Monitoring for Country-Specific Traffic

Heidi Gabrielson

As in past years, financially motivated attacks continue to be the most common, and actors categorized as "organized crime" continue to be the top threat vector.[1] Most of these attacks come from a handful of countries: China, Russia, Turkey, the United States, etc.[2]

Riverbed Network Performance Management (NPM) solutions can identify and alert on traffic coming from countries where your organization may not normally do business, e.g., North Korea. However, once this traffic is identified, the IT Operations or SecOps team must determine if that traffic is legitimate or suspicious.

CIDRs & Host Groups screen traffic

Here’s how a financial services company recently started to screen traffic coming from the Russian Federation. They use Riverbed AppResponse, packet-based application analysis, and Riverbed NetProfiler, full-fidelity flow monitoring.

The ITOps team, with the help of their Riverbed SE, started by putting together a list of the CIDR blocks for the Russian Federation, then separating them into 12 Host Groups. Host Groups allow you to manage similar objects together. These 12 Host Groups were added to both AppResponse and NetProfiler.

Next, the ITOps team set up monitoring at the port level. Immediately, they started to see traffic from the Russian Federation! Tweaking the settings helped determine whether that traffic was suspicious and required further investigation by SecOps. Here are some of the features they used:

  1. Network Monitoring – receiving traffic information from any combination of sources. Aggregating, de-duplicating, and processing traffic data to prepare it for network behavior analytics. Behavior analytics builds profiles of typical network behavior for specified times so it can identify unusual changes that indicate performance or security issues.
  2. Event Detection – analyzing compliance with service policies, performance and availability policies, security policies, and user-defined policies. Assigns each security policy violation event a severity rating number based on the likelihood of being a threat to network performance, availability, or security.
  3. Alert Generation – checking the severity of each network event against a set of user-defined tolerance levels or alerting thresholds. When the severity of an event exceeds a tolerance or alerting threshold, NetProfiler alerts users to the existence of the event by indicating an alert condition and displaying information about the event.
  4. Notification – automatically sending email, SMTP, or SMS alert messages to designated security or operations management personnel or systems.
  5. Event Reporting – saving details of all events that triggered alerts. Event detail reports can be viewed on the NetProfiler user interface or retrieved by remote management systems for analysis.

Setting User-Defined Policies

The next step for this company is to leverage user-defined policies. User-defined policies are a customizable form of event detection that lets you configure your own alerts based on hosts, ports, interfaces, and response time.

This financial services company is planning to create policies to alert when traffic from any of the 12 Host Groups hits any sensitive servers or on ports associated with mission-critical applications. User-defined policies will simplify the identification of suspect traffic since only internal employees should be accessing these servers.
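To make the workflow above concrete (CIDR blocks split into host groups, then a user-defined policy that rates traffic between those groups and sensitive servers or critical ports, plus the cleartext-to-PCI-server rule from Fig. 1), here is an added example in Python. It is not Riverbed's code and does not use the AppResponse or NetProfiler APIs; it reproduces the policy logic in plain Python over constructed flow records so the scoring can be seen end to end. The CIDR list uses RFC 5737 documentation ranges as stand-ins for the real country blocks, and the server addresses, port sets, severity numbers and alert threshold are all assumptions for the example.

```python
import ipaddress

# Constructed stand-in for a country's CIDR list: RFC 5737 documentation ranges,
# not real allocations. The actual blocks would come from the vendor KB article.
COUNTRY_CIDRS = [
    "203.0.113.0/24", "192.0.2.128/25", "198.51.100.0/26",
    "192.0.2.0/25", "198.51.100.128/25", "198.51.100.64/26",
]

# Constructed internal assets (RFC 1918) and policy parameters (assumptions).
SENSITIVE_SERVERS = {"10.10.5.20", "10.10.5.21"}   # PCI-regulated / mission-critical
CRITICAL_PORTS = {1433, 3306, 8443}                 # ports of key applications
CLEARTEXT_PORTS = {21, 23, 80}                      # non-encrypted protocols
ALERT_THRESHOLD = 50                                # user-defined tolerance level

# Constructed, simplified flow records (source, destination, destination port).
SAMPLE_FLOWS = [
    {"src": "192.0.2.10",     "dst": "10.10.5.20",   "dport": 1433},
    {"src": "203.0.113.7",    "dst": "10.10.9.4",    "dport": 8443},
    {"src": "198.51.100.200", "dst": "10.10.9.4",    "dport": 443},
    {"src": "10.10.9.4",      "dst": "10.10.5.20",   "dport": 80},
    {"src": "10.10.5.21",     "dst": "203.0.113.50", "dport": 443},
    {"src": "10.10.9.5",      "dst": "10.10.9.4",    "dport": 443},
]


def build_host_groups(cidrs, n_groups, prefix="RU-"):
    """Split a CIDR list into n_groups named host groups of parsed networks.
    Blocks are sorted by address so each group covers a contiguous slice."""
    nets = sorted((ipaddress.ip_network(c, strict=True) for c in cidrs),
                  key=lambda n: (int(n.network_address), n.prefixlen))
    size = -(-len(nets) // n_groups)  # ceiling division
    groups = {}
    for i in range(n_groups):
        chunk = nets[i * size:(i + 1) * size]
        if chunk:
            groups[f"{prefix}{i + 1:02d}"] = chunk
    return groups


def match_host_group(ip, host_groups):
    """Return the name of the host group whose CIDRs contain ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, nets in host_groups.items():
        if any(addr in net for net in nets):
            return name
    return None


def evaluate_flow(flow, host_groups):
    """Apply the user-defined policies to one flow. Returns (severity, reason)
    where severity is a 0-100 rating, or None when no policy fires."""
    src, dst, dport = flow["src"], flow["dst"], flow["dport"]
    src_group = match_host_group(src, host_groups)
    dst_group = match_host_group(dst, host_groups)
    # Policy 1: a screened host group touching a sensitive server, either way.
    if src_group and dst in SENSITIVE_SERVERS:
        return 95, f"{src_group} -> sensitive server {dst}:{dport}"
    if dst_group and src in SENSITIVE_SERVERS:
        return 95, f"sensitive server {src} -> {dst_group} host {dst}:{dport}"
    # Policy 2: a screened host group reaching a mission-critical application port.
    if src_group and dport in CRITICAL_PORTS:
        return 70, f"{src_group} -> critical application port {dport} on {dst}"
    # Policy 3: any other traffic involving a screened host group (informational).
    if src_group or dst_group:
        return 40, f"traffic involving host group {src_group or dst_group}"
    # Policy 4 (Fig. 1 style): non-encrypted protocol to a PCI-regulated server.
    if dport in CLEARTEXT_PORTS and dst in SENSITIVE_SERVERS:
        return 90, f"cleartext port {dport} to PCI-regulated server {dst}"
    return None


def screen_flows(flows, host_groups, threshold=ALERT_THRESHOLD):
    """Event detection plus alert generation: keep every flow that fired a
    policy, and mark those whose severity reaches the alerting threshold."""
    events = []
    for flow in flows:
        result = evaluate_flow(flow, host_groups)
        if result is None:
            continue
        severity, reason = result
        events.append({**flow, "severity": severity, "reason": reason,
                       "alert": severity >= threshold})
    return events


if __name__ == "__main__":
    groups = build_host_groups(COUNTRY_CIDRS, 3)
    for name, nets in groups.items():
        print(name, [str(n) for n in nets])
    for event in screen_flows(SAMPLE_FLOWS, groups):
        flag = "ALERT" if event["alert"] else "event"
        print(f"{flag:5} sev={event['severity']:3} {event['reason']}")
```

In the run above the third flow (a screened host reaching an ordinary internal server on 443) is recorded as an event but stays below the threshold, which is the behaviour described under Event Detection and Alert Generation: the rating is assigned first, and only ratings above the tolerance level become alerts for SecOps to investigate.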

Fig. 1. This policy example alerts on non-encrypted connections to/from PCI-regulated servers. The alert identifies the source of insecure connections and creates a virtual firewall between nodes without having to deploy inline devices. Note that thresholds can be set on a variety of parameters.

If you are interested in leveraging these capabilities, check out this video that explains how to create a user-defined policy to proactively monitor high-risk subnets.

If you’d like the Russian Federation CIDR blocks with instructions on how to import them as Host Groups in AppResponse and NetProfiler, see this Knowledge Base article on Riverbed Support.


[1] https://www.verizon.com/dbir/

[2] https://www.govtech.com/security/hacking-top-ten.html
