Threat Hunting Strategy: Identifying Anomalous Protocol Activity
As the Director of the Threat Reconnaissance Unit here at Security On-Demand, I am responsible for both Threat Intelligence and much of the Threat Hunting we conduct. Our hunting efforts focus on looking through the billions of logs that our customers send us every day – often without focusing on a particular customer – and hunting for anomalous and malicious activity that is getting through our customers’ defenses. A very productive way to find anomalous and potentially malicious activity is to look for uncommon port activity. I chose this approach for two reasons. First, as security practitioners we want to know where and with whom our systems are communicating on the outside. We certainly do not want sensitive information leaving the network. Second, it is a relatively simple query to build.
In order to keep the dataset manageable, asking the following question of our dataset is quite effective and provides leads that we can then investigate further:
Show me all network traffic originating inside our network AND heading outbound to either China, Russia, or Iran (again, to help narrow things down initially; I expand the scope later) AND that is allowed by the firewall AND whose destination port IS NOT 25, 80, 123, 443, or 445.
Here is what it looks like in our Portal:
Once you have the results, organize them by destination port and you can start separating the things that are concerning from those that are not. This is a pretty basic, simple hunt. One can get far more specific and detailed, but it gives you a quick view of things that probably should not be occurring on or from a network.
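The hunt query above, expressed as a small script so the four AND conditions and the "organize by destination port" step are explicit. This is an added example, not the Security On-Demand portal's query language or code; the key=value log format, the RFC 1918 definition of "inside our network", and the ISO country codes are assumptions, and the log lines are constructed.

```python
import ipaddress
from collections import defaultdict

# Ports the article's query deliberately excludes.
EXPECTED_PORTS = {25, 80, 123, 443, 445}
# Initial geographic narrowing from the article (ISO country codes assumed).
WATCH_COUNTRIES = {"CN", "RU", "IR"}
# "Inside our network": RFC 1918 ranges, an assumption for this example.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed firewall log lines (key=value layout, not any vendor's real format).
SAMPLE_LOGS = """\
src=10.1.2.3 dst=203.0.113.5 dst_country=CN dst_port=8080 action=allow
src=10.1.2.3 dst=203.0.113.5 dst_country=CN dst_port=443 action=allow
src=192.168.1.10 dst=198.51.100.7 dst_country=RU dst_port=1433 action=allow
src=192.168.1.10 dst=198.51.100.7 dst_country=RU dst_port=1433 action=deny
src=10.5.5.5 dst=192.0.2.9 dst_country=US dst_port=8080 action=allow
src=203.0.113.50 dst=10.5.5.5 dst_country=IR dst_port=22 action=allow
src=10.9.9.9 dst=203.0.113.77 dst_country=IR dst_port=8080 action=allow
"""

def parse_line(line):
    """Split 'k=v k=v ...' into a dict; dst_port becomes an int."""
    rec = dict(kv.split("=", 1) for kv in line.split())
    rec["dst_port"] = int(rec["dst_port"])
    return rec

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def matches_hunt(rec):
    """The article's conditions: inside -> outbound, watched country,
    allowed by the firewall, destination port not in the expected set."""
    return (is_internal(rec["src"]) and not is_internal(rec["dst"])
            and rec["dst_country"] in WATCH_COUNTRIES
            and rec["action"] == "allow"
            and rec["dst_port"] not in EXPECTED_PORTS)

def hunt_by_port(log_text):
    """Return {dst_port: [matching records]} so results are organised by port."""
    by_port = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if matches_hunt(rec):
            by_port[rec["dst_port"]].append(rec)
    return dict(by_port)

if __name__ == "__main__":
    for port, recs in sorted(hunt_by_port(SAMPLE_LOGS).items(), key=lambda kv: -len(kv[1])):
        print(f"port {port}: {len(recs)} allowed outbound flow(s) -> {sorted({r['dst'] for r in recs})}")
```

Of the seven constructed lines only three survive the filter (two on 8080, one on 1433); the 443 flow, the denied flow, the US-bound flow and the inbound flow are dropped by one condition each.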
After running queries like this across our data set for different customers, it is striking how much unnecessary protocol activity is going on. It turns out that in most cases the network owners did not know the activity was occurring. And while there is usually no evidence of malicious activity, it certainly is network leakage and poor network hygiene.
Here are our recommendations as to what you should do once you have identified suspicious uncommon port activity:
Identify the device generating the traffic
Remember, since this is outbound information leaving your network, you need to know why it is happening and what kind of data it is sending out. If the device is acting normally and this activity was expected and approved, but your IT or IS team did not know about it, then you can move on. On the other hand, if it turns out to be traffic that is not expected or allowed, you can stop it and figure out why it was occurring in the first place. If it’s an error, you have corrected it; if it’s a breach, you can launch IR and clean it up.
Block on the Firewall
Go to your firewall and block all traffic on that port if you do not need it. This will prevent other systems from inadvertently and successfully communicating out in a similar fashion. (Note: an even better practice is to implement “default deny” rather than “default permit”, meaning the only traffic that gets through the firewall is traffic that you have explicitly allowed.)
Create a rule to alert in your monitoring system
Whether you use Security On-Demand as your MSSP or run your own security monitoring, you can set up an alert to fire if you see the same activity again. Of course, after doing the above you should not see it, so if the alert does fire, it is something you should act on quickly.
Ultimately, this effort has verified that many companies and organizations are still too loose with network hygiene and security. They are leaking information off the network far too frequently. That can inadvertently expose sensitive data that hackers can use in reconnaissance efforts, or even open up a vulnerability that hackers could use to exploit your systems.
As you can imagine, manually going through that many logs of port activity is nearly impossible. That is why our disruptive and innovative AQ technology – used for processing and sifting through huge data sets – and our hunting analytics and technology are quite useful. But I have found that some of the most effective hunting comes from our own inventive manual efforts. Our customer portal provides incredible functionality that allows us to drill down on data quite effectively if we ask the right questions.
If you’d like to see more of our portal in action, contact us.
Find out more about our newest solution: ThreatWatch Hunt
About Security On-Demand
Security On-Demand (SOD) provides full-spectrum threat management and advanced cyber threat detection services for hundreds of businesses and government agencies globally. SOD’s patented, behavioral-analytics ThreatWatch technology enables the detection of advanced threats to protect brand value and reduce the risk and mitigate the impact of a data breach. SOD is headquartered in San Diego, CA with international R&D offices and a Security Operation Center in Warsaw, Poland.