In June of 2019, the NASA Office of Inspector General released a report revealing that in April of 2018, a cyberattack occurred that resulted in the compromise of data related to Mars missions.

A hacker accessed the Jet Propulsion Laboratory (JPL) network in Pasadena, CA by targeting a Raspberry Pi device that was not authorized to be attached to the JPL network. Going undetected for 10 months, the attacker exfiltrated approximately 500 megabytes of data from 23 files, 2 of which contained International Traffic in Arms Regulations information related to the Mars Science Laboratory mission.

JPL uses its Information Technology Security Database (ITSDB) to track and manage the physical assets and applications on its network; in this case, however, the Raspberry Pi was attached to the network without the required Office of the Chief Information Officer (OCIO) review and approval, so the inventory had no record of it. It seems somewhat ironic that an organization that works with some of the most advanced technology in the world was foiled by a simple credit card-sized piece of consumer hardware.

Simple technology can have a powerful impact when used the wrong way.

This event illustrates one way that an attacker and security threat can go undetected – patience. It also emphasizes the need to capture information on connectivity and communication for any and all devices, not just a select few. Moving 500 megabytes over the course of 10 months works out to roughly 1.7 megabytes a day, which certainly isn't going to result in a device appearing on a Top-N report. But the fact is the same technology that has been used for over two decades to produce Top-N reports has the potential to tell you:

  • You have an unauthorized device on your network
  • Where it’s connected
  • Who it’s communicating with

What is that technology? Flow data. That's right, our tried and true friend that has been around since Cisco introduced NetFlow in 1996 and that is now also exported in standardized form as IPFIX. But wait, you may be saying, flow data is used for "counts and amounts" for my top conversations and protocols, not to provide in-depth details on connectivity and communication for insignificant amounts of traffic.

While that may have been true in the past, like many technologies, flow data has evolved as a data source and can now serve as the foundation for so much more, including threat and security insight. For example, NetFlow v9 and IPFIX templates can carry the source and destination MAC addresses and the ingress interface index of each flow; mapping that interface index to a switch port turns a flow record into a statement of where the device is physically plugged in. One caveat a practitioner should keep in mind: the MAC fields are only meaningful when the exporter is the first-hop switch, and a MAC address can be cloned, so the port location is the more reliable of the two.

[Figure: Flow records augmented with MAC addresses and physical connectivity information]

With proper collection, storage, reporting, and visualization techniques, flow data can be used to show you every conversation that every device is having on your network, even if it is a tiny device generating a tiny amount of traffic.

[Figure: Visualize every conversation from every device]

The key is enriching this data set, not pruning and summarizing it until all forensic value is lost.
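To make the two points above concrete (every device's conversations are visible in enriched flow data, and pruning to Top-N destroys exactly the records that matter), here is an added example written for this article. It is not VIAVI code and not anything from the NASA OIG report; the flow records, asset inventory, switch-port table, field names and the figure of about 1.7 MB per day are all constructed to mirror the incident's shape, and the field names (`src_mac`, `ingress_if`, `exporter`) are assumptions chosen to resemble what a NetFlow v9 or IPFIX exporter can carry rather than any vendor's schema. The example joins each record against an inventory of approved MAC addresses (standing in for the ITSDB), reports where any unregistered device is connected, who it talks to and how much it has moved, and then shows that the same join finds nothing once a collector has kept only each day's Top-N talkers.

```python
"""Hunting an unregistered device in MAC/port-enriched flow records.

Added example, not the article's or VIAVI's code. All data below is
constructed sample data; the field names are assumptions, not a vendor schema.
"""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    day: int          # day index within the collection window (constructed)
    exporter: str     # switch/router that exported the record
    ingress_if: int   # ingress interface index (ifIndex) on the exporter
    src_mac: str      # source MAC as seen by the first-hop exporter
    src_ip: str
    dst_ip: str
    dst_port: int
    bytes_out: int


# Constructed asset inventory: MACs with an approved review entry (the ITSDB role).
INVENTORY = {
    "00:11:22:aa:00:01": "ws-001 (approved)",
    "00:11:22:aa:00:02": "build-server (approved)",
}

# Constructed switch-port mapping so (exporter, ifIndex) resolves to a location.
PORTS = {
    ("sw-lab-3", 17): "Bldg 180, lab 3, port 17",
    ("sw-lab-3", 18): "Bldg 180, lab 3, port 18",
    ("sw-core-1", 2): "core uplink",
}


def sample_flows(days: int = 300) -> list[Flow]:
    """Constructed window: two busy approved hosts plus one quiet device whose
    MAC is not in the inventory, leaking ~1.7 MB/day (about 500 MB over 300 days).
    b8:27:eb is the Raspberry Pi Foundation OUI; 203.0.113.9 is a documentation address."""
    flows = []
    for d in range(days):
        flows.append(Flow(d, "sw-core-1", 2, "00:11:22:aa:00:02",
                          "10.1.0.20", "10.1.0.50", 443, 400_000_000))
        flows.append(Flow(d, "sw-lab-3", 17, "00:11:22:aa:00:01",
                          "10.1.3.11", "10.1.0.50", 445, 50_000_000))
        flows.append(Flow(d, "sw-lab-3", 18, "b8:27:eb:12:34:56",
                          "10.1.3.77", "203.0.113.9", 443, 1_700_000))
    return flows


def top_n(flows: list[Flow], n: int = 2) -> list[str]:
    """Classic Top-N talkers by bytes over the whole window: what dashboards show."""
    totals: dict[str, int] = defaultdict(int)
    for f in flows:
        totals[f.src_ip] += f.bytes_out
    return sorted(totals, key=totals.get, reverse=True)[:n]


def unauthorized_devices(flows: list[Flow], inventory=INVENTORY, ports=PORTS) -> dict:
    """Join every record against the inventory. Any source MAC without an entry is
    reported with its physical location, its peers, its byte total and its active span."""
    report: dict[str, dict] = {}
    for f in flows:
        if f.src_mac in inventory:
            continue
        r = report.setdefault(f.src_mac, {
            "location": ports.get((f.exporter, f.ingress_if), f"{f.exporter}/if{f.ingress_if}"),
            "peers": set(), "bytes": 0, "first_day": f.day, "last_day": f.day,
        })
        r["peers"].add((f.dst_ip, f.dst_port))
        r["bytes"] += f.bytes_out
        r["first_day"] = min(r["first_day"], f.day)
        r["last_day"] = max(r["last_day"], f.day)
    return report


def retain_only_top_n(flows: list[Flow], n: int = 2) -> list[Flow]:
    """Simulate a collector that stores only each day's Top-N talkers and discards
    the rest: the pruning that throws away the forensic value."""
    by_day: dict[int, list[Flow]] = defaultdict(list)
    for f in flows:
        by_day[f.day].append(f)
    kept: list[Flow] = []
    for day_flows in by_day.values():
        totals: dict[str, int] = defaultdict(int)
        for f in day_flows:
            totals[f.src_ip] += f.bytes_out
        keep_ips = set(sorted(totals, key=totals.get, reverse=True)[:n])
        kept.extend(f for f in day_flows if f.src_ip in keep_ips)
    return kept


if __name__ == "__main__":
    flows = sample_flows()
    print("Top-N talkers:", top_n(flows))  # the quiet device never appears here
    for mac, r in unauthorized_devices(flows).items():
        print(f"unregistered {mac} at {r['location']}: {r['bytes'] / 1e6:.0f} MB to "
              f"{sorted(r['peers'])} over days {r['first_day']}-{r['last_day']}")
    # Same query against a pruned store finds nothing.
    print("After Top-N pruning:", unauthorized_devices(retain_only_top_n(flows)))
```

The inventory join is what surfaces the device; the byte total only tells you how much it moved once you already have it in hand. Because a MAC can be cloned, the port location from the first-hop exporter is the field worth trusting most, and a MAC that appears behind two different ports at once is itself a finding.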

Simple technology can have a powerful impact when used the right way.

While your mission may not be Viking or Voyager, it should be visibility. If you’re just using flow data for Top-N reporting and hoping that will help you uncover suspicious or malicious behavior, that is Not A Solid Approach.

Learn more about how to leverage your infrastructure to create enriched flow records for security and threat insight.

About The Author

Ward Cobleigh, Sr. Product Manager for VIAVI Solutions, understands the balancing act between network ops and security that IT pros are facing today, along with the challenges they have in solving issues due to limited visibility and complexity. His experience in engineering, product management, design and marketing gives him a unique ability to cut to the heart of the problem and demonstrate solutions that give engineers a sigh of relief. He brings a refreshing bit of humor to the dry, technical topic of network performance management and security threat hunting.
