There are several data sources that can prove extremely valuable for monitoring the interior of a network:
- Interior firewall logs
- DNS logs
- Network flow data (netflow)
First, let's consider the example where an enterprise monitors proxy logs and DPI (Deep Packet Inspection) at the edge. Let's say that a client endpoint was redirected by a drive-by redirect attack (e.g., Blackhole Exploit Kit), downloaded a malicious executable, and was subsequently infected by it. Further, let's say that the malicious executable is not proxy aware. If we miss the executable download (which happens somewhat regularly, even in an enterprise that is monitored 24x7), then our proxy and DPI will likely be of little help to us in detecting the artifacts of intrusion. There are two main reasons for this:
- The malicious code is not proxy aware, and thus its callback/C&C (command and control) attempts will most likely be blocked by an interior firewall.
- The infected system will likely attempt domain name lookups for callback/C&C domain names. Even if these domain name requests resolve (they don't always resolve, e.g., in cases where the domain name has been taken down), there will be no subsequent HTTP request (remember, it was blocked by an interior firewall). Because of this, there will be no detectable footprint in the proxy log. In the DPI data, the DNS request will be commingled with the millions of other DNS requests and will show as coming from an enterprise DNS server. This makes detection and endpoint identification nearly impossible.
The interior data sources listed above fill exactly this gap:
- Interior firewall logs will allow us to detect attempts to connect to callback/C&C sites that have been blocked/denied.
- DNS logs will allow us to identify endpoints requesting suspicious/malicious domain names.
- Netflow data will allow us to very quickly identify other systems that may be exhibiting the same suspicious/malicious behavior.
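As an added example (not code from the original post), the following Python chains the three interior sources over constructed sample records: the resolver's DNS log names the real querying endpoints (where edge DPI would only show the enterprise resolver), the interior firewall deny log gives the destinations those endpoints tried to reach, and netflow pivots on those destinations to find other hosts. Watchlist names, addresses and the assumption that flows are exported ahead of the interior firewall (so denied attempts still appear) are all assumptions of this example.

```python
# Constructed sample records (not from a real environment). Internal hosts use
# 10.0.0.0/8; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
DNS_LOG = [  # resolver query log: (client_ip, queried_name)
    ("10.1.1.23", "updates.cdn.example"),
    ("10.1.1.23", "callback.badhost.example"),
    ("10.1.1.57", "callback.badhost.example"),
    ("10.1.2.9", "intranet.corp.example"),
]
FW_DENY_LOG = [  # interior firewall denies: (src_ip, dst_ip, dst_port)
    ("10.1.1.23", "203.0.113.10", 80),
    ("10.1.1.57", "203.0.113.10", 80),
    ("10.1.2.9", "198.51.100.7", 443),
]
NETFLOW = [  # flows exported by the core switch, ahead of the interior firewall,
    ("10.1.1.23", "203.0.113.10", 80, 3),  # so denied attempts still show up:
    ("10.1.1.57", "203.0.113.10", 80, 2),  # (src_ip, dst_ip, dst_port, packets)
    ("10.1.1.88", "203.0.113.10", 80, 5),
    ("10.1.2.9", "198.51.100.7", 443, 10),
]
WATCHLIST = {"callback.badhost.example"}  # known callback/C&C names (constructed)


def endpoints_querying(dns_log, watchlist):
    """DNS logs: the actual endpoints that asked for watch-listed names.
    (Edge DPI would attribute these lookups to the enterprise resolver.)"""
    return {ip for ip, name in dns_log if name in watchlist}


def denied_destinations(fw_log, suspects):
    """Interior firewall logs: where the suspects tried to go and were denied."""
    return {(dst, port) for src, dst, port in fw_log if src in suspects}


def peers_by_flow(flows, destinations):
    """Netflow: every internal host seen talking to the same destinations,
    including hosts that never tripped the DNS watchlist."""
    return {src for src, dst, port, _ in flows if (dst, port) in destinations}


def hunt(dns_log, fw_log, flows, watchlist):
    """Chain the three sources: DNS -> firewall denies -> netflow pivot."""
    suspects = endpoints_querying(dns_log, watchlist)
    c2 = denied_destinations(fw_log, suspects)
    related = peers_by_flow(flows, c2)
    return {"dns_suspects": suspects, "c2_destinations": c2,
            "hosts_to_triage": related}


if __name__ == "__main__":
    for key, value in hunt(DNS_LOG, FW_DENY_LOG, NETFLOW, WATCHLIST).items():
        print(key, sorted(value))
```

Note that 10.1.1.88 never queried the watch-listed name (it may cache the answer or use a hard-coded address) and is found only through the netflow pivot.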
Hopefully this hard-earned advice is helpful to all.