Following up on my previous blog on network visibility, I want to distinguish three phases of network-based cybercrime: pre-crime, in-crime and post-crime.
Pre-crime is like someone visiting you at home with an unexpected knock on your door. You: "Who's there?" Them: "Oh, I'm just here to pick up a package". You: "Not me. I didn't request that". Them: "Sorry, must be the wrong address." (They're thinking: "OK, this house is occupied, better not burgle them".)
Post-crime is coming home and noticing you've been burgled. The place is trashed, and lots of stuff is missing. Police can come and perform some forensics and dust for fingerprints. In-crime is the crime in progress: coming home and seeing the burglar in action. So there are analogs in using network visibility to predict, detect and perform forensics on cybercrime. There are corresponding stages in the classic cyber security kill chain, which are more precisely defined than my pre-, in- and post-crime labels, but I couldn't resist making a reference to precrime from Philip K. Dick's short story "The Minority Report".
A single technology cannot address all of these issues. What do you need at each phase?
- Pre-crime is the ideal time to stop a crime. Gigamon's GigaSECURE platform and its partners emphasize the value of collecting metadata to build context and infer intent. If you can't examine every packet in detail, metadata (who talked to whom, on which port, when, and how much) gives you approximate indicators of what is going on, and feeding that metadata into big data analytics goes a long way towards predicting behavior: it may reveal lateral movement by an intruder, contact with command-and-control servers, and so on. Incident response is then activated, and you can close the doors, or keep watching their activity to gather more clues and nab them.
- In-crime, or crime in progress, can also be detected by network visibility. Volumetric analysis is a simple yet effective method of showing exfiltration (stealing of data) in progress: gazillions (a technical term) of outbound packets on a long weekend, if they don't correspond to a scheduled job, are probably not a good thing. The check is only as good as the baseline it is compared against, so it needs a per-host notion of normal volume and an allowlist of known jobs such as backups, and a patient attacker who throttles the transfer ("low and slow") will stay under a purely volumetric threshold, which is why the destination and the timing of the flows matter as much as their size. Lots of companies do this form of detection. Lancope's StealthWatch (Lancope was acquired by Cisco) does it with NetFlow analysis, as does GigaSECURE, and many other products perform detection using packet and flow inspection.
- Post-crime, or forensic analysis, is necessary even if the infiltrator has finished the job and is already on the lam. Products that can provide a view or log of past events, such as those from ProtectWise, Savvius, or Splunk, provide a way to look at the past (a network DVR, of sorts).
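To make the metadata and volumetric checks from the pre-crime and in-crime bullets concrete, here is an added example of my own; it is not code from Gigamon, Lancope/Cisco or any other product named above. It runs two detections over constructed NetFlow-style records: a volumetric check that compares each internal host's off-hours outbound volume to external destinations against that host's own business-hours median, and a metadata check that flags one internal host fanning out to many internal hosts on admin ports within an hour. The record format, the 10.0.0.0/8 internal range, the thresholds, the business-hours window and the scheduled-backup allowlist are all assumptions chosen for illustration.

```python
"""Flow-based detection over constructed NetFlow-style records.

Added example for this post, not vendor code. Each record is a simplified
"timestamp,src,dst,dport,bytes" line (constructed format, not a real export).
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import median

INTERNAL_NETS = [ip_network("10.0.0.0/8")]   # assumption: the corporate range
ADMIN_PORTS = {22, 445, 3389, 5985}           # SSH, SMB, RDP, WinRM
# Hypothetical scheduled job: nightly backup from 10.0.1.20 to an off-site host.
SCHEDULED_PAIRS = {("10.0.1.20", "203.0.113.9")}
VOLUME_RATIO = 10       # off-hours hourly bytes must exceed 10x the business-hours median
FANOUT_THRESHOLD = 10   # distinct internal targets on admin ports within one hour


def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def is_off_hours(ts):
    """Weekend, or outside 08:00-18:00 on a weekday (assumed business hours)."""
    return ts.weekday() >= 5 or not 8 <= ts.hour < 18


def hour_bucket(ts):
    return ts.replace(minute=0, second=0, microsecond=0)


def parse_flows(lines):
    """Parse 'timestamp,src,dst,dport,bytes' lines into dicts."""
    flows = []
    for line in lines:
        ts, src, dst, dport, nbytes = line.split(",")
        flows.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                      "dport": int(dport), "bytes": int(nbytes)})
    return flows


def detect_exfiltration(flows):
    """Volumetric check: per internal host, off-hours outbound volume to external
    destinations versus that host's business-hours hourly median. Allowlisted
    scheduled transfers are excluded before the baseline is built."""
    hourly = defaultdict(lambda: defaultdict(int))   # src -> hour -> bytes
    for f in flows:
        if (is_internal(f["src"]) and not is_internal(f["dst"])
                and (f["src"], f["dst"]) not in SCHEDULED_PAIRS):
            hourly[f["src"]][hour_bucket(f["ts"])] += f["bytes"]
    alerts = []
    for src, buckets in hourly.items():
        business = [b for h, b in buckets.items() if not is_off_hours(h)]
        if not business:
            continue   # no baseline yet; a real deployment needs a longer window
        baseline = median(business)
        for h, b in buckets.items():
            if is_off_hours(h) and b > VOLUME_RATIO * baseline:
                alerts.append((src, h.isoformat(), b, baseline))
    return alerts


def detect_lateral_movement(flows):
    """Metadata check: one internal host reaching many internal hosts on admin
    ports within a single hour, regardless of how little data moved."""
    fanout = defaultdict(set)   # (src, hour) -> set of internal destinations
    for f in flows:
        if is_internal(f["src"]) and is_internal(f["dst"]) and f["dport"] in ADMIN_PORTS:
            fanout[(f["src"], hour_bucket(f["ts"]))].add(f["dst"])
    return [(src, h.isoformat(), len(dsts)) for (src, h), dsts in fanout.items()
            if len(dsts) >= FANOUT_THRESHOLD]


# Constructed sample: a normal week for 10.0.1.5, then a Saturday-night dump.
SAMPLE_FLOWS = [
    # Tue-Fri business hours: ~2 MB/hour from 10.0.1.5 to a SaaS host (baseline)
    *[f"2016-03-0{d}T{h:02d}:00:00,10.0.1.5,198.51.100.4,443,{2_000_000 + 50_000 * h}"
      for d in (1, 2, 3, 4) for h in (9, 11, 14, 16)],
    # Saturday 02:10: 3 GB from 10.0.1.5 to an unfamiliar host (flagged)
    "2016-03-05T02:10:00,10.0.1.5,203.0.113.77,443,3000000000",
    # Saturday 01:05: 5 GB from the backup server to its scheduled destination (allowed)
    "2016-03-05T01:05:00,10.0.1.20,203.0.113.9,22,5000000000",
    # Friday 14:xx: 10.0.1.7 touches twelve internal hosts on SMB (flagged)
    *[f"2016-03-04T14:{m:02d}:00,10.0.1.7,10.0.2.{m},445,1200" for m in range(1, 13)],
]

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for a in detect_exfiltration(flows):
        print("EXFIL  src=%s hour=%s bytes=%d baseline=%.0f" % a)
    for a in detect_lateral_movement(flows):
        print("LATERAL src=%s hour=%s targets=%d" % a)
```

Two design points carry over to real deployments: the baseline is built per host and only from business hours, so a server that is always chatty does not look like an exfiltration every weekend, and the lateral-movement rule deliberately ignores byte counts, because a scan of SMB across a subnet moves almost no data and would never trip the volumetric check.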
Some of this can be done with specialized hardware, or in a software-defined way (Juniper will talk about that during RSA '16 in their talk on Software Defined Secure Networks at the Expo briefing center).
Let's not forget about the process involved (the "people/process" part of the golden triangle of people/process/technology). There's a session, "Live Cyber-Exercise: Responding to National Crisis", on Wednesday, March 2nd at 1pm at RSA '16 by speakers from Columbia University and CrowdStrike that simulates an incident at a large, national scale. Understanding the policy actions and responses promises to be fascinating, and will probably scare you.