Detection of and protection from advanced cyber-attacks can’t rely on perimeter defense or endpoint agents alone.
It’s important to analyse other data sources to corroborate the indicators found at endpoints and create further opportunities to detect stealthier attacks. Foremost among these other sources are log and network analyses.
To understand why network analysis is so important, first you have to understand how an attacker will try to infiltrate your organisation, why they need to use the target network, and what methods attackers will deploy. We can show this process using the cyber kill chain.
Unless they can gain physical access, an attacker’s only way in is through the target network.
Most advanced attacks share common phases of the cyber kill chain, such as the initial compromise or lateral movement to reach their objective.
Attacker activities in these phases create network traffic, leaving a footprint that can be used in hunt cases and network analysis. While network analysis on its own provides unique opportunities to find threats because of the distinct data types it draws on, combining it with endpoint and log analyses gives a full view of attacker movement along the cyber kill chain.
Cyber kill chain network activities
Each phase has a specific purpose and specific activities that can be individually identified. As such, defenses have been developed to monitor for malicious network use. But, as in all elements of cyber-attack, once a TTP is identified or becomes ineffective, attackers are forced to innovate.
Advanced persistent threats have become skilled at innovating TTPs that avoid detection and allow attackers to maintain persistence on a target’s network for multiple years. From a networking perspective, attackers have a number of techniques they can employ, for example:
- ‘Hiding in plain sight’ - using standard ports and protocols (HTTP(S), SSL/TLS, DNS). These ports are generally open at the network perimeter, and the volume of traffic through them is high. Attackers can attempt to blend in with normal traffic, which, given the typical volumes of legitimate traffic, makes detection more difficult. Further, encryption often hides the contents of the data streams, and with them the context surrounding those streams. Defenders therefore need to spot anomalies or common identifiers of malicious activity, such as beaconing or anomalous IP addresses and domain names.
- Using non-standard ports and protocols. Attackers run the risk that such ports may be closed, or bet that they will be less closely monitored. Much effort is expended using or creating protocols that are not quickly flagged as anomalous or identifiable as malicious. In the most extreme cases, advanced attackers will even find ways to misuse common protocols, such as hiding data inside seemingly innocent packets.
As attackers continue to iterate and improve their techniques, defenders must also continually hunt for threats. Threat hunters who know attackers' TTPs discover new attack paths that can then be remediated. Knowing the possible network movements and the bleeding-edge attacker TTPs builds the experience and intuition needed for effective threat hunting.
Supporting the hunt teams is the platform that ingests network data sources. Hunt teams will use the datasets and associated analyses that are relevant to their hunt cases. Network datasets and analysis can include the:
- number of inbound/outbound network connections
- duration of connections
- amount of data exchanged
- frequency and jitter of connections
- network flow data
- other network device logs: firewall/proxy logs
- packet analysis.
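As an added example (not code from the original article), the following script shows how the frequency and jitter of connections in flow data can be used to surface the beaconing mentioned above: flows are grouped per source, destination and port, and a group whose inter-connection intervals are nearly constant is flagged as a candidate beacon for a hunter to review. The flow records, IP addresses and thresholds are constructed for the illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (timestamp in seconds, src_ip, dst_ip, dst_port, bytes_out).
# 10.0.0.5 talks to 203.0.113.7:443 roughly once a minute (a periodic pattern);
# 10.0.0.8 browses 198.51.100.20:443 at irregular intervals; 10.0.0.9 has too few flows.
FLOWS = [
    (0, "10.0.0.5", "203.0.113.7", 443, 512),
    (61, "10.0.0.5", "203.0.113.7", 443, 498),
    (119, "10.0.0.5", "203.0.113.7", 443, 520),
    (181, "10.0.0.5", "203.0.113.7", 443, 505),
    (240, "10.0.0.5", "203.0.113.7", 443, 511),
    (299, "10.0.0.5", "203.0.113.7", 443, 507),
    (0, "10.0.0.8", "198.51.100.20", 443, 14000),
    (5, "10.0.0.8", "198.51.100.20", 443, 2300),
    (140, "10.0.0.8", "198.51.100.20", 443, 88000),
    (150, "10.0.0.8", "198.51.100.20", 443, 4100),
    (400, "10.0.0.8", "198.51.100.20", 443, 1200),
    (410, "10.0.0.8", "198.51.100.20", 443, 9700),
    (10, "10.0.0.9", "198.51.100.30", 80, 300),
    (20, "10.0.0.9", "198.51.100.30", 80, 310),
]


def group_flows(flows):
    """Group flow records by (src_ip, dst_ip, dst_port) so each conversation is scored on its own."""
    groups = defaultdict(list)
    for ts, src, dst, port, nbytes in flows:
        groups[(src, dst, port)].append((ts, nbytes))
    return groups


def beacon_score(timestamps, min_connections=4):
    """Return (mean interval, jitter) for a series of connection times, or None if too few flows.

    Jitter is the coefficient of variation of the gaps between consecutive connections:
    a value near 0 means the connections are almost perfectly periodic.
    """
    ts = sorted(timestamps)
    if len(ts) < min_connections:
        return None
    gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
    avg = mean(gaps)
    if avg == 0:
        return None
    return avg, pstdev(gaps) / avg


def find_beacons(flows, max_jitter=0.2, min_connections=4):
    """Flag conversations whose interval jitter is at or below max_jitter as candidate beacons."""
    candidates = []
    for key, records in group_flows(flows).items():
        score = beacon_score([ts for ts, _ in records], min_connections)
        if score is None:
            continue
        avg, jitter = score
        if jitter <= max_jitter:
            candidates.append({"conversation": key, "mean_interval": round(avg, 1),
                               "jitter": round(jitter, 3), "connections": len(records)})
    return candidates
```

A flagged conversation is a lead, not a verdict: legitimate software (update checks, monitoring agents) also beacons, so the hunter corroborates with proxy or firewall logs and the destination's reputation before escalating.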
Effective threat hunting is a strong defense against the evolving threat that persistent and well-resourced adversaries create. Continued effectiveness depends on knowing the different network indicators and varying attacker TTPs and building up the experience and intuition that successful threat hunters need.