Analytics HDRs in a Network Flow

Published on July 7th, 2016 | by Tony Thompson

WTHeck is an HDR?

High-Definition Records (HDRs) are SS8’s answer to the lack of total network visibility in today’s enterprise. As both networks and attacks on those networks have become more sophisticated, you simply can’t rely on basic flow information from NetFlow or its equivalents to tell you if your network has been breached.

The HDRs generated by SS8 BreachDetect offer an unprecedented level of detail about network sessions because they represent what’s happening on the network at the transaction, flow and session levels, not just the flow level. HDRs improve on basic network and flow statistics by adding an application metadata layer, supplementing network data and flow stats with rich layer 7 information that greatly increases an enterprise’s visibility into network traffic.

But why is it so important to have access to layer 7 information instead of just layer 3 or 4?

Let’s take a look at an email session: a single flow can carry multiple messages, each making up a transaction between the client and the server. NetFlow can’t distinguish between these multiple transactions, and at best will provide a summary of the entire flow. This means you would miss out on valuable information that HDRs generate, such as To, Cc, From, and Subject fields, as well as information about any attachments.

HDRs Carry More Insight

Now, imagine these emails are being sent through your corporate network. On the server is an email waiting to be downloaded. This particular email is a spear phishing attack containing a malicious attachment. An HDR would be able to flag it as a threat, after analyzing the attachment’s MD5 hash value and finding that it matched an Indicator of Compromise (IoC) reported by a threat feed. With a NetFlow record, all you’d be able to see is that an email was downloaded, and 243 days later, you’ll realize you’ve been breached.
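To make the difference between a flow summary and a per-transaction record concrete, here is an added example (my own code, not SS8's and not taken from the post). It assumes a constructed client-side SMTP transcript in which one TCP connection carries two messages, splits it into per-message records with the From, To, Cc and Subject fields and any attachments, hashes each attachment and checks the MD5 against a constructed IoC set. The attachment content and the IoC hash are stand-ins chosen for the example; the "flow record" function shows the little a NetFlow-style summary can report for the same bytes.

```python
import email
import hashlib
from email import policy

# Constructed sample: one TCP connection (one flow) carrying two SMTP
# transactions. Server replies are omitted; only the client side is shown.
# The "invoice.exe" payload is the three bytes "abc" (base64 "YWJj"), a
# harmless stand-in, not real malware.
SMTP_SESSION = """EHLO workstation.example.internal
MAIL FROM:<alice@example.internal>
RCPT TO:<bob@example.internal>
DATA
From: alice@example.internal
To: bob@example.internal
Cc: carol@example.internal
Subject: Lunch on Friday?
Content-Type: text/plain

Shall we try the new place?
.
MAIL FROM:<invoices@example-supplier.test>
RCPT TO:<bob@example.internal>
DATA
From: invoices@example-supplier.test
To: bob@example.internal
Subject: Overdue invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see attached.
--b1
Content-Type: application/octet-stream; name="invoice.exe"
Content-Disposition: attachment; filename="invoice.exe"
Content-Transfer-Encoding: base64

YWJj
--b1--
.
QUIT
"""

# Constructed threat-feed entry: MD5 of the stand-in payload "abc".
IOC_MD5 = {"900150983cd24fb0d6963f7d28e17f72"}


def flow_record(session):
    """What a NetFlow-style record can say about the connection: one entry,
    byte count only, no idea how many messages it carried."""
    return {"proto": "tcp", "dst_port": 25,
            "bytes": len(session.encode()), "transactions": "unknown"}


def split_transactions(session):
    """Return each message body sent between DATA and the lone '.' line,
    undoing SMTP dot-stuffing on the way."""
    messages, current, in_data = [], [], False
    for line in session.splitlines():
        if in_data:
            if line == ".":
                messages.append("\n".join(current))
                current, in_data = [], False
            else:
                current.append(line[1:] if line.startswith("..") else line)
        elif line.strip().upper() == "DATA":
            in_data = True
    return messages


def hdr_records(session, ioc_md5=IOC_MD5):
    """One HDR-style record per transaction: header fields, attachment
    names and hashes, and whether any hash matches a known IoC."""
    records = []
    for idx, raw in enumerate(split_transactions(session), start=1):
        msg = email.message_from_string(raw, policy=policy.default)
        attachments = []
        for part in msg.walk():
            if part.get_content_disposition() != "attachment":
                continue
            payload = part.get_payload(decode=True) or b""
            digest = hashlib.md5(payload).hexdigest()
            attachments.append({"filename": part.get_filename(),
                                "md5": digest, "ioc_match": digest in ioc_md5})
        records.append({
            "transaction": idx,
            "from": msg["From"], "to": msg["To"],
            "cc": msg["Cc"], "subject": msg["Subject"],
            "attachments": attachments,
            "flagged": any(a["ioc_match"] for a in attachments),
        })
    return records


if __name__ == "__main__":
    print("flow view :", flow_record(SMTP_SESSION))
    for rec in hdr_records(SMTP_SESSION):
        print("HDR view  :", rec)
```

Run as-is, the flow view is a single byte count, while the HDR view yields two records, the second carrying the attachment name, its hash and an IoC hit. A production system would hash with a stronger digest as well and match against a feed rather than a literal set, but the shape of the enrichment is the same.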

HDRs can also be used to detect and report obfuscated protocols like Tor, which is designed to be difficult to detect on a network, because the application metadata they carry covers such protocols as well. Combined with flow statistics such as byte counts, this makes it possible to determine how much data is entering or exiting the network over that protocol. For instance, large amounts of outbound Tor traffic could indicate that the protocol is being used as a data transport to exfiltrate confidential files.

Beyond what’s discoverable from the flow itself, HDRs are also enriched with user, device and host identity, as well as geolocation. Because IP addresses are often dynamically assigned, identity mapping makes it possible to associate a network session with the specific user and device behind it and to follow that user’s activity on the network. Connections to IP addresses in countries not ordinarily seen on the network may also warrant attention, especially if the protocol classified by the HDR is suspicious.
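The two preceding paragraphs describe three enrichment and detection steps: mapping a dynamically assigned address to a user and device by time, summing outbound bytes for a protocol classified as Tor, and flagging destinations in countries the network does not usually talk to. The following added example (my own code, not SS8's) does all three over constructed input. It assumes a DHCP lease history and a prefix-to-country table as stand-ins for an identity source and a geolocation database, timestamps expressed as minutes since midnight, and a volume threshold chosen for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed DHCP lease history. The same address serves two users during
# the day, so the identity behind a flow depends on when the flow happened.
LEASES = [
    {"ip": "10.0.5.21", "user": "alice",   "device": "LAPTOP-A1",  "start": 480, "end": 600},   # 08:00-10:00
    {"ip": "10.0.5.21", "user": "mallory", "device": "LAPTOP-M7",  "start": 660, "end": 1020},  # 11:00-17:00
    {"ip": "10.0.5.40", "user": "bob",     "device": "DESKTOP-B2", "start": 0,   "end": 1440},  # all day
]

# Constructed stand-in for a geolocation database (documentation prefixes).
GEO = [
    (ip_network("192.0.2.0/24"),     "US"),
    (ip_network("203.0.113.0/24"),   "DE"),
    (ip_network("198.51.100.0/24"),  "BR"),
]
# Countries this network ordinarily talks to (constructed baseline).
BASELINE_COUNTRIES = {"US", "DE"}

# Constructed HDR-style records: the "app" label stands for the layer-7
# classification, "bytes_out" for the flow's client-to-server byte count.
FLOWS = [
    {"minute": 500, "src": "10.0.5.21", "dst": "192.0.2.10",   "dport": 443,  "app": "https", "bytes_out": 12_000},
    {"minute": 700, "src": "10.0.5.21", "dst": "198.51.100.7", "dport": 9001, "app": "tor",   "bytes_out": 80_000_000},
    {"minute": 710, "src": "10.0.5.21", "dst": "198.51.100.9", "dport": 443,  "app": "tor",   "bytes_out": 45_000_000},
    {"minute": 720, "src": "10.0.5.40", "dst": "203.0.113.5",  "dport": 9001, "app": "tor",   "bytes_out": 300_000},
    {"minute": 730, "src": "10.0.5.40", "dst": "192.0.2.20",   "dport": 443,  "app": "https", "bytes_out": 5_000},
]


def resolve_identity(ip, minute, leases=LEASES):
    """Return (user, device) holding `ip` at `minute`, or (None, None)
    when no lease covers that time (a gap worth noting, not guessing)."""
    for lease in leases:
        if lease["ip"] == ip and lease["start"] <= minute < lease["end"]:
            return lease["user"], lease["device"]
    return None, None


def geolocate(ip, geo=GEO):
    """Longest-prefix lookup is overkill for the toy table; first match wins."""
    addr = ip_address(ip)
    for net, country in geo:
        if addr in net:
            return country
    return None


def enrich(flows=FLOWS):
    """Attach user, device and destination country to each flow record."""
    enriched = []
    for flow in flows:
        user, device = resolve_identity(flow["src"], flow["minute"])
        enriched.append({**flow, "user": user, "device": device,
                         "dst_country": geolocate(flow["dst"])})
    return enriched


def tor_exfil_candidates(enriched, threshold_bytes=50_000_000):
    """Sum outbound bytes of Tor-classified flows per (user, device) and
    return the pairs at or above the threshold."""
    totals = defaultdict(int)
    for rec in enriched:
        if rec["app"] == "tor":
            totals[(rec["user"], rec["device"])] += rec["bytes_out"]
    return {who: total for who, total in totals.items() if total >= threshold_bytes}


def unusual_destinations(enriched, baseline=BASELINE_COUNTRIES):
    """Flows to countries outside the baseline; the caller can then weigh
    the protocol label (here, Tor) when deciding whether to escalate."""
    return [rec for rec in enriched if rec["dst_country"] not in baseline]


if __name__ == "__main__":
    records = enrich()
    print("Tor volume over threshold:", tor_exfil_candidates(records))
    for rec in unusual_destinations(records):
        print("unusual destination:", rec["user"], rec["dst"], rec["dst_country"], rec["app"])
```

In this data the 10.0.5.21 address is attributed to alice in the morning and to mallory in the afternoon, so the 125 MB of outbound Tor traffic lands on mallory's laptop rather than on whoever happens to hold the address when an analyst looks; bob's small Tor session to a baseline country stays below the threshold. The two flows to the BR prefix are both outside the baseline and both classified as Tor, which is the combination the text singles out for attention.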

Learn more about HDRs and how they can offer you better visibility into detecting and forecasting breaches on your network, by downloading our free whitepaper.
