Security Monitoring: At Network or Host Level?
Today, to reach a decent security maturity, the keyword remains "visibility". There is nothing more frustrating than being blind about what's happening on a network or starting an investigation without any data (logs, events) to process. The question is: how to efficiently keep an eye on what's happening on your network? There are three key locations to collect data:
- The perimeter (firewalls, proxies, etc)
- Hosts (servers, endpoints)
- The network
Performing log collection at the perimeter sounds the bare minimum for many years but it's not sufficient (Example: How to detect lateral movement on your LAN?) and everybody agrees to say that the perimeter is gone for years.
You can deploy controls and collect information at the host level with tools like Sysmon[1], OSSEC[2] and many other end-points solutions. The problem is a constant fight between teams in big organizations. System admins are not always happy to deploy more and more agents. It also has a constraint in terms of management, upgrades, costs (license for a commercial product) and how do you handle people who bring their own device?
I'm more and more convinced that network monitoring is a key element today. Just by sniffing the traffic at critical exchange points in the network, you have full visibility and increase capacities to detect suspicious traffic. I'll give you two practical examples that I faced during the BruCON[3] security conference last week (where I'm involved in the NOC/SOC). Basically, the network is used by untrusted devices and people.
First, we had to track somebody based on a downloaded picture. We knew the timestamp and found corresponding pictures on the filesystem of the server. Based on the hash, we found the TCP flow corresponding to the download and finally the IP address assigned by DHCP, the device name and its MAC address. In less than 15 mins.
In the second example, somebody was testing some exploits on a laptop (an official test, nothing malicious). We were able to detect the call-back to the C2 (Cobalt-Strike). In this situation, you don't know what's happening on the end-point but you know that it is for sure compromized.
Even if today more and more traffic is encrypted, it is possible to detect suspicious activity just by having a look at the network flows. When they occur, how often, the size of transferred data, the destination, etc.
What was deployed:
- Zeek (Bro)
- Full packet capture
- Full logging of flows
- Transparent Proxy
- DHCP, DNS
- Extract of interesting files
- Splunk
Of course, network monitoring can be implemented only on networks that you control. You can't control devices that travel (like laptops). That's why, in a perfect world, you need both (network & host controls) but the amount of information that can be collected and analyzed on networks is amazing! If you are interested in this field, I recommend you the FOR572[4] training: "Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response".
[1] https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
[2] https://ossec.net
[3] https://brucon.org
[4] https://www.sans.org/course/advanced-network-forensics-threat-hunting-incident-response
Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key
Comments