Last year in the article Looking East and West, we examined how lateral visibility can assist in investigations connected to data theft. In that article, we examined an attack where Beron’s computer had fallen under the control of an external attacker in Ukraine who used it to extract data from a business-critical database server and upload the stolen data to an external FTP server.
Advanced Data Protection in StealthWatch System 6.5
In the year that has passed since we first looked at the Beron compromise, Lancope has improved its security processing model and feature sets and incorporated advanced threat detection algorithms into the StealthWatch System.
The dashboard below provides histograms of traffic moving from the protected data stores, the authorized users and support services. Beron’s computer resides in the “Crown Jewels Authorized” host group. The database server that is exploited resides in “Crown Jewels Data.”
On the alarms tab of the dashboard, abnormal transfer rates and totals trigger relationship alarms between the “Crown Jewels Authorized” and “Crown Jewels Data” host groups.
The abnormal transfer can be observed on the traffic tab of the dashboard.
Segmentation policy allows data to flow between these two security zones. The StealthWatch System inspects the qualities of the transfers to reveal anomalous activity that can indicate insider or advanced threats.
StealthWatch System 6.5 includes a new Custom Security Events feature. This feature allows organizations to create custom detection criteria for a number of purposes including segmentation validation. On the alarm tab of the dashboard, three alarms named “Seg Violation – CJ Auth to Invalid Server” are triggered when Beron’s machine communicates with the unapproved Ukraine server.
These custom events are created through the tools section of the new HTML interface.
Also new in Version 6.5 are advanced data hoarding calculations.
The StealthWatch System observes and baselines how much data a host normally takes and serves to/from other internal hosts. When a host starts “hoarding” too much data, a “Suspect Data Hoarding” alarm is triggered. When a host is serving out too much information to other hosts, a “Target Data Hoarding” alarm is triggered. In the case of the Beron compromise, the MySQL dump between Beron’s machine and the business-critical database server triggered both of these alarms once the acceptable thresholds were crossed.
The final type of alarm in the breach is a “Suspect Data Loss” alarm. This counter-based event triggers when abnormal or prohibited amounts of data are sent out of the network. When Beron’s machine begins the upload of the stolen data out of the network, the alarm is triggered.
The StealthWatch System continues to be a powerful tool in incident response and forensics when security breaches occur. With the new features and capabilities wrapped into the 6.5 release, advanced attacks targeting protected data can be quickly detected.