When the seasons change in New England, there are distinct things you notice - such as the chill in the air as the leaves change in fall, to the rainy months of early spring. Most changes are anticipated, but as New England weather goes, you always expect the unexpected - you can just as easily get snow in April or have warm January days. Where I am going with this is in relation to Network Awareness, the ability to notice changes, additions, etc. from endpoints on your network - whether this is new ports, increased protocol activity, or just actively getting to know the hosts making use of your network.
Much like the weather in New England, the network activity of your hosts is at many times predictable, but there are also the numerous anomalies that appear every day - hosts that shouldn't be running a web server, or increased activity from an IP address. Alerting on, and profiling these anomalies, is what I am getting at with this Network Awareness approach. Basically, utilizing existing tools (nessus, nmap, p0f, etc.), with storage (mysql, text, etc.), and custom tools (perl, c, etc.) to build profiles, notice trends, and generate alerts.
Maybe there are open source tools already in the this space (do you know of any?), but it also is a task that benefits from the flexibility of a home-grown process - as each network and set of endpoints is so vastly different nowadays.
Things of interest (have any others?):
* Build profiles and store all interesting events in a database, both for maintaining history, state, and future correlations
* Analyze various sources of data for various types of items
* Sources of Data:
- nessus: both for assessing and verifying compliance, provides a baseline
- nmap: actively profile port openings and OS detection
- p0f: passively identify OS
- tshark: for traffic profiling and statistics
- pads: passively noticing new services offered
- argus: counting hosts, ports, traffic, etc.
- various others, including netics or fl0p
- custom: for mining logs, running comparisons, etc.
- tcp and udp ports
- ip addresses
- services offered on those ports
- identifying operating system usage
- traffic patterns
- establishing normal usage profiles on traffic, endpoints, and potentially users of those endpoints
This is not an idea based on real-time alerting or analysis, but a crunching of various data to cast a light over areas that deserve attention or investigation. I guess the operative word here is change. Change can be good, especially when making improvements, but in our context, we are looking for those changes that indicate something unauthorized or outside the scope of a security policy. Services and people many times operate in a set pattern with noticeable characteristics...let's find the anomalies.
No comments:
Post a Comment