Project Name: Threat Hunting with Firewall Traffic
Description: – Attackers keep changing their routine procedures to evade enterprise defenses,
so cyber threat hunting plays an important role in identifying such sophisticated attacks.
A firewall protects against malicious and unnecessary network traffic from the internet.
It also improves privacy and concentrates security controls at the perimeter. Simply deploying the necessary security tools never makes a system foolproof.
The inbound and outbound events also need to be analysed so that timely alerts keep the network secure. The analysed information helps the administrator understand the risks present in the environment. To start threat hunting with firewall traffic, we list hunting hypotheses for evaluation. This blog will help you understand different aspects of threat hunting performed through firewall log analysis.
Author: Rohit D Sadgune / Amruta Sadgune
FAQ:-
- Firewall SIEM use cases
- Firewall threat hunting scenario
- Threat hunting over network traffic
- Threat detection over traffic anomaly
- Threat hunting with firewall logs
- Threat hunting with firewall traffic
Firewall hunting hypothesis
- Hunt for a host scan by an IP address followed by a successful connection (tunnel) established from the scanning IP to the scanned IP.
- Catalogue behaviour detection over source address: hunt for 100 or more distinct public IP addresses establishing connections to the same destination IP within one minute.
- Catalogue behaviour detection over source address for services: hunt for 100 or more distinct public IP addresses connecting to the same destination address on distinct destination ports within one minute.
- Analyse firewall traffic for more than 100 consecutive connections dropped or blocked by the perimeter firewall from the same source IP within 30 minutes.
- Analyse firewall traffic for more than 100 requests dropped or blocked by the perimeter firewall from the same source IP in a day, particularly where the attempts form a pattern or cluster.
- Hunt for traffic anomalies to a destination address, or from a public IP address, that is malicious or has a bad reputation.
- Hunt over firewall traffic where the public destination address is malicious or has a bad reputation.
- Adversary Trajectory System: – multiple source addresses on the private network connecting to a public address that is malicious or has a bad reputation.
- Identification of rare DHCP servers and of private IP addresses communicating with multiple DHCP servers on the same network. Primarily, hunt for north-south (internal to external) or east-west (internal to internal) traffic whose protocol is UDP, destination port is 67, and destination address is not in the registered DHCP server list.
- Hunt for the following types of IP scanning: PING SCAN | TCP Half-Open (SYN) | TCP CONNECT | UDP SCAN | STEALTH SCANNING (NULL, FIN, XMAS) | ACK flag probe scan. Flag-based scans (NULL, FIN, XMAS, ACK probe) need a firewall that logs TCP flags; the count-based patterns below work with plain connection logs:
- Same source IP, distinct destination addresses (host sweep)
- Same source IP, distinct destination ports (port scan)
- Same source IP, same destination port, distinct destination addresses (one service swept across many hosts)
- Same source IP, same destination address, distinct destination ports (vertical port scan of one host)
- Hunt for circumvention of network controls where a scan is followed by an allowed connection on one of the scanned ports.
- Analyse traffic where the source address of an attack was previously the destination address of an attack (within 1 day).
- Check for high-severity firewall alerts within a 10-minute interval between the same source address and public destination address.
- DMZ Jumping: – detection of an IP address hopping across DMZ servers. Detection techniques:
- Lateral movement – port access
- Lateral movement – process grouping
- Lateral movement – host access
- Web shell: access to an unauthorised web resource followed by movement to other hosts
- Hunt for circumvention of control where a public IP address was blocked and then allowed, grouping multiple source-address requests to the same public IP address within a very short time.
- Hunt for circumvention of control where a public IP address on a nonstandard port (destination port > 1024) was blocked and then allowed, grouping multiple source-address requests to the same public IP address and destination port within a very short time.
- Unusual firewall denies or blocks from a single source address: – hunt for excessive firewall denies from a single host. Detects more than 500 firewall deny events from a single source address to a single destination address within 8 minutes.
- Hunt for continuous ICMP packets between two IP addresses over a long duration.
