Understand your international web traffic
- TAGS:enterprise, international, intrusions, security
- IT TOPICS:Cybercrime & Hacking, E-Business, Government & Regulation, Infrastructure Management, Macs & PCs, Networking Hardware
Many attacks are fairly easy to spot in the traffic patterns of a corporate network; deciding what to do about them is exceptionally hard. I thought of this when considering the task facing security organizations protecting against industrial theft, and government security teams as they exercise various cyber-attack scenarios, particularly given all of the recent rhetoric about state-sponsored efforts. It is good security practice to open a focused investigation whenever web-oriented traffic departs from its usual shape, such as a jump in web site traffic from a nation like China.
The first point is that security teams need to know what levels of traffic from foreign nations are normal for them. For instance, according to Alexa's audience metrics (under Site Info), www.IBM.com has almost as many visitors from China (17.7%) as it does from the USA (18.8%), with India taking bronze (12.3%). This may well be legitimate, depending on what you know of IBM's business and its web site architecture. However, www.websense.cn and www.websense.in exist for local users, yet Alexa still shows that 20% of www.websense.com visitors are from China and 8.9% are from India. By contrast, www.symantec.com's profile shows India (13.1%) sending more visitors than China (3.4%), with similar patterns for www.Pfizer.com (13.3% India; 5.4% China) and others. It is not clear whether any of this traffic is good, bad, or indifferent, but security should know the normal volume and application usage patterns for its own sites in order to detect attacks against them.
For a company with an international market presence, web site traffic from all corners of the globe is completely normal. Security teams should work with the network and application teams to establish that baseline, learn of deviations from it, and be prepared to investigate sensitive areas of the infrastructure for signs of intrusion. External audience-measurement services can help, but the best data probably already exists in internal systems, such as the web server and proxy logs.
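To make the "know what normal looks like" point concrete, here is an added example (not code from the original article) that computes the per-country share of requests in web server access logs, flags countries whose share has moved away from a measured baseline, and lists what a flagged country is actually requesting. The log lines, the IP-to-country table and the baseline shares are all constructed for the example; in production the table would be a GeoIP database and the baseline would come from your own historical logs.

```python
"""Country-share baseline check for web server access logs.

Added example, not code from the original article. It assumes combined
log format lines (Apache/nginx), a hand-built IP-to-country table that
stands in for a real GeoIP database, and a baseline share per country
that the team has already measured from past logs.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed lookup: RFC 5737 documentation prefixes assigned to
# countries purely for illustration. Use a GeoIP database in practice.
GEO_TABLE = [
    (ip_network("203.0.113.0/24"), "CN"),
    (ip_network("198.51.100.0/24"), "IN"),
    (ip_network("192.0.2.0/24"), "US"),
]

# Hypothetical baseline: share of requests per country on a normal day.
BASELINE = {"US": 0.5, "IN": 0.3, "CN": 0.2}

# Constructed sample: 10 parseable lines plus one malformed line.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Mar/2011:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Mar/2011:10:00:02 +0000] "GET /admin/login HTTP/1.1" 401 512 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [01/Mar/2011:10:00:03 +0000] "GET /products HTTP/1.1" 200 8831 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Mar/2011:10:00:04 +0000] "POST /admin/login HTTP/1.1" 401 512 "-" "Mozilla/5.0"',
    '192.0.2.22 - - [01/Mar/2011:10:00:05 +0000] "GET /products HTTP/1.1" 200 8831 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Mar/2011:10:00:06 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
    '#### log rotated ####',
    '203.0.113.7 - - [01/Mar/2011:10:00:07 +0000] "POST /admin/login HTTP/1.1" 401 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Mar/2011:10:00:08 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
    '203.0.113.12 - - [01/Mar/2011:10:00:09 +0000] "GET /products HTTP/1.1" 200 8831 "-" "Mozilla/5.0"',
    '192.0.2.31 - - [01/Mar/2011:10:00:10 +0000] "GET /support HTTP/1.1" 200 4102 "-" "Mozilla/5.0"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def country_of(ip):
    """Map a source address to a country code, "??" when unknown or invalid."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return "??"
    for net, cc in GEO_TABLE:
        if addr in net:
            return cc
    return "??"


def parse_line(line):
    """Return the fields of one combined-format line, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def country_shares(lines):
    """Fraction of parseable requests attributed to each country."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec:
            counts[country_of(rec["ip"])] += 1
    total = sum(counts.values())
    return {cc: n / total for cc, n in counts.items()} if total else {}


def deviations(observed, baseline, tolerance=0.15):
    """Countries whose share moved more than `tolerance` (absolute) from baseline."""
    flagged = {}
    for cc in set(observed) | set(baseline):
        base, obs = baseline.get(cc, 0.0), observed.get(cc, 0.0)
        if abs(obs - base) > tolerance:
            flagged[cc] = (base, obs)
    return flagged


def paths_by_country(lines, cc):
    """What a given country is actually requesting: the application-usage side."""
    paths = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and country_of(rec["ip"]) == cc:
            paths[rec["path"]] += 1
    return paths


if __name__ == "__main__":
    shares = country_shares(SAMPLE_LOG)
    for cc, (base, obs) in sorted(deviations(shares, BASELINE).items()):
        print(f"{cc}: baseline {base:.0%}, observed {obs:.0%}")
        for path, n in paths_by_country(SAMPLE_LOG, cc).most_common(3):
            print(f"    {n:3d}  {path}")
```

On the constructed sample, China's share rises from a 20% baseline to 50% and the path breakdown shows the extra volume is repeated failed logins against /admin/login rather than product pages, which is the kind of usage shift the article says security should be able to recognize. The tolerance is deliberately crude; a real deployment would compare against a rolling window and weight by request type, but the shape of the check is the same.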
Security may also look at application whitelisting or host intrusion prevention layers to toughen web-facing servers and endpoints against one-of-a-kind custom attacks. While those technologies cannot tell IT what the attack is, they can make it harder for an attack to burrow into the network by blocking or flagging attempts to change system files and settings. Attacks that evade signature and pattern-matching filters are inevitable, so security should deploy layers: host security technology that makes systems more resilient, and network security technology that detects command-and-control traffic.
Confidential information is a powerful incentive for attackers anywhere on the Internet. Security teams should recognize shifts in usage that may indicate intrusion attempts, and proactively scan and review configurations to catch and shut down an intrusion early.
