BGP Monitoring Protects Against Hijacking

Calendar icon 09-23-2020

Keep agency staff safe as they communicate across the internet


When you turn on the faucet to dispense water, unless the water is cloudy or discolored, you likely are not thinking about the route the water took to get to your sink during the 20 seconds you’re washing your hands.

The same can be said of user behavior on the open internet; most users go from one site to another without paying attention to where their data goes or what lurks underneath the data flow, leaving themselves vulnerable to attack from malicious actors.

“The moment you go to any website like Google or LinkedIn, you’re in the open internet and you’re vulnerable,” said Nancy Grady, Ph.D., SAIC chief data scientist.

To mitigate these malicious cyberattacks threatening government users, SAIC developed the Global Cyber Intelligence (GCI) service, which delivers the internet’s Border Gateway Protocol (BGP) data in near-real-time and augments it with analytics to identify when adversaries are attempting to attack. BGP is the routing protocol of the internet and directs the flow of internet traffic from one IP address to another as efficiently as possible. GCI alerts users to malicious or suspicious activity and provides timely bulletins, reports, and summary data for customers to monitor their BGP data and protect themselves from cyberattacks.

“You have absolutely no idea what happens to your data and information once it leaves your network. This tells you how your data routes across the internet,” Grady said.

Prioritizing protection

BGP attacks are increasing in frequency as attackers can easily disrupt data packets and interrupt communications. Adversaries use man-in-the-middle (MitM) tactics and other attack vectors to exploit BGP routing, impersonating trusted sources to obtain certificates, stealing data, adding malicious code to normal web traffic, and analyzing traffic to plan future attacks. They can even detour traffic through malicious networks or hijack traffic away from legitimate hosts to ones they control.

As these attacks proliferate, SAIC sees an opportunity to proactively defend forward. GCI collects data from enough peering points to cover the globe, making it the most holistic solution to deliver the entire internet’s BGP data. Government agencies that use CGI can see as much of the global network as they want with a delay of no more than 90 seconds. They can access our analytics apps on our hosted Splunk platform or port them into their host platforms.

Gray space muddles connections

Adversaries execute BGP attacks in what is called “gray space,” since it’s supposed to be neutral. When a typical internet user goes from one site to another — like Facebook to YouTube — the path from those two sites goes through gray space — space that is, in fact, proliferated with both benign and malicious cyberspace users.

“When we try to reach a website or send an email, we hand our communications off to our internet service providers. But they’re not managing your communications for security, they’re doing it for low cost,” Grady said. “It may cost less to route your traffic through an adversarial nation than through neutral service providers — and that’s how these attacks start.”

In fact, in 2020, SAIC conducted a proof-of-concept with a customer, demonstrating the value of GCI to provide the ability to see and defend the enterprise by identifying suspicious actions in gray space. SAIC identified multiple instances of malicious attacks against subnets, including the use of MitM attacks, prefix hijacking, and thousands of cases of data routing from a blacklisted country. Without SAIC’s visibility into the internet’s BGP data, these incidents may have gone undetected.

Machine learning identifies attackers

Attacks happen in split-seconds, so GCI uses machine learning (ML) to do what humans can’t and flag potentially malicious routes in microseconds.

“We can use machine learning to analyze broad internet-scale attacks involving many routes,” Grady said.

SAIC can also identify where attackers have inserted themselves into the routing metadata to influence which routes are used.

Through the insight that ML provides, cyber operators can rapidly counter attacks and disrupt our adversaries in a non-attributable way.


Global Cyber Intelligence Feature_body 1
Just like a plumber wants to know how water is flowing, SAIC makes sure government agencies know where their data is routing across the internet.

Critical privacy intelligence

With SAIC data visualization tools integrated into GCI, agencies can see how their data moves across the internet, which is vital for high-priority missions and holding internet service providers accountable for service agreements.

“This data gives you visibility,” Grady said. “If you find an attack attempt, you can mitigate the effects and hold your provider accountable and say, ‘Hey, stop routing our traffic through China.’”

GCI provides crucial intelligence for our customers to understand what adversaries are trying to do to their mission-critical data. GCI does not look at internal traffic, which is what most security efforts focus on for concerns like data loss prevention. But it does provide visibility into where customers are externally vulnerable to data loss and what is hitting them on the perimeter.

“When a plumber checks the pipes, they’re not looking at the water flow,” Grady said, “they’re looking at where the water is being routed. We want to make sure no one has an opportunity to slip something into that water.”


View our fact sheet to learn more about Global Cyber Intelligence and how it can improve your cybersecurity.


Request more information about GCI