Inhalt
When detecting and analyzing potential security incidents within a company, IT security analysts draw on numerous log sources. These usually include information from servers and client systems, as well as anti-virus and firewall products. Another component is analyzing network traffic using an intrusion detection system (IDS) or a network security monitor (NSM).
In the following, different techniques are presented and their advantages and disadvantages are discussed.
What types of network monitoring are possible?
Network analysis tools are placed within the own infrastructure at transitions to the public network or at connections of different internal network areas and process the network traffic in real time. The data for this is usually provided by a network TAP (Test Access Point) or a SPAN (Switch Port ANalyser) port. The duplicated network traffic is thus passively processed and does not affect the active data stream. The tools used for processing can be divided into three categories, with each type of processing offering different advantages and disadvantages.
On the one hand, it is possible to record and analyze the entire network traffic with the help of full packet capture solutions, such as those provided by a network TAP. In doing so, all information is available to cyber defense analysts without loss and can accurately reflect what is happening on the network. However, this type of monitoring requires manual analysis and can be very time-consuming due to the mass of information. Furthermore, it must be taken into account that the volume of data to be recorded as well as the desired storage time of the information is limited due to the required capacity.
In contrast, network intrusion detection systems (IDS) can detect suspicious network communication with the help of previously defined rule sets. To do this, the tools compare the data stream in real time with the implemented rules and issue an alarm message if necessary. The message can then be further processed by a SIEM system. It should be noted that IDSs are usually focused on a signature-based detection approach and can only detect known attack paths. Furthermore, after the initial alert, a SIEM analyst has only limited information about the network connections at his disposal, which makes a qualified assessment of the alert difficult.
Another option is to use a network security monitor such as Zeek (formerly known as Bro) to monitor the internal network. This tool extracts numerous connection- and protocol-specific information from the incoming data stream and displays it in a structured way. Both through the protocol parsers and analysis scripts implemented in Zeek and through further processing of the data within a SIEM system, it is possible to detect potential attacks. In addition, the information collected makes it much easier for analysts to investigate alerts. In this respect, the information provided can be seen as a middle ground between a full-packet capture and the information content of an IDS alert. Also, extracting the information from the data stream provides for a manageable storage requirement, which allows the data to be preserved over a long period of time.
Where can network information help?
The network information provided gives cyber defense analysts deep insights into the traffic of their own infrastructure and can detect suspicious activity that would go undetected on client systems. Especially in the areas of command & control communication, data exfiltration or lateral movement, the data generated offers significant added value for initial detection of an attack as well as for subsequent analysis within the incident response process. But the possibilities of using the available network information for threat hunting or for checking one’s own infrastructure for known IoCs should not be ignored either.
Recent examples such as Sunburst (SolarWinds backdoor) or Log4Shell, a vulnerability in the Java logging framework Log4j, showed how important it is to collect network information of one’s own infrastructure. Detailed information, such as that provided by Zeek, can be used after such an IT security vulnerability has become known to check with just a few queries whether there have been any accesses to one’s own infrastructure in the past. It does not matter whether the available indicators are an IP address, domain, HTTP information, file hashes or similar. If the IoCs are not found in the network data during the analysis, it can be assumed with a high degree of probability that the company has not been affected by the cyberattacks in question. On the other hand, once found, the data provides a good starting point and numerous clues for an in-depth investigation of the incident.
Fig. 1: Due to the increasing networking of industrial control systems potential attackers
are increasingly able to penetrate industrial networks.
Another example of the use of a network monitor is in the area of operational technology (OT). Due to the increasing networking of industrial control systems as well as the integration of these into ERP systems or the possibility of remote access, potential attackers can also penetrate industrial networks with increasing frequency. An analysis of the network traffic helps to maintain visibility in these segments of the network. At the same time, control systems are not affected by passive analysis of the data stream. Protocol parsers for SCADA* specific protocols such as Modbus, Profinet or S7comm can also provide further insight into network behavior.
How is network monitoring established?
As described at the beginning, network analysis tools are placed at transitions of different network areas. Therefore, the interface between internal and public network should be chosen as the first point of deployment. When placing the sensor, care must be taken to ensure that internal (local) IP addresses are retained and are not changed by an upstream NAT (Network Address Translation) or proxies. This choice of location makes it possible to detect external communication and attacker behavior such as command & control or exfiltration. The visibility of the local addresses offers a direct assignment of the connections to systems in the own network. In a further implementation step, network analysis tools can be placed between different internal network segments to detect lateral movement or discovery activities.
SECUINFRA cooperates with the company Corelight Inc. in the implementation of network monitoring, which provides various sensors with an installation of Suricata and Zeek. The combination of both systems allows on the one hand a comprehensive detection of known attack vectors via signatures as well as a multitude of further information for analysis. Corelight also provides numerous extension scripts for Zeek to detect attacks based on anomaly or behavioral analysis. This includes, for example, the detection of command & control communication or the analysis of metadata within encrypted communication to draw conclusions about the use of an SSH or VPN connection. Corelight sensors can be installed in various network environments as cloud, software or hardware sensors.
*Supervisory control and data acquisition systems
Conclusion
Network infrastructure monitoring is an important addition to existing monitoring measures. It complements the information provided by a SIEM system in addition to the analysis of server and client systems, security tools and threat intelligence data. Only with details in all areas is it possible to effectively detect potential security incidents in advance or quickly resolve existing compromises.
Ready to increase your IT security with a network monitoring solution? Then contact us – we will be happy to advise you!
