21 Jump Street was a TV show that aired starting in 1987. Its plot revolved around a set of undercover police who were embedded in local high schools to track down and arrest criminals. The officers chosen for this program shared a few characteristics: first, they all looked young for their age. In fact, one of the officers, Tom Hanson, was assigned to 21 Jump Street specifically because he was having trouble being taken seriously as a cop due to his youthful appearance. Second, the officers all had some form of unresolved family issues that resulted in stunted mental growth. In particular, officer Doug Penhall was known throughout the series for his childish antics.
The series depends on the characters' looks and behaviors blending into what's expected of an average teenager. When the series was remade into a movie in 2012, the script called out some of the suspicious characteristics: "Jenko" clearly looks older than his fellow teenagers, and his behaviors reflect those of a high schooler from a decade earlier. "Schmidt" doesn't understand how to use current technology and consistently commits social faux pas, like calling his love interest on the phone and refusing to kiss her after she expresses her feelings for him. Highlighting these quirks turns the movie into a comedy (whereas the series was a drama), but it also emphasizes that taking the time to notice actual versus anticipated behavior and outward appearance can reveal a lot.
Actual vs. anticipated—distinguishing "good" from "bad," "normal" from "anomalous," "permitted" from "unauthorized"—is the premise of advanced Network Traffic Analysis (NTA): visibility into network entities (devices, users, domains, processes, software) and their behavior patterns can reveal quite a lot about the state of your networks. Network analysis is one of the most important things security teams can do; more than ever, the network—whether it's on premises, in the cloud, or virtual—is the central point of business. With all the changes we see in IT, traffic and entities on networks still show what's happening—if you're looking in the right places and for the right things. This is what NTA company Awake Security is looking to accomplish for its customers.
Rudolph Araujo, VP of Marketing at Awake, recently explained to Ed and me the problem their solution addresses. “First-generation NTA solutions primarily processed layer 3 and 4 meta like protocol headers and NetFlow information. But that data doesn’t give you a complete picture,” he said. Awake, he continued, “is advanced NTA that analyzes communications, whether those are traditional TCP/IP style packets, virtual network traffic crossing a Vswitch, traffic from and within cloud workloads, and API calls to SaaS applications or serverless computing instances. We look at layers 2-7 in the OSI stack because it gives us signals you wouldn’t see from layers 3 and 4 only.”
Awake mainly focuses on four use cases: visibility, insider threat detection, threat hunting, and compliance and investigations:
The platform consists of three components:
In practical terms, Awake is built on the idea of full packet capture but goes deeper, analyzing not just what's on the network, but how it's communicating and the behaviors it's exhibiting. The entire process happens autonomously and automatically. By extending data collection and analysis to include layers 2-7, Awake provides context for network activity and, said Araujo, "improves detection fidelity, tracks entities and actually helps the solution scale to large and complex networks."
Based on our brief call with Araujo, the company seems to have the seeds of a solid solution. One limitation of network traffic analysis, though, is that more and more network traffic is encrypted, leaving it unavailable for inspection. Awake counters this problem by extracting intelligence from attributes of the encrypted session, such as key exchanges and metadata from the TLS session, but there is room to improve—and improvement will become necessary as more organizations adopt zero trust models that require encryption as a component.
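As an added illustration of the point about metadata from encrypted sessions (example code written for this note, not Awake's product or anything about its internals): a small parser for the TLS ClientHello, which is sent in cleartext even when the rest of the session is encrypted, that pulls out the server name (SNI), the offered cipher suites and the offered key-exchange groups, and flags legacy offers a defender would want to notice. The ClientHello it parses is constructed inline by `build_client_hello`; the suite and group code points are real IANA registry values.

```python
import struct

# IANA TLS registry code points (real values); a few named for readable output
SUITE_NAMES = {0x1301: "TLS_AES_128_GCM_SHA256", 0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
               0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA"}
GROUP_NAMES = {0x001D: "x25519", 0x0017: "secp256r1", 0x0001: "sect163k1"}
LEGACY_SUITES, LEGACY_GROUPS = {0x000A}, {0x0001}   # 3DES suite, obsolete curve: worth flagging

def build_client_hello(sni: str, suites, groups) -> bytes:
    """Build a minimal ClientHello record as constructed sample input (not captured traffic)."""
    name = sni.encode()
    sni_list = b"\x00" + struct.pack("!H", len(name)) + name           # name_type 0 = host_name
    sni_data = struct.pack("!H", len(sni_list)) + sni_list
    grp_list = b"".join(struct.pack("!H", g) for g in groups)
    grp_data = struct.pack("!H", len(grp_list)) + grp_list
    exts = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in ((0, sni_data), (10, grp_data)))
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (b"\x03\x03" + bytes(32) + b"\x00"                           # version, random, no session id
            + struct.pack("!H", len(suite_bytes)) + suite_bytes + b"\x01\x00"   # null compression only
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body                  # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs            # record type 22 = handshake

def parse_client_hello(rec: bytes) -> dict:
    """Pull SNI, offered cipher suites and key-exchange groups from the cleartext handshake."""
    if len(rec) < 9 or rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    p = 5 + 4 + 2 + 32                  # record header, handshake header, client version, random
    p += 1 + rec[p]                     # session id (length-prefixed)
    n = struct.unpack_from("!H", rec, p)[0]; p += 2
    suites = [struct.unpack_from("!H", rec, p + i)[0] for i in range(0, n, 2)]; p += n
    p += 1 + rec[p]                     # compression methods (length-prefixed)
    info = {"sni": None, "suites": suites, "groups": [], "legacy": []}
    if p + 2 <= len(rec):               # extensions block is optional in very old clients
        ext_end = p + 2 + struct.unpack_from("!H", rec, p)[0]; p += 2
        while p + 4 <= ext_end:
            et, el = struct.unpack_from("!HH", rec, p); p += 4
            data = rec[p:p + el]; p += el
            if et == 0 and el >= 5:     # server_name: list len(2), type(1), name len(2), name
                nl = struct.unpack_from("!H", data, 3)[0]
                info["sni"] = data[5:5 + nl].decode("ascii", "replace")
            elif et == 10 and el >= 2:  # supported_groups: list len(2), then 2-byte group ids
                gl = struct.unpack_from("!H", data, 0)[0]
                info["groups"] = [struct.unpack_from("!H", data, 2 + i)[0] for i in range(0, gl, 2)]
    info["legacy"] = ([SUITE_NAMES[s] for s in suites if s in LEGACY_SUITES]
                      + [GROUP_NAMES[g] for g in info["groups"] if g in LEGACY_GROUPS])
    return info
```

Call `parse_client_hello(build_client_hello("example.com", [0x1301, 0xC02F, 0x000A], [0x001D, 0x0017, 0x0001]))` to see the SNI, the offers, and the two legacy flags. Under TLS 1.3 the ClientHello is still sent in the clear unless Encrypted Client Hello is in use, so these fields remain observable without any decryption.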
Wherever your company is in its cybersecurity maturity, one thing is true: network traffic always reveals good from bad, normal from anomalous, if you're looking in the right places and at the right things, i.e., connections between entities and their behaviors. To accomplish this, visibility is the first step. Next comes clustering and modeling. Tying in adversary profiling seems like a good addition to traditional network modeling, so if you're in the market to get a better grasp on your network traffic and prevent threat actors from blending into normal operations, give the team at Awake a call.