Trends Over Time

Published: 2017-07-24
Last Updated: 2017-07-25 09:56:59 UTC
by Russell Eubanks (Version: 1)
8 comment(s)

The business goal of Critical Security Control #9: Limitation and Control of Network Ports is “To limit potential vulnerabilities on systems by limiting unauthorized ports, protocols, & services on systems”. Sounds totally reasonable and something everyone should systematically monitor in their respective environments. How can this be accomplished, especially if this has not been an area of focus?

 

One strategy is capturing data about the network traffic in order to develop and maintain a rolling trend over time. A specific area to focus on is the Top Ports that were targeted on a daily basis. This data will readily highlight trends that can be investigated and help detect changes in traffic that may or many not be “normal". This daily baseline, when added to the last 30 days worth of the same data can easily be to highlight and compare traffic patterns. What could this look like for your network? As a practical example, below is a visualization of data that has been sent to the Internet Storm Center. 

 

 

What have you found effective in your quest to actively monitor the Trends over Time in your environment? Please leave what works for you in our comments section below.

 

Russell Eubanks

ISC Handler

SANS Instructor

@russelleubanks

8 comment(s)

Comments

I reviewed the last 24 hours of activity on my firewall at home. The firewall sends logs to a Splunk instance I maintain. Only ssh is allowed. It's just your generic run o' the mill home account, nothing to draw any real attention.

DPT count
23 448
123 178
1433 124
22 104
5060 65
8080 37
2323 33
3389 31
53 20
161 14
81 12
33436 11
443 9
7547 8
21 7
2222 7
111 6
3306 6
3390 6
3392 6

Looking through CIS Control #9, well, the concepts there are something I've been working with for a long time. Providing publically accessible services is challenging when done correctly. There must be established processes for monitoring and maintenance. Creating a service and not paying any attention to it once has been published is irresponsible behavior.

There are many, many factors involved in maintaining public services. Looking at the increased inbound traffic is one component that might be used to establish potentially malicious activity, but it only one of the indicators that should be analyzed.

I've started writing where I was heading off in several different tangents, on which I could drone on forever. This is a topic that expands in many different directions.
First of all, I admire you for taking a look at this concept in your home network.

I agree with you that it is so easy to set things up and then forget about them, deciding to focus on the next “new thing”. The priority has to be on creating and then diligently monitoring our networks. Not every change is bad, however every change must be analyzed.

Thanks for supporting the ISC!
Russell
I work in infosec in the financial industry, and use my own test network for at least starting most of the project I am assigned. Lots of various tools/services running permanently. Netflow, SNMP, proxy logging, syslogs all are sent to Splunk in that network. I've been contemplating usig an docker ACS instance with an AD backend utilizing kerberos for my various devices/VMs. It's all in place, just need to tweak some of it and stop testing. SDN is part of the environment, but that's a long way from being rolled out as something I use in that environment. I have lots of data to analyze.

Using some flavor of an IDS/IPS (or some of the heuristic variants that integrate their own intelligence gathered from ?) can help. I'm not convinced the heuristic solutions are really any better than the signature based models. They seem to compliment one another well, but it takes deep pockets to acquire both, or even one depending on your flavor.

There are the SIEMs that provide all sorts of analytics, such as Splunk's Enterprise Security -- this magical super solution that you just plug in! Uhh...no, they're designed to take huge amounts of setup (or at least in my experience), which translates to big consulting hours. They're all like that. I'm mentioning Splunk as that's the one with which I have the most experience.

I suppose I'm a bit jaded by dealing with the vendors.

As far as SIEMs go, I hope that market provides a better solution sometime in the future, because I'm not terribly impressed with what I've seen up to this point.

Read a bit about Apache Metron within the last year or so. Seemed to have potential. Too many projects presently.

I liked the idea of Arcsight's CEF standard. Seems any vendor can puke out whatever they want in a log and you have to figure out how to sed/regex (fun!) it into something useful. A standard would be good, but that'll never happen.

Anyhow, proper information security is expensive. The people providing it are expensive, and the tools are expensive as well.
Very impressive home network setup that likely rivals many small businesses, devwatchdog! Thanks for supporting the ISC.
The only way i have found to sleep well while sshd daemon runs 24/7 is to require login by a certificate that has an alphanumeric (with punctuation) passphrase. The certs are changed regularly along with the passphrases. After some initial whining, people get used to the extra hassle.
I use my unrouted networks for that with flow monitoring.
The flows are classified by DST port
and by SRC port (to catch backscatter from DoS
with spoofed adresses from us)
Excellent discipline to regularly change the passphrases.
Sweet dreams and thanks for supporting the ISC!

Russell
Jens,

Like you, I have always been a fan of monitoring flow data to show these trends as well.
Thanks for supporting the ISC!

Russell

Diary Archives