The network is the path attackers take to reach target systems. This path has two parts: the paths inside the organization, and the interface that faces the outside of the organization. Network connections between devices on the organization's external interface and network connections between devices inside the organization are both critical for detecting and preventing attacks. In this article, we discuss which sources SOC analysts can use to collect information about network connections. There are many network-related log sources; we do not list all of them, only the most common.
- Why Network Information for the Analyst
- Networks and Their Place Within IT
- Network Log Sources
- Network Security Devices Logs
- Web Server Logs
- Forensics Artifacts
Why Network Information for the Analyst
SOC analysts should analyze network flows when detecting and responding to attacks, because in IT infrastructure the network is the communication between devices. For an attacker to attempt to infiltrate a system, in most cases he/she must first connect to the target system over the network.
Networks and Their Place Within IT
A network is the logical structure in which at least two devices are connected to each other. Today there are small or large networks almost everywhere people use devices, including our home environments. As the number of devices grows, networks become larger, and networks in the IT sector are generally large. As a network grows, its attack vectors and attack surface grow with it. Networks are essential for carrying out activities in the IT sector, so securing the network is very important in order not to hinder those activities.
Network Log Sources
Network Device Logs
Network devices can be targeted by attackers because devices such as routers and switches route packets. If an attacker interferes with the management of such a device and changes its existing lists (such as its access lists), the course and effect of the attack can change. It is useful to check the lists on network devices regularly to detect such situations. In addition, if the device produces logs, those records should also be examined.
Linux Firewall Logs
UFW (Uncomplicated Firewall) is a firewall tool that lets us manage ports and firewall rules from both the console and a GUI (graphical interface). It is installed on Linux systems but must be enabled. It works just like other firewall software. When analyzing Linux systems, the Linux firewall logs should be examined.
Server Message Block (SMB) Logs
Server Message Block (SMB) is a network protocol that enables communication between server and client. It provides access to shared files, network communication, printer sharing, and various other connections. SMB connections are used frequently on Windows systems, and their importance is especially noticeable in domain environments. Because the SMB protocol is an important source of vulnerabilities for attackers, analysts on the defensive side need to watch it carefully. SMB protocol logs should therefore be examined with high priority.
Windows Firewall Logs
Windows Firewall is firewall software developed by Microsoft that comes installed with the operating system. It can filter incoming and outgoing traffic, and this filtering is configured through rules. Windows Firewall logs are one of the resources that can be examined for network activity.
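Both the UFW section and the Windows Firewall section above say the logs should be examined; the following added example (not code from the original article) shows what that examination looks like in practice. It parses UFW's netfilter-style `[UFW BLOCK] IN=... SRC=... DPT=...` lines and the W3C-style `pfirewall.log` that Windows Firewall writes, normalizes both into one record shape, and summarizes blocked inbound connections per source address. All log lines are constructed samples; the file paths and field layouts are the default ones for each tool.

```python
"""Parse UFW (Linux) and Windows Firewall log entries into one record shape and
summarise blocked inbound connections per source address.
Added example; all log lines below are constructed."""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional

# UFW log lines (typically /var/log/ufw.log) carry a "[UFW ACTION]" tag followed by
# netfilter's KEY=VALUE fields (IN, OUT, SRC, DST, PROTO, SPT, DPT, ...).
UFW_RE = re.compile(r"\[UFW (?P<action>[A-Z ]+?)\]\s+(?P<kv>.*)$")

def parse_ufw_line(line: str) -> Optional[Dict[str, str]]:
    """Return a normalised record for one UFW line, or None for non-UFW lines."""
    m = UFW_RE.search(line)
    if not m:
        return None
    # Tokens without "=" (DF, SYN, ...) are flags and are skipped.
    fields = dict(tok.split("=", 1) for tok in m.group("kv").split() if "=" in tok)
    return {
        "source": "ufw",
        "action": m.group("action").strip(),          # BLOCK, ALLOW, AUDIT
        "proto": fields.get("PROTO", ""),
        "src": fields.get("SRC", ""),
        "dst": fields.get("DST", ""),
        "sport": fields.get("SPT", "-"),
        "dport": fields.get("DPT", "-"),
        # netfilter fills IN= for packets arriving on an interface, OUT= for leaving ones
        "direction": "in" if fields.get("IN") else "out",
    }

def parse_windows_fw_log(text: str) -> List[Dict[str, str]]:
    """Parse a pfirewall.log export; the '#Fields:' header names the columns."""
    columns: Optional[List[str]] = None
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            columns = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#") or columns is None:
            continue
        row = dict(zip(columns, line.split()))
        records.append({
            "source": "windows",
            "action": row.get("action", ""),           # ALLOW or DROP
            "proto": row.get("protocol", ""),
            "src": row.get("src-ip", ""),
            "dst": row.get("dst-ip", ""),
            "sport": row.get("src-port", "-"),
            "dport": row.get("dst-port", "-"),
            # 'path' is RECEIVE for inbound and SEND for outbound packets
            "direction": "in" if row.get("path") == "RECEIVE" else "out",
        })
    return records

BLOCKED = {"BLOCK", "DROP"}

def blocked_inbound_summary(records: List[Dict[str, str]]) -> Dict[str, Dict[str, object]]:
    """Count blocked inbound packets per source and list the destination ports it touched."""
    counts: Counter = Counter()
    ports: Dict[str, set] = defaultdict(set)
    for r in records:
        if r["action"] in BLOCKED and r["direction"] == "in":
            counts[r["src"]] += 1
            ports[r["src"]].add(r["dport"])
    def port_key(p: str):                      # numeric ports first, "-" (ICMP) last
        return (not p.isdigit(), int(p) if p.isdigit() else 0)
    return {src: {"count": n, "ports": sorted(ports[src], key=port_key)} for src, n in counts.items()}

# Constructed sample lines (addresses taken from documentation ranges).
UFW_SAMPLE = """\
Jan 15 10:21:55 host kernel: [1234.5678] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=41234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 15 10:21:56 host kernel: [1234.6789] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=41235 DPT=3389 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 15 10:22:10 host kernel: [1248.0001] [UFW ALLOW] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.9 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=50000 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 15 10:22:11 host sshd[999]: Accepted publickey for ops from 10.0.0.9 port 50001 ssh2
"""

WINDOWS_SAMPLE = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-01-15 10:22:01 DROP TCP 203.0.113.7 10.0.0.25 51234 445 52 S 1234567 0 8192 - - - RECEIVE
2024-01-15 10:22:02 DROP TCP 203.0.113.7 10.0.0.25 51235 3389 52 S 1234568 0 8192 - - - RECEIVE
2024-01-15 10:22:03 ALLOW TCP 10.0.0.25 10.0.0.40 49800 445 52 S 1234569 0 8192 - - - SEND
"""

def load_samples() -> List[Dict[str, str]]:
    """Parse both constructed samples into one list of normalised records."""
    ufw = [r for r in map(parse_ufw_line, UFW_SAMPLE.splitlines()) if r]
    return ufw + parse_windows_fw_log(WINDOWS_SAMPLE)

if __name__ == "__main__":
    for src, info in blocked_inbound_summary(load_samples()).items():
        print(f"{src}: {info['count']} blocked inbound, ports {info['ports']}")
```

Normalizing both sources into the same record shape is the point: once Linux and Windows firewall entries share field names, one query answers "which external address touched the most hosts and ports" across the whole estate, and a source that is blocked on one host and allowed on another stands out immediately.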
Network Security Devices Logs
Intrusion Detection and Prevention System (IDS/IPS) Logs
Intrusion detection and prevention (IDS/IPS) devices placed inside the organization or on its external interface record information about the violations they encounter. Examining these logs may reveal the type of attack and some of the network movements related to it.
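As an added example (not part of the original article), the snippet below triages IDS/IPS alerts in the form described above. It assumes Suricata's EVE JSON layout, one JSON object per line with `event_type`, `src_ip`, `dest_ip` and an `alert` object carrying `signature`, `severity` and `action`; the events, signature names and signature IDs are constructed. Non-alert events (flow, dns) and malformed lines are skipped, alerts are grouped by source and signature, and the result is ranked by severity, with a count of how many were actually blocked so the analyst can tell an IPS that stopped the traffic from an IDS that only observed it.

```python
"""Triage Suricata-style EVE JSON alerts: keep 'alert' events, group by source and
signature, and rank by severity and volume.
Added example; field names follow Suricata's EVE JSON, sample events are constructed."""
import json
from typing import Dict, List, Tuple

EVE_SAMPLE = """\
{"timestamp":"2024-01-15T10:23:11.000001+0000","event_type":"flow","src_ip":"10.0.0.9","dest_ip":"10.0.0.5","proto":"TCP"}
{"timestamp":"2024-01-15T10:23:12.000001+0000","event_type":"alert","src_ip":"203.0.113.7","src_port":41234,"dest_ip":"10.0.0.5","dest_port":22,"proto":"TCP","alert":{"action":"allowed","signature_id":9000001,"signature":"EXAMPLE Inbound SSH scan","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2024-01-15T10:23:13.000001+0000","event_type":"alert","src_ip":"203.0.113.7","src_port":41235,"dest_ip":"10.0.0.6","dest_port":22,"proto":"TCP","alert":{"action":"allowed","signature_id":9000001,"signature":"EXAMPLE Inbound SSH scan","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2024-01-15T10:24:40.000001+0000","event_type":"alert","src_ip":"10.0.0.25","src_port":49801,"dest_ip":"198.51.100.10","dest_port":443,"proto":"TCP","alert":{"action":"blocked","signature_id":9000002,"signature":"EXAMPLE Known C2 beacon","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2024-01-15T10:25:00.000001+0000","event_type":"dns","src_ip":"10.0.0.25","dest_ip":"10.0.0.2","proto":"UDP","dns":{"type":"query","rrname":"example.invalid","rrtype":"A"}}
this line is not JSON and should be skipped
"""

def load_alerts(text: str) -> List[dict]:
    """Return only 'alert' events; malformed lines and other event types are skipped."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue                      # truncated or non-JSON line: skip, do not abort
        if ev.get("event_type") == "alert" and "alert" in ev:
            alerts.append(ev)
    return alerts

def triage(alerts: List[dict]) -> List[Dict[str, object]]:
    """Group alerts by (src_ip, signature); sort by severity (1 = highest), then by volume."""
    groups: Dict[Tuple[str, str], Dict[str, object]] = {}
    for ev in alerts:
        sig = ev["alert"]["signature"]
        key = (ev["src_ip"], sig)
        g = groups.setdefault(key, {
            "src_ip": ev["src_ip"], "signature": sig,
            "severity": ev["alert"]["severity"], "count": 0,
            "targets": set(), "blocked": 0,
        })
        g["count"] += 1
        g["targets"].add(f'{ev["dest_ip"]}:{ev.get("dest_port", "")}')
        # "blocked" means the sensor acted as an IPS; "allowed" means it only observed.
        if ev["alert"].get("action") == "blocked":
            g["blocked"] += 1
    rows = [{**g, "targets": sorted(g["targets"])} for g in groups.values()]
    rows.sort(key=lambda g: (g["severity"], -g["count"]))
    return rows

if __name__ == "__main__":
    for row in triage(load_alerts(EVE_SAMPLE)):
        print(f'sev {row["severity"]} x{row["count"]} ({row["blocked"]} blocked) '
              f'{row["src_ip"]} -> {row["targets"]}: {row["signature"]}')
```

Grouping by source and signature turns two hundred identical scan alerts into one line with a target list, which is what reveals the "network movements" the article refers to: one external source probing several internal hosts on the same port, or one internal host repeatedly reaching the same external address.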
Network Firewall Logs
Hardware firewall devices are where attacks on the institution are first met and where packets are filtered according to defined rules. They can be placed on the external side of the organization, or used inside it to perform network segmentation and secure the segments. In both cases, the attacker's network movements may be detectable in the logs of these devices, which makes them one of the points that must be examined.
Web Application Firewall (WAF) Logs
A WAF is a firewall placed in front of web applications to counter threats that occur at the application layer. Its logs can contain important records of application-level attacks.
Web Server Logs
Apache is open-source web server software that is free to use. It is widely used in the IT industry, and is often preferred because it runs on both Unix and Windows servers. Apache records access logs of the requests it receives and also keeps error logs. These logs must be examined in order to see external threats to the web server.
IIS (Internet Information Services) is a web server developed by Microsoft and bundled with Windows systems. Microsoft has developed and used it for a long time. Considering its use in the IT sector, it can be said to be quite common. In order to see the attacks and violations attempted against an IIS web server, the IIS logs must be examined.
Nginx is web server software with much higher performance: it is faster and consumes fewer resources than its competitors. Because it is widely preferred and used, many attacks are developed against this web server. To view and analyze these attacks, the web server logs should be handled and examined just as with the Apache and IIS web servers.
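The three web server sections above all end with "examine the logs"; this added example (not code from the original article) shows one concrete examination. It parses the Apache/Nginx `combined` access-log format (Nginx's default `combined` format matches Apache's) and the default IIS W3C field list into one record shape, then flags clients that collected many 4xx responses across many distinct paths, which is the typical footprint of automated probing. The log lines, addresses and paths are constructed samples.

```python
"""Parse Apache/Nginx combined-format access logs and IIS W3C logs into one record
shape, then flag clients whose request pattern looks like automated probing.
Added example; all log lines are constructed."""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Apache/Nginx "combined" LogFormat:
# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED_RE = re.compile(
    r'(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

def parse_combined_line(line: str) -> Optional[Dict[str, object]]:
    """Apache/Nginx combined format; returns None for lines that do not match."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    parts = m.group("request").split()
    # A malformed request line ("-" or a bare method) still yields a record.
    method, path = (parts[0], parts[1]) if len(parts) >= 2 else ("-", m.group("request"))
    return {"client": m.group("client"), "method": method, "path": path,
            "status": int(m.group("status")), "agent": m.group("agent")}

def parse_iis_log(text: str) -> List[Dict[str, object]]:
    """IIS W3C format; the '#Fields:' line defines column order, '-' means empty,
    and IIS writes spaces inside the User-Agent as '+'."""
    columns: Optional[List[str]] = None
    records: List[Dict[str, object]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            columns = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#") or columns is None:
            continue
        row = dict(zip(columns, line.split()))
        records.append({"client": row.get("c-ip", "-"), "method": row.get("cs-method", "-"),
                        "path": row.get("cs-uri-stem", "-"), "status": int(row.get("sc-status", "0")),
                        "agent": row.get("cs(User-Agent)", "-").replace("+", " ")})
    return records

def probe_candidates(records: List[Dict[str, object]], min_errors: int = 3,
                     min_paths: int = 3) -> Dict[str, Dict[str, object]]:
    """Clients with >= min_errors 4xx responses spread over >= min_paths distinct paths."""
    stats = defaultdict(lambda: {"requests": 0, "errors": 0, "paths": set()})
    for r in records:
        s = stats[r["client"]]
        s["requests"] += 1
        if 400 <= r["status"] < 500:
            s["errors"] += 1
            s["paths"].add(r["path"])
    return {c: {"requests": s["requests"], "errors": s["errors"], "paths": sorted(s["paths"])}
            for c, s in stats.items()
            if s["errors"] >= min_errors and len(s["paths"]) >= min_paths}

# Constructed samples: one probing client, one ordinary user who hit a single missing file.
APACHE_SAMPLE = """\
203.0.113.7 - - [15/Jan/2024:10:30:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 196 "-" "Mozilla/5.0 (compatible; scanner)"
203.0.113.7 - - [15/Jan/2024:10:30:02 +0000] "GET /backup.zip HTTP/1.1" 404 196 "-" "Mozilla/5.0 (compatible; scanner)"
203.0.113.7 - - [15/Jan/2024:10:30:03 +0000] "GET /admin/ HTTP/1.1" 404 196 "-" "Mozilla/5.0 (compatible; scanner)"
10.0.0.9 - alice [15/Jan/2024:10:31:00 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
10.0.0.9 - alice [15/Jan/2024:10:31:05 +0000] "GET /missing.png HTTP/1.1" 404 196 "http://intranet/index.html" "Mozilla/5.0"
"""

IIS_SAMPLE = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2024-01-15 10:32:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-01-15 10:32:01 10.0.0.30 GET /admin/ - 80 - 203.0.113.7 Mozilla/5.0+(compatible;+scanner) - 404 0 2 15
2024-01-15 10:32:02 10.0.0.30 GET /backup.zip - 80 - 203.0.113.7 Mozilla/5.0+(compatible;+scanner) - 404 0 2 12
2024-01-15 10:32:03 10.0.0.30 GET /phpmyadmin/ - 80 - 203.0.113.7 Mozilla/5.0+(compatible;+scanner) - 404 0 2 11
2024-01-15 10:33:00 10.0.0.30 GET /default.htm - 80 - 10.0.0.9 Mozilla/5.0 - 200 0 0 8
"""

def load_samples() -> List[Dict[str, object]]:
    apache = [r for r in map(parse_combined_line, APACHE_SAMPLE.splitlines()) if r]
    return apache + parse_iis_log(IIS_SAMPLE)

if __name__ == "__main__":
    for client, info in probe_candidates(load_samples()).items():
        print(f"{client}: {info['errors']}/{info['requests']} errors on {info['paths']}")
```

The threshold pair (`min_errors`, `min_paths`) matters: a single user who follows one broken link produces several 404s on one path and must not be flagged, while a scanner produces a few 404s each on many different paths. Tune both against a day of normal traffic before alerting on them.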
Forensics Artifacts
Browser History and Cache
A browser is software in which web pages are viewed. Since an attacker can use the browser on a compromised system, potentially important items such as the addresses visited in the browser should be examined during analysis, as they may contain traces of the attacker.
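To show how the visited addresses mentioned above are actually read, here is an added example that is not part of the original article. It assumes the `urls` table layout used by Chromium-based browsers (`url`, `title`, `visit_count`, `last_visit_time`), where `last_visit_time` counts microseconds since 1601-01-01 UTC, and builds a constructed stand-in for the `History` SQLite file in memory. It converts the timestamps, lists the visits in order, and flags URLs whose host is a bare IP address, which an analyst typically wants to look at first because such connections leave no DNS-cache trace.

```python
"""Read a Chromium-style browser 'History' SQLite database, list visited URLs with
readable timestamps, and flag entries whose host is a bare IP address.
Added example; the database here is constructed in memory. On a real system copy the
profile's History file first and open the copy with sqlite3.connect(path)."""
import ipaddress
import sqlite3
from datetime import datetime, timedelta, timezone
from typing import Dict, List
from urllib.parse import urlsplit

# WebKit/Chrome timestamps: microseconds since 1601-01-01 00:00:00 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def webkit_to_datetime(value: int) -> datetime:
    return WEBKIT_EPOCH + timedelta(microseconds=value)

def datetime_to_webkit(dt: datetime) -> int:
    delta = dt - WEBKIT_EPOCH
    return (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds

def host_is_ip(url: str) -> bool:
    """True when the URL's host is an IPv4/IPv6 literal rather than a name."""
    host = urlsplit(url).hostname or ""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def build_sample_history() -> sqlite3.Connection:
    """Constructed stand-in for a copied History file, using the Chromium 'urls' columns."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE urls (id INTEGER PRIMARY KEY, url LONGVARCHAR, title LONGVARCHAR,
                    visit_count INTEGER, typed_count INTEGER, last_visit_time INTEGER, hidden INTEGER)""")
    base = datetime(2024, 1, 15, 10, 30, tzinfo=timezone.utc)
    rows = [
        ("https://intranet.example/", "Intranet", 12, 3, base),
        ("https://198.51.100.10:8443/update.php", "", 1, 0, base + timedelta(minutes=5)),
        ("https://www.example.org/docs", "Docs", 4, 1, base + timedelta(minutes=9)),
    ]
    conn.executemany(
        "INSERT INTO urls (url, title, visit_count, typed_count, last_visit_time, hidden) "
        "VALUES (?, ?, ?, ?, ?, 0)",
        [(u, t, v, ty, datetime_to_webkit(ts)) for u, t, v, ty, ts in rows])
    conn.commit()
    return conn

def visited_urls(conn: sqlite3.Connection) -> List[Dict[str, object]]:
    """All history rows in chronological order with ISO timestamps."""
    cur = conn.execute("SELECT url, title, visit_count, last_visit_time FROM urls "
                       "ORDER BY last_visit_time")
    return [{"url": url, "title": title, "visits": visits,
             "last_visit": webkit_to_datetime(ts).isoformat(), "ip_host": host_is_ip(url)}
            for url, title, visits, ts in cur]

def flag_ip_hosts(conn: sqlite3.Connection) -> List[str]:
    """URLs that were reached by IP address instead of by name."""
    return [r["url"] for r in visited_urls(conn) if r["ip_host"]]

if __name__ == "__main__":
    conn = build_sample_history()
    for r in visited_urls(conn):
        print(r["last_visit"], r["visits"], r["url"], "<-- IP host" if r["ip_host"] else "")
```

The epoch conversion is the part analysts most often get wrong: the same microsecond count interpreted against the Unix epoch lands centuries off, so a quick sanity check (the value for 1970-01-01 is 11644473600 seconds after the WebKit epoch) is worth keeping next to the parser.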
DNS Cache
The DNS cache is where DNS lookups queried on the system are recorded. It can help us locate the command and control server the attacker was using, and must be checked as it may contain important information about the attack.
Hosts File
The hosts file is one of the first places the system looks when resolving a name to an IP address, before querying the DNS server. On a compromised system, the attacker may have added a new record to this file. It is one of the files that should be checked during forensic analysis, since it may contain the attacker's domain name or the IP address of the command and control server.
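The DNS cache and hosts file sections above describe two artifacts that belong together, so this added example (not code from the original article) handles both. It parses the Windows resolver cache as printed by `ipconfig /displaydns` (one `Record Name . . . : value` group per entry) and a hosts file (`ip name [alias...] # comment`), lists the hosts entries that are not the stock loopback lines, and reports cached names whose answer matches a hosts entry, since such a resolution may have come from the file rather than from a DNS server. Both texts below are constructed; on a live system the command output would be captured and the hosts file copied (`C:\Windows\System32\drivers\etc\hosts` on Windows, `/etc/hosts` on Linux) before analysis.

```python
"""Parse 'ipconfig /displaydns' output and a hosts file, then cross-check them.
Added example; both inputs below are constructed."""
import re
from typing import Dict, List, Optional

DISPLAYDNS_SAMPLE = """\

Windows IP Configuration

    intranet.example
    ----------------------------------------
    Record Name . . . . . : intranet.example
    Record Type . . . . . : 1
    Time To Live  . . . . : 600
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 10.0.0.30


    update.example.org
    ----------------------------------------
    Record Name . . . . . : update.example.org
    Record Type . . . . . : 1
    Time To Live  . . . . : 86400
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 198.51.100.10


    notthere.example
    ----------------------------------------
    Name does not exist.
"""

HOSTS_SAMPLE = """\
# Constructed hosts file; the stock Windows file only has commented examples.
#   127.0.0.1       localhost
#   ::1             localhost
198.51.100.10   update.example.org   # added recently?
10.0.0.30 intranet.example intranet
"""

# "Label . . . . : value" -> key/value; the key stops before the dot leaders.
FIELD_RE = re.compile(r"^\s*(?P<key>[^:]+?)(?:\s*\.)*\s*:\s*(?P<value>.*?)\s*$")

def parse_displaydns(text: str) -> List[Dict[str, str]]:
    """One dict per cached entry: name, type, ttl and the answer data (A/AAAA/CNAME/PTR)."""
    entries: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue                      # block headers, dashes, "Name does not exist."
        key, value = m.group("key"), m.group("value")
        if key == "Record Name":
            current = {"name": value.lower(), "type": "", "ttl": "", "data": ""}
            entries.append(current)
        elif current is None:
            continue
        elif key == "Record Type":
            current["type"] = value
        elif key == "Time To Live":
            current["ttl"] = value
        elif key.endswith("Record"):      # "A (Host) Record", "AAAA Record", "CNAME Record", ...
            current["data"] = value
    return entries

def parse_hosts(text: str) -> List[Dict[str, object]]:
    """Active (non-comment) hosts lines as {ip, names}; inline comments are stripped."""
    rows: List[Dict[str, object]] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        rows.append({"ip": parts[0], "names": [n.lower() for n in parts[1:]]})
    return rows

STOCK = {("127.0.0.1", "localhost"), ("::1", "localhost")}

def hosts_overrides(hosts_rows: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Hosts entries beyond the loopback defaults; anything else was added deliberately."""
    return [r for r in hosts_rows if any((r["ip"], n) not in STOCK for n in r["names"])]

def cache_matching_hosts(cache: List[Dict[str, str]], hosts_rows: List[Dict[str, object]]) -> List[str]:
    """Cached names whose answer equals the hosts entry for that name."""
    table = {n: r["ip"] for r in hosts_rows for n in r["names"]}
    return [e["name"] for e in cache if table.get(e["name"]) == e["data"]]

if __name__ == "__main__":
    cache, hosts = parse_displaydns(DISPLAYDNS_SAMPLE), parse_hosts(HOSTS_SAMPLE)
    for e in cache:
        print(f'{e["name"]:24} type={e["type"]:3} ttl={e["ttl"]:6} {e["data"]}')
    print("hosts overrides:", hosts_overrides(hosts))
    print("cache entries matching hosts:", cache_matching_hosts(cache, hosts))
```

Reading the two together is what gives the finding its weight: a hosts entry alone says the file was edited, a cache entry alone says the name was looked up, and the match between them says the system actually resolved that name to the attacker-chosen address while the cache was populated.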
Remote Desktop Protocol (RDP) Cache/History/Logs
RDP is a protocol that enables remote connection to a target system. On the analyzed system, information about the systems to which an RDP connection was made is saved in the RDP cache. If the attacker made an RDP connection, the attacker's IP address can be obtained from the cache. It is one of the points that should be examined while analyzing a system.
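As an added example (not code from the original article), the snippet below recovers the RDP connection history described above from a registry export. The Windows RDP client keeps its most-recently-used targets as `MRU0`, `MRU1`, ... under `HKCU\Software\Microsoft\Terminal Server Client\Default` and a per-host key with a `UsernameHint` value under `...\Terminal Server Client\Servers\<host>`; the parser reads the `.reg` text that `reg export` produces, so it runs on any platform. The export, hosts and usernames below are constructed.

```python
"""Recover RDP client connection history (MRU targets and per-host username hints)
from a 'reg export' of HKCU\\Software\\Microsoft\\Terminal Server Client.
Added example; the .reg text below is constructed."""
import re
from typing import Dict, List

REG_SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client]

[HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default]
"MRU0"="203.0.113.50"
"MRU1"="srv01.corp.example"
"MRU2"="10.0.0.25"

[HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers\srv01.corp.example]
"UsernameHint"="CORP\\svc-backup"

[HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers\203.0.113.50]
"UsernameHint"="administrator"

[HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers\10.0.0.25]
"UsernameHint"="CORP\\alice"
"CertHash"=hex:00,11,22
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')

def _unescape(s: str) -> str:
    """.reg strings escape backslashes and quotes with a backslash."""
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Map each [key] to its values; hex:/dword: data is kept raw for reference."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            current = keys.setdefault(km.group("key"), {})
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            name, data = _unescape(vm.group("name")), vm.group("data")
            if data.startswith('"') and data.endswith('"'):
                current[name] = _unescape(data[1:-1])      # REG_SZ string
            else:
                current[name] = data                        # dword:..., hex:..., "-" (deleted)
    return keys

TSC = r"HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client"

def rdp_mru(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Targets from the MRU list, most recent first (MRU0 is the latest)."""
    default = keys.get(TSC + r"\Default", {})
    items = [(int(n[3:]), v) for n, v in default.items() if n.startswith("MRU") and n[3:].isdigit()]
    return [v for _, v in sorted(items)]

def rdp_servers(keys: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """host -> UsernameHint for every Servers\\<host> subkey."""
    prefix = TSC + "\\Servers\\"
    out: Dict[str, str] = {}
    for key, values in keys.items():
        rest = key[len(prefix):]
        if key.startswith(prefix) and rest and "\\" not in rest:
            out[rest] = values.get("UsernameHint", "")
    return out

def rdp_history(keys: Dict[str, Dict[str, str]]) -> List[Dict[str, str]]:
    """MRU order joined with the username hint that was used for each target."""
    servers = rdp_servers(keys)
    return [{"target": t, "username_hint": servers.get(t, "")} for t in rdp_mru(keys)]

if __name__ == "__main__":
    for entry in rdp_history(parse_reg_export(REG_SAMPLE)):
        print(f'{entry["target"]:24} as {entry["username_hint"] or "(no hint)"}')
```

Read from the compromised account's own hive, the MRU list answers the question the article raises in the other direction as well: not only where the attacker came from, but which further hosts, and with which accounts, the compromised account was used to reach, which is what scopes the incident beyond the first machine.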
Other useful resources for forensics: