Expert blog: Using open source tools for network traffic analysis
While the political IT boundaries are becoming clearer (countries like China or Russia are trying to create their own ecosystems that allow independent Internet, specialized services, and software), the process is exactly the opposite in the enterprise environment. Perimeters are increasingly dissolving in the information domain, causing severe headaches for cybersecurity managers.
Problems are everywhere. Cybersecurity professionals must deal with the difficulties of remote work, with its untrusted environments and devices, and with shadow infrastructure - Shadow IT. On the other side of the barricades, we have increasingly sophisticated kill chain models and careful obfuscation of intrusions and network presence.
Standard information cybersecurity monitoring tools cannot always provide a complete picture of what is happening. This leads us to look for additional sources of information, such as network traffic analysis.
The growth of Shadow IT
The concept of Bring Your Own Device (personal devices used in an enterprise environment) was suddenly replaced by Work From Your Home Device (an enterprise environment pushed to personal devices).
Employees use home PCs to access their virtual workplace and email, and a personal phone for multi-factor authentication. All of these devices sit right next to potentially infected computers or IoT devices on an untrusted home network. All these factors force security personnel to change their methods and sometimes turn to Zero Trust radicalism.
With the advent of microservices, the growth of Shadow IT has intensified. Organizations do not have the resources to equip every legitimate workstation with antivirus and endpoint detection and response (EDR) tools and to monitor that coverage. The dark corner of the infrastructure is becoming a real "hell" which provides no signals about information security events or infected objects. This area of uncertainty significantly hinders the response to emerging incidents.
For anyone who wants to understand what is happening with information security, SIEM has become a cornerstone. However, SIEM is not an all-seeing eye, and the illusion that it is has faded too. Because of its resource and logical limitations, SIEM only sees what is sent to it from a limited number of sources within the organization, and those sources can also be cut off by attackers.
The number of malicious installers that use legitimate utilities already present on the host has increased: wmic.exe, regsvr32.exe, hh.exe and many others.
As a result, the installation of a malicious program takes place in several stages, each of which calls legitimate utilities. Therefore, automatic detection tools cannot always combine these separate calls into a single chain that installs a dangerous object into the system.
After attackers gain persistence on the infected workstation, they can hide their actions in the system very precisely. In particular, they work "cleverly" with logging. For example, they do not simply clear the logs: they redirect them to a temporary file, perform their malicious actions, and then return the log data stream to its previous state. This way, they avoid triggering the "log file deleted" scenario on the SIEM.
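Two defender-side checks for the problems described above, as an added example that is not code from the original post: correlating separate process-creation events into parent/child chains so that several calls to legitimate utilities are judged together, and flagging silent windows in a host's log stream that may indicate logging was redirected. The event fields, the sample events and the timestamps are constructed for this illustration; the utility list is the one named in the article.

```python
from collections import defaultdict

# Legitimate utilities named in the article that installers chain together.
LOLBINS = {"wmic.exe", "regsvr32.exe", "hh.exe"}

# Constructed process-creation events (Sysmon Event ID 1 style, simplified).
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "winword.exe"},
    {"pid": 300, "ppid": 200, "image": "hh.exe"},
    {"pid": 400, "ppid": 300, "image": "wmic.exe"},
    {"pid": 500, "ppid": 400, "image": "regsvr32.exe"},
    {"pid": 600, "ppid": 100, "image": "wmic.exe"},  # lone admin use: one hit, benign
]

def build_tree(events):
    # Index events by pid and record each parent's children.
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e["pid"])
    return by_pid, children

def chain_for(pid, by_pid):
    # Walk up the parent links and return image names from root to pid.
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]["image"].lower())
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))

def suspicious_chains(events, min_lolbins=2):
    # A single utility call is everyday noise; two or more in one ancestry
    # line is the multi-stage pattern worth an analyst's attention.
    by_pid, children = build_tree(events)
    hits = []
    for leaf in [p for p in by_pid if not children.get(p)]:
        chain = chain_for(leaf, by_pid)
        if sum(1 for img in chain if img in LOLBINS) >= min_lolbins:
            hits.append(chain)
    return hits

# Constructed arrival times (epoch seconds) of one host's log records.
LOG_TIMES = [0, 60, 120, 900, 960]

def silent_windows(timestamps, max_gap_s=300):
    # Gaps longer than the expected heartbeat interval deserve a look even
    # when no "log file deleted" event ever arrived.
    ts = sorted(timestamps)
    return [(a, b) for a, b in zip(ts, ts[1:]) if b - a > max_gap_s]
```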