A study in detecting network intruders
What to Look For?
The art of network analysis involves sorting out the known and intended traffic so that detailed investigations focus on connections of interest. At the end of the day, you are looking for the unusual – true to the Sherlock Holmes motto: "Once you eliminate the impossible, whatever remains, no matter how improbable, must be the truth." At the network level, there may be traffic that should not normally exist. This unusual traffic may manifest itself in systems communicating (or attempting to communicate) with unusual targets on unusual ports.
The other axis for detecting unusual behavior is the time axis. Malware can repeatedly be identified by its tendency to phone home very regularly. A heartbeat pattern on the time axis is a good indicator. If the employees work in the office from 9 a.m. to 5 p.m., the desktops should only update around midnight at the most. If there is a local update server, traffic to the outside should be completely absent.
The geographical distribution of traffic directed to the Internet is also interesting. If there are no business relations to former Soviet Union countries and no employees, the traffic can be interpreted as a warning sign.
If a web proxy is used, admins can also use its logs as a data source. In addition to the analysis of unknown domain names and target IPs in unusual countries, the HTTP return code also helps to clarify the situation. Command and control servers often disappear again without the malware noticing. Access via the proxy then fails but leaves a trace. An unknown host causes error code 503 on a Squid proxy:
1541025318.775 32 10.10.10.10 TCP_MISS/503 4040 GET http://www.skjhskshdf.sfkhskfshf/ - HIER_NONE/- text/html
The code alone is not yet an indicator, but it reduces the number of logs you'll need to search to find an answer.
If one of the methods presented in this article reveals an anomaly, be it a domain name, a network area on the Internet, or something similar, you should check all the sources after the occurrence of the indicator. Not infrequently, only one indicator remains unchanged (e.g., only the port if addresses or domain names change).
To make your work easier, solutions like ELK prove very useful. Common sense, paired with knowledge of what is considered normal on your own network, will help you filter out normal traffic with the data sources in order to find that needle in the haystack.
Infos
- tcpdump: http://www.tcpdump.org
- Wireshark: http://www.wireshark.org
- ELK Stack: https://www.elastic.co/elk-stack
- Splunk: https://www.splunk.com
- Dumpcap: https://www.wireshark.org/docs/man-pages/dumpcap.html
- TShark: https://www.wireshark.org/docs/man-pages/tshark.html
- NetFlow: https://en.wikipedia.org/wiki/Netflow
- NetFlow module for Logstash: https://www.elastic.co/guide/en/logstash/current/netflow-module.html
- Open vSwitch: http://www.openvswitch.org
- ipt_netflow kernel module: https://github.com/aabc/ipt-netflow
« Previous 1 2 3
Buy this article as PDF
(incl. VAT)