Monday, February 10, 2014

Host Data

Network traffic data provides a wealth of insight into all of the traffic that has crossed the network. It is an excellent data source through which we can understand precisely what is traversing our networks. But what do we do when we need to understand something that may or may not have occurred on a host? For example, consider these questions:
  • Did the exploit that I just saw fly across the network succeed?
  • Did the malicious binary downloaded by host X successfully execute and maintain persistence?
  • What process on host X was responsible for the malicious command and control activity I just observed in the network traffic?
  • What activity was completed on the host to stage the data I just saw exfiltrated before it was sent out of the network?
The answers to these and other important questions come from the correlation of host data with network data. The network data is the data of record regarding what crosses the network. Once those bits and bytes disappear "over the hill" and make their way onto the host, we lose sight of them. This is where host data can provide us additional information to complete the picture and help us correlate information. Examples of host data include host-based intrusion detection systems (HIDS), anti-virus (AV), Windows security event logs, and others.

If we revisit the questions posed above, we can imagine answering them as follows:
  • The exploit destined for host X at time T1 (network data) successfully exploited process Z at time T2 on host X (host data).
  • The malicious binary downloaded by host X at time T1 (network data) successfully executed on host X at time T2, runs as process Z, and as of time T3, is still maintaining persistence on host X (host data).
  • Process Z on host X (host data) initiated the malicious command and control traffic to site S observed at time T (network data).
  • Documents A, B, and C were compressed and encrypted by process Z into file F at time T1 on host X (host data). File F was exfiltrated from the network to site S at time T2 (network data).
That is a level of certainty and knowledge that is, unfortunately, all too rare in the security operations and incident response realms. That level of precision can only come from the timely and accurate correlation of host data with network data, because reconstructing the full sequence of events requires both viewpoints. Pretty neat stuff.
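As an added example (not part of the original post), here is a minimal correlator for the third question above: it joins network observations of traffic to site S with host process-audit records from the same host, within a clock-skew window, so that the output names the process that initiated the traffic. The host names, sites, process names and timestamps are constructed; the window size is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class NetEvent:
    """Network-side observation (IDS alert or flow record): which host talked to which site, and when."""
    ts: datetime
    host: str
    site: str

@dataclass(frozen=True)
class HostEvent:
    """Host-side record (process/network audit log): which process on which host connected where."""
    ts: datetime
    host: str
    process: str
    site: str

def correlate(net_events, host_events, window=timedelta(seconds=30)):
    """Attribute each network observation to a host process.

    A host event matches when it is on the same host, names the same remote site,
    and falls within +/- window of the network timestamp (sensor and host clocks
    are never perfectly aligned, so an exact match is not required). Returns one
    dict per network event; 'process' is None when no host record explains it.
    """
    results = []
    for n in net_events:
        candidates = [h for h in host_events
                      if h.host == n.host and h.site == n.site
                      and abs(h.ts - n.ts) <= window]
        # Prefer the host record closest in time to the network observation.
        best = min(candidates, key=lambda h: abs(h.ts - n.ts), default=None)
        results.append({
            "host": n.host, "site": n.site, "network_time": n.ts,
            "process": best.process if best else None,
            "host_time": best.ts if best else None,
        })
    return results

# Constructed sample data (not from any real incident).
T = datetime(2014, 2, 10, 9, 0, 0)
NETWORK = [NetEvent(T, "host-x", "c2.example.invalid"),
           NetEvent(T + timedelta(minutes=5), "host-y", "c2.example.invalid")]
HOST = [HostEvent(T - timedelta(seconds=2), "host-x", "svchost.exe", "c2.example.invalid"),
        HostEvent(T + timedelta(seconds=50), "host-x", "update.exe", "c2.example.invalid"),
        HostEvent(T, "host-x", "chrome.exe", "cdn.example.invalid")]

if __name__ == "__main__":
    for r in correlate(NETWORK, HOST):
        print(r)
```

The second network event has no host-side explanation, which is itself a finding: either host telemetry is missing on that machine or the traffic was not generated by an audited process.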
