TCP Build connections, Bytes Transferred to External Unkown IPs, Port Scans !! Oh Bad !! What to Look for on logs? A firewall is a network security device that monitors incoming and outgoing network traffic and determines whether specific traffic should be allowed or blocked based on a defined set of security rules.
“A firewall can help block hackers or malicious software from infiltrating your computer through the internet or a network, as well as stopping your computer from sending malicious software to other computers.”
A firewall might be hardware, software, or a combination of the two. For more than 25 years, firewalls have served as the first line of defense in network security. They establish a barrier between secured and controlled internal networks that can be trusted and untrusted outside networks, such as the Internet.
Use Case: Firewall logs
Objective: The mission of this hunt is to identify the scanning attempts from/to a malicious IP and the cases related to IP attacks. IP scanning is a common attack that is done worldwide to get into the machine with the open ports/breaking the rules/pushing the server to downstate. Assuming your company firewalls were put up in accordance with your security organization’s policies, you should be able to understand the following:
- Your company’s firewall security requirements
- Communication that is permitted
- Points for enforcement
- Allowable transaction flows in your environment
- Identify your business partners’ connections and make educated guesses about access networks
- Determine how your firewall should protect resources, applications, and services.
- Determine your firewall’s traffic baseline.
Log Source & Requirements: Firewall logs
Duration: 90 days
Firewall Log Attributes: Action, application, packets out/in, bytes in/out, destination IP, destination port, destination translated IP, source IP, source port, direction, transport, session end reason, protocol.
Firewall logs Anomaly Hunting Checklist for Soc Analyst:
- Compromised systems may start sending out traffic that doesn’t look like the rest of your traffic. Perhaps an attacker is trying to exfiltrate data, or a bot may simply try to contact its C&C infrastructure. So look carefully at outbound traffic logs from your perimeter firewalls such as ( Bytes IN/Out , Traffic allowed on firwall access control list , User account changes ,bandwidth and CPU utilzation exceeds ) .
- Consider looking at source geolocation as well, though as before, don’t fall into traps. Block the inbound and outbound traffic from a Geo-blocked IP to known signature.
- Check for denied inbound traffic from an IP towards particular port or generic ports which can be used as an early warning for your teams of what it is coming towards you in an early future.
- Denied outbound traffic: To have denied outbound traffic is concerning, ruling out misconfiguration issues in your infrastructure you need to wonder what is happening inside your network that the traffic is being denied in the firewall. If the traffic is being denied it is because your security policy contemplated that scenario before or because that communication it is not supposed to happen.
- Some botnets C2 protocols communicate port TCP 443, but using a proprietary protocol rather than HTTP over SSL. So monitoring the port 80 denied/blocked connections to a fixed count will help to control botnet connection.
- Monitoring the SSH port 22 for an unusual inbound and outbound connection can prevent unknown connection because Backdoors on hacked endpoints and networks typically run on standard services such as SSH on port 22 in order to blend with normal traffic and hide.
- Look for protocol-port mismatches. For example, having HTTP traffic on high ports, or maybe even something like SSH on TCP 80 is the sign of external target to our organization. Attackers often like to overload TCP 80 to slip through loosely secured perimeter networks.
- SMB ( Server Message Block ) is commonly used by attackers to communicate outbound and exfiltrate data from networks. So looking for/creating rules based on malicious SMB connections like Destination Ports 137 (UDP) , 138, 139 or 445 (TCP) from Same Source IP, Destination Port and Different Destination IP running for every 5 minutes will reduce the manual work of SOC analyst.
- Hunt for excessive denies from a single external source because it is a common attack now-a day. Create a search based on Same Source IP, Traffic direction Remote to Local & Firewall or ACL Denies.
- Rules can created for excessive denies from a single internal host, it just monitors a huge number of internal and outbound firewall denies on a single server. This could reveal network fingerprinting or a misconfigured device, for example. Rule can be created depend upon Same Source IP, Traffic direction Local to Remote, Local to Local, Firewall or ACL Denies with 3000 Denies / 30 Minutes. You may need to tune out things such as asset scanners, vulnerability scanners and the like from this rule.
