. Traffic Analysis
In this solution, you’re not decrypting any information, but you are looking at patterns of communication, i.e., which computers on the Internet your internal computers are talking to.
Many hacking rings are based in Russia, so if you have an internal computer communicating with a computer in Russia—for no known business reason—that’s a cause for concern.
LBMC Information Security’s Threat Intelligence maintains a record of the “bad guys” on the Internet. So, if you decide to run your monitoring through us, we’ll be able to identify malicious traffic based on known criminal pathways.
Beyond the path of the communication, you can also examine the type of communication taking place. SSL certificates alone can provide valuable information about whether or not suspicious activity is occurring.
2. Deep Packet SSL Inspection
This strategy puts a “middleman” between the computers in your network and computers on the Internet. This “middleman” is generally a server or a proxy that decrypts, inspects, then re-encrypts traffic before sending it on its way.
This level of inspection provides greater assurance that traffic entering and exiting your network is not malicious. However, decrypting traffic in the middle of a session breaks the chain of trust and adds potential complications.
While it can provide greater security, this strategy can be processor-intensive, so some companies purchase dedicated servers to enable it.
3. Monitor Web Server Logs
One simple method to identify malicious traffic entering your network is to monitor web server or proxy logs. These give you visibility into the IP addresses, user agents, and URL and URI information of each request. If you know what to look for, you’ll be able to identify and address potential risks to your network’s security.
If you use this strategy, a security information and event management (SIEM) system will let you define potential indicators of malicious activity, which the SIEM can then watch for and alert you to when they occur.
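As an added example that is not part of the original post, the following Python script shows what such log monitoring looks like in practice: it parses Apache/nginx combined-format web server log lines and checks each one against a small set of indicators of the kind a SIEM rule set would hold (a known-bad source IP, scanner user agents, suspicious URIs, and an unusually large response as a possible sign of bulk data leaving the network). The indicators, the size threshold and the sample log lines are all constructed for illustration and are not LBMC’s own rules.

```python
import re
# Apache/nginx "combined" log format as one regex with named groups
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" '
                    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Constructed indicators: stand-ins for what a threat-intel feed or SIEM rule set would supply
BAD_IPS = {"198.51.100.23"}                            # RFC 5737 test address, not a real IoC
SCANNER_UA_MARKERS = ("sqlmap", "nikto", "masscan")   # user agents of common scanning tools
SUSPICIOUS_URI = [re.compile(r"\.\./"),               # directory traversal probes
                  re.compile(r"/\.git/"),             # repository metadata exposure probes
                  re.compile(r"(?i)union\s+select")]  # SQL injection probes in query strings
LARGE_RESPONSE_BYTES = 5_000_000                      # arbitrary; tune to your site's baseline

def parse_line(line):
    """Return the fields of one combined-format line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    entry["bytes"] = 0 if entry["bytes"] == "-" else int(entry["bytes"])
    return entry

def check_entry(entry):
    """Evaluate one parsed entry against the indicators; return the list of alert reasons."""
    alerts = []
    if entry["ip"] in BAD_IPS:
        alerts.append("known-bad source IP")
    if any(marker in entry["ua"].lower() for marker in SCANNER_UA_MARKERS):
        alerts.append("scanner user agent")
    if any(p.search(entry["uri"]) for p in SUSPICIOUS_URI):
        alerts.append("suspicious URI")
    if entry["bytes"] >= LARGE_RESPONSE_BYTES:  # a bulk download can be a sign of exfiltration
        alerts.append("unusually large response")
    return alerts

def scan_log(lines):
    """Return (ip, uri, reasons) for every line that trips at least one indicator."""
    findings = []
    for entry in filter(None, map(parse_line, lines)):  # unparseable lines are skipped
        reasons = check_entry(entry)
        if reasons:
            findings.append((entry["ip"], entry["uri"], reasons))
    return findings

# Constructed sample log; addresses come from the RFC 5737 documentation ranges
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2018:13:55:36 -0600] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0 (Windows NT 10.0)"',
    '198.51.100.23 - - [10/Mar/2018:13:56:01 -0600] "GET /login HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Mar/2018:13:57:12 -0600] "GET /../../etc/passwd HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Mar/2018:13:57:40 -0600] "GET /products?id=1 HTTP/1.1" 200 980 "-" "sqlmap/1.2"',
    '203.0.113.40 - - [10/Mar/2018:14:02:03 -0600] "GET /export/customers.csv HTTP/1.1" 200 73400320 "-" "python-requests/2.18"',
]
```

Calling `scan_log(SAMPLE_LOG)` flags four of the five sample lines, one per indicator; in practice you would feed it lines read from your access log and forward the findings to the SIEM.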
Here’s the good news:
These are all solutions you can implement on your own with the right skills and technology. But, if you want to save some time and get assurance that traffic entering your network is monitored the right way, LBMC Information Security can help.
Our Managed IDS/IPS service can analyze the traffic entering and exiting your network to ensure malicious traffic stays out, and we can walk you through the entire process of installing deep packet SSL inspection on your network.
Our Managed SIEM service can monitor your web server logs 24/7/365 to ensure you’ll get security alerts in real time. Plus, you’ll be able to get help from our Security Operations Center.