Network Behavioural Analysis
IT executives and network professionals are bombarded daily with evidence that the traditional network is long gone. In its place is a blended voice-and-data network that offers exciting potential – transporting voice over IP (VoIP) and video applications, IP virtual private network (VPN) services and triple-play broadband services.

While these blended networks afford tremendous opportunity to both enterprises and service providers, they are also extremely vulnerable to blended threats. Over the past several years, blended threats have evolved from simple network-borne worms into multi-faceted “composite” threats that exhibit any number of distinct behaviours, including:

Multi-vulnerability scanning to identify potential targets
Targeted exploitation that launches directed attacks against vulnerable hosts
Remote shells that open arbitrary ports on compromised hosts to connect to at a later time
Malware drops, in which malicious code is downloaded from an external source to continue propagation.

As attacks grow more sophisticated, using allowed ports and protocols to tunnel into a network’s soft underbelly, composite threats are quickly becoming the norm. They are escalating in frequency and sophistication for two reasons. First, these threats create exploitation frameworks in which a master threat enables “plug and play” attacks, allowing subordinate threats to launch distinct attacks within the same exploit. Second, composite threats operate on an increased number of attack vectors: they can target a range of services on a variety of systems, and so can try a multitude of “keys” in an attempt to gain access to targeted systems.

Upping the Ante with Zero-Day Attacks
Composite blended threats are increasingly surfacing as “zero-day” attacks, which can be defined as “a virus or other exploit that takes advantage of a newly discovered hole in a program or operating system (OS) before the software developer has made a fix available – or before they’re even aware the hole exists.” On an individual user’s desktop, a zero-day attack can halt personal productivity. Unleashed across the backbone of global networks, zero-day attacks can literally stop all business transactions, directly causing lost time, money and productivity.

Today, information security professionals seek supplemental, authoritative intelligence to help defend their networks from an expanding universe of blended threats that can strike with zero-day immediacy.

It Starts with a Fingerprint
Fingerprints are behaviour-based attack profiles created by ASERT, using a combination of automated data collection methods and interpretive expertise. Fingerprints inspect network traffic flows and classify a series of seemingly unrelated events as a single composite threat, letting administrators identify these attacks immediately rather than having to correlate a series of disparate alerts by hand.

Each fingerprint details the identified threat by including packet-level analyses, a description of the representative traffic the fingerprint looks for, and affected hardware and software platforms.

Fingerprints are applied to flow-level baseline data, such as that generated by Cisco Systems’ NetFlow or Juniper Networks’ sFlow, or to raw packet data. Our systems compare network traffic against these baselines to identify anomalous traffic. We then use this information to update Active Threat Feed (ATF) fingerprints so that they continuously address changing security threats, including zero-day attacks that endanger network performance, stability and security. ATF fingerprints can detect, among other things:

Rapidly propagating multi-faceted malware
Distributed denial of service (DDoS) attacks
Botnet army participants
Employee misuse
Phishing targets
Network instabilities

With each ATF fingerprint, we include detailed mitigation strategies, which may include host- and/or network-based configuration changes, host security updates, or application or OS patching requirements. Using the “Show Relationships” feature, administrators can identify the affected hosts within the network and generate appropriate rules for the security devices protecting it, such as firewalls, routers or switches.
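As an added illustration, not part of this page or of the ATF product, the following Python sketch shows how flow records can be correlated into the scan, targeted-exploitation and malware-drop stages described above, so that three otherwise disparate alerts surface as one composite threat. The internal address range, the thresholds and the NetFlow-style records are all constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")  # assumed internal address space

# Constructed NetFlow-style records: (timestamp, src, dst, dst_port, packets, bytes).
# 198.51.100.7 plays the external attacker; 203.0.113.9 the external malware host.
FLOWS = [
    # stage 1: multi-vulnerability scan, one packet per (host, port) pair
    *[(100 + i, "198.51.100.7", f"10.0.0.{h}", p, 1, 60)
      for i, (h, p) in enumerate([(1, 22), (1, 445), (2, 80), (2, 445), (3, 135),
                                  (3, 3306), (4, 445), (4, 22), (5, 3389), (5, 80)])],
    # stage 2: targeted exploitation, a sustained session to one scanned host
    (130, "198.51.100.7", "10.0.0.4", 445, 40, 18000),
    # stage 3: malware drop, the victim pulls a large payload from outside
    (140, "10.0.0.4", "203.0.113.9", 80, 25, 310000),
    # ordinary outbound web traffic that must not be correlated into the threat
    (150, "10.0.0.20", "203.0.113.50", 443, 30, 40000),
]

def is_internal(ip):
    return ip_address(ip) in INTERNAL

def composite_threats(flows, scan_min=8, session_pkts=10, drop_bytes=100_000):
    """Correlate scan, exploitation and malware-drop stages per external source,
    reporting them together (fingerprint style) instead of as separate alerts."""
    probes = defaultdict(set)  # external src -> {(internal dst, dport)} probed
    for _, src, dst, dport, pkts, _ in flows:
        if not is_internal(src) and is_internal(dst) and pkts <= 2:
            probes[src].add((dst, dport))
    report = {}
    for attacker, targets in probes.items():
        if len(targets) < scan_min:
            continue  # too few distinct probes to count as a scan
        scanned_hosts = {dst for dst, _ in targets}
        # exploitation: a real session from the scanner to a host it probed
        victims = {dst: ts for ts, src, dst, _, pkts, _ in flows
                   if src == attacker and dst in scanned_hosts and pkts >= session_pkts}
        # malware drop: a victim later downloads a large payload from outside
        drops = sorted((src, dst) for ts, src, dst, _, _, nbytes in flows
                       if src in victims and ts > victims[src]
                       and not is_internal(dst) and nbytes >= drop_bytes)
        report[attacker] = {"scanned": len(targets), "exploited": sorted(victims),
                            "malware_drops": drops,
                            "composite": bool(victims and drops)}
    return report
```

Thresholds such as `scan_min` would in practice be derived from the traffic baseline rather than fixed constants, which is the point of comparing against baseline data in the first place.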

Copyright © 2007 REACT Technologies Ltd, part of REACT Group PLC. All rights reserved.