Monday, December 04, 2017

On "Advanced" Network Security Monitoring

My TaoSecurity News page says I taught 41 classes lasting a day or more, from 2002 to 2014. All of these involved some aspect of network security monitoring (NSM). Many times students would ask me when I would create the "advanced" version of the class, usually in the course feedback. I could never answer them, so I decided to do so in this blog post.

The short answer is this: at some point, advanced NSM is no longer NSM. If you consider my collection - analysis - escalation - response model, NSM extensions from any of those phases quickly have little or nothing to do with the network.

Here are a few questions I have received concerning "advanced NSM," paired with the answers I could have provided.

Q: "I used NSM to extract a binary from network traffic. What do I do with this binary?"

A: "Learn about reverse engineering and binary analysis."

Or:

Q: "I used NSM to extract Javascript from a malicious Web page. What do I do with this Javascript?"

A: "Learn about Javascript de-obfuscation and programming."

Or:

Q: "I used NSM to capture an exchange between a Windows client and a server. What does it mean?"

A: "Learn about Server Message Block (SMB) or Common Internet File System (CIFS)."

Or:

Q: "I used NSM to capture cryptographic material exchanged between a client and a server. How do I understand it?"

A: "Learn about cryptography."

Or:

Q: "I used NSM to grab shell code passed with an exploit against an Internet-exposed service. How do I tell what it does?"

A: "Learn about programming in assembly."

Or:

Q: "I want to design custom hardware for packet capture. How do I do that?"

A: "Learn about programming ASICs (application specific integrated circuits)."

I realized that I had the components of all of this "advanced NSM" material in my library. I had books on reverse engineering and binary analysis, Javascript, SMB/CIFS, cryptography, assembly programming, ASICs, etc.

The point is that eventually the NSM road takes you to other aspects of the cyber security landscape.

Are there *any* advanced areas for NSM? One could argue that protocol analysis, as one finds in tools like Bro, Suricata, Snort, Wireshark, and so on, constitutes advanced NSM. However, you could just as easily argue that protocol analysis becomes more about understanding the programming and standards behind each of the protocols.

In brief, to learn advanced NSM, expand beyond NSM.

4 comments:

@infosec42 said...

Overall I agree with you. I'm surprised you don't mention learning about / understanding IDS signatures though? I feel like that is a more "advanced" part of analysis that analysts need to learn about that's hard to come by.

Richard Bejtlich said...

That's a good point. I suppose writing good signatures is an advanced task.

Ryan Russell said...

I might add to that list: Security Automation and Orchestration. (Full disclosure, this is what my current employer makes.) So you've extracted a binary? Send it to the analysis and reputation services and products for evaluation, and if it's malicious, send the IOCs to your enforcement devices, have your endpoint solutions hunt and block, go back to the packets and look for the phone-homes, etc.

Anonymous said...

Advanced NSM comes from correlating several low-fidelity or high false-positive indicators which alone would be noise, but collectively are significant. As an example, you might have an IDS signature which is tuned as noise and doesn't show in the main channel, but if you combine an OS event for failed logons, and a FIM alert for a new file creation, you now have something which should be investigated.
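The correlation described in the comment above, as an added example that is not from the post or its commenters: a small sliding-window correlator that groups normalized events by host and raises a finding only when several *distinct* low-fidelity sources (a tuned-down IDS signature, a failed logon, a FIM new-file alert) fire on the same host within a short window. The event format, the ten-minute window, the three-source threshold and the sample events are all constructed assumptions; repeated events from one source (the second host below) deliberately do not cross the threshold.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from the original post). Each tuple is
# (timestamp, host, source, detail), roughly as a SIEM would normalize them.
# "ids_low" stands for an IDS signature tuned out of the main alert channel.
SAMPLE_EVENTS = [
    ("2017-12-04T10:00:05", "ws-17", "ids_low",   "ET POLICY generic tool user-agent"),
    ("2017-12-04T10:00:40", "ws-17", "auth_fail", "logon failure for svc_backup"),
    ("2017-12-04T10:01:10", "ws-17", "fim_new",   "new file C:\\Windows\\Temp\\x.dll"),
    ("2017-12-04T10:03:00", "ws-22", "auth_fail", "logon failure for jdoe"),
    ("2017-12-04T10:04:00", "ws-22", "auth_fail", "logon failure for jdoe"),
    ("2017-12-04T11:30:00", "ws-17", "ids_low",   "ET POLICY generic tool user-agent"),
]

# Assumed tuning knobs: how close in time the indicators must be, and how
# many different sources must agree before the host is worth a look.
WINDOW = timedelta(minutes=10)
MIN_DISTINCT_SOURCES = 3


def parse_ts(ts):
    """Parse the ISO-8601 timestamps used in the constructed events."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def correlate(events, window=WINDOW, min_sources=MIN_DISTINCT_SOURCES):
    """Return a list of (host, sorted_sources, first_ts, last_ts) findings.

    A finding is emitted for a host when events from at least `min_sources`
    distinct sources fall inside any span of length `window`. The same
    source firing repeatedly counts once, so noisy single feeds stay noise.
    """
    by_host = defaultdict(list)
    for ts, host, source, detail in events:
        by_host[host].append((parse_ts(ts), source, detail))

    findings = []
    for host, evs in by_host.items():
        evs.sort()  # sort by timestamp so a sliding window works
        start = 0
        reported = set()  # (host, window start) already emitted
        for end in range(len(evs)):
            # Advance the window start until the span fits inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            sources = {e[1] for e in evs[start:end + 1]}
            if len(sources) >= min_sources:
                key = (host, evs[start][0])
                if key not in reported:
                    reported.add(key)
                    findings.append((host, sorted(sources), evs[start][0], evs[end][0]))
    return findings


if __name__ == "__main__":
    for host, sources, first, last in correlate(SAMPLE_EVENTS):
        print(f"{host}: {', '.join(sources)} between {first:%H:%M:%S} and {last:%H:%M:%S}")
```

Run as a script it reports only ws-17, where the tuned-out IDS hit, the failed logon and the FIM alert land within a little over a minute; ws-22 has two failed logons and nothing else, so it never reaches three distinct sources. Raising `MIN_DISTINCT_SOURCES` or shrinking `WINDOW` is the tuning trade-off the comment alludes to: the higher the bar, the fewer but more significant the escalations.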