Analecta Cyber Company Blog: The Importance of Understanding Your Company’s Network Traffic Flow

2018-05-08

The Importance of Understanding Your Company’s Network Traffic Flow

Understanding network traffic flow - early warning system - Analecta LLC Graphic Network Intrusion Detection Systems (IDS) provide data about your company’s system traffic, specifically, its origin, destination, timestamp and volume. Implementing these types of network devices offers a good return on investment by providing a way to aggregate, chart and monitor information about your network in order to improve the speed in which deviations from a network baseline can be detected. 

How monitoring network traffic improves your security posture


Many approaches to cybersecurity focus heavily on knowing the cyber threat, whether it be malicious logons, unauthorized access to your systems, malware, ransomware, trojans—the list is exhaustive! Instead, the NIST Cybersecurity Framework emphasizes knowing your network in intimate detail rather than knowing every possible threat that exists. 

Overall understanding of your network runs the gamut of knowing which systems are providing well-known services like web servers (http, https), remote access (telnet, ssh), Windows domain and DNS services, DHCP servers, and so on. You should also be aware of what typical daily ingress/egress traffic volume looks like, as well as which computers should be communicating with each other and more importantly, which should not. All of these combine together to tell the story of repeatable patterns, being able to detect anomalies and events, and helping your IT staff identify potential problems and malicious activity early.

Determining your network’s cyclical usage patterns


Normal and expected email, Internet usage and internal traffic between company machines shows a very well-defined network pattern. From your network’s perspective, normal operational patterns-of-life for U.S.-based small and medium-sized businesses (SMBs) working a standard M/F 9-5 work week look very similar from a variety of vantage points.

Take for example one such facet: employee Internet usage. Throughout the course of the workday, employee Internet traffic will shift more towards external websites early in the morning, around lunch time and as the work-day ends. Rarely will you see heavy Internet-destined activity on a small business network after hours.

The same general concept applies if your business operates back office networks, a point-of-sale or a customer relationship management (CRM) system. These, too, have predictable cyclical patterns. Based on the industry, you may also have weekend work, busier times of the month, seasonal peaks, and so on. There may be a few special cases that occur, for example operating system updates during non-peak hours. These can also become part of a weekly or monthly baseline of activity.

Daily network life cycle events observed by Analecta's EarlyWarning anomaly detection platform.
Copyright 2018 Analecta LLC, MD, USA

Analyzing this traffic and averaging it over time can be used as a standard baseline for your business. The traffic baseline pictured above shows the peaks and flows of a typical work week for a U.S.-based SMB. In comparing daily, weekly and monthly traffic to established network performance baselines, anomalies in traffic flow (both volume and direction) can be easily identified with alerts stating that “out of the norm” events are occurring. Monitoring these anomalies will give your security team an advantage over potentially harmful impacts to your system.

Internal network observations


Taking the discussion one level deeper, let’s consider internal network traffic flow. Volume and direction of traffic between systems on your network are just as important to understand in the context of traffic flow. Once inside a system, malicious attackers often move laterally to other machines within the network in search of valuable data. Based on baseline metrics, instances of unexpectedly high network volume passing through an internal connection that usually has a low volume of traffic would be cause for concern and should be picked up by detection software. Here are several damaging accounts of unmonitored internal network traffic:
  • In a public hack on the “internet of things" (IOT) devices, hackers gained access to a North American casino computer network in 2017 through an Internet-connected fish tank thermometer. Presumably, the traffic to and from the fish tank would have been relatively small packets used to manage the tank remotely. Instead, several gigabytes of data from accounting servers within the casino passed through the node, up to the cloud and to a device in Finland. Although there was no direct financial loss due to the incident, a high-roller database of people who had high financial gains while patronizing the casino was posted to the Internet.
  • In 2015, cyber criminals launched a trojan and botnet attack that took remote control
    of computers at 100 different banking institutions in 30 countries. After gaining access to
    the network of banking computers through a phishing email attack sent to employees, the attackers wired just under $10 million from each of the banks to fraudulent accounts and ultimately into their pockets. These attacks lasted over a two-year time period, in which time the hackers accumulated over $1 billion. Had bank security systems understood the importance of traffic baselines, they would have identified the consistent increase in outgoing traffic patterns and noticed that there was a problem.
  • The Target compromise of 2013 also illustrates the importance of understanding internal network flow. Hackers used stolen credentials from a HVAC company to eventually upload credit card-stealing malware on point-of-sale devices. Like the fish tank, HVAC temperature and energy consumption and monitoring traffic would ordinarily be low volume and should not be communicating with business-critical network systems. The network traffic involved with installing the malware would have likely caused an alert if it had been compared to an accurate baseline, potentially preventing the loss of personal information of nearly 70 million “targeted” customers. 

And now a word from our sponsor: Analecta’s EarlyWarning system


Understanding your network baseline can take some time, but with quality network management software, you should have enough data and visualizations to put together a good network traffic baseline. Here we present an IDS that takes much of the guesswork out of the equation.

Analecta-LLC early warning device

Analecta’s EarlyWarning Network Intrusion Detection System is designed to identify atypical network events and alert IT security staff of possible intrusion activity. The EarlyWarning system is a pairing of an on-site sensor and a cloud-based event collection platform. It integrates easily into nearly any small or medium-size business network.

Following a 30-day acclimation period, false-positive alerts from your network are analyzed and resolved, and the software reconfigured to create a baseline tailored for your specific network. After the training window, active alerts are configured to send event information to your company’s IT or security staff.

Threatening actions within your company’s internal network will be detected and alerts will be sent instantly via text message or email to your designated technical points of contact. During a potential attack, Analecta’s intrusion analysts and system engineers are able to support your efforts to contain and eradicate a cyber attack, and can assist you in recovery to normal business operations. 

If you are looking for expert advice on implementing a cybersecurity program for your company,  implementing your network baseline strategy or would like to learn more about the EarlyWarning anomaly detection system, email us at info@analecta-llc.com or visit the Cyber Security page on our website. We are here to help!

Further Resources