- During internal network scanning, an attacker may attempt to connect to a large number of ports from a single host; to see which ports are open. This will stand out among normal network traffic. SIEM Rule can be created depend upon Same Source IP, Traffic direction Local to Remote, Local to Local, Firewall or ACL Denies with 100+ Different Destination Ports within 1 Hours. We can apply it same for denies from internal host to many destination.
- Check if an IP address does a host scan and then establishes a successful tunnel between connected IP and connecting IP. Ngrok.io urls in logs indicates malware is actively communicating with external IP with safe tunnels to evade firewall.
- Hunt for 100+ distinct external IP address initiating a connection to the same target IP over distinct destination port in every 5 minutes or last 30 Minutes.
- If a scan is followed by a Port Opening, look for network traffic potential violations.
- In a 10-minute period, check for high-severity firewall alarms between any source address and the public destination address.
- Hunt of any scanning probes & malicious payloads towards DMZ servers ( demilitarized zone ) , Compromising DMZ will leverage attackers for Web shell uplaods/port access/process grouping/host address. Detection of IP addresses that bounce between DMZ servers. Mostly in the organizations, the SSH port will be open in DMZ servers. So the target will be for port 22.
- Analyze the traffic of the source IP which was involved in previous attack as destination IP to make sure the machine are not infected.
- Check for the traffic from private IP connecting to public address which is malicious or with bad reputation.
- Some of the IP scanning types are: PING SCAN | TCP Half-Open | TCP CONNECT | UDP SCAN | STEALTH SCANNING – NULL, FIN, X-MAS | ACK Flag Probe SCAN. Here we can create rule based on: (a) same source IP targeting distinct destination address (b) same source IP targeting distinct destination ports (c) same source IP targeting same destination port but distinct by destination address (d) same source IP targeting same destination address but distinct by destination port
- Check for excessive firewall denies from a single host. Detects more than 500 blocked attempts from a single source address to a single destination address within an hour.
- Check for 200+ blocked hits from an IP towards multiple destination IP targeting multiple/single ports within an hour.
- Look for ICMP packets between two IP addresses that are consecutive over an extended period of time and for ICMP communication to a single host/multiple hosts is generated by a unknown external IP address.
- Check for ICMP types and codes in logs to indicator the compromise.
- Look for Commutation to an external/Geo-Blocked IP address which is blocked: (a) Communication to a rare country IP address which is blocked (b) Allowed communication to IP address of same country / same subnet. (c) Allowed inbound communication from same IP to DMZ server (d) Allowed communication from same public IP to multiple port
- Hunt for multiple MAC addresses from a single source address.
- In a relatively short period, a single source address with a private IP address communicates to a distinct destination port.
- IP Proxy Server Communication (Firewall/Proxy) A malicious payload or process that causes an endpoint to communicate with known bad domains is indicated by traffic to known suspicious proxy domains/IP.
- Check for source or firewall is taking an unusually long time to connect.
- Check for any TOR Ports 9001,9003,9050,9151,9150 can be monitored for outbound connection. Outbound connections can be monitored on Crypto ports 8333, 18333, 9333, 9999, 22556, and 30303. Monitoring TOR Exit Node IP’s based on threat intel records.
- In a relatively short time, an IP address using the same destination port communicates with a different destination address.
- Increase in the volume of packets delivered to a public address on a nonstandard port, where the source and destination ports are the same.
- DNS hunting can be done by scanning for authorized traffic for DNS port via TCP using a public IP address and increase in the number of packets sent to the public DNS address.
- Examine odd RDP/LDAP/FTP and SMB activity from a rare machine to a known critical server.
- Communications to potential suspicious ports collected from the previous attacks.
- Hunt for traffic allowed by firewall such as Build connections , Access list – Permitted and check for unsual activites.
- Hunt for traffic denied by firewall such as Access list – Deny inbound.
- Always keep in mind , Attacker inbound IP will be different with same attacker outbound connections, For Example : Post exploitation attacker takes full control of hostmachine and exfiltrates data towards his CnC server with Different IP. source IP ( Inbound connections towards organization ) and attackers destination ( Stolen data is sent to different IP address to there server )
Log management is important, but log analysis is even more important. Start with what you have, even if there are very few logs from the firewall.