This checklist was developed from the Birds of a Feather (BOF) session on Tooling for NSM held on 15 June 2021 under the Anomalous Network Detection Patterns programme. Swapneel Patnekar, Founder at Sreshta IT, and Rashid Feroz, Security Engineer at CRED, shared their experiences and learnings. Anand Venkatnarayan, cybersecurity expert and editor of the Privacy Mode and Rootconf programmes, moderated the session.
This checklist is compiled by Anwesha Sen, intern at the Privacy Mode programme.
Full packet capture has its limitations and cannot be done for the entire infrastructure. It is applicable for a subset of core network architecture.
NetFlow and Zeek: There are many ways to implement NSM in a Data Center (DC) environment. One of them is NetFlow.
- NetFlow provides statistical information about packets.
- It allows you to do threat hunting with flows that indicate possible data exfiltration. Bursts in traffic give you an indication of communication with command and control infrastructure, or even beaconing.
- You can also sift through the different flows and decide whether there has been communication with known bad actors.
Zeek is like NetFlow on steroids.
- It generates event logs.
- You can identify infected systems and mitigate them by taking those systems offline.
- For On-premise systems, you can use a sensor device.
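The beaconing hunt described above, as an added example that is not part of the original session: it groups NetFlow-style records by (source, destination, port) and flags series whose inter-arrival times are suspiciously regular. The flow records are constructed sample data, and the thresholds are assumptions to tune per environment.

```python
"""Flag beacon-like flows in NetFlow-style records (constructed sample data)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed NetFlow-style records: (start_time_s, src, dst, dport, bytes_out)
SAMPLE_FLOWS = [
    # host A: a very regular 60 s call-home to one external host
    *[(t, "10.0.0.5", "203.0.113.9", 443, 512) for t in range(0, 600, 60)],
    # host B: ordinary browsing, irregular timings and sizes
    (3, "10.0.0.7", "198.51.100.20", 443, 4000),
    (10, "10.0.0.7", "198.51.100.20", 443, 25000),
    (41, "10.0.0.7", "198.51.100.20", 443, 900),
    (120, "10.0.0.7", "198.51.100.20", 443, 70000),
    (125, "10.0.0.7", "198.51.100.20", 443, 3100),
    (400, "10.0.0.7", "198.51.100.20", 443, 15000),
]

def find_beacons(flows, min_flows=5, max_cv=0.2):
    """Return {(src, dst, dport): stats} for flow series whose inter-arrival
    times are suspiciously regular (coefficient of variation <= max_cv).
    min_flows and max_cv are assumed starting thresholds, not fixed values."""
    series = defaultdict(list)
    for ts, src, dst, dport, nbytes in flows:
        series[(src, dst, dport)].append((ts, nbytes))
    beacons = {}
    for key, events in series.items():
        if len(events) < min_flows:
            continue  # too few flows to judge periodicity
        events.sort()
        gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue
        cv = pstdev(gaps) / avg  # 0 means perfectly periodic
        sizes = [n for _, n in events]
        if cv <= max_cv:
            beacons[key] = {"count": len(events), "interval_s": round(avg, 1),
                            "interval_cv": round(cv, 3),
                            # near-constant payload size is a second beacon hint
                            "size_cv": round(pstdev(sizes) / mean(sizes), 3)}
    return beacons

if __name__ == "__main__":
    for key, stats in find_beacons(SAMPLE_FLOWS).items():
        print(key, stats)
```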
DNS can connect the dots with regards to whether there was a security incident or not. There are many ways to find anomalies in DNS. You can put a recursive resolver in your network and look at the DNS responses. (*Here is a link to Swapneel’s presentation on Threat Hunting using DNS at SANOG 37. The slides serve as reference for further details.)
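Two of the DNS anomaly signals an analyst looks for in recursive resolver responses, as an added example that is not from the session or the linked slides: long high-entropy labels (DGA or tunnelling style names) and a high NXDOMAIN ratio per client. The response records and the thresholds are constructed assumptions.

```python
"""Score DNS responses from a recursive resolver for two anomaly signals:
long high-entropy labels and per-client NXDOMAIN ratio (constructed sample)."""
import math
from collections import Counter

# Constructed resolver response log: (client, qname, rcode)
SAMPLE_RESPONSES = [
    ("10.0.0.5", "www.example.com", "NOERROR"),
    ("10.0.0.5", "mail.example.com", "NOERROR"),
    ("10.0.0.9", "kq3zx8v1mpl0ytrb.example.net", "NXDOMAIN"),
    ("10.0.0.9", "p9d2hf7wqe1xz4mk.example.net", "NXDOMAIN"),
    ("10.0.0.9", "zt6y1lqw8vbn3xck.example.net", "NXDOMAIN"),
    ("10.0.0.9", "www.example.com", "NOERROR"),
    ("10.0.0.11", "0e9a4c1b7f3d2a6e8b5c0d1f4e2a9b3c.tunnel.example.org", "NOERROR"),
]

def label_entropy(label):
    """Shannon entropy in bits per character of a single DNS label."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def suspicious_names(responses, min_len=16, min_entropy=3.5):
    """Names whose leftmost label is long and high-entropy. The thresholds
    are assumed starting points; tune them against your own baseline."""
    hits = []
    for _, qname, _ in responses:
        first = qname.split(".")[0]
        if len(first) >= min_len and label_entropy(first) >= min_entropy:
            hits.append(qname)
    return hits

def nxdomain_ratio(responses):
    """Per-client fraction of NXDOMAIN answers; a burst of them from one
    host is a classic sign of a domain generation algorithm probing names."""
    total, nx = Counter(), Counter()
    for client, _, rcode in responses:
        total[client] += 1
        if rcode == "NXDOMAIN":
            nx[client] += 1
    return {client: nx[client] / total[client] for client in total}

if __name__ == "__main__":
    print("suspicious names:", suspicious_names(SAMPLE_RESPONSES))
    print("nxdomain ratio per client:", nxdomain_ratio(SAMPLE_RESPONSES))
```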
Honeypots can be used to obtain malware samples as well as to generate in-house threat intelligence. You can incorporate honeypots at very minimal cost in a Cloud-based environment. When an attacker tries to interact with a honeypot, it sends an alert. For On-premise setups, you can use small appliances like a Raspberry Pi.
- North-South - all the traffic from your systems, internal networks to the Internet, and back in. Egress as well as ingress.
- East-West - the traffic which is on the intranet, i.e. RFC 1918 addresses which are communicating with one another.
- Placing NSM at the wrong network interface will make the setup ineffective. The key idea is to put NSM at the right interface to capture the maximum amount of traffic.
- In the case of encrypted traffic, put your NSM just behind the SSL decryption product.
- Suricata is an NSM tool which captures all your packets and uses its own rule engine to find out if there are any known threats present in those packets. It will try to filter out the packets based on the rules provided by you.
- Zeek consumes all the traffic on the interface you have set it up on. It generates very contextual event logs. You can consume those logs and outputs which are generated by Zeek and build some use-cases on top of it. It gives you a meaningful contextual event log that will tell you the source IP address, destination IP address, and how much data was transferred. Zeek also tells you the type of traffic and does protocol parsing. You can push Zeek logs into a SIEM solution, making it very easy to do threat hunting. The Zeek community ID will allow you - as an analyst or a threat hunter - to take that ID, and sift through the entire chain of events to find out what exactly happened.
- NetFlow can allow you to look at the source IP, the source port, destination IP and destination port as well as the amount of data that was transported. This can help with identifying DoH communications.
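The Community ID pivot mentioned above, as an added example that is not from the session or from the Zeek/Suricata projects: it computes Community ID v1 from a flow 5-tuple (the same direction-independent hash Zeek and Suricata emit) and uses it to join a Zeek conn.log record with a Suricata alert that saw the same flow from the other direction. The conn.log and alert records are constructed sample data.

```python
"""Compute Community ID v1 for a TCP/UDP 5-tuple and use it to join Zeek
conn.log records with Suricata alerts (constructed sample data)."""
import base64
import hashlib
import ipaddress
import struct

def community_id(saddr, daddr, proto, sport, dport, seed=0):
    """Community ID v1: sha1 over seed, ordered addresses, proto, ports."""
    sa = ipaddress.ip_address(saddr).packed
    da = ipaddress.ip_address(daddr).packed
    # Canonical ordering: lower address (then lower port) goes first, so both
    # directions of a flow produce the same ID.
    if not (sa < da or (sa == da and sport < dport)):
        sa, da, sport, dport = da, sa, dport, sport
    data = struct.pack("!H", seed) + sa + da + struct.pack("!BBHH", proto, 0, sport, dport)
    return "1:" + base64.b64encode(hashlib.sha1(data).digest()).decode()

PROTO_NUM = {"tcp": 6, "udp": 17}

# Constructed Zeek conn.log records (JSON field names as Zeek emits them).
ZEEK_CONN = [
    {"uid": "CAbc1", "id.orig_h": "10.0.0.5", "id.orig_p": 51000,
     "id.resp_h": "203.0.113.9", "id.resp_p": 443, "proto": "tcp", "orig_bytes": 734211},
    {"uid": "CAbc2", "id.orig_h": "10.0.0.7", "id.orig_p": 51001,
     "id.resp_h": "198.51.100.20", "id.resp_p": 443, "proto": "tcp", "orig_bytes": 1200},
]
# Constructed Suricata EVE alert that saw the first flow responder-first.
SURICATA_ALERTS = [
    {"src_ip": "203.0.113.9", "src_port": 443, "dest_ip": "10.0.0.5", "dest_port": 51000,
     "proto": "TCP", "alert": {"signature": "constructed: suspicious TLS beacon"}},
]

def correlate(conns, alerts):
    """Return {community_id: (zeek_conn, alert)} for flows seen by both tools."""
    by_id = {community_id(c["id.orig_h"], c["id.resp_h"], PROTO_NUM[c["proto"]],
                          c["id.orig_p"], c["id.resp_p"]): c for c in conns}
    matches = {}
    for a in alerts:
        cid = community_id(a["src_ip"], a["dest_ip"], PROTO_NUM[a["proto"].lower()],
                           a["src_port"], a["dest_port"])
        if cid in by_id:
            matches[cid] = (by_id[cid], a)
    return matches

if __name__ == "__main__":
    for cid, (conn, alert) in correlate(ZEEK_CONN, SURICATA_ALERTS).items():
        print(cid, conn["uid"], conn["orig_bytes"], alert["alert"]["signature"])
```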
Correlating connection logs generated by the VPN with Zeek output logs can help you easily figure out who is extracting data from your environment and from where. The destination IP range for dev setup will be different from production.
In a cloud environment, the first thing an attacker will try to do is find an access key and secret key. Place honeytokens within your environment. If anybody uses that pair of access and secret key, you will immediately be notified because those are invalid sets of credentials. You can look for those pairs of access keys using automation by reading logs and cloud trail events, etc. If the attacker gets into your code repository, they will find an access key and try to use it. This helps you to catch them. Similarly, you can place Honeytokens in very obvious places where you would want to catch such malicious activities.
Here is the link to a guide on how to implement honey tokens - https://summitroute.com/blog/2018/06/22/guidance_on_deploying_honey_tokens/
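The honeytoken check described above, as an added example that is not from the session or the linked guide: it scans CloudTrail records for any use of planted access key IDs and turns each hit into an alert with the caller's IP and user agent. The key IDs and CloudTrail records are constructed placeholders, not real credentials.

```python
"""Detect any use of honeytoken AWS access keys in CloudTrail events.
The honeytoken key IDs below are constructed placeholders, not real keys."""
import json

# Constructed: key IDs of honeytokens planted in repos or config files.
HONEYTOKEN_KEY_IDS = {"AKIAHONEYTOKEN000001", "AKIAHONEYTOKEN000002"}

# Constructed CloudTrail-style records (a subset of the real CloudTrail fields).
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2021-06-15T10:01:12Z", "eventName": "ListBuckets",
     "eventSource": "s3.amazonaws.com", "sourceIPAddress": "198.51.100.77",
     "userAgent": "aws-cli/2.2.1", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAHONEYTOKEN000001"}},
    {"eventTime": "2021-06-15T10:02:03Z", "eventName": "GetCallerIdentity",
     "eventSource": "sts.amazonaws.com", "sourceIPAddress": "10.0.0.5",
     "userAgent": "aws-sdk-go/1.38",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLELEGIT0001"}},
]})

def honeytoken_hits(cloudtrail_json, honeytokens=HONEYTOKEN_KEY_IDS):
    """Return one alert dict per CloudTrail record that used a honeytoken key.
    Failed calls count too: CloudTrail still records the attempt with an
    errorCode, and any attempt at all means the planted key has been found."""
    alerts = []
    for rec in json.loads(cloudtrail_json).get("Records", []):
        key_id = rec.get("userIdentity", {}).get("accessKeyId")
        if key_id in honeytokens:
            alerts.append({
                "accessKeyId": key_id,
                "time": rec.get("eventTime"),
                "call": f'{rec.get("eventSource")}:{rec.get("eventName")}',
                "sourceIp": rec.get("sourceIPAddress"),
                "userAgent": rec.get("userAgent"),
                "failed": "errorCode" in rec,
            })
    return alerts

if __name__ == "__main__":
    for alert in honeytoken_hits(SAMPLE_CLOUDTRAIL):
        print("HONEYTOKEN USED:", alert)
```

Run it over CloudTrail log deliveries (each file is a JSON document with a Records array) or wire the same match into an EventBridge rule on the access key ID.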
DCs are far harder to secure because of the hardware assets, whereas on the Cloud, you can figure out NSM easily because of the segregation of production accounts, dev accounts, etc. Asset enumeration, which is a problem in the On-premise environment, is generally what leads to problematic network behaviour, because an unknown endpoint is an insecure one. One can see fewer attacks in a cloud environment.
The reason why DCs generally don’t get breached as much as cloud environments is because they’re running in their own private environment. Nothing is exposed to the Internet apart from a single interface which is hosting an application or network. There are a lot of avenues for attackers to get into your network on cloud.
- The Practice of Network Security Monitoring by Richard Bejtlich
- Applied Network Security Monitoring by Chris Sanders
- Practical Packet Analysis by Chris Sanders
- Intrusion Detection Honeypots by Chris Sanders
- Network Security Monitoring for all and tracking packets by Swapneel Patnekar - https://hasgeek.com/rootconf/detecting-anomalous-network-patterns/sub/packets-dont-lie-network-security-monitoring-nsm-f-Km3ZiUqyWt4VYDwxtKGh9W
- Achieving a high level of network inspection with VPC traffic mirroring and Suricata by Rashid Feroz - https://hasgeek.com/rootconf/detecting-anomalous-network-patterns/sub/achieving-a-high-level-of-network-inspection-with-Q2hJVXmBf85hyBopnbZJzm