As hackers adapt and evolve their attacks, and regulations such as GDPR raise the stakes when it comes to handling security incidents, IR (Incident Response) is rapidly increasing in importance. Recent research suggests that the global incident response market will be worth $33.76 billion dollars by 2023.
When responding to an incident, typically consulted sources of information include logs (syslog, Windows events, firewall logs, etc.), digital forensics (dead drive acquisition, live acquisition, RAM dumps, etc.) and basic flow-based traffic analysis. However, while useful, these methods do not reveal the true content of the communications between devices on a network. To see this, we need to examine each packet traversing the network - payload and all.
Whether dealing with an attack from a third party or unauthorised exfiltration by a disgruntled or oblivious employee, the network will be the medium via which the damage is done. As such, an integral part of incident response is to understand what is happening, or has already happened, on your network.
However, most traditional forms of security or auditing are endpoint-centric. This introduces a few issues.
The first is that in the event of compromise, trust in the affected system is diminished. As an example, an investigator may wish to examine event logs on the compromised machine, however, clearing these logs, or manipulating them, is common practice for hackers. Tools like Metasploit have intrinsic commands that will eliminate these logs (clearev).
Secondly, endpoint-centric approaches often will only work where the device in question is under the full control of IT. Due to the proliferation of BYOD devices and the possibility of incursions by unauthorised devices, not all devices on your network will necessarily be monitored by such software.
However, regardless of the device involved, if the activities of the compromised machine include the transmission of data across the network then a record of network activity related to that machine is obtainable, and may be key in a subsequent investigation.
So what type of information can we glean from the network traffic? During an attack we may expect to see traffic encompassing denial of service attacks, remote exploitation, data exfiltration, C2 (command & control), lateral movement attempts, etc..
Below we can see a classic example with a DNS tunnel. Here we can see that Corvil has identified a number of features about this DNS traffic which have caused it to stand out. These include a low TTL (Time to Live ) value, an apparently random domain that could suggest some sort of domain generation or encoding, and finally an explicit detection based on known patterns which suggest that this may in fact be a Iodine DNS tunnel.
Do we need to capture and/or analyse the entire packet? What about using NetFlow? While NetFlow has its uses and is relatively lightweight; NetFlow only records who’s talking, not what’s being said. Thus, NetFlow records are denuded of the sort of detail regarding traffic content which can be important when investigating or responding to an incident.
Below we can see an example the advantages gleaned from having a deeper insight into what’s actually traversing a network. Beyond simply knowing that a connection has been formed between two endpoints, looking at a specific HTTP connection we can see specifically that the infamous mimikatz application has been spotted amongst the transmitted data.
As 451 Research said:
Raw network traffic provides insights for applied behavioral analysis and protection from cyber-threats that cannot be found in netflow or activity logs. Enterprises are embracing products such as Corvil that perform real-time deep content inspection and analysis of enriched packet data as key elements of an effective security strategy.
Once you’ve identified a potential source for an issue in your environment, what then?
As with any investigation, you’ll want to corroborate your findings and look for additional insights into what is happening on a given device.
Corvil’s action framework facilitates integration with products like Carbon Black, allowing a security analyst to investigate the processes on the compromised machine related to identified network traffic.
You’ll also wish to hamper the efforts of the attacker, minimizing the potential havoc they may wreak within your environment.
Corvil’s integration with products like Palo Alto Networks firewalls, allows a security analyst to quickly and intuitively block a device (local or remote) from continuing the attack.
When dealing with an incident, being able to detect quickly survey your entire environment to detect evidence of compromise in a timely and accurate manner is key. While traditional endpoint-centric software still plays a vital role, once a device has been compromised we can no longer always rely on such solutions, and interloping devices will be completely opaque to such techniques.
Key to effective Incident Response is effectively and thoroughly investigating to determine the impact and extent of a breach so that it can be effectively remediated. This is among the most time consuming and challenging aspects of a SOC Analyst’s role. Incomplete or inconclusive investigations resulting from shallow or non-canonical data sources are commonplace, demanding deeper insights, which can be delivered through network traffic payload analysis.If you would like to learn how Corvil can help you keep track of what's in your environment, please Schedule a Demo or Contact Us.