Network evidence overview

In Chapter 4, Collecting Network Evidence, there was a focus on the various sources of evidence that network devices produce. Most of this evidence is contained within the variety of log files produced by switches, routers, and firewalls. Depending on the type of environment that responders find themselves in, this evidence source can be augmented with NetFlow data and full packet captures.

Once the various sources are understood, it is important to then focus on what logs, NetFlow, and packet captures can tell us about an incident. The following are several areas of focus where proper logging and evidence collection may provide additional context surrounding an incident, as well as potential data points when deriving root cause:

  • Reconnaissance and scanning behavior: Adversaries have a plethora of tools available to automate scanning of perimeter devices such as firewalls and routers. These scanners attempt to ascertain open ports, vulnerabilities, or exposed services such as Secure Shell (SSH) that can be attacked. These scans do leave a trace, as they require connections to the devices. Depending on the level of logging and the retention period, responders may be able to identify the external infrastructure that is attempting to compromise the perimeter systems.
  • Initial infection: Adversaries have become very sophisticated in compromising systems. They will often make use of multi-stage exploits and malware, where the first stage calls out to external infrastructure through a URL and downloads additional exploits or payloads. Web proxies and firewalls may have connection data in their log files that records this activity.
  • Lateral movement: Once inside a network, adversaries will often attempt to conduct internal reconnaissance, exploit other systems, and move data around. NetFlow records, which show which internal hosts talked to which others and on what ports, provide insight into this type of behavior.
  • Command and control: Once a foothold is established in the network, adversaries require the ability to maintain control over compromised systems. Logs, packet captures, and NetFlow data may be leveraged to identify this type of behavior, for example repeated connections from an internal host to the same external address at regular intervals.
  • Data exfiltration: One of the goals of an adversary may be the compromise and exfiltration of data. Proxy logs may identify the destination of such data. NetFlow may show the volume of data flowing from internal systems to external systems. Finally, packet captures may be leveraged to identify the exfiltrated files themselves, the source of the data, and the destination.
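The following is an added example, not code from the book, showing how the four NetFlow-visible behaviors above (scanning, lateral movement, command and control, and exfiltration) can be surfaced from flow records with simple thresholds. The flow records, hosts, addresses (documentation ranges only), thresholds, and the assumed internal range 10.0.0.0/8 are all constructed for the illustration; tune the thresholds to your own environment before using the logic on real exports.

```python
"""Triage of constructed NetFlow-style records for the behaviors listed above.

Added example; the records, hosts and thresholds are made up, not from the
book. Each record mimics a flattened flow export: start time (epoch seconds),
source, source port, destination, destination port, protocol, byte count.
"""
import ipaddress
import statistics
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed corporate range
ADMIN_PORTS = {22, 135, 139, 445, 3389, 5985, 5986}  # remote admin / SMB


def flow(t, src, sport, dst, dport, proto="tcp", nbytes=500):
    return {"t": t, "src": src, "sport": sport, "dst": dst,
            "dport": dport, "proto": proto, "bytes": nbytes}


# Constructed sample flows (not real captures).
SAMPLE_FLOWS = (
    # Reconnaissance: one external host probing 12 ports on a perimeter box
    [flow(1700000000 + i, "198.51.100.7", 51000 + i, "10.0.1.5", p, nbytes=60)
     for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389])]
    # Lateral movement: a workstation reaching SMB on six internal servers
    + [flow(1700000600 + i * 5, "10.0.1.20", 49000 + i, f"10.0.2.{10 + i}", 445, nbytes=4096)
       for i in range(6)]
    # Command and control: the same workstation calling out every 60 seconds
    + [flow(1700001000 + i * 60, "10.0.1.20", 50000 + i, "203.0.113.9", 443, nbytes=900)
       for i in range(6)]
    # Exfiltration: one large outbound transfer to a second external host
    + [flow(1700002000, "10.0.1.20", 50100, "203.0.113.44", 443, nbytes=120_000_000)]
    # Benign browsing at irregular intervals, for contrast
    + [flow(t, "10.0.1.8", 52000 + i, "93.184.216.34", 443, nbytes=20_000 + i)
       for i, t in enumerate([1700000000, 1700000047, 1700000410, 1700002003])]
)


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL


def find_port_scans(flows, min_ports=10):
    """External sources touching many distinct ports on one internal host."""
    ports = defaultdict(set)
    for f in flows:
        if not is_internal(f["src"]) and is_internal(f["dst"]):
            ports[(f["src"], f["dst"])].add(f["dport"])
    return {k: len(v) for k, v in ports.items() if len(v) >= min_ports}


def find_lateral_movement(flows, min_hosts=5):
    """Internal hosts fanning out to many other internal hosts on admin ports."""
    targets = defaultdict(set)
    for f in flows:
        if is_internal(f["src"]) and is_internal(f["dst"]) and f["dport"] in ADMIN_PORTS:
            targets[f["src"]].add(f["dst"])
    return {src: sorted(hosts) for src, hosts in targets.items() if len(hosts) >= min_hosts}


def find_beacons(flows, min_flows=5, max_jitter=0.2):
    """Internal-to-external connections repeating at near-constant intervals.

    Returns the mean interval in seconds per (src, dst, dport) whose
    inter-arrival times vary by no more than max_jitter of the mean.
    """
    times = defaultdict(list)
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            times[(f["src"], f["dst"], f["dport"])].append(f["t"])
    hits = {}
    for key, ts in times.items():
        if len(ts) < min_flows:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            hits[key] = round(mean)
    return hits


def find_exfiltration(flows, min_bytes=50_000_000):
    """Outbound byte volume per internal source and external destination."""
    volume = defaultdict(int)
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            volume[(f["src"], f["dst"])] += f["bytes"]
    return {k: v for k, v in volume.items() if v >= min_bytes}


if __name__ == "__main__":
    print("scans   :", find_port_scans(SAMPLE_FLOWS))
    print("lateral :", find_lateral_movement(SAMPLE_FLOWS))
    print("beacons :", find_beacons(SAMPLE_FLOWS))
    print("exfil   :", find_exfiltration(SAMPLE_FLOWS))
```

Note what the flow data cannot answer: the exfiltration check reports that roughly 120 MB left 10.0.1.20 for 203.0.113.44, but not which files were sent. Confirming the content of that transfer requires a packet capture covering the same window, which is the difference between the three evidence types described in the next paragraph.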

In Chapter 4, Collecting Network Evidence, there was a discussion on the three main types of network evidence that can be leveraged in an incident. It is often hard for responders who do not have a background in network traffic to understand how these types differ. Think about network traffic as a letter that is sent from one individual to another. Log data records the sender's and receiver's address and mailbox number at a central location, such as the local post office; this is akin to the source and destination IP addresses and ports. NetFlow records much of the same information about the letter, but can also tell the individual the weight or relative size of the letter, along with the sender's and receiver's address and mailbox number. Finally, a packet capture provides all the same information obtained through logs and NetFlow, but will also tell the individual the contents of the letter, including (as long as it is not encrypted) the actual data contained.

Identifying a root cause with network evidence is largely dependent on the evidence itself. One major drawback to evidence such as packet captures and log files is the sheer volume of data that normal network operations create. Often, an incident is identified days or even weeks after it has occurred. During the intervening period, these log files and packet captures may have been overwritten or aged out of retention and are no longer available. It is therefore incumbent on responders to understand fully what their organization's capabilities are in regard to network evidence, including what is collected and for how long it is kept.
