Detecting anomalous network patterns

Using anomaly patterns for improved data security, network monitoring and observability.

Anwesha Sen

@anwesha25

Checklist for Network Security Monitoring (NSM) for On-premise, Data Centers and Cloud set-ups

Submitted May 30, 2022

This checklist was developed from the Birds of a Feather (BOF) session on Tooling for NSM held on 15 June 2021 under the Anomalous Network Detection Patterns programme. Swapneel Patnekar, Founder at Sreshta IT, and Rashid Feroz, Security Engineer at CRED, shared their experiences and learnings. Anand Venkatnarayan, cybersecurity expert and editor of the Privacy Mode and Rootconf programmes, moderated the session.

This checklist is compiled by Anwesha Sen, intern at Privacy Mode programme.

Network Security Monitoring (NSM) for different set-ups

  1. Full packet capture has its limitations and cannot be done for the entire infrastructure. It is applicable for a subset of the core network architecture.

  2. NetFlow and Zeek: There are many ways to implement NSM in a Data Center (DC) environment. One of them is NetFlow.

  • NetFlow provides statistical information about packets.
  • It allows you to do threat hunting with flows that indicate possible data exfiltration, or with bursts in the traffic that give you an indication of command and control communication or beaconing.
  • You can also sift through the different flows and decide if there has been potential activity with bad actors.

  Zeek is like NetFlow on steroids.

  • It generates event logs.
  • You can identify infected systems and mitigate them by taking those systems offline.
  • For On-premise systems, you can use a sensor device.

  3. DNS can connect the dots with regards to whether there was a security incident or not. There are many ways to find anomalies in DNS. You can put a recursive resolver in your network and look at the DNS responses. (*Here is a link to Swapneel’s presentation on Threat Hunting using DNS at SANOG 37. The slides serve as reference for further details.)

  4. Honeypots can be used to obtain malware samples as well as to generate in-house threat intelligence. You can incorporate Honeypots at very minimal cost in a Cloud-based environment. When the attacker tries to interact with a Honeypot, it sends an alert. For On-premise setups, you can use small appliances like a Raspberry Pi.
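The beaconing hunt mentioned under NetFlow and Zeek above, as an added example that is not part of the original checklist: it groups Zeek conn.log records (constructed sample, JSON format) per source, destination and port and flags pairs whose connection timing is too regular to be human, using the coefficient of variation of the inter-arrival gaps as the score. The thresholds are assumptions to tune per network.

```python
import json
import statistics
from collections import defaultdict

# Constructed Zeek conn.log lines in JSON format (sample data, not from the session);
# the field names are Zeek's own conn.log column names.
CONN_LOG = """\
{"ts": 1000.0, "id.orig_h": "10.0.0.5", "id.resp_h": "203.0.113.7", "id.resp_p": 443, "orig_bytes": 512}
{"ts": 1000.0, "id.orig_h": "10.0.0.9", "id.resp_h": "198.51.100.3", "id.resp_p": 443, "orig_bytes": 4096}
{"ts": 1005.0, "id.orig_h": "10.0.0.9", "id.resp_h": "198.51.100.3", "id.resp_p": 443, "orig_bytes": 120}
{"ts": 1060.0, "id.orig_h": "10.0.0.5", "id.resp_h": "203.0.113.7", "id.resp_p": 443, "orig_bytes": 512}
{"ts": 1121.0, "id.orig_h": "10.0.0.5", "id.resp_h": "203.0.113.7", "id.resp_p": 443, "orig_bytes": 520}
{"ts": 1180.0, "id.orig_h": "10.0.0.5", "id.resp_h": "203.0.113.7", "id.resp_p": 443, "orig_bytes": 512}
{"ts": 1200.0, "id.orig_h": "10.0.0.9", "id.resp_h": "198.51.100.3", "id.resp_p": 443, "orig_bytes": 70000}
{"ts": 1210.0, "id.orig_h": "10.0.0.9", "id.resp_h": "198.51.100.3", "id.resp_p": 443, "orig_bytes": 900}
{"ts": 1239.0, "id.orig_h": "10.0.0.5", "id.resp_h": "203.0.113.7", "id.resp_p": 443, "orig_bytes": 512}
{"ts": 1300.0, "id.orig_h": "10.0.0.5", "id.resp_h": "203.0.113.7", "id.resp_p": 443, "orig_bytes": 515}
{"ts": 1900.0, "id.orig_h": "10.0.0.9", "id.resp_h": "198.51.100.3", "id.resp_p": 443, "orig_bytes": 300}
"""


def find_beacons(log_text, min_conns=5, max_cv=0.1):
    """Group flows by (orig, resp, port) and score how regular their timing is.
    Enough connections with a low coefficient of variation (stdev/mean) of the
    gaps between them is the classic beaconing signature; thresholds are assumed."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        flows[(rec["id.orig_h"], rec["id.resp_h"], rec["id.resp_p"])].append(rec["ts"])
    suspects = {}
    for key, stamps in flows.items():
        if len(stamps) < min_conns:
            continue  # too few connections to judge periodicity
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.stdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            suspects[key] = {"count": len(stamps), "interval": round(mean, 1), "cv": round(cv, 3)}
    return suspects


if __name__ == "__main__":
    for (orig, resp, port), info in find_beacons(CONN_LOG).items():
        print(f"possible beacon {orig} -> {resp}:{port} every ~{info['interval']}s (cv={info['cv']})")
```

The irregular flows of 10.0.0.9 are skipped while the near-60-second cadence of 10.0.0.5 is reported; on real logs, whitelist known pollers (NTP, update checks) before triage.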

Ways to look at traffic

  1. North-South - all the traffic from your systems, internal networks to the Internet, and back in. Egress as well as ingress.
  2. East-West - the traffic which is on the intranet, i.e. RFC 1918 addresses which are communicating with one another.

Implementing NSM in Cloud

  • Placing NSM at the wrong network interface will make the setup ineffective. The main idea is to put NSM at the interface where it captures the maximum traffic.
  • In case of encrypted traffic, put your NSM just behind the SSL decryption product, so that it sees the decrypted traffic.

NSM tools for Cloud

  1. Suricata is an NSM tool which captures all your packets and uses its own rule engine to find out if there are any known threats present in those packets. It will try to filter out the packets based on the rules provided by you.
  2. Zeek consumes all the traffic on the interface you have set it up on. It generates very contextual event logs. You can consume those logs and outputs which are generated by Zeek and build some use-cases on top of it. It gives you a meaningful contextual event log that will tell you the source IP address, destination IP address, and how much data was transferred. Zeek also tells you the type of traffic and does protocol parsing. You can push Zeek logs into a SIEM solution, making it very easy to do threat hunting. The Zeek community ID will allow you - as an analyst or a threat hunter - to take that ID, and sift through the entire chain of events to find out what exactly happened.
  3. NetFlow can allow you to look at the source IP, the source port, destination IP and destination port as well as the amount of data that was transported. This can help with identifying DoH communications.

How do you differentiate people looking at data for running a dev setup?

Correlating connection logs generated by the VPN with Zeek output logs can help you easily figure out who is extracting data from your environment and from where. The destination IP range for dev setup will be different from production.
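The VPN-to-Zeek correlation described above, as an added example that is not part of the original checklist: it pairs connect/disconnect lines from a constructed VPN log (a hypothetical key=value format, not any vendor's) with constructed Zeek conn.log records, and lists who pulled large amounts of data (resp_bytes, i.e. bytes sent back to the client) out of the production range. The production range, the byte threshold and the log formats are assumptions.

```python
import ipaddress
import json
from datetime import datetime

# Constructed VPN connection log (hypothetical key=value format, not any vendor's).
VPN_LOG = """\
2022-05-30T10:00:00+00:00 user=alice assigned=10.8.0.12 event=connect
2022-05-30T10:00:30+00:00 user=bob assigned=10.8.0.13 event=connect
2022-05-30T11:00:00+00:00 user=alice assigned=10.8.0.12 event=disconnect
2022-05-30T11:30:00+00:00 user=carol assigned=10.8.0.12 event=connect
"""
# Constructed Zeek conn.log records (JSON); ts is epoch seconds, as Zeek writes it.
CONN_LOG = """\
{"ts": 1653905000.0, "id.orig_h": "10.8.0.12", "id.resp_h": "10.50.1.20", "resp_bytes": 5000000}
{"ts": 1653905100.0, "id.orig_h": "10.8.0.13", "id.resp_h": "10.60.2.5", "resp_bytes": 3000000}
{"ts": 1653909000.0, "id.orig_h": "10.8.0.12", "id.resp_h": "10.50.1.20", "resp_bytes": 4000000}
{"ts": 1653910500.0, "id.orig_h": "10.8.0.12", "id.resp_h": "10.50.1.20", "resp_bytes": 8000000}
"""


def parse_vpn_sessions(text):
    """Pair connect/disconnect lines into (user, ip, start, end); end is None while open.
    The time window matters because the VPN pool reuses addresses between users."""
    open_sessions, sessions = {}, []
    for line in filter(str.strip, text.splitlines()):
        stamp, *pairs = line.split()
        f = dict(p.split("=", 1) for p in pairs)
        t = datetime.fromisoformat(stamp).timestamp()
        if f["event"] == "connect":
            open_sessions[f["assigned"]] = (f["user"], t)
        else:
            user, start = open_sessions.pop(f["assigned"])
            sessions.append((user, f["assigned"], start, t))
    sessions += [(user, ip, start, None) for ip, (user, start) in open_sessions.items()]
    return sessions


def attribute_transfers(vpn_text, conn_text, prod_net, min_bytes):
    """List (user, production host, bytes) for large downloads out of the production range.
    A transfer with no VPN session covering its timestamp is attributed to 'unknown'."""
    sessions = parse_vpn_sessions(vpn_text)
    prod = ipaddress.ip_network(prod_net)
    findings = []
    for line in filter(str.strip, conn_text.splitlines()):
        r = json.loads(line)
        if r["resp_bytes"] < min_bytes or ipaddress.ip_address(r["id.resp_h"]) not in prod:
            continue  # small transfer, or a dev/other destination range
        user = next((u for u, ip, s, e in sessions
                     if ip == r["id.orig_h"] and s <= r["ts"] and (e is None or r["ts"] <= e)), "unknown")
        findings.append((user, r["id.resp_h"], r["resp_bytes"]))
    return findings


if __name__ == "__main__":
    for user, host, nbytes in attribute_transfers(VPN_LOG, CONN_LOG, "10.50.0.0/16", 1_000_000):
        print(f"{user} pulled {nbytes} bytes from production host {host}")
```

The 11:10 transfer from 10.8.0.12 falls between alice's disconnect and carol's connect, so it surfaces as "unknown": a gap in the VPN log or a client on the VPN subnet that is not the VPN, either way worth a look.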

Use Honeytokens to tackle vulnerabilities in access keys in dev setups.

In a cloud environment, the first thing an attacker will try to do is find an access key and secret key. Place honeytokens within your environment. If anybody uses that pair of access and secret key, you will immediately be notified because those are invalid sets of credentials. You can look for those pairs of access keys using automation by reading logs and cloud trail events, etc. If the attacker gets into your code repository, they will find an access key and try to use it. This helps you to catch them. Similarly, you can place Honeytokens in very obvious places where you would want to catch such malicious activities.

Here is the link to a guide on how to implement honey tokens - https://summitroute.com/blog/2018/06/22/guidance_on_deploying_honey_tokens/
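The honeytoken alerting described above, as an added example that is not part of the original checklist or the linked guide: it scans a constructed CloudTrail-style event batch for any call made with a planted access key ID and collapses a burst of calls into one finding per key and source address. The key IDs are constructed placeholders, not real AWS keys.

```python
import json
from collections import defaultdict

# Constructed honeytoken access key IDs (placeholders, not real AWS keys).
HONEYTOKEN_KEYS = {"AKIAHONEYTOKEN00000001", "AKIAHONEYTOKEN00000002"}

# Constructed CloudTrail-style batch; the field names follow CloudTrail's record layout.
CLOUDTRAIL_BATCH = json.dumps({"Records": [
    {"eventTime": "2022-05-30T10:15:02Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy",
                      "accessKeyId": "AKIAHONEYTOKEN00000001"}},
    {"eventTime": "2022-05-30T10:15:05Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "198.51.100.23", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy",
                      "accessKeyId": "AKIAHONEYTOKEN00000001"}},
    {"eventTime": "2022-05-30T10:16:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "10.50.1.9",
     "userIdentity": {"type": "IAMUser", "userName": "ops",
                      "accessKeyId": "AKIAREALKEY00000000001"}},
]})


def scan_cloudtrail(batch_json, honeytokens):
    """One alert per event that presented a honeytoken key. A denied call counts as much
    as a successful one: nothing legitimate ever uses these keys, so any use means the
    place they were planted (repo, config file, host) has been read by someone."""
    alerts = []
    for rec in json.loads(batch_json).get("Records", []):
        key = rec.get("userIdentity", {}).get("accessKeyId")
        if key in honeytokens:
            alerts.append({"key": key, "time": rec["eventTime"], "source_ip": rec["sourceIPAddress"],
                           "call": rec["eventSource"].split(".")[0] + ":" + rec["eventName"],
                           "denied": "errorCode" in rec})
    return alerts


def group_alerts(alerts):
    """Collapse a burst of calls into one finding per (key, source IP) so the analyst
    gets a single ticket listing everything that was tried from that address."""
    grouped = defaultdict(lambda: {"first_seen": None, "calls": []})
    for a in sorted(alerts, key=lambda a: a["time"]):
        g = grouped[(a["key"], a["source_ip"])]
        g["first_seen"] = g["first_seen"] or a["time"]
        g["calls"].append(a["call"])
    return dict(grouped)


if __name__ == "__main__":
    for (key, ip), info in group_alerts(scan_cloudtrail(CLOUDTRAIL_BATCH, HONEYTOKEN_KEYS)).items():
        print(f"HONEYTOKEN {key} used from {ip} at {info['first_seen']}: {', '.join(info['calls'])}")
```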

Cloud vs Data Centers (DCs)

DCs are far harder to secure because of the hardware assets, whereas on the Cloud you can figure out NSM easily because of the segregation of production accounts, dev accounts, etc. Asset enumeration, which is a problem in the On-premise environment, is generally what leads to problematic network behaviour because the endpoint is insecure. One sees fewer attacks in a cloud environment.

The reason why DCs generally don’t get breached as much as cloud environments is because they’re running in their own private environment. Nothing is exposed to the Internet apart from a single interface which is hosting an application or network. There are a lot of avenues for attackers to get into your network on cloud.

Recommended books on NSM

  1. The Practice of Network Security Monitoring by Richard Bejtlich
  2. Applied Network Security Monitoring by Chris Sanders
  3. Practical Packet Analysis by Chris Sanders
  4. Intrusion Detection Honeypots by Chris Sanders

Videos

  1. Network Security Monitoring for all and tracking packets by Swapneel Patnekar - https://hasgeek.com/rootconf/detecting-anomalous-network-patterns/sub/packets-dont-lie-network-security-monitoring-nsm-f-Km3ZiUqyWt4VYDwxtKGh9W
  2. Achieving a high level of network inspection with VPC traffic mirroring and Suricata by Rashid Feroz - https://hasgeek.com/rootconf/detecting-anomalous-network-patterns/sub/achieving-a-high-level-of-network-inspection-with-Q2hJVXmBf85hyBopnbZJzm
