Security Use Case: When Normal Is Dangerous
It is generally accepted in the information security community that a good way to identify threats is to look for “anomalous behavior”. That’s all well and good, but we have recently seen that seemingly normal behavior has led to successful security breaches and massive data loss for many companies. How do you know what to look for? How do you actually pinpoint potentially dangerous activity in your systems, even when it appears normal? I’d like to share some interesting findings from a recent beta testing scenario while preparing for the next release of our security monitoring solution.
What We Found
During recent beta testing of our Advanced Threat & Log Analysis Service (ATLAS), we discovered that several of our customers who had VoIP systems manufactured by the same company in China were particularly vulnerable and exposed to significant attack risk. Our new technology allows us to monitor and detect anomalous outbound traffic across well-known ports. In this case we were monitoring outbound connections over ports 21 and 22 that were assumed “safe”. While engaged, we observed port 22 (SSH) traffic going out to China. This immediately got our attention because we identified several different companies communicating with the same IP address. Upon further investigation, we also noted that these companies all had the same VoIP-based phone systems, built by the same manufacturer in China. The phone manufacturer had installed a secret “back door” into the system, which allowed unauthorized remote entry.
If this customer had been set up to allow all traffic outbound (which is quite prevalent in many customer environments), the backdoor would have allowed this unauthorized access, and the phone system could have become a “landing pad” for further surveillance and data breach. To make matters worse, the phone system manufacturer required the phone system to have domain admin account credentials in order to function, so essentially the Chinese company had full domain admin rights to the network.
With the powerful new features of our service, we are able to define behavior-based baselines for normal traffic. We knew it was not normal for this customer to be sending traffic to China. Because of our service, this potentially major vulnerability was identified and corrected before critical data was compromised.
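The detection described above, as an added example that is not part of the original post or the ATLAS product: a behavior-based baseline check over outbound SSH connections that flags destinations outside the environment's normal set and destinations shared by several sources. The log format, the addresses, the geolocation table and the baseline are all constructed for this example; internal source hosts stand in for the separate customer sites.

```python
"""Added example (not from the original post): flag outbound port-22 traffic
that falls outside a behavior baseline, and spot destinations shared by
multiple sources. Every log line, address and lookup below is constructed."""
from collections import defaultdict

# Constructed firewall/flow records (timestamp, then key=value fields).
SAMPLE_LOG = """\
2024-01-01T10:00:01 src=10.1.1.20 dst=198.51.100.7 dport=22 action=allow
2024-01-01T10:00:05 src=10.1.1.21 dst=198.51.100.7 dport=22 action=allow
2024-01-01T10:01:10 src=10.1.1.30 dst=192.0.2.44 dport=22 action=allow
2024-01-01T10:02:00 src=10.1.1.31 dst=203.0.113.9 dport=443 action=allow
2024-01-01T10:03:00 src=10.1.1.32 dst=198.51.100.7 dport=22 action=allow
"""

# Constructed geolocation table with placeholder country codes (not real data).
GEO = {"198.51.100.7": "CN", "192.0.2.44": "US", "203.0.113.9": "US"}

# Behavior baseline: destination countries this environment normally talks to,
# and the "assumed safe" ports the post says were being watched.
BASELINE_COUNTRIES = {"US"}
WATCHED_PORTS = {21, 22}


def parse_line(line):
    """Parse one constructed log line into a dict of its key=value fields."""
    fields = dict(kv.split("=", 1) for kv in line.split()[1:])
    return {"src": fields["src"], "dst": fields["dst"],
            "dport": int(fields["dport"]), "action": fields["action"]}


def find_outliers(log, min_sources=2):
    """Return (off_baseline, shared).

    off_baseline: (src, dst, dport) tuples for allowed connections on a watched
      port whose destination country is not in the baseline. An address with
      no geolocation entry is treated as off-baseline (conservative default).
    shared: {dst: sorted sources} for watched-port destinations contacted by at
      least min_sources distinct sources, the pattern that stood out above.
    """
    off_baseline = []
    sources_by_dst = defaultdict(set)
    for line in log.splitlines():
        rec = parse_line(line)
        if rec["dport"] not in WATCHED_PORTS or rec["action"] != "allow":
            continue
        sources_by_dst[rec["dst"]].add(rec["src"])
        if GEO.get(rec["dst"], "??") not in BASELINE_COUNTRIES:
            off_baseline.append((rec["src"], rec["dst"], rec["dport"]))
    shared = {dst: sorted(srcs) for dst, srcs in sources_by_dst.items()
              if len(srcs) >= min_sources}
    return off_baseline, shared
```

Running `find_outliers(SAMPLE_LOG)` on the constructed log flags the three port-22 connections to 198.51.100.7 as off-baseline and reports that destination as shared by three sources, while the single port-22 connection to an in-baseline address is not reported.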
It has long been known that certain manufacturers have been building backdoors into their products. This presents a challenge to any company using these products, because the traffic patterns will not be easily detected by conventional SIEM technology. Using current approaches, the customer would see this phone system’s communications as “normal” and assume they were trusted. These types of security incidents, and many other newer kinds of attacks (APTs and zero-day threats), can more easily be detected through a new class of technology capabilities known as Security Analytics.