In the realm of cybersecurity monitoring and response, an organization's effectiveness hinges on its proficiency across all facets of the SOC Triad. The SOC Triad encompasses critical high-level elements of a fully functional SOC operation.
NDR "Network Detection & Response"
EDR "Endpoint Detection & Response"
SIEM "Security Information & Event Management"
A key component of the SOC Triad is NDR, or "Network Detection & Response." Properly implemented, NDR furnishes invaluable network telemetry that bolsters the capabilities of security monitoring systems such as SIEMs.
In this article, we'll delve deep into the corner of the SOC Triad dedicated to NDR. This comprehensive examination aims to shed light on various types of network data and elucidate their potential significance for cyber defenders. Throughout this discussion of NDR, we'll also use the term NSM, "Network Security Monitoring," interchangeably with the term NDR.
Types of NSM Data
Network analysis is a crucial tool for detecting malicious activity. There is a saying in the cybersecurity industry: "The network doesn't lie." The meaning is that sophisticated malware can go to great lengths to hide itself on the computer it resides on, but at some point it has to communicate on the network. Some key types of network evidence are:
Full Packet Capture - Notable examples of packet capture analysis tools are Wireshark (https://www.wireshark.org/) and NetworkMiner (https://www.netresec.com/).
Network Security Monitoring (NSM) Tools - These include both Signature-based Intrusion Prevention Systems (IPS), like Snort/Suricata, and Analyst-based IPS such as Zeek (https://zeek.org/).
Netflow - Metadata about network data flows.
Firewall Logs - Including both network-based and host-based firewall logs.
Proxy Logs - Web proxy server activities.
Computer/Server Network Transaction Logs - Recording network transactions on these systems.
WWW Transactions - Covering activities like Apache logs.
SMTP Transactions - Pertaining to email appliance/server interactions.
DNS Transactions - Documenting DNS server interactions.
Other Sources - Depending on specific network configurations.
Unlocking the Origins of Network-Based Evidence
In the diagram provided below, we unveil the fundamental sources of network-based evidence within a simplified network environment. Here, a solid grasp of core network engineering concepts becomes a cornerstone for cybersecurity professionals to decipher and utilize network information effectively in their security monitoring and investigations.
Commencing with host information (located in the lower left corner), an array of data about the network connections established by the host can be collected. This data can be gathered from the server, using tools like 'netstat'. Furthermore, packet captures (utilizing tools like Wireshark or tcpdump) can be executed directly on the host to investigate network traffic to and from the computer.
As we follow the data path to the right from the host, additional methods for capturing network traffic emerge. These include employing Network TAPs on the wire or copying traffic from SPAN ports (traffic copy/mirror) on a switch. There are three prevalent types of traffic collection techniques:
Port-Mirroring
Physical Taps
Packet Brokers
Note: For network security monitoring, most traffic capture devices are deployed at key network choke points, such as trunk connections between network devices. In network security monitoring, the term "North/South traffic" describes traffic leaving and entering the organization, and "East/West traffic" describes traffic that stays within the organization (e.g., workstation to server, server to server, etc.).
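To make the North/South versus East/West distinction concrete, here is an added Python example (not code from this article) that classifies constructed flow records against an assumed set of internal prefixes (the RFC 1918 ranges here; a real deployment would use the organization's own address plan). A sensor placed at an internal choke point that reports flows with neither endpoint internal is a useful hint that it is positioned or configured wrongly, so the example keeps a third class for that case.

```python
import ipaddress
from collections import Counter

# Assumption: the organization's internal address space (RFC 1918 here for illustration).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of the organization's internal prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify_flow(src: str, dst: str) -> str:
    """Return 'east-west' when both endpoints are internal, 'north-south' when exactly
    one is, and 'external' when neither is (traffic an internal sensor should not
    normally see; usually a misplaced sensor or mirrored traffic from the wrong link)."""
    s, d = is_internal(src), is_internal(dst)
    if s and d:
        return "east-west"
    if s or d:
        return "north-south"
    return "external"


# Constructed sample of flow records (src, dst, dst_port, bytes), as a sensor on a
# trunk link might report them. Not real traffic.
SAMPLE_FLOWS = [
    ("10.1.20.15", "10.1.5.8", 445, 52000),       # workstation -> file server
    ("10.1.20.15", "203.0.113.10", 443, 8800),    # workstation -> internet
    ("198.51.100.7", "10.1.5.20", 25, 3100),      # internet -> mail server
    ("10.1.5.8", "10.1.5.9", 3306, 120000),       # server -> database
    ("203.0.113.10", "198.51.100.7", 80, 500),    # neither side internal
]


def summarize(flows):
    """Count flows and bytes per direction class; returns (counts, byte_totals)."""
    counts, byte_totals = Counter(), Counter()
    for src, dst, _port, nbytes in flows:
        cls = classify_flow(src, dst)
        counts[cls] += 1
        byte_totals[cls] += nbytes
    return dict(counts), dict(byte_totals)


if __name__ == "__main__":
    for src, dst, port, nbytes in SAMPLE_FLOWS:
        print(f"{src:>14} -> {dst:<14} :{port:<5} {classify_flow(src, dst)}")
    print(summarize(SAMPLE_FLOWS))
```

In practice the byte totals per class are the interesting number: a choke point that was meant to see only North/South traffic but carries a large East/West share is either mirroring more than intended or revealing a path the design did not account for.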
Additionally, many individual servers maintain logs of their network transactions (servers in diagram far right). For instance:
DNS servers log DNS transaction data.
SMTP servers document SMTP transactions.
Proxies track user web browsing activities, including HTTP methods like POST and GET.
Web servers (e.g., Apache, NGINX, IIS) maintain records of web transactions.
The network's firewall also serves as another rich source of network logs, as it acts as a pivotal gateway for traffic entering and leaving the network.
In certain instances, an Intrusion Detection System (IDS) or Intrusion Prevention System (IPS) may also be in place, offering specialized network event detection capabilities. Notably, Next-Generation Firewalls often incorporate IDS/IPS functionality within the firewall itself.
To inspect encrypted SSL traffic, the network might deploy a dedicated SSL traffic inspection device or have SSL traffic inspection as a function of the NGFW.
Lastly, various network devices (e.g., routers, firewalls) within the infrastructure can generate traffic flow logs, commonly referred to as Netflow data, offering insights into traffic patterns and behaviors.
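The server-side sources listed above (DNS, proxy, web server) overlap on one field, the client address, and that shared field is what lets an analyst pivot between them. The following added Python example (not code from this article) parses constructed, simplified log lines in Apache combined, BIND query-log and Squid native formats, normalizes them into one record type, and groups them by client IP. The regular expressions and sample lines are assumptions for illustration; real formats vary by version and configuration, and timestamps are kept in each source's own format rather than normalized.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class NetEvent:
    """One transaction normalized from any source; client_ip is the pivot field."""
    source: str
    client_ip: str
    timestamp: str   # kept in the source's own format; time normalization is out of scope here
    summary: str


# Regexes for constructed, simplified line formats (assumptions; real formats vary by version).
APACHE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')
BIND_RE = re.compile(r'^(\S+ \S+) client (?:@\S+ )?(\S+)#\d+ \(\S+\): query: (\S+) IN (\S+)')
SQUID_RE = re.compile(r'^(\d+\.\d+)\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+(\S+)\s+(\S+)')


def parse_line(source, line):
    """Return a NetEvent, or None if the line does not match the source's format."""
    if source == "apache":
        m = APACHE_RE.match(line)
        if m:
            return NetEvent(source, m.group(1), m.group(2), f"{m.group(3)} {m.group(4)} -> {m.group(5)}")
    elif source == "bind":
        m = BIND_RE.match(line)
        if m:
            return NetEvent(source, m.group(2), m.group(1), f"query {m.group(3)} {m.group(4)}")
    elif source == "squid":
        m = SQUID_RE.match(line)
        if m:
            return NetEvent(source, m.group(2), m.group(1), f"{m.group(4)} {m.group(5)} {m.group(3)}")
    else:
        raise ValueError(f"unknown source: {source}")
    return None


def pivot_by_client(events):
    """Group normalized events by client IP so one host's activity across sources is visible together."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev.client_ip].append(ev)
    return dict(by_ip)


# Constructed sample lines (not real logs); one malformed line shows that unparsed input is skipped.
SAMPLE_LOGS = {
    "bind": [
        "10-Oct-2023 13:55:30.123 client @0x7f3c1c0 10.1.20.15#51234 (www.example.com): query: www.example.com IN A +E(0)K (10.1.5.53)",
    ],
    "squid": [
        "1696946140.512    245 10.1.20.15 TCP_MISS/200 1530 GET http://www.example.com/index.html - HIER_DIRECT/203.0.113.10 text/html",
    ],
    "apache": [
        '10.1.20.15 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
        '10.1.20.33 - - [10/Oct/2023:13:56:01 +0000] "POST /login HTTP/1.1" 302 512 "-" "curl/8.0"',
        "this line is malformed and will be skipped",
    ],
}


def build_pivot_table(logs):
    """Parse every line of every source and return {client_ip: [NetEvent, ...]}."""
    events = []
    for source, lines in logs.items():
        for line in lines:
            ev = parse_line(source, line)
            if ev is not None:
                events.append(ev)
    return pivot_by_client(events)


if __name__ == "__main__":
    for ip, evs in build_pivot_table(SAMPLE_LOGS).items():
        print(ip)
        for ev in evs:
            print(f"  [{ev.source:6}] {ev.timestamp}  {ev.summary}")
```

The point of the normalization step is the shared `client_ip` field: a DNS lookup, the proxied request that followed it, and the web server's record of the same request line up under one host even though each source names and formats the address differently.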
This comprehensive array of data sources underscores the multifaceted nature of network analysis, enabling cybersecurity professionals to piece together a complete understanding of network activities and threats on the networks they monitor.
Monitoring and Analyzing Network Data
In the best-case scenario, your organization may employ a centralized logging system, which significantly streamlines the analysis of some of these diverse sources of network evidence. However, it's crucial to exercise caution when assessing an organization's ability to log network data, as the mere presence of centralized logging doesn't guarantee the availability of all essential components of network evidence.
There might be gaps in the network's data capture capabilities. For instance, the network could lack sensors tasked with collecting crucial network evidence, or these sensors may not be strategically positioned to capture relevant data effectively. Additionally, there could be instances where systems are either misconfigured or intentionally designed (perhaps due to budget constraints) not to transmit all network data to the centralized logging system.
While centralized logging is undoubtedly a valuable asset for comprehensive network analysis, it's essential to recognize its limitations and be prepared to employ alternative strategies when necessary to ensure a thorough examination of network activities related to security monitoring.
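One practical way to find the gaps described above is to compare an inventory of expected log sources with the time each last delivered an event to the central system. This added Python example (not code from this article) does that with a constructed inventory and a constructed "last seen" table; the source names and the silence each is allowed are assumptions for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed inventory (assumption): every source the central logging system is
# supposed to receive, with the longest silence that is still normal for it.
EXPECTED_SOURCES = {
    "fw-edge-01": timedelta(minutes=5),
    "proxy-01": timedelta(minutes=5),
    "dns-01": timedelta(minutes=5),
    "zeek-sensor-01": timedelta(minutes=2),
    "netflow-core": timedelta(minutes=15),
}


def coverage_report(expected, last_seen, now):
    """Compare expected sources with the time each last delivered an event.

    Returns a dict with four lists:
      healthy - reporting within its allowed interval
      stale   - has reported before, but silent longer than allowed (as (name, gap))
      missing - in the inventory but never seen (sensor absent, logging off, or not forwarded)
      unknown - reporting, but not in the inventory (undocumented source worth adding)
    """
    report = {"healthy": [], "stale": [], "missing": [], "unknown": []}
    for name, max_gap in expected.items():
        ts = last_seen.get(name)
        if ts is None:
            report["missing"].append(name)
        elif now - ts > max_gap:
            report["stale"].append((name, now - ts))
        else:
            report["healthy"].append(name)
    report["unknown"] = sorted(set(last_seen) - set(expected))
    return report


# Constructed "last event received" table, as a SIEM's source-health view might show it.
NOW = datetime(2023, 10, 10, 14, 0, tzinfo=timezone.utc)
LAST_SEEN = {
    "fw-edge-01": NOW - timedelta(minutes=1),
    "proxy-01": NOW - timedelta(hours=3),          # forwarder stopped; recent web activity is unavailable
    "zeek-sensor-01": NOW - timedelta(seconds=30),
    "netflow-core": NOW - timedelta(minutes=10),
    "lab-switch-07": NOW - timedelta(minutes=1),   # reports, but nobody put it in the inventory
    # "dns-01" is absent: its query logging may be disabled or never forwarded
}


if __name__ == "__main__":
    r = coverage_report(EXPECTED_SOURCES, LAST_SEEN, NOW)
    print("healthy:", r["healthy"])
    for name, gap in r["stale"]:
        print(f"stale:   {name} (silent for {gap})")
    print("missing:", r["missing"])
    print("unknown:", r["unknown"])
```

Run on a schedule, this kind of check turns "we have centralized logging" into a statement about which sources were actually delivering during the window an investigation cares about, and a stale or missing entry is the cue to go to the device itself for the evidence.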
Navigating Network-Based Evidence: Access and Significance
In the complex realm of network systems, many of these network technologies are managed by dedicated professionals. Achieving mastery of every technology in networking can be a formidable task. From the perspective of Incident Response (IR), it's not imperative to possess exhaustive knowledge of every system (but the more you understand about networking, the better!). It is critical to comprehend the potential origins of evidence, the value it holds, and how to access it, even if that means knowing who to approach for assistance when you need access to that network data.
It's worth noting that certain evidence may remain elusive due to various factors. For instance, it might be unavailable if the necessary network sensors are absent, or if network transaction logging settings are misconfigured—either deactivated or set to overwrite older entries. In such cases, evidence from prior time periods pertinent to an investigation may not be retained indefinitely. An awareness of the intricacies and potential pitfalls of accessing network-based evidence is invaluable in ensuring a swift and effective response to cybersecurity incidents.
In network analysis, numerous variables come into play. While many of these network log sources provide data that overlaps, they also offer varying levels of granularity concerning the information they provide. Additionally, network data analysis often falls under the "It depends" category. For example, some organizations might not have web proxy or firewall logging enabled, rendering that data unavailable for monitoring and analysis.
For deeper insights into Network Security Monitoring tools, Chris Sanders, the founder of Applied Network Defense (https://chrissanders.org/), has authored a compelling article. In this work, he categorizes network data analysis into five key areas:
Context
Pivot fields
Search
Acquisition
Retention
For instance, PCAP, represented by tools like Wireshark, excels in providing rich Context (A+) but falls short in terms of Acquisition and Retention (D). Conversely, Netflow receives high marks (A and A+) for Acquisition and Retention but rates lower in providing Context (D). This divergence in scores is logical since PCAP captures full packets, offering rich context but presenting challenges in data acquisition and retention due to the sheer volume of data. In contrast, Netflow provides metadata (a few key fields) about network packets, offering ease of acquisition and retention but less context.
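To show the context-versus-retention trade-off in code, the following added Python example (not code from this article or from Chris Sanders' work) aggregates constructed packets into unidirectional flow records keyed by the 5-tuple, the way a flow exporter does, with an assumed idle timeout. A payload search works on the packets but has nothing to operate on in the flows, while the storage estimate (assuming 40-byte IPv4/TCP headers, a 16-byte pcap record header and a 48-byte NetFlow v5 record) shows why flows are so much cheaper to keep.

```python
from dataclasses import dataclass

HEADER_BYTES = 40        # assumed IPv4 + TCP headers without options
PCAP_RECORD_HEADER = 16  # per-packet record header in a pcap file
NETFLOW_V5_RECORD = 48   # size of one NetFlow v5 flow record


@dataclass(frozen=True)
class Packet:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    payload: bytes


@dataclass
class Flow:
    """Unidirectional flow record: what an exporter keeps once the packets are gone."""
    key: tuple          # (src, sport, dst, dport, proto)
    first: float
    last: float
    packets: int = 0
    nbytes: int = 0


def aggregate(packets, idle_timeout=60.0):
    """Fold packets into flow records keyed by the 5-tuple. A packet arriving more
    than idle_timeout after the last one for its key starts a new record, as an
    exporter's inactive timeout would. Records are returned in creation order."""
    flows, active = [], {}   # active: key -> index of the open record in flows
    for p in sorted(packets, key=lambda p: p.ts):
        key = (p.src, p.sport, p.dst, p.dport, p.proto)
        idx = active.get(key)
        if idx is None or p.ts - flows[idx].last > idle_timeout:
            flows.append(Flow(key, p.ts, p.ts))
            idx = active[key] = len(flows) - 1
        f = flows[idx]
        f.last = p.ts
        f.packets += 1
        f.nbytes += HEADER_BYTES + len(p.payload)
    return flows


def search_payload(packets, needle):
    """Content search: possible on captured packets, impossible on flow records,
    which carry no payload at all."""
    return [p for p in packets if needle in p.payload]


def storage_estimate(packets, flows):
    """Approximate bytes needed to retain the same traffic as pcap versus as flows."""
    pcap = sum(PCAP_RECORD_HEADER + HEADER_BYTES + len(p.payload) for p in packets)
    return {"pcap_bytes": pcap, "flow_bytes": NETFLOW_V5_RECORD * len(flows)}


# Constructed packets (not a real capture): one HTTP exchange, an empty ACK, then a
# second request on the same connection two minutes later, past the idle timeout.
SAMPLE_PACKETS = [
    Packet(0.0, "10.1.20.15", 51000, "203.0.113.10", 80, "tcp",
           b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Packet(0.1, "203.0.113.10", 80, "10.1.20.15", 51000, "tcp",
           b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"),
    Packet(0.2, "10.1.20.15", 51000, "203.0.113.10", 80, "tcp", b""),
    Packet(130.0, "10.1.20.15", 51000, "203.0.113.10", 80, "tcp",
           b"GET /admin HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Packet(130.1, "203.0.113.10", 80, "10.1.20.15", 51000, "tcp",
           b"HTTP/1.1 404 Not Found\r\n\r\n"),
]


if __name__ == "__main__":
    flows = aggregate(SAMPLE_PACKETS)
    for f in flows:
        print(f"{f.key}: {f.packets} pkts, {f.nbytes} bytes, {f.first}-{f.last}")
    hits = search_payload(SAMPLE_PACKETS, b"/admin")
    print("packets containing b'/admin':", [p.ts for p in hits])
    print(storage_estimate(SAMPLE_PACKETS, flows))
```

The flow records still answer "who talked to whom, when, and how much", which is the Acquisition and Retention strength the scores above reflect; the request path and response code that the payload search finds exist only in the capture, which is the Context that flows give up.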