Network traffic data provides a wealth of insight into everything that has crossed the network, and it is an excellent source for understanding precisely what is traversing our networks. But what do we do when we need to understand something that may or may not have occurred on a host? For example, consider these questions:
- Did the exploit that I just saw fly across the network succeed?
- Did the malicious binary downloaded by host X successfully execute and maintain persistence?
- What process on host X was responsible for the malicious command and control activity I just observed in the network traffic?
- What activity was completed on the host to stage the data I just saw exfiltrated before it was sent out of the network?
If we revisit the questions posed above, we can imagine answering them as follows:
- The exploit destined for host X at time T1 (network data) successfully exploited process Z at time T2 on host X (host data).
- The malicious binary downloaded by host X at time T1 (network data) successfully executed on host X at time T2, is running as process Z, and as of time T3 is still maintaining persistence on host X (host data).
- Process Z on host X (host data) initiated the malicious command and control traffic to site S observed at time T (network data).
- Documents A, B, and C were compressed and encrypted by process Z into file F at time T1 on host X (host data). File F was exfiltrated from the network to site S at time T2 (network data).
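The answers above all follow the same pattern: take a network observation (host X, time T, site S) and pivot into host telemetry from the same host in a time window around T to find the process responsible, then walk that process's own history for execution and persistence. The following is an added example of that pivot, not code from the original post; the event records, field names, hostnames and the 10-second correlation window are all constructed assumptions standing in for whatever an IDS and an endpoint agent actually produce.

```python
"""Pivot from a network observation into host telemetry (constructed example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class NetEvent:
    """One observation from the network sensor, e.g. an IDS alert or flow record."""
    ts: datetime
    src_host: str
    dst_site: str
    description: str


@dataclass(frozen=True)
class HostEvent:
    """One observation from host telemetry (endpoint agent, Sysmon, auditd...)."""
    ts: datetime
    host: str
    pid: int
    process: str
    kind: str     # "exec", "persist", "connect" or "write"
    detail: str   # remote site for "connect"; path or registry key otherwise


T = datetime(2024, 1, 1, 12, 0, 0)  # constructed base time

# Constructed sample input: one C2-like network alert and the host events around it.
NET_EVENTS = [
    NetEvent(T + timedelta(seconds=40), "hostX", "site-s.example", "beacon-like HTTP POST"),
]

HOST_EVENTS = [
    HostEvent(T + timedelta(seconds=0),  "hostX", 4410, "updater.exe", "exec",    r"C:\Users\u\Downloads\updater.exe"),
    HostEvent(T + timedelta(seconds=5),  "hostX", 4410, "updater.exe", "persist", r"HKCU\...\Run\updater"),
    HostEvent(T + timedelta(seconds=39), "hostX", 4410, "updater.exe", "connect", "site-s.example"),
    HostEvent(T + timedelta(seconds=41), "hostX", 1200, "browser.exe", "connect", "cdn.example"),
    HostEvent(T + timedelta(seconds=38), "hostY", 900,  "svc.exe",     "connect", "site-s.example"),
]


def find_initiating_process(net: NetEvent, host_events: List[HostEvent],
                            window: timedelta = timedelta(seconds=10)) -> Optional[HostEvent]:
    """Which process on host X initiated the connection to site S seen at time T?

    Matches on host and destination; the window absorbs clock skew between the
    network sensor and the host agent. Returns the closest match in time, or None
    when host telemetry has no corresponding connect event (a gap worth noting).
    """
    candidates = [
        h for h in host_events
        if h.host == net.src_host
        and h.kind == "connect"
        and h.detail == net.dst_site
        and abs(h.ts - net.ts) <= window
    ]
    if not candidates:
        return None
    return min(candidates, key=lambda h: abs(h.ts - net.ts))


def process_timeline(host_events: List[HostEvent], host: str, pid: int) -> List[HostEvent]:
    """Everything recorded for one process on one host, in chronological order."""
    return sorted((h for h in host_events if h.host == host and h.pid == pid),
                  key=lambda h: h.ts)


def has_persistence(timeline: List[HostEvent]) -> bool:
    """Did the process establish a persistence mechanism at any point?"""
    return any(h.kind == "persist" for h in timeline)


def summarize(net: NetEvent, host_events: List[HostEvent]) -> str:
    """Produce the combined network-plus-host statement the post describes."""
    origin = find_initiating_process(net, host_events)
    if origin is None:
        return (f"{net.description} from {net.src_host} to {net.dst_site} at {net.ts:%H:%M:%S}: "
                f"no matching host connect event (telemetry gap or clock skew?)")
    tl = process_timeline(host_events, origin.host, origin.pid)
    first = tl[0]
    persist = "and is maintaining persistence" if has_persistence(tl) else "with no persistence seen"
    return (f"Process {origin.process} (pid {origin.pid}) on {origin.host} initiated the traffic to "
            f"{net.dst_site} observed at {net.ts:%H:%M:%S}; it was started at {first.ts:%H:%M:%S} "
            f"from {first.detail} {persist}.")


if __name__ == "__main__":
    for ev in NET_EVENTS:
        print(summarize(ev, HOST_EVENTS))
```

The two filters that do the real work are the host match and the destination match; the time window only ranks candidates and tolerates skew. The connect from hostY to the same site and the browser connect on hostX at nearly the same second are both correctly ignored, which is the difference between "some process talked to S" and "process Z on X talked to S".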