- Rare IP address generating ICMP communication to a single host.
- Rare IP address generating ICMP communication to multiple hosts.
- Outbound connection to an IP address in a rare country.
- Blocked communication to an IP address in a rare country.
- Allowed communication to IP addresses in the same country / same subnet.
- Allowed inbound communication from the same IP address to a DMZ server.
- Allowed communication from the same public IP address to multiple ports.
- Decoy engagement with a public IP address: analyse network traffic engaging with the decoy to understand the adversary's TTPs.
- Single source address with multiple MAC addresses.
- A single private source IP address communicating with distinct destination ports in a very short time.
- Communications to potentially suspicious ports (port/protocol: associated tool). Note: these are historical default ports of the named tools; a port match alone is a weak indicator and should be corroborated with the other hunts.
    31/tcp: Agent 31, Hackers Paradise, Masters Paradise
    1170/tcp: Psyber Stream
    1234/tcp: Ultors Trojan
    1243/tcp: SubSeven server (default for V1.0-2.0)
    1981/tcp: ShockRave
    2001/tcp: Trojan Cow
    2023/tcp: Ripper Pro
    2140/udp: Deep Throat, Invasor
    2989/tcp: Rat backdoor
    3024/tcp: WinCrash
    3150/tcp: Deep Throat, Invasor
    3700/tcp: Portal of Doom
    4444/tcp: trojans or METASPLOIT
    4950/tcp: ICQ Trojan
    6346/tcp: Gnutella
    6400/tcp: The Thing
    6667/tcp: Trinity intruder-to-master and master-to-daemon; SubSeven server (default for V2.1 Icqfix and beyond)
    6670/tcp: Deep Throat
    12345/tcp: NetBus 1.x, GabanBus, Pie Bill Gates, X-Bill
    12346/tcp: NetBus 1.x
    16660/tcp: Stacheldraht intruder-to-master
    18753/udp: Shaft master-to-daemon
    20034/tcp: NetBus 2 Pro
    20432/tcp: Shaft intruder-to-master
    20433/udp: Shaft daemon-to-master
    27374/tcp: SubSeven server (default for V2.1-Defcon)
    27444/udp: Trinoo master-to-daemon
    27665/tcp: Trinoo intruder-to-master
    30100/tcp: NetSphere
    31335/udp: Trinoo daemon-to-master
    31337/tcp: Back Orifice, Baron Night, Bo Facil
    33270/tcp: Trinity master-to-daemon
    33567/tcp: Backdoor rootshell via inetd (from Lion worm)
    33568/tcp: Trojaned version of SSH (from Lion worm)
    40421/tcp: Masters Paradise Trojan horse
    60008/tcp: Backdoor rootshell via inetd (from Lion worm)
    65000/tcp: Stacheldraht master-to-daemon
- Monitoring Tor ports (9001, 9003, 9050, 9151, 9150) for outbound traffic.
- Monitoring cryptocurrency ports (8333, 18333, 9333, 9999, 22556, 30303) for outbound traffic.
- Monitoring Tor exit node IPs based on threat intel records. Exit node IPs identify inbound connections arriving via Tor; outbound Tor use shows up as connections to Tor relay/guard IPs, which need a separate list.
- Communication to proxy server IPs (firewall/proxy): traffic to known suspicious proxy domains or IPs may indicate a malicious payload or process causing an endpoint to communicate with known bad domains.
- Unusually long time taken for a connection, by source or by firewall.
- Possible network flood detection: – an IP address using the same destination port to communicate with distinct destination addresses in a very short time.
- Volumetric increase in packets sent to a public address on a nonstandard port.
- Volumetric increase in packets sent to a public address where source and destination port are the same.
- DNS threat hunting through firewall:
- Allowed traffic to the DNS port over TCP from a public IP address.
- Volumetric increase in packets sent to a public DNS address.
- Catalogue behaviour detection over critical systems (high-value assets): an internal host accessing many distinct known critical servers in a very short time.
- