YOU CAN ONLY HUNT WHAT YOU CAN SEE: BEST NETWORK LOG SOURCES FOR THREAT HUNTING

DNS

One of the most critical network log sources is DNS. DNS logs record the name resolutions that occur in the environment and, depending on how logging is configured, which client made each request. This lets hunters trace ordinary lookups, but it is also a vital source for spotting anomalous domains, such as the high-entropy names produced by domain generation algorithms (DGAs). A single random-looking name is noise; one client resolving a burst of them is a lead.
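As an added example (not code from the original post), the following script runs the entropy heuristic over a handful of constructed DNS query log lines. The line format, client addresses and domain names are all made up for the example; real resolver logs will need their own regex, and a production version would also consult a public-suffix list rather than the naive second-level-label split used here.

```python
import math
import re
from collections import Counter

# Constructed sample DNS query log (not from any real resolver). Assumed line format:
#   <timestamp> client=<ip> query=<fqdn> type=<rrtype>
SAMPLE_DNS_LOG = """\
2024-05-01T10:00:01Z client=10.0.0.5 query=www.example.com type=A
2024-05-01T10:00:02Z client=10.0.0.5 query=mail.example.com type=A
2024-05-01T10:00:03Z client=10.0.0.9 query=xk3jq9v2lz8wq7tp.com type=A
2024-05-01T10:00:04Z client=10.0.0.9 query=q8wz2lxk9vj3tp6n.net type=A
2024-05-01T10:00:05Z client=10.0.0.9 query=p7lw4kq1zx9vn2tj.org type=A
2024-05-01T10:00:06Z client=10.0.0.7 query=cdn.example.org type=A
2024-05-01T10:00:07Z client=10.0.0.7 query=news.example.org type=AAAA
"""

LINE_RE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<query>\S+)")


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registrable_label(fqdn):
    """Second-level label of an FQDN, e.g. 'example' for www.example.com.
    Assumes a one-part public suffix; multi-part suffixes such as co.uk would
    need a public-suffix list and are deliberately not handled here."""
    parts = fqdn.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def parse_dns_log(text):
    """Yield (client_ip, query_name) for every line matching the assumed format."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("client"), m.group("query").lower()


def looks_generated(label, entropy_threshold=3.5, min_len=12):
    """Heuristic DGA check on one label: long and close to uniformly random.
    Dictionary words stay well below ~3.0 bits/char; 16 distinct characters
    drawn from a 36-symbol alphabet score 4.0."""
    return len(label) >= min_len and shannon_entropy(label) >= entropy_threshold


def hunt_dga(log_text, entropy_threshold=3.5, min_len=12):
    """Return {client_ip: sorted list of suspicious query names}. A client that
    resolves several such names in a short span is the DGA signal worth chasing."""
    hits = {}
    for client, query in parse_dns_log(log_text):
        if looks_generated(registrable_label(query), entropy_threshold, min_len):
            hits.setdefault(client, set()).add(query)
    return {client: sorted(names) for client, names in hits.items()}


if __name__ == "__main__":
    for client, names in hunt_dga(SAMPLE_DNS_LOG).items():
        print(client, len(names), "suspicious lookups:", ", ".join(names))
```

Entropy alone misfires on CDN and cloud hostnames that are legitimately random, so in practice the threshold is tuned per environment and the per-client count, not the single lookup, is what gets surfaced to an analyst.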

NETFLOW

NetFlow data is session metadata exported by routers, switches and firewalls (NetFlow itself is Cisco's format; IPFIX and sFlow are the vendor-neutral equivalents), and network traffic analyzers such as Zeek (formerly Bro) produce comparable per-session connection logs from a tap or span port. This metadata carries no payload, but knowing who talked to whom, when, over which port and how many bytes moved is extremely useful for piecing together network activity. In fact, the leaks some years back from Edward Snowden revealed that the National Security Agency (NSA) regards metadata collection across networks as one of its most useful intelligence tools.

PROXY

Proxy logs are also important: even when DNS logging is not enabled, much of the same information (which client requested which host, and when) can be gleaned from the proxy server, usually with the full URL, user agent and response size as well, which is more than DNS alone will ever give you.

FIREWALL

Firewall data is among the most fundamental network log sources for threat hunting. The records themselves are simple (source, destination, port, action and byte counts), but the conclusions that can be drawn from them can be exceptionally valuable. Firewall data can reveal abnormally large transfers, the volume and frequency of communication per host, and important events such as a run of failed connection attempts from one source across many ports on a single target.
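To show the kind of hunts the NetFlow and firewall sections above describe, here is an added example (not code from the original post) that runs three of them over a constructed CSV firewall log: per-host traffic volume, abnormally large transfers, and a burst of denied connection attempts across many ports. The column layout, addresses and byte counts are invented for the example; a NetFlow/IPFIX or Zeek conn.log export carries the same fields under different names and would plug into the same functions.

```python
import csv
import io
from collections import defaultdict

# Constructed firewall log in CSV (not any vendor's real format). "ts" is a Unix
# timestamp, "action" is ALLOW or DENY, "bytes" is the byte count the firewall
# reported for the session.
SAMPLE_FW_LOG = """\
ts,src,dst,dport,proto,action,bytes
1714557600,10.0.0.5,203.0.113.10,443,tcp,ALLOW,1200
1714557601,10.0.0.5,203.0.113.10,443,tcp,ALLOW,900
1714557602,10.0.0.9,203.0.113.77,443,tcp,ALLOW,734003200
1714557603,198.51.100.8,10.0.0.20,21,tcp,DENY,0
1714557603,198.51.100.8,10.0.0.20,22,tcp,DENY,0
1714557604,198.51.100.8,10.0.0.20,23,tcp,DENY,0
1714557604,198.51.100.8,10.0.0.20,25,tcp,DENY,0
1714557605,198.51.100.8,10.0.0.20,80,tcp,DENY,0
1714557610,192.0.2.4,10.0.0.30,3389,tcp,DENY,0
1714557620,10.0.0.7,203.0.113.10,53,udp,ALLOW,300
"""


def parse_fw_log(text):
    """Parse the CSV into a list of dicts with numeric ts, dport and bytes."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = int(row["ts"])
        row["dport"] = int(row["dport"])
        row["bytes"] = int(row["bytes"])
        rows.append(row)
    return rows


def volume_by_host(rows):
    """Total bytes and session count per source host, allowed sessions only."""
    stats = defaultdict(lambda: {"bytes": 0, "sessions": 0})
    for r in rows:
        if r["action"] == "ALLOW":
            stats[r["src"]]["bytes"] += r["bytes"]
            stats[r["src"]]["sessions"] += 1
    return dict(stats)


def large_transfers(rows, threshold_bytes=100 * 1024 * 1024):
    """Allowed sessions whose byte count exceeds the threshold (default 100 MiB),
    as (src, dst, dport, bytes) tuples."""
    return [(r["src"], r["dst"], r["dport"], r["bytes"])
            for r in rows if r["action"] == "ALLOW" and r["bytes"] > threshold_bytes]


def sequential_denies(rows, min_ports=4, window_seconds=60):
    """Sources whose denied attempts hit at least min_ports distinct ports on one
    destination inside a time window: the classic port-sweep signature.
    Returns {(src, dst): sorted list of ports touched}."""
    denies = defaultdict(list)
    for r in rows:
        if r["action"] == "DENY":
            denies[(r["src"], r["dst"])].append((r["ts"], r["dport"]))
    found = {}
    for key, attempts in denies.items():
        attempts.sort()
        for i, (start_ts, _) in enumerate(attempts):
            # distinct ports hit within window_seconds of attempt i
            ports = {p for t, p in attempts[i:] if t - start_ts <= window_seconds}
            if len(ports) >= min_ports:
                found[key] = sorted(ports)
                break
    return found


if __name__ == "__main__":
    rows = parse_fw_log(SAMPLE_FW_LOG)
    print("volume by host:", volume_by_host(rows))
    print("large transfers:", large_transfers(rows))
    print("port sweeps:", sequential_denies(rows))
```

The single denied RDP attempt from 192.0.2.4 is left alone on purpose: one failed connection is background noise on any Internet-facing firewall, and the value of the hunt comes from the combination of many ports, one source and a short window.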

TLS/SSL CERTIFICATE MONITORING

TLS/SSL certificate monitoring is not a common log source, but its value to threat hunting is hard to overstate. Recording the certificates presented on observed TLS sessions (issuer, subject, validity period, whether self-signed) lets hunters flag self-signed or freshly issued certificates on servers that otherwise look unremarkable, and pivot from a known-bad certificate to every host that has talked to it, without decrypting anything.

VPC FLOW LOGS FOR CLOUD PROVIDERS

Finally, Virtual Private Cloud (VPC) flow logs continue to grow in importance for threat hunting. As organizations operate cloud environments, hunters need to examine network flows between clouds, and between clouds and endpoints, and VPC flow logs are often the only network-level visibility available there, since there is no physical tap or span port to attach to. Having that visibility in an era of increasing cloud dependence is critical.
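As an added example (not code from the original post), the script below parses AWS VPC Flow Log records in the documented default version-2 field order and pulls out the two flows a hunter asks about first: accepted traffic leaving the VPC for addresses outside RFC 1918 space, and rejected inbound attempts from outside. The account ID, ENI IDs, addresses and counters are constructed for the example, and the RFC 1918 ranges are an assumption about what counts as "inside"; adjust VPC_RANGES to the actual VPC and peered CIDRs.

```python
import ipaddress

# Default version-2 VPC Flow Log field order (documented by AWS); the record
# values below are constructed for this example.
VPC_FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
              "protocol packets bytes start end action log_status").split()

# Assumption: everything in RFC 1918 space is "inside" (own VPC plus peered VPCs).
VPC_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

SAMPLE_VPC_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.15 203.0.113.50 49152 443 6 20 4800 1714557600 1714557660 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.15 198.51.100.23 49153 4444 6 9000 120000000 1714557600 1714557660 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.15 55555 22 6 5 300 1714557600 1714557660 REJECT OK
2 123456789012 eni-0f9e8d7c 10.0.2.8 10.0.1.15 50000 5432 6 40 9000 1714557600 1714557660 ACCEPT OK
2 123456789012 eni-0f9e8d7c - - - - - - - 1714557600 1714557660 - NODATA
"""


def is_inside(ip):
    return any(ip in net for net in VPC_RANGES)


def parse_vpc_flow_log(text):
    """Parse default-format records into dicts. NODATA/SKIPDATA records carry
    no addresses (their fields are '-'), so they are dropped rather than parsed."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != len(VPC_FIELDS):
            continue
        rec = dict(zip(VPC_FIELDS, fields))
        if rec["log_status"] != "OK":
            continue
        for k in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[k] = int(rec[k])
        rec["src_ip"] = ipaddress.ip_address(rec["srcaddr"])
        rec["dst_ip"] = ipaddress.ip_address(rec["dstaddr"])
        records.append(rec)
    return records


def egress_to_outside(records):
    """Accepted flows from inside the VPC to addresses outside it, aggregated as
    {(srcaddr, dstaddr, dstport): bytes}. This is the cloud-to-elsewhere traffic
    that only the flow log exposes."""
    out = {}
    for r in records:
        if r["action"] == "ACCEPT" and is_inside(r["src_ip"]) and not is_inside(r["dst_ip"]):
            key = (r["srcaddr"], r["dstaddr"], r["dstport"])
            out[key] = out.get(key, 0) + r["bytes"]
    return out


def top_egress(records, n=5):
    """Largest egress flows first, as (bytes, srcaddr, dstaddr, dstport)."""
    flows = [(b, *k) for k, b in egress_to_outside(records).items()]
    return sorted(flows, reverse=True)[:n]


def rejected_inbound(records):
    """Flows from outside the VPC to an instance that the security group or NACL
    rejected, as sorted (srcaddr, dstaddr, dstport) tuples."""
    return sorted((r["srcaddr"], r["dstaddr"], r["dstport"]) for r in records
                  if r["action"] == "REJECT"
                  and not is_inside(r["src_ip"]) and is_inside(r["dst_ip"]))


if __name__ == "__main__":
    recs = parse_vpc_flow_log(SAMPLE_VPC_FLOW_LOG)
    print("top egress:", top_egress(recs))
    print("rejected inbound:", rejected_inbound(recs))
```

Note that VPC flow logs are aggregated over a capture window and record no payload, so the 120 MB to port 4444 in the sample shows up as a single record; that is exactly the sort of high-volume flow to a non-standard port that the firewall and NetFlow hunts look for on-premises, now visible in the cloud.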

Cyborg Security