Cyber intelligence officials need data mining capabilities to track the malicious activity on global transport networks requires
By Mike Seidler, Product Marketing Manager, NetQuest Corp.
Global optical transport networks have a little-known secret that keeps cybercriminals up at night: It’s called analytics. Every time an attack is launched, whether it is theft of Equifax user data or one of an estimated 4,000 ransomware attacks that occur daily, malicious actors leave a trail of data that could be used to uncover their activities. Analytics derived from the physical transport network can be employed to give cyber threat hunters an advantage in collecting this data.
Cyber intelligence officials often don’t see the data that could identify criminal activity because it is typically obscured by contemporary monitoring methods that strip away and discard information that could be used to locate the malicious activity.
Additionally, rapid technology changes occurring across long-haul transport networks are making it more difficult to search for cyber threats. As transmission speeds accelerate and the volume of traffic expands exponentially, it further impedes efforts to gain real-time visibility across all of the pipes that feed into modern optical transport networks.
That could all change as analytics and orchestration take a large role in network access and monitoring technology. Providing greater information on where and when attacks occur could lead to the type of intelligence that turns the table on cyber terrorists.
Modern cyber intelligence applications hunt down aggressors and malicious activity. Successful solutions should proactively and iteratively search through networks or datasets to discover and react to advanced threats that evade traditional rule or signature-based security solutions.
This search starts with comprehensive traffic visibility because cyber intelligence agents cannot find what they cannot see. Trained cyber analysts will rely on automated tools that correlate information from data collected across multiple platforms to provide actionable intelligence. A combination of skilled professionals and capable tools provides the necessary backdrop for successful threat hunting.
Ignored in most monitoring applications, each signaling protocol layer on the optical network contains information identifying the carrier responsible for transport as well as detailed geographical information that could identify the physical source or destination of the monitored traffic flow. As cyber intelligence agents try to gain an advantage in finding criminals who perpetrate network attacks, they will find that complementing traditional IP flow information with an extra layer of optical network analytics opens new opportunities to enhance threat detection. Here are a few examples of information extracted directly from the optical transport network:
• Telecom carrier ID: AT&T, Vodafone, Verizon, Oi, or other;
• Network fiber ID: for example, “Verizon_seattle_lax_345”;
• Optical wavelength: for example, ITU channel 16 or other;
• Signal type: STM-64, 100GbE, OTU4, other;
• Geolocation and path ID: for example, Russia to Brazil;
• Transport protocol: GFP, POS, Ethernet, etc.;
• Traffic volume – changes in traffic patterns may be an indicator of network misuse.
Discovery starts by analyzing each of these data points across an entire monitored network or unique network segments. These network parameters can be used to characterize the optical network and may be tracked over time to gather historical trends over days, weeks, months or years.
With access to current and historical information, network monitoring applications can identify a baseline for how the network is expected to operate. More importantly, it presents the opportunity to detect abnormal network behavior and provide early warning of a network attack or threat. This visibility is provided through the collection of data across the network by orchestrating the monitoring tools used to access each optical transport layer. The data can be used to expose network trends, unusual events and provide comprehensive, real-time understanding of the monitored network.
By providing continuous visibility through complex multi-layer transport networks, this advanced cyber threat-hunting capability offers automated responses to network provisioning changes and removes the need for costly on-site engineers and additional equipment.
The application of analytics in this situation offers flexible alarm reporting where an end-user can create thresholds based on various network parameters including traffic types, transport overhead information and monitored traffic bandwidth. Each threshold setting can be used to trigger alarms notifying surveillance operations centers of configuration changes to the monitored network. Armed with this information, cyber intelligence agents can then initiate the appropriate response.
Additionally, there is also the option to export analytics data for further analysis. Correlating the metadata extracted from optical network analytics with standard IP flow analysis provides a complete picture of the network across all layers: from the physical network to the application data.
Modern cyber intelligence missions require comprehensive optical network analytics to pair with their current cybersecurity tools to conduct real-time and in post-mortem analysis to best protect networks from future attacks.
Cyberwarfare has clearly become more dangerous as it matures. Enterprises and government agencies are increasingly seeking improved methods for identifying threats by using data from advanced network monitoring applications.
However, cyber intelligence tools focused only on IP traffic analysis often miss valuable information from the physical transport network. Use of progressive optical network analytics can reveal anomalies that can enhance cyber threat hunting tasks. Cyber intelligence missions are pairing these comprehensive optical network analytics with current cybersecurity tools to maximize success.
About the Author
Mike Seidler is a senior product manager for NetQuest Corporation where he directs the development of the company’s automated intercept access and intelligent monitoring solutions.
Prior to his current position, he was a product manager for ARRIS and a principal hardware engineer for Motorola.
Mike can be reached at firstname.lastname@example.org and via NetQuest’s corporate website at http://www.netquestcorp.com/.