In my previous blog post, I talked about the TAB AT&CT and how it can help you determine possible threats and threat actor techniques so you can better focus your limited resources on the most likely threats.
The next questions you might ask yourself are, “Am I being attacked?” and “Are my defenses working?”
To answer these questions, you need to know what is happening on your network. To know what is happening on your network, you need to log activity from several different sources.
Take your typical network which consists of a wired network (the PC connected to the switch) and some wireless laptops (connected to the wireless access point). The switch and access point connect to a router and then to the firewall.
If you want to know what’s happening on your network, you want to see the activity (traffic) flowing through the wireless access point, switch, router, and firewall. To do this, you need to log the devices and traffic on your wireless and wired networks, as well as the traffic flow between the wired and wireless networks and the traffic flow between the router and the firewall.
Typically, you would have access logs or system logs from each of these devices sent to a central collector, called (surprise!) the log server, or syslog server. Your network would now look like this:
Now that you’re collecting this traffic information on a daily basis, you can get a good idea of what “normal” traffic looks like. And you can then run (usually automated) searches that examine the log data and tell you if any strange or suspicious traffic is occurring.
You can check the syslog server for bad traffic coming from the internet to your firewall and confirm that the firewall is blocking the traffic. Or, you can confirm that you only allow certain types of traffic to leave your network, to prevent private or sensitive data (think PII, HIPAA, IP, CUI, etc.) from leaving via Dropbox or Google Drive or Box, for example. By checking the firewall logs, you can see that your data is not leaving your network through the firewall.
You can search the syslog server for unknown devices on the wireless or wired network. You would already know which devices should be on the network, because you should already know what devices you own or have provisioned for your users. If a new device appears in the wireless log or the wired (switch) log, then you need to find out what that device is and how it got there. Did someone bring in their own wireless access point to get a better signal in their office? Did they bring in a wireless printer so they could print in their office? By looking at the logs of these two networks, you can determine this.
Your network team knows whether traffic from the wired network should be allowed to flow to the wireless network, or in the opposite direction. Perhaps you allow this type of traffic flow; maybe not. Either way, with a syslog server, you can confirm that only approved traffic is flowing between the wireless and wired networks by viewing the router’s traffic logs.
This is a simple example to help you visualize how collecting this network traffic allows you to see if the controls (access control lists [ACLs], firewall rules, network access control [NAC] rules, etc.) work as expected.
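The four checks described above (firewall blocking inbound traffic, data leaving to cloud storage, unknown devices on the wired or wireless network, and unapproved traffic between the two networks) are the kind of automated searches you would run against the syslog server. The script below is an added example, not code from the original post; it uses a generic key=value log style rather than any real vendor's format, and the subnets, MAC addresses, approved flows, and log lines are all constructed for illustration.

```python
"""Run simple 'is this normal?' checks over centrally collected syslog lines.

Added example: the log lines, subnets, MAC inventory and approved flows below
are constructed for illustration and do not follow any particular vendor's
syslog format.
"""
import ipaddress
from collections import defaultdict

# Constructed layout: wired PCs and wireless laptops sit in two subnets behind one router.
ZONES = {
    "wired": ipaddress.ip_network("192.168.10.0/24"),
    "wireless": ipaddress.ip_network("192.168.20.0/24"),
}

# Devices the organization owns or has provisioned (constructed inventory).
KNOWN_MACS = {"aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02", "aa:bb:cc:dd:ee:03"}

# Cross-network flows the network team has approved: (src zone, dst zone, dport).
APPROVED_CROSS_ZONE = {("wireless", "wired", 9100)}  # laptops printing to a wired printer

# Destinations that indicate data leaving to personal cloud storage.
CLOUD_STORAGE_HOSTS = {"dropbox.com", "drive.google.com", "box.com"}

# Constructed sample log lines: '<timestamp> <device> key=value ...'
SAMPLE_LOGS = [
    "2024-03-01T10:00:01 fw01 action=block src=203.0.113.7 dst=198.51.100.10 dport=22 proto=tcp dir=in",
    "2024-03-01T10:00:02 fw01 action=allow src=192.168.10.25 dst=162.125.0.1 dport=443 proto=tcp dir=out sni=dropbox.com",
    "2024-03-01T10:00:03 fw01 action=allow src=192.168.10.30 dst=93.184.216.34 dport=443 proto=tcp dir=out sni=example.com",
    "2024-03-01T10:00:04 wlc01 event=assoc mac=aa:bb:cc:dd:ee:01 ssid=corp",
    "2024-03-01T10:00:05 wlc01 event=assoc mac=de:ad:be:ef:00:99 ssid=corp",
    "2024-03-01T10:00:06 sw01 event=link-up mac=aa:bb:cc:dd:ee:02 port=Gi1/0/7",
    "2024-03-01T10:00:07 rtr01 action=forward src=192.168.10.25 dst=192.168.20.40 dport=445 proto=tcp",
    "2024-03-01T10:00:08 rtr01 action=forward src=192.168.20.41 dst=192.168.10.5 dport=9100 proto=tcp",
]


def parse_line(line):
    """Split '<ts> <device> k=v k=v ...' into a dict; lines without fields give None."""
    parts = line.split()
    if len(parts) < 3:
        return None
    event = {"ts": parts[0], "device": parts[1]}
    for token in parts[2:]:
        key, sep, value = token.partition("=")
        if sep:
            event[key] = value
    return event


def zone_of(ip_str):
    """Map an address to 'wired', 'wireless', 'external' or 'unknown' (unparseable)."""
    try:
        addr = ipaddress.ip_address(ip_str)
    except ValueError:
        return "unknown"
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def blocked_inbound(events):
    """Firewall blocks of traffic arriving from the internet: evidence the rule set works."""
    return [e for e in events
            if e["device"].startswith("fw") and e.get("action") == "block"
            and e.get("dir") == "in" and zone_of(e.get("src", "")) == "external"]


def cloud_storage_uploads(events):
    """Outbound connections the firewall allowed to personal cloud-storage services."""
    def is_cloud(sni):
        return any(sni == h or sni.endswith("." + h) for h in CLOUD_STORAGE_HOSTS)
    return [e for e in events
            if e["device"].startswith("fw") and e.get("action") == "allow"
            and e.get("dir") == "out" and is_cloud(e.get("sni", ""))]


def unknown_devices(events, known_macs=KNOWN_MACS):
    """MACs seen by the wireless controller or switch that are not in the inventory."""
    seen = defaultdict(set)
    for e in events:
        mac = e.get("mac", "").lower()
        if mac and mac not in known_macs:
            seen[mac].add(e["device"])
    return {mac: sorted(devices) for mac, devices in seen.items()}


def unapproved_cross_zone(events, approved=APPROVED_CROSS_ZONE):
    """Router forwards between the wired and wireless networks that were never approved."""
    findings = []
    for e in events:
        if not e["device"].startswith("rtr") or e.get("action") != "forward":
            continue
        src_zone, dst_zone = zone_of(e.get("src", "")), zone_of(e.get("dst", ""))
        if src_zone == dst_zone or "external" in (src_zone, dst_zone):
            continue  # same-network or internet-bound traffic is the firewall's concern
        try:
            dport = int(e.get("dport", -1))
        except ValueError:
            continue
        if (src_zone, dst_zone, dport) not in approved:
            findings.append((src_zone, dst_zone, e["src"], e["dst"], dport))
    return findings


def analyze(lines):
    """Run all four checks over raw log lines and return the findings."""
    events = [e for e in map(parse_line, lines) if e]
    return {
        "blocked_inbound": len(blocked_inbound(events)),
        "cloud_uploads": [e["src"] for e in cloud_storage_uploads(events)],
        "unknown_devices": unknown_devices(events),
        "unapproved_cross_zone": unapproved_cross_zone(events),
    }


if __name__ == "__main__":
    for name, finding in analyze(SAMPLE_LOGS).items():
        print(f"{name}: {finding}")
```

Each check only becomes meaningful against a baseline you maintain yourself: the device inventory, the approved cross-network flows, and the list of destinations you consider exfiltration paths. On the constructed sample the script reports one blocked inbound connection, one wired PC talking to Dropbox, one unknown MAC on the wireless network, and one wired-to-wireless SMB connection that no one approved.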
In my next blog post, I’ll add more data points (antivirus software, Windows event logs, web server logs, etc.) that you can collect on the syslog server to give you an even better picture of what is happening on your network.