SANS ISC: Network Traffic Analysis in Reverse

• SANS Site Network
  • Current Site
  • SANS Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

Most of the time, people focus on what is coming inbound toward their networks.  This is quite understandable as the threat is usually considered outside of our perimeter and trying to come into our networks.  However, looking at traffic in this fashion is sometimes very tedious. There is alot that can get lost in the noise, especially if the analysis is done at the network edge.  There is just so much "background noise" on the internet such as port scans, old malware lingering around, network probes, etc.  There is alot to filter through.

An interesting exercise is do an analysis on your outbound traffic.  Many organizations do not do good egress filtering.  If you have never done this, then do some trend analysis on your egress traffic only.  In all that noise of traffic destined toward your network, what you really want to know is did a system answer?  Do you really know where your internal systems connecting to?  On what ports?  Why?  

I am not saying that you shouldn't watch traffic destined for your network, but you should spend some quality time analyzing the traffic leaving your network.  I would expand this to include traffic flows between your internal systems.  If you have never done this, you might be surprised at what you find.