Cyber Security Threat Hunting Using Network Performance Management Metrics
If you are familiar with Network Performance Management (NPM) metrics, you’ll recognize the following key performance indicators. But did you know that these same KPIs, along with many other metrics, are helpful for cyber security threat hunting?
- IP Addresses
- Typical Port and Protocol Usage
- HTTP Return Code Ratio
- Traffic Volume Metrics, and many more…
Threat hunting is what cyber security analysts do, but they need data sources that can't be compromised, such as full-fidelity network wire data or network flow data. Why network wire data? It is clean and consistent across the network. Attackers can manipulate logs and event sources and break through deployed security infrastructure, but they can't manipulate network packet/wire data.
Let’s focus on two key aspects of cyber security:
1. Threat Hunting: Proactive threat identification applies new intelligence to existing data to discover unknown incidents.
What you should be looking for: Threat intelligence often contains network-based indicators such as IP addresses, domain names, signatures, URLs, and more. When these are known, existing data stores can be reviewed to determine whether there were indications of the intel-informed activity that warrant further investigation.
2. Post-Incident Forensic Analysis: Reactive detection and response examines existing data to more fully understand a known incident.
What you should be looking for: Nearly every phase of an attack can include network activity. Understanding an attacker's actions during each phase can provide deep and valuable insight into their actions, intent, and capability.
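The retrospective review described under Threat Hunting, sweeping stored flow and DNS records for indicators from a newly received intelligence feed, looks like the following in practice. This is an added example, not code from the original article or from Riverbed; the flow records, DNS queries and indicator lists are constructed sample data (RFC 5737 documentation addresses and `.test` names), and the tuple layout is an assumption about how such records might be exported.

```python
from ipaddress import ip_address, ip_network

# Constructed sample flow records (not real data): (src, dst, dst_port, bytes).
# Addresses use RFC 5737 documentation ranges so they match nothing real.
FLOWS = [
    ("10.0.0.5", "198.51.100.7", 443, 18_400),
    ("10.0.0.9", "203.0.113.44", 8443, 2_100_000),
    ("10.0.0.5", "10.0.0.1", 53, 120),
]

# Constructed DNS query log: (client, queried name).
DNS_QUERIES = [
    ("10.0.0.5", "cdn.updates-example.test"),
    ("10.0.0.9", "login.bad-intel.test"),
    ("10.0.0.9", "mail.bad-intel.test"),
]

# Hypothetical indicator feed (constructed values). Real feeds carry many more
# indicator types (URLs, hashes, signatures); IPs and domains are shown here.
INTEL_IPS = ["203.0.113.0/24"]       # CIDR ranges or single addresses
INTEL_DOMAINS = ["bad-intel.test"]   # matches the domain and all its subdomains


def ip_matches(addr, indicators):
    """True if addr falls inside any indicator address or CIDR range."""
    a = ip_address(addr)
    return any(a in ip_network(i, strict=False) for i in indicators)


def domain_matches(name, indicators):
    """True if name equals an indicator domain or is a subdomain of one.

    The leading dot in the endswith() check prevents 'notbad-intel.test'
    from matching the indicator 'bad-intel.test'.
    """
    n = name.lower().rstrip(".")
    return any(n == d or n.endswith("." + d) for d in (i.lower() for i in indicators))


def sweep_flows(flows, ip_indicators):
    """Return stored flows whose source or destination is an intel IP."""
    return [f for f in flows
            if ip_matches(f[0], ip_indicators) or ip_matches(f[1], ip_indicators)]


def sweep_dns(queries, domain_indicators):
    """Return stored DNS queries for an intel domain or any of its subdomains."""
    return [q for q in queries if domain_matches(q[1], domain_indicators)]


if __name__ == "__main__":
    for flow in sweep_flows(FLOWS, INTEL_IPS):
        print("flow hit:", flow)
    for query in sweep_dns(DNS_QUERIES, INTEL_DOMAINS):
        print("dns hit:", query)
```

Each hit is only a starting point: the matched host, the volume moved and the timing of the flows are what the follow-up investigation actually examines.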
Why Threat Hunting is Important
No evidence of compromise does not mean evidence of no compromise. Attackers are always busy trying to avoid detection. You don't know today what you'll need to know tomorrow, so you need to investigate. If you are not putting telemetry in place, you don't have a recording of what's happening, which means you will not see who is doing what, with whom, and when.
If you have a Network Performance Management background and are not a professional threat hunter, then let’s start by describing the phases of an attack and how the attacker sees your network. There are seven specific phases of cyber attacks, several of which include network activity:
- Reconnaissance (recon) to know the target
- Scanning to find something attackable
- Gaining an initial point of compromise into the target network to create a foothold and use it for a pivot point for additional recon and scanning
- Pillaging the network for valuable resources (e.g., useful info, internal DNS, username enumeration, passwords, other attackable machines)
- Exploiting data to get resources (i.e., data exfiltration)
- Creating back doors to stay in the network, including creating listeners and/or backdoor C2 channels, installing software, maintaining persistent access
- Covering tracks by cleaning up logs, backing out of changes, and patching systems
You’ll notice many familiar KPIs related to network performance management. That’s because nearly every phase of a cyber attack can include network activity—which is why monitoring for traffic anomalies is a great starting point for threat hunting.
Here are a few examples of how Riverbed Unified Network Performance Management can help you leverage network KPIs for threat intelligence and hunting:
| Network Performance KPI | Data Source | Existing Usage | Threat Hunting Usage |
|---|---|---|---|
| Top-Talking IP Addresses | Full-Fidelity NetFlow | The list of hosts responsible for the highest volume of network communications in volume and/or connection count. Calculate this on a rolling daily/weekly/monthly/annual basis to account for periodic shifts in traffic patterns. | Unusually large spikes in traffic may suggest exfiltration activity, while spikes in connection attempts may suggest Command & Control activity. |
| Traffic Volume Metrics | Full-Fidelity NetFlow | Maintaining traffic metrics on time-of-day, day-of-week, day-of-month, and similar bases. | These identify normative traffic patterns, making deviations easier to spot and investigate. A sudden spike of traffic or connections during an overnight or weekend period (when there is typically little or no traffic) would be a clear anomaly of concern. |
| Top DNS Domains Queried | Network Wire Data & Full-Fidelity NetFlow | The most frequently queried second-level domains based on internal clients' request activity. | In general, the behaviors of a given environment don't drastically change on a day-to-day basis. Therefore, the top 500-700 domains queried on any given day should not differ too much from the top 1000 from the previous day. Any domain that rockets to the top of the list may suggest an event that requires attention, such as a new phishing campaign, C2 domain, or other anomaly. |
| Typical Port and Protocol Usage | Full-Fidelity NetFlow | The list of ports and corresponding protocols that account for the most communication in terms of volume and/or connection count. Calculate this on a daily/weekly/monthly/annual basis to account for periodic shifts in traffic patterns. | Similar to the purpose of tracking top-talking IP addresses, knowing the typical port and protocol usage enables quick identification of anomalies that should be further explored for potentially suspicious activity. |
| HTTP GET vs POST Ratio | Network Wire Data | The proportion of observed HTTP requests that use the GET, POST, or other methods. | This ratio establishes a typical activity profile for HTTP traffic. When it skews too far from the normal baseline, it may suggest brute-force logins, SQL injection attempts, server feature probing, or other suspicious/malicious activity. |
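The five KPIs in the table all reduce to the same pattern: build a baseline from existing flow or wire data, then compare new data against it. The following added example (not code from the article or from any Riverbed product) does that over constructed flow records, DNS query names and HTTP method samples. It generalizes the table's fixed figures: the top-N window sizes for the DNS comparison (the article's 500-700 today versus 1000 yesterday), the off-hours window and the GET-ratio tolerance are all parameters, and the record tuple layout is an assumption about how exported flows might look.

```python
from collections import Counter
from datetime import datetime

# Constructed flow records, not real traffic: (timestamp, src, dst, proto, dst_port, bytes).
# 2024-01-15 is a Monday; 2024-01-14 is a Sunday. Addresses are RFC 1918 / RFC 5737.
BASELINE_FLOWS = [
    (datetime(2024, 1, 15, 10, 5), "10.0.0.5", "10.0.1.20", "tcp", 443, 50_000),
    (datetime(2024, 1, 15, 10, 7), "10.0.0.7", "10.0.1.20", "tcp", 443, 30_000),
    (datetime(2024, 1, 15, 11, 0), "10.0.0.5", "10.0.0.1", "udp", 53, 2_000),
]
NEW_FLOWS = [
    (datetime(2024, 1, 15, 9, 0), "10.0.0.7", "10.0.1.20", "tcp", 443, 20_000),
    (datetime(2024, 1, 14, 2, 30), "10.0.0.9", "198.51.100.7", "tcp", 4444, 900_000),
]

# Constructed DNS query names (one list entry per query) and HTTP method samples.
DNS_YESTERDAY = ["corp-portal.example"] * 10 + ["updates.example"] * 4 + ["news.example"] * 2
DNS_TODAY = ["corp-portal.example"] * 9 + ["freshly-registered.example"] * 7 + ["updates.example"] * 3
HTTP_BASELINE = ["GET"] * 90 + ["POST"] * 10
HTTP_TODAY = ["GET"] * 40 + ["POST"] * 60


def top_talkers(flows, n=3):
    """Source hosts ranked by bytes sent (the 'top-talking IP addresses' KPI)."""
    bytes_by_src = Counter()
    for _, src, _, _, _, nbytes in flows:
        bytes_by_src[src] += nbytes
    return bytes_by_src.most_common(n)


def port_protocol_profile(flows):
    """Connection count per (proto, dst_port): the 'typical port and protocol usage' KPI."""
    return Counter((proto, dport) for _, _, _, proto, dport, _ in flows)


def unseen_services(baseline_profile, new_flows):
    """(proto, port) pairs present in new flows but absent from the baseline profile."""
    return sorted(set(port_protocol_profile(new_flows)) - set(baseline_profile))


def rising_domains(today, yesterday, top_today=5, top_yesterday=10):
    """Domains in today's top-N that were not in yesterday's (larger) top-M."""
    previous = {name for name, _ in Counter(yesterday).most_common(top_yesterday)}
    return [name for name, _ in Counter(today).most_common(top_today) if name not in previous]


def off_hours_flows(flows, start_hour=20, end_hour=6):
    """Flows on a weekend or overnight between start_hour and end_hour (traffic volume KPI)."""
    def is_off_hours(ts):
        return ts.weekday() >= 5 or ts.hour >= start_hour or ts.hour < end_hour
    return [f for f in flows if is_off_hours(f[0])]


def get_share(methods):
    """Fraction of requests using GET; 0.0 for an empty sample."""
    return methods.count("GET") / len(methods) if methods else 0.0


def method_ratio_deviates(baseline_methods, observed_methods, tolerance=0.2):
    """True when the GET share moved more than `tolerance` away from the baseline."""
    return abs(get_share(baseline_methods) - get_share(observed_methods)) > tolerance


if __name__ == "__main__":
    print("top talkers:", top_talkers(BASELINE_FLOWS))
    print("unseen services:", unseen_services(port_protocol_profile(BASELINE_FLOWS), NEW_FLOWS))
    print("rising domains:", rising_domains(DNS_TODAY, DNS_YESTERDAY, top_today=2, top_yesterday=2))
    print("off-hours flows:", off_hours_flows(NEW_FLOWS))
    print("HTTP ratio deviates:", method_ratio_deviates(HTTP_BASELINE, HTTP_TODAY))
```

In production the baseline inputs would be the rolling daily/weekly/monthly aggregates the table describes rather than a single day's flows, and each function's output is a candidate for investigation, not a verdict: a new (proto, port) pair is often a legitimately deployed service, which is exactly why the analyst reviews it.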
Network forensics is a critical component for most modern incident response and threat hunting work. Network data can provide decisive insight into the human or automated communications within a compromised environment. Network forensic analysis techniques can be used in a traditional forensic capacity as well as for continuous incident response/threat hunting operations.
What you really need is complete data so that threat hunting can be meaningful, not sampled data that retains only statistics. It's best to use Riverbed AppResponse and NetProfiler to start collecting full-fidelity network packet and network flow data for threat hunting.
Riverbed NetProfiler Advanced Security Module is a full-fidelity network flow solution that watches for changes in behavior. These changes could be new services on a sensitive host, connections to untrusted systems, or unexpected data movement. The network fingerprinting process creates a statistical profile of network connections to identify the abnormal sessions.
The threat hunting process is data- and time-intensive. Focus on filtering key assets, unique threat identifiers, or other known aspects in the search—these are great starting points for threat hunting!