Network Traffic Analysis with Adversary TTPs

21 Jump Street was a TV show that aired starting in 1987. Its plot revolved around a set of undercover police who were embedded in local high schools to track down and arrest criminals. The officers chosen for this program shared a few characteristics: first, they all looked young for their age. In fact, one of the officers, Tom Hanson, was assigned to 21 Jump Street specifically because he was having trouble being taken seriously as a cop due to his youthful appearance. Second, the officers all had some form of unresolved family issues that resulted in stunted mental growth. In particular, officer Doug Penhall was known throughout the series for his childish antics.

The series depends on the characters’ looks and behaviors blending into what's expected of an average teenager. When the series was remade into a movie in 2012, the script called out some of the suspicious characteristics: “Jenko” clearly looks older than fellow teenagers, and his behaviors reflect that of a high schooler a decade prior. “Schmidt” doesn’t understand how to use current technology and consistently commits social faux pas, like calling his love interest on the phone and refusing to kiss her after she expresses her feelings for him. Highlighting these quirks turns the movie into a comedy (whereas the series was a drama), but it also emphasizes that taking time to notice actual versus anticipated behavior and outward appearance can reveal a lot.

Actual vs. anticipated—distinguishing “good” from “bad,” “normal” from “anomalous,” “permitted” from “unauthorized”—is the premise of advanced Network Traffic Analysis (NTA): visibility into network entities (devices, users, domains, processes, software) and their behavior patterns can reveal quite a lot about the state of your networks. Network analysis is one of the most important things security teams can do; more than ever, the network—whether it’s on premises, in the cloud, or virtual—is the central point of business. With all the changes we see in IT, traffic and entities on networks still show what’s happening—if you’re looking in the right places and for the right things. This is what NTA company Awake Security is looking to accomplish for its customers.

What is advanced NTA?

Rudolph Araujo, VP of Marketing at Awake, recently explained to Ed and me the problem their solution addresses. “First-generation NTA solutions primarily processed layer 3 and 4 meta like protocol headers and NetFlow information. But that data doesn’t give you a complete picture,” he said. Awake, he continued, “is advanced NTA that analyzes communications, whether those are traditional TCP/IP style packets, virtual network traffic crossing a vSwitch, traffic from and within cloud workloads, and API calls to SaaS applications or serverless computing instances. We look at layers 2-7 in the OSI stack because it gives us signals you wouldn’t see from layers 3 and 4 only.”

Awake mainly focuses on four use cases: visibility, insider threat detection, threat hunting, and compliance and investigations.

The platform consists of three components:

  1. EntityIQ: Sensors are deployed at the point of collection (e.g., at the perimeter/segment, in the data center, on cloud TAPs, and SaaS connectors) and analyze network communication. After collection, the tool builds a security knowledge graph that identifies all entities, tracks connections between them, and monitors behaviors. Importantly, Awake does not rely on traditional baselining of behaviors, but instead compares behaviors across similar devices and the broader set of entities in the organization.
  2. Adversarial modeling: Rather than modeling indicators of compromise, which is typical of many threat intelligence-based tools, Awake models adversary tactics, techniques, and procedures (TTPs). For example, rather than searching for a domain, which an attacker can change easily, Awake might analyze the infrastructure behind the domain: Where is it registered? Where is it being hosted? What is the autonomous system number (ASN) for the host network? How long has the domain existed? Awake researchers continuously add new models to the platform and allow customers to modify those models or build their own so they can more accurately identify threats aimed at their environment.
  3. Ava: This is a virtual security analyst, built on machine learning, which allows customers to autonomously triage and remediate incidents and perform forensic analysis post-incident.

In practical terms, Awake is built on the idea of full packet capture but goes deeper, analyzing not just what’s on the network, but how it’s communicating and the behaviors it’s exhibiting. The entire process happens autonomously and automatically. By increasing data collection and analysis to include layers 2-7, Awake provides context for network activity and, said Araujo, “improves detection fidelity, tracks entities and actually helps the solution scale to large and complex networks.”

The network always reveals the truth

One case study Awake boasts is how it helped a multi-billion dollar oil and gas company prevent major damage from a phishing campaign. After a targeted phishing campaign, Awake automatically identified an underlying set of TTPs, for instance, the JavaScript being used to mask stolen credentials. Based on that, Awake was able to identify additional domains with the same attributes and prevent the attack from progressing.
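The adversarial-modeling idea from the component list and the phishing case study above both come down to the same operation: key domains by the infrastructure behind them (registrar, hosting ASN, country, age) instead of by name, then find other domains that share the key. The following is an added illustration, not Awake's code; the enrichment records are constructed and the `.example` domains, registrar names and ASNs are hypothetical.

```python
from dataclasses import dataclass
from datetime import date

# Constructed enrichment records (not real WHOIS/ASN data): one row per domain
# carrying the attributes the text lists. All values are hypothetical.
@dataclass(frozen=True)
class DomainInfra:
    domain: str
    registrar: str
    asn: int
    country: str
    created: date

OBSERVED = [
    DomainInfra("login-portal-secure.example", "CheapReg LLC", 64512, "XX", date(2024, 5, 2)),
    DomainInfra("account-verify-now.example", "CheapReg LLC", 64512, "XX", date(2024, 5, 4)),
    DomainInfra("docs.partner-corp.example", "BigRegistrar Inc", 64496, "US", date(2015, 3, 1)),
    DomainInfra("mail-update-check.example", "CheapReg LLC", 64512, "XX", date(2024, 5, 9)),
    DomainInfra("cdn.vendor.example", "BigRegistrar Inc", 64500, "DE", date(2018, 7, 20)),
]

def infra_fingerprint(d: DomainInfra, observed_on: date, max_age_days: int = 30) -> tuple:
    """TTP-style key: who registered the domain, where it is hosted, and whether
    it is newly created. The domain name itself is deliberately left out: the
    attacker can swap names cheaply, while the infrastructure is stickier."""
    young = (observed_on - d.created).days <= max_age_days
    return (d.registrar, d.asn, d.country, young)

def related_domains(seed: str, records: list, observed_on: date) -> list:
    """Other domains whose infrastructure fingerprint matches the seed's,
    i.e. the 'additional domains with the same attributes' from the case study."""
    by_name = {r.domain: r for r in records}
    seed_fp = infra_fingerprint(by_name[seed], observed_on)
    return sorted(r.domain for r in records
                  if r.domain != seed and infra_fingerprint(r, observed_on) == seed_fp)

def cluster_by_fingerprint(records: list, observed_on: date) -> dict:
    """Group every observed domain by fingerprint; a cluster of several young
    domains on one registrar/ASN pair is a hunting lead even with no known IoC."""
    clusters = {}
    for r in records:
        clusters.setdefault(infra_fingerprint(r, observed_on), []).append(r.domain)
    return clusters
```

Seeding with the domain from a confirmed phishing mail turns a single indicator into a blocklist of its siblings, and the clustering pass surfaces the same group before any seed is known.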

Based on our brief call with Araujo, the company seems to have the seeds of a solid solution. One limitation of network traffic analysis, though, is that more and more network traffic is encrypted, leaving it unavailable for inspection. Awake counters this problem by extracting intelligence from attributes of the encrypted session, such as the key exchange and metadata from the TLS session, but there is opportunity to improve—and it will become necessary as greater numbers of organizations adopt zero trust models that require encryption as a component.

Wherever your company is in its cybersecurity maturity, one thing is true: network traffic always reveals good from bad and normal from anomalous if you’re looking in the right places and at the right things, i.e., connections between entities and their behaviors. To accomplish this, visibility is the first step. Next comes clustering and modeling. Tying in adversary profiling seems like a good addition to traditional network modeling, so if you’re in the market to get a better grasp on your network traffic and prevent threat actors from blending into normal operations, give the team at Awake a call.