Author: David Balaban
Network traffic monitoring is a particularly important issue these days, especially given the conditions of remote work practices imposed by the COVID-19 pandemic. Modern malicious programs successfully bypass whitelisting techniques and can effectively hide their presence in the system. Let us discuss how to approach the daunting task of network monitoring.
Today, while political IT boundaries are becoming more and more clear (countries like China or Russia try to create their own ecosystems that include independent Internet, special services, and software), in the corporate environment, the process is exactly the opposite. The perimeters are increasingly dissolving in the information sphere, causing severe headaches among cybersecurity managers.
Problems are all around the place. Cybersecurity professionals must deal with the hardships of remote work with its untrusted environment and devices, as well as with shadow infrastructure – Shadow IT. On the other side of the barricades, we have more and more sophisticated kill chain models and careful concealment of intrusion and network presence.
Standard information cybersecurity monitoring tools cannot always give a complete picture of what is happening. This prompts us to look for additional sources of information, like analyzing network traffic.
The Growth of Shadow IT
The concept of Bring Your Own Device (personal devices used in a corporate environment) has suddenly been replaced by Work From Your Home Device (a corporate environment brought onto personal devices.)
Employees use personal computers to access their virtual workplace and email. They use a personal phone for multi-factor authentication. All their devices are connected to an untrusted home network at a zero distance to possibly infected computers or IoT. All these factors force security personnel to change their methods and sometimes turn to Zero Trust radicalism.
With the advent of microservices, the growth of Shadow IT has intensified. Organizations do not have resources to equip legitimate workstations with antiviruses and tools for detecting and processing threats (EDR) and monitor this coverage. The dark corner of the infrastructure becomes a real ‘Hell’,
which does not provide any signals about information security events or infected objects. This area of uncertainty substantially hinders the response to emerging incidents.
For everyone who wants to understand what is happening with information security, SIEM has become a cornerstone. However, SIEM is not an all-seeing eye. The SIEM vertigo is also gone. SIEM, due to its resource and logical limits, sees only things that are sent to it by a limited number of sources, which are also prone to disconnection by hackers.
There has been an increase in the number of malicious installers that use legit utilities already located on the host: wmic.exe, rgsvr32.exe, hh.exe, and many others.
As a result, the process of installing a malicious program occurs in several iterations that integrate calls to legal utilities. So, automatic detection tools cannot always combine them into a chain of installation of a dangerous object into the system.
After gaining persistence on the infected workstation, attackers are very accurate about hiding their actions in the system. In particular, they ‘cleverly’ work with logging. For example, they do not just clean logs but redirect them to a temporary file, perform malicious actions and then return the log stream to the previous state. This way, they manage to avoid triggering the ‘Logfile cleared’ scenario on the SIEM.
Threat Intelligence cannot identify all C2 servers. For a targeted attack, a new infrastructure is formed with unique IPs that have not been used before. Malicious programs get constantly recompiled. Besides, one-off indicators of IoT attacks often end up in threat data streams \ feeds. In this case, the feed becomes useless.
The current state of network monitoring
Currently, organizations have several options for monitoring network activity. This may include NGFW or UTM with an IDS module and various events on network activity sent to SIEM.
In each of the options, the issue of performance is acute. In NGFW and UTM, due to the high load, the IDS module is often simply turned off. In addition, when discussing means of detecting attacks, we often mean signature analysis. However, modern attackers already know how to bypass such measures. On most Ransomware-as-a-Service platforms, this option is already included.
In the case of SIEM, which already processes a significant number of events per second from non-network sources, you often have to sacrifice some rules or multiply the cost of hardware resources.
These reasons lead us to the idea of the need for a separate solution for providing network monitoring and analysis both at the perimeter and inside different segments of the corporate network. The main areas of cybersecurity that need such a solution are attack detection and digital forensics.
Using open-source solutions for network monitoring
Today, there are at least three great open-source solutions that you can use for monitoring network activity.
- Intrusion Detection System (IDS) – Suricata is a high-performance IDS, IPS, and a network security monitoring engine. Suricata is developed by the Open Information Security Foundation (OISF) and its supporting vendors.
- Deep Packet Inspection (DPI) – Zeek is a traffic analysis and IDS platform primarily focused on tracking security events, but not limited to this. Different modules are provided for analyzing and parsing various network protocols of the application level that take into account the state of the connections and allow to form a detailed log (archive) of network activity. Users may use an object-oriented language to create monitoring scripts and detect anomalies, considering the specifics of their infrastructures. The system is optimized for usage in high bandwidth networks. An API is provided for integration with third-party systems and real-time data exchange.
- Full Packet Capture System – Arkime is able to parse and index billions of network sessions, providing an extremely fast and simple web application for navigating through vast collections of PCAP files, including IP, ASN, hostname, URL, etc. It can be used to monitor traffic in real-time. It can also be used as a network forensic tool in incident investigation.
Let us consider several examples where we can use these open-source tools.
Detecting malicious activity depends on the type of tools used by the attacker. Here are some examples.
- Known hacker utilities: These are, in particular, exploits for Windows RDP (like CVE-2019-0708, Blue Keep vulnerability), which is exploited in legitimate processes. SEIM events allow us to detect them only indirectly. However, if you use passing traffic analysis (Suricata), it is quite possible to identify the exploitation of known vulnerabilities
- Modified malware with its own protocols: To detect malware, you need to use algorithms for detecting hidden DNS, SMTP, HTTP, and ICMP tunnels, which attackers use to steal data, communicate between C&C servers and the agent, and also to hide their activity from protection tools. In addition to searching for hidden tunnels, the network monitoring system should be able to create and use its own algorithms for identifying similarities that are coupled with statistical methods, as it is done in Zeek.
- Remote administration tools (RAT) and control protocols – SSH, RDP: Often, attackers use legitimate remote administration utilities that are allowed in the system. There is also a need to control the use of VPN tunnels, proxy servers. TOR, instant messengers – everything that is usually prohibited by information security policies in large companies.
In addition to responding to computer attacks in real-time, there are still many obstacles in the investigation of cybersecurity incidents. Skilled attackers do not neglect to clear the logs and hide their actions in the victim’s infrastructure.
A new source of data is needed to investigate or validate existing hypotheses. And this source of data can often be found within network traffic. To conduct an investigation, you need a tool that can use existing PCAPs, can be quickly deployed in the customer’s infrastructure, accumulate all traffic passing through the network in advance, and quickly provide information about what was happening. This functionality is very conveniently implemented in Arkime.
In view of the problems described above, it becomes clear that tools of the EDR level (but of network nature – NDR) are needed to detect the actions of intruders inside the perimeter, which not only contain Suricata rules from the 90s but also meet modern requirements for threat detection, in-depth traffic analysis, data collection and storage for investigation and retrospective study.
Such a set of functions can be implemented by companies themselves by building a system based on the open-source solutions described here. Using the above-mentioned tools, it is possible to obtain functionality that is combined in a relatively new class of cybersecurity solutions called Network Traffic Analysis (NTA). Gartner calls this class of solutions one of the cornerstones of modern SOC, along with SIEM and EDR.
The implementation of the NTA system is a logical and natural process. However, it requires a high qualification of employees and management, which, given the increasing staff shortage, is often hard to achieve. The classic solution may be to obtain an NTA based on the MSSP model.