Thursday, April 14, 2011


Team Cymru defines a darknet as "a portion of routed, allocated IP space in which no active services or servers reside". Darknets, as it turns out, are an analytical goldmine. Why is this, you ask? The answer has to do with signal-to-noise ratio.

Since there are no legitimate services or servers on "dark" portions of the network, all the traffic destined for the darknet becomes suspect and therefore analytically interesting. For example, consider an aggregate analytic that looks at the top destination ports for inbound TCP traffic by number of sessions. If we were to look at traffic across the whole network, we would probably get something like this after running our analytic:

Port | Session Count
80 | #######
53 | #######
25 | #######

Not surprisingly, we see that our routine web, DNS (yes, even DNS over TCP), and SMTP traffic (all necessary and expected for normal business operations) would top the list. In this case, standard business traffic is the noise that hides the signal of the suspicious/malicious traffic. Could we somehow lower the noise to make the signal jump out at us? Yes -- through the power of darknet!

What happens, however, if we look at the same aggregate analytic, but now restrict it to look only at traffic destined for our darknet? That's where we might get a more interesting result:

Port | Session Count
5678 | #####

Why would we have traffic inbound to TCP port 5678 (which I chose purely for illustrative purposes)? I don't know why, but I do know that what we now have is a jumping off point. Is someone attempting reconnaissance of our network? If they are, what are they looking for? Do we have other systems communicating with the outside world on that port that we never noticed before? These questions and others would need to be answered by network traffic analysis via deep-diving into the data with the end result of determining the true nature of the traffic.

So, this is just a quick example of traffic analysis triggered via a darknet-provided jumping off point. Hopefully it has helped to illustrate the broader power of the darknet. Darknets are truly an analytical goldmine.
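As an added example (not code from the original post), here is the whole-network versus darknet-only "top destination ports by session count" aggregate described above, run over constructed flow records. The darknet prefix 198.51.100.0/24, the record layout and the port 5678 probes are all assumptions made for the illustration:

```python
import ipaddress
from collections import Counter

# Assumed darknet prefix (not from the post): routed and allocated, but no
# server or service is supposed to answer there, so every session to it is suspect.
DARKNET = ipaddress.ip_network("198.51.100.0/24")

# Constructed sample flow records, one TCP session each: (src_ip, dst_ip, dst_port).
SAMPLE_FLOWS = (
    [(f"203.0.113.{i}", "192.0.2.5", 80) for i in range(10, 15)]      # 5 web sessions
    + [(f"203.0.113.{i}", "192.0.2.7", 53) for i in range(20, 24)]    # 4 DNS over TCP
    + [(f"203.0.113.{i}", "192.0.2.8", 25) for i in range(30, 34)]    # 4 SMTP
    + [("203.0.113.99", f"198.51.100.{h}", 5678) for h in (7, 9, 40)] # 3 darknet hits
    + [("203.0.113.42", "198.51.100.3", 80)]                           # 1 darknet hit on 80
)


def in_darknet(ip, darknet=DARKNET):
    return ipaddress.ip_address(ip) in darknet


def top_dst_ports(flows, darknet_only=False, n=3):
    """Session count per destination port, highest first. With darknet_only
    the aggregate is restricted to sessions whose destination is in DARKNET."""
    counts = Counter(
        port for _src, dst, port in flows if not darknet_only or in_darknet(dst)
    )
    return counts.most_common(n)


def darknet_sources(flows, port):
    """Distinct sources that touched the darknet on the given port: the
    list you pivot to when a port like 5678 shows up in the darknet table."""
    return sorted({src for src, dst, p in flows if p == port and in_darknet(dst)})


def render(rows):
    """Render (port, count) rows the way the post draws them: one '#' per session."""
    return ["Port | Session Count"] + [f"{port} | {'#' * count}" for port, count in rows]


if __name__ == "__main__":
    print("\n".join(render(top_dst_ports(SAMPLE_FLOWS))))          # 80/53/25 dominate
    print()
    print("\n".join(render(top_dst_ports(SAMPLE_FLOWS, True))))    # 5678 jumps out
    print(darknet_sources(SAMPLE_FLOWS, 5678))
```

Over the full network the business ports hide the probe; restricted to the darknet, port 5678 is the only thing of note, and the source list is the first pivot for the follow-up questions.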

Thursday, April 7, 2011

Analytical Platform

Network traffic analysis plays an important role both in a successful network monitoring program and in an organization's overall information security posture. So why isn't it practiced more widely within the cyber security profession? Its newness and relative obscurity (until recently) is one reason for sure, but I'd argue that there is also another reason. As previously discussed (reference the post entitled "Making Analysis About Analysis"), analysis is often just too hard. Data is diverse, complex, and voluminous, and most of us have a hard time getting any kind of a useful handle on it. When we do have ideas of how to make sense of the data, the amount of data munging and custom coding required to move our ideas from conception to implementation is discouraging at best.

So how can we best enable analysts to create new analytical techniques? I believe that analysts need to be provided with an analytical platform that allows them the freedom to quickly and easily develop, test, and implement new analytical techniques without the hassles of data munging and data manipulation. In other words, the analytical platform should abstract the data, providing the analyst with an intuitive way to interact with the data. Additionally, the analytical platform should allow the analysts to seamlessly interact with the results of their analytical queries as they conduct their investigation.

For many years, I have dreamed of such a capability. The good news is that there are now products and technologies coming onto the market that begin to address this need. Hear, hear!

Wednesday, April 6, 2011


As the world awakens to the need for network monitoring, training will be an area we'll need to take a look at and put some effort into. The threat against us and the operational challenges confronting us are real. The network traffic analysis skill set, once an obscure, niche skill set, will need to be something we can rapidly imbue cyber security professionals with. There are a few challenges here:
  1. There isn't a great deal of literature/background reading on the topic.
  2. There aren't specialized training classes that a cyber security professional can enroll in to gain this skill set per se.
  3. It turns out that it's often quite hard to do analysis for a number of reasons (reference an earlier post entitled "Making Analysis About Analysis").

For point 1, I'm looking to my recent ISSA Journal article, along with articles (past, present, and future) from others in the field to form the beginnings of a knowledge base for the industry. I envision this knowledge base growing over time to provide the necessary background material for those new to the network monitoring field.

Regarding point 2, I'm hoping that the various different cyber security training institutions/organizations that exist will begin to form curricula around the topic of network monitoring/network traffic analysis. I see this as necessary, since those organizations have trained and will continue to train a large number of professionals in the field.

On point 3, I'm looking to technology to help. There are emerging products and technologies that will address this point by providing an analytical platform upon which network monitoring/network traffic analysis techniques can be developed without all the frustrations of "fighting with the data" that are commonplace today.

There is some work that we as a community need to do here. I am optimistic that we will together rise to the challenge. The time has come to get to work.

Friday, April 1, 2011

ISSA Journal Article

I was fortunate enough to have an article I wrote on a methodology for network traffic analysis published in the April ISSA Journal. The article lays out the jumping off points approach and gives some practical techniques for monitoring an enterprise network. Here is the abstract from the article:

"This article describes practical techniques for the cyber security professional to efficiently sift through the voluminous amounts of network data. These techniques leverage different views of the data to discern between patterns of normal and abnormal behavior and provide tangible jumping off points for deeper investigation."

If you are interested, give it a read and share your thoughts!