Vol 13 No 3 Summer 2010
who are frequently running some form of reputable anti-virus or intrusion detection software. Information fusion among open and closed sources occurs now, without the cost of complex information sharing methodologies or large teams in fortified 24/7 operations centers. These are mostly unfunded systems using
or improvised tools, frequently within carrier operations centers—the last line of defense against cyber attacks. These
tools and processes are effective for their stakeholders by providing a primordial form of UI, by applying open and closed-source threat intelligence within network elements, such as switches and routers. The discussion to follow will seek to build up from these initial approaches for UI creation.
Cooking from Scratch
Rather than harvesting a bulk list of suspect IPs, domains and autonomous system numbers (ASNs) from open and closed sources, seed intelligence can be “cooked from scratch” through forensic processes where a degraded device is diagnosed and traced to external sources. Scratch sources often start with a single device exposing an external malicious entity, which under observation at the enterprise or, optimally, the carrier level, exposes its relationships with other malicious or compromised entities. The typical approach would begin with the identification of the device suspected of compromise. The network communication patterns and protocols of these devices are closely observed for relatively simple criteria, such as outbound destination, port and protocols, and especially the timing and traffic characteristics. Some of the most popularized UI investigations have started from scratch sources, such as the recent GhostNet research.
Open-source, closed-source, and scratch seed information needs to be aggregated, correlated, and combined with observations from various network elements to form UI and tools like “heat maps” of compromised internal and external devices, as revealed by what they are doing on the Internet at large—not through signature-based file inspection. At a minimum, four major information sources can be combined with seed information within carrier and service provider networks. This process generates much richer information about the activities, intentions, and operating modes of the compromised devices and threat agents. These information sources are: traffic flows, DNSs, messaging infrastructure and peer-to-peer (P2P) infrastructure.
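As an added illustration (not code from the article), the following Python sketches the correlation step just described: NetFlow-style records (source and destination IP, ports, protocol, ingress interface, type of service; no payload) are matched against a seed list drawn from open, closed and scratch sources to produce a heat map of internal devices that talk to suspect destinations or are probed by them. The address range, seed entries and flow records are constructed sample data.

```python
# Added example: correlating seed intelligence with NetFlow-style flow records
# to build a "heat map" of internal devices. All IPs and flows are constructed.
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.20.0.0/16")  # assumed customer address range

# Seed intelligence keyed by IP, tagged with the kind of source it came from.
SEEDS = {
    "203.0.113.7": "open-source blocklist",
    "198.51.100.9": "closed-source partner feed",
    "192.0.2.44": "scratch (forensic trace from a degraded device)",
}

# NetFlow v5-style tuples: src, dst, sport, dport, proto, ingress ifindex, tos
FLOWS = [
    ("10.20.1.5", "203.0.113.7", 51234, 443, 6, 3, 0),
    ("10.20.1.5", "203.0.113.7", 51240, 443, 6, 3, 0),
    ("10.20.1.5", "192.0.2.44", 51301, 6667, 6, 3, 0),
    ("10.20.9.8", "198.51.100.9", 40001, 80, 6, 3, 0),
    ("198.51.100.9", "10.20.9.8", 4444, 22, 6, 7, 0),
    ("198.51.100.9", "10.20.9.9", 4444, 22, 6, 7, 0),
    ("198.51.100.9", "10.20.9.10", 4444, 22, 6, 7, 0),
    ("10.20.3.3", "93.184.216.34", 50000, 443, 6, 3, 0),  # not a seed
]

def is_internal(ip):
    return ip_address(ip) in INTERNAL

def heat_map(flows, seeds):
    """Per internal host: outbound flow counts to seed IPs, and the set of
    destination ports each seed IP probed it on (inbound direction)."""
    heat = defaultdict(lambda: {"outbound": defaultdict(int),
                                "probed_by": defaultdict(set)})
    for src, dst, sport, dport, proto, ifindex, tos in flows:
        if is_internal(src) and dst in seeds:
            heat[src]["outbound"][dst] += 1
        elif src in seeds and is_internal(dst):
            heat[dst]["probed_by"][src].add(dport)
    return heat

def scanners(flows, seeds, min_targets=3):
    """Seed IPs that touched at least min_targets distinct internal hosts."""
    targets = defaultdict(set)
    for src, dst, *_ in flows:
        if src in seeds and is_internal(dst):
            targets[src].add(dst)
    return {ip: len(t) for ip, t in targets.items() if len(t) >= min_targets}

def rank(heat):
    """Order hosts by distinct suspect destinations, flow volume, probers."""
    rows = [(ip, len(o["outbound"]), sum(o["outbound"].values()),
             len(o["probed_by"])) for ip, o in heat.items()]
    return sorted(rows, key=lambda r: r[1:], reverse=True)
```

The ranking puts hosts that initiate contact with several seeds above hosts that were merely scanned, which is the distinction between a likely compromised device and a probed one that the text draws.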
Most, if not all, large carriers and service provider networks will employ systems for monitoring the flow of traffic through the network junction points, both internally and at borders with other providers. A typical means of doing this is with a proprietary, but widely supported protocol from Cisco called NetFlow. NetFlow allows providers to maintain a picture of traffic flows and volumes—basic tools for managing network quality and assurance. This information is also useful for understanding the threats posed by entities using the network for illicit and malicious purposes. Basic information supported by NetFlow includes source IP address, destination IP address, source port, destination port, IP protocol, ingress interface to the network, and some information about the type or quality of service associated with the traffic. NetFlow does not capture packets or payloads, and is not a content/media interception technology. Analysis on large carrier traffic flow statistics (NetFlow) is like a satellite view of road conditions—taking in an entire region or country at once with the ability to zoom down to very granular activities. Traffic flows can show ambiguous devices talking to suspicious destinations, and devices being scanned and probed from suspicious locations. However, traffic flow alone can be inconclusive because the Internet is