Putting an Attack Into Context
Network security monitoring can speed up analysis of an attack
November 28, 2007
5:44 PM -- Remember that investigation for one of my clients that I mentioned in my last post? It occurred to me during the investigative process just how valuable a full network security monitoring (NSM) solution would have been. NSM, a term made most popular by Richard Bejtlich’s books and blog, is a broad approach to analysis techniques that utilize information gained from IDS/IPS, network flow monitoring, firewall logs, captures of all network traffic, and more.
The goal of NSM is to provide the security analyst with the contextual information needed to make quick decisions about security incidents. For example, just because the IDS alerted you about an attack doesn’t mean the attack was successful. NSM provides the context around an attack -- to see how the victim responded to the attack, and if something suspicious followed the attack, like connections to normally unused ports.
In my client's case, I had several sources of information to deduce what happened, but not enough to perform the analysis as quickly as I could have with an NSM implementation. For example, I had network flow data showing source and destination IP addresses, ports, timestamps, protocol (TCP/UDP/ICMP), and amount of traffic. The IDS showed downloads that took place from the compromised server, but not the actual attack that compromised the server. There were also some logs from the compromised server, but they couldn’t be completely trusted. They were incomplete because the attacker’s rootkit turned off logging.
What would NSM have gained for me? Well, had this company implemented Sguil -- a popular, open-source NSM solution based on Snort -- I would have had full packet captures that would have shown the exact attack used against my client’s Web application. I could also have dissected the code that was injected into the Web application to see what effect it had on the server, because it would have been in the full packet captures.
All of this information would have been available whether or not an IDS signature had been triggered, making my analysis quicker and easier without having to work from assumptions based on experience.
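The context check described above (what did the victim do after the alert, and did it touch ports it normally doesn't?) can be approximated from flow records alone. The following is an added example, not code from the original column or from Sguil; the addresses, ports, alert and 30-minute window are constructed assumptions, and the flow fields are the ones listed earlier (timestamp, source, destination, port, protocol, bytes).

```python
from datetime import datetime, timedelta

# Constructed sample flows (documentation address ranges, not real incident data).
# Fields: timestamp, src IP, dst IP, dst port, protocol, bytes.
FLOWS = [
    ("2007-11-20 09:00:05", "198.51.100.7", "192.0.2.10", 80, "TCP", 4200),
    ("2007-11-20 09:30:12", "192.0.2.10", "192.0.2.53", 53, "UDP", 180),
    ("2007-11-20 10:15:00", "203.0.113.9", "192.0.2.10", 80, "TCP", 9100),  # alerted request
    ("2007-11-20 10:15:40", "192.0.2.10", "203.0.113.77", 6667, "TCP", 15000),
    ("2007-11-20 10:16:02", "203.0.113.9", "192.0.2.10", 31337, "TCP", 800),
    ("2007-11-20 10:20:00", "192.0.2.10", "192.0.2.53", 53, "UDP", 200),
    ("2007-11-20 12:00:00", "192.0.2.10", "203.0.113.77", 6667, "TCP", 300),
]
# Constructed IDS alert: time of the alert and the host it fired for.
ALERT = {"time": "2007-11-20 10:15:00", "victim": "192.0.2.10"}


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def service_key(flow, victim):
    """Reduce a flow to (direction relative to victim, protocol, dst port)."""
    _, src, _, dport, proto, _ = flow
    return ("out" if src == victim else "in", proto, dport)


def post_alert_context(flows, alert, window=timedelta(minutes=30)):
    """Return flows in the window after the alert that use a
    (direction, protocol, port) never seen for the victim before the alert."""
    victim, t0 = alert["victim"], parse(alert["time"])
    involving = [f for f in flows if victim in (f[1], f[2])]
    baseline = {service_key(f, victim) for f in involving if parse(f[0]) < t0}
    findings = []
    for f in involving:
        key = service_key(f, victim)
        if t0 < parse(f[0]) <= t0 + window and key not in baseline:
            peer = f[2] if f[1] == victim else f[1]
            findings.append((f[0], key, peer, f[5]))
    return findings


if __name__ == "__main__":
    for when, key, peer, nbytes in post_alert_context(FLOWS, ALERT):
        print(when, key, "peer", peer, "bytes", nbytes)
```

Flow data only shows that unusual connections followed the alert; confirming what was sent still requires the full packet captures discussed above.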
If you're not familiar with NSM and you're interested in it, take a look at Bejtlich's TaoSecurity blog and Sguil to learn more. Just be aware that for NSM to be truly useful in a large network with lots of traffic, you'll need equally large amounts of disk space to capture all traffic.
– John H. Sawyer is a security geek on the IT Security Team at the University of Florida. He enjoys taking long war walks on the beach and riding pwnies. When he's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading