Network Monitoring and Incident Response

Ahmet Göker
Jul 21, 2022 (9 min read)


Hey technophile.

I hope you have been doing well! Today I want to walk through these concepts:

  • SIEM
  • Firewall
  • IDS/IPS
  • Honeypot
  • EDR
  • NDR
  • OPENCTI

I reckon you will like this topic. Let's kick off.

Firewall

A firewall is a hardware or software component that inspects network traffic and compares it against a set of rules before passing or blocking each packet. In short, this wall controls and monitors inbound and outbound traffic to and from the server, and it sits between a trusted network and an untrusted one such as the internet. Thinking like an attacker, we should know that there are several types of firewall, but before diving into that subject we need to recall the important fields of an IP packet and a TCP segment:

  • Protocol
  • Source address
  • Destination Address

You should remember these, but if you do not, that is not a problem :) since nowadays everything is a quick search away on the Internet.

Depending on the protocol field, the payload of the IP datagram can be one of many options. Three common protocols are:

  • TCP
  • UDP
  • ICMP

A firewall should also be able to inspect the TCP and UDP headers, in particular:

  • Source Port Number
  • Destination Port Number

Keep in mind that a firewall may or may not be able to analyze the many other TCP header fields, which are shown in the figure below.

Types of firewalls

Before explaining the types of firewalls, do not forget that an investigator may need to modify the firewall configuration during an incident, either to make the firewall collect more evidence or to gain access to systems of interest during the investigation.

  • Packet filter
  • Circuit level gateway
  • Proxy firewall
  • Next generation firewall
  • Cloud firewall

Packet filter

A device that routes packets and can “allow” or “deny” traffic based on source and destination addresses. The firewall maintains an “access control list” (ACL) that defines which packets should be inspected and what action should be taken on them.

Circuit-Level Gateway

This builds on packet-filter rules: the gateway checks the TCP 3-way handshake against the firewall rules before a session is allowed through.

Proxy Firewall

This can also be referred to as a WAF (Web Application Firewall) or AF (Application Firewall). An AF proxy takes the concept further by inspecting all packet traffic at layer 7. A WAF checks only the packet headers and does not work for all protocols: it inspects incoming HTTP/HTTPS packets from the source address to decide whether they are malicious, and those that are get filtered or blocked.

Next-Generation Firewall

This is the newest and most capable type of firewall, protecting from OSI layer 2 up to layer 7. It has application awareness and control. Examples include the Juniper SRX series and Cisco Firepower.

Cloud Firewall

This can also be referred to as “firewall as a service”. As the term suggests, it protects network protocols within the cloud; it is well designed because a cloud firewall also prevents malicious packets from gaining unauthorized access to private networks and cloud assets by filtering and monitoring untrusted requests.

Honeypots

A honeypot is a cybersecurity mechanism set up to detect, deflect, or in some other manner steer attackers away from legitimate targets. It can be described as a computer security mechanism that bewilders malicious threat actors. It defends the computer and alerts the administrator to any suspicious activity. Honeypots are also designed to collect data on hackers and unauthorized users.

The threat intelligence gathered this way gives defenders useful data and helps them enhance their cybersecurity strategy.

Types of honeypots

  • Low interaction honeypots
  • Medium interaction honeypots
  • High interaction honeypot

Low interaction honeypot

This type collects basic information about threat actors: it has some capability to simulate services and capture what is attempted against them. Adversaries are not able to perform any post-exploitation activity on these honeypots, since they cannot fully exploit the simulated service.

These honeypots are really easy to set up and maintain. They are considered low-interaction honeypots.

Medium interaction honeypot

These honeypots collect data by emulating a vulnerable service and a shell as well as the underlying OS. This allows adversaries to carry out and complete their initial exploit. The system is presented to the adversary as a simulation, and it is not usual for them to be able to run the full range of post-exploitation activity.

High interaction honeypot

This can be thought of as a vulnerable virtual machine that includes deliberate vulnerabilities. Such research is a great process for the cyber team to gain a deep understanding of their adversary (cyber criminals, APTs, …). The higher the interaction, the higher the cost: a high-interaction honeypot absorbs more resources, but in return it obviously provides higher-quality and more relevant information.

Internal honeypots

This type of honeypot operates inside the LAN. It mimics a target for hackers, and in this way it acts as a defense against network threats that are already inside the perimeter.

External honeypots

As the name suggests, it performs its defenses outside the LAN; however, this type of honeypot is able to collect much more data on attacks.

IDS/IPS

IDS stands for Intrusion Detection System and IPS stands for Intrusion Prevention System; both are security mechanisms that detect (and, for IPS, prevent) network or system intrusions. They were built to detect vulnerability exploits against a target system. The goal of an IDS is only to detect threat packets in inbound and outbound traffic. This is useful because it was originally developed to perform a depth of analysis that could not be performed manually at the same speed. An Intrusion Prevention System (IPS) is a system that can both detect and prevent intrusions. We need to understand the differences between IPS and IDS. I recommend looking at the Snort documentation (Snort has built-in IDS and IPS modes).

IDS setups can be divided based on their location in the network into:

  • Host Based (HIDS)
  • Network Based (NIDS)

Host Based (HIDS)

This type of mechanism runs on the operating system itself, such as Windows. It monitors and analyzes inbound and outbound threat activity within the operating system. A HIDS monitors the inbound and outbound packets of that device only, and alerts the administrator when it detects malicious packets or suspicious activity on the system (Windows Defender is an example).

Network Based (NIDS)

This mechanism has to be connected to a monitoring point so it can perform its defenses on the network traffic of the network or VLANs we want to protect. A network-based IDS performs an analysis of the traffic passing through the entire subnet.

https://purplesec.us/intrusion-detection-vs-intrusion-prevention-systems/

SIEM

SOC teams proactively use a SIEM (Security Information and Event Management) and EDR (Endpoint Detection and Response) to monitor suspicious and malicious activity. A SIEM provides real-time protection by alerting and informing system administrators. If you want to become a security analyst you should understand and prioritize alerts by severity level: low, medium, high and critical.

A significant challenge that a great many organizations face is the nature of logging on network devices. Storage is limited, so log files are rotated and new log entries are written over older ones, which can be critical for the organization when those older entries are needed.

https://www.expertware.net/Solutions/Managed-IT-Services/managed-security-information-and-event-management

From the SIEM platform, security and network analysts have the ability to perform a number of different tasks related to incident response:

  • Log aggregation
  • Log retention
  • Routine analysis
  • Alerting

Log aggregation

An internal network may contain several thousand devices, each with its own logs; the SIEM can be deployed to aggregate these logs in a central location.

Log retention

This refers to archiving log events, particularly those related to security, and to the duration for which you store them. Compliance frameworks such as the “Payment Card Industry Data Security Standard” stipulate that logs should be maintained for a period of 1 year.

Routine analysis

As the name suggests, the SIEM provides a dashboard that highlights key elements such as the number of connections and the alerts/critical alerts raised by the platform. This is superb because it reports any alerts to the administrator to keep them informed.

Alerting

SIEM platforms have the ability to alert on specific conditions that may indicate malicious behaviour. This can cover malware, threat actor activity and other malicious events. Moreover, the SIEM can be fed alerts from anti-virus, IDS and IPS so that such attacks or malicious activities are surfaced in one place.

For instance, if a malicious user attempts multiple logins across a number of systems in the enterprise, the SIEM will be able to identify this and report it to stakeholders.
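As an added example (my own, not part of the original post or any SIEM product), here is the correlation logic behind that alert: parse login events from several hosts, then flag a user/source pair whose failed logins touch at least three distinct systems within a five-minute window. The log lines and the key=value format are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): failed and successful logins
# already aggregated from three hosts into one place, as a SIEM would hold them.
SAMPLE_LOGS = """\
2022-07-21T10:00:01 host=web01 event=login_failed user=alice src=198.51.100.7
2022-07-21T10:00:09 host=db01 event=login_failed user=alice src=198.51.100.7
2022-07-21T10:00:20 host=mail01 event=login_failed user=alice src=198.51.100.7
2022-07-21T10:00:25 host=web01 event=login_success user=bob src=192.0.2.44
2022-07-21T10:01:02 host=web01 event=login_failed user=bob src=192.0.2.44
2022-07-21T11:30:00 host=db01 event=login_failed user=bob src=192.0.2.44
this line is malformed and must be skipped by the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

def parse_logs(text):
    """Turn raw lines into event dicts; lines that don't fit the schema are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return events

def detect_multi_host_failures(events, window=timedelta(minutes=5), min_hosts=3):
    """Return (user, src, hosts) for every user/source whose failed logins hit
    at least `min_hosts` distinct hosts inside any `window`-long period."""
    failures = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event"] == "login_failed":
            failures[(e["user"], e["src"])].append((e["ts"], e["host"]))
    alerts = []
    for (user, src), hits in failures.items():
        for i, (start, _) in enumerate(hits):        # slide the window over each start
            hosts = {h for t, h in hits[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                alerts.append((user, src, sorted(hosts)))
                break                                 # one alert per user/source
    return alerts
```

Bob's two failures are 89 minutes apart, so they never land in one window and he does not trigger the rule; Alice's three hosts within 19 seconds do.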

NDR/EDR

EDR stands for Endpoint Detection and Response. Nowadays malware has become more advanced and prevalent, which means a standard anti-virus alone is not enough. EDR is used to identify suspicious behaviour and advanced persistent threats. This security mechanism has a lot of functionality and provides the surveillance, alerting, and reporting capabilities that allow IT security teams to monitor users and identify suspicious behaviour.

  • Improved visibility
  • Rapid Investigations
  • Remediation automation

Improved visibility

EDR improves visibility because it performs continuous data collection on every endpoint and reports to a single centralized point, so security teams get full visibility from this feature.

Rapid Investigations

This security mechanism is designed to rapidly automate data collection, processing, and certain response activities.

Remediation automation

We have not covered incident response in depth yet; however, an EDR solution can also perform certain incident response actions against malicious activity based on predefined rules, which helps teams block or rapidly remediate such threats.

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

NDR stands for Network Detection and Response. An NDR solution provides many things, but let me explain briefly what it does. An NDR security mechanism continuously monitors an organization's network to detect cyber threats. This solution collects all network traffic to perform its defenses. Do not confuse it with a normal network monitoring solution, because NDR also identifies previously unseen network traffic and runs analytics on it with the help of artificial intelligence and machine learning.

What are the benefits of using NDR?

  1. Network Detection and Response cybersecurity solutions provide continuous visibility across all users.
  2. They provide detection coverage for several phases of an attack lifecycle, including persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, data collection, C2 and exfiltration.
  3. Leading AI-driven NDR solutions are automatic and dramatically improve security detections and security operations center (SOC) operational efficiency, despite organizations and teams being plagued by a chronic shortage of cybersecurity expertise and personnel, by offering full attack reconstructions in natural language that give analysts all the information they need to act on alerts quickly and completely.

For more information, see the source: https://www.vectra.ai/learning/ndr

https://www.esecurityplanet.com/threats/xdr-emerges-as-a-key-next-generation-security-tool/

OPENCTI

To be frank, when I decided to write a blog about this topic, I suddenly came across this project. As you might know, until now I have not learnt that much about blue team tools. I found this framework absorbing because the French national agency for the security of information systems (ANSSI) contributed to the development of the OpenCTI project (Open Cyber Threat Intelligence), in partnership with the Computer Emergency Response Team for the EU institutions, bodies and agencies (CERT-EU). The community project released its latest software version in September 2021 (source: https://joinup.ec.europa.eu/collection/open-source-observatory-osor/news/cyber-threat-intelligence-tool-endorsed-anssi).

This framework aims to help organizations, technical and non-technical staff alike, by visualizing threat intelligence in a GUI (Graphical User Interface): real events such as phishing, malware, and other threat intelligence are presented and alerted on. It uses a GraphQL API and a UX-oriented frontend.

You can find the source code at: https://github.com/OpenCTI-Platform/opencti/releases

For more info about this project → https://www.opencti.io/en/


Summary

First of all, thanks for reading this blog. If you are interested in such things, please follow me, subscribe, and share with your friends.

Ahmet Göker | Exploit Researcher | Malware Researcher | Cryptanalyst | CTF Player | Reverse Engineering

You can follow me on:

Linkedin: https://www.linkedin.com/in/ahmetg%C3%B6ker/

Twitter: https://twitter.com/TurkishHoodie_

Youtube: https://www.youtube.com/c/TurkishHoodie

Github: https://github.com/DarkGhost010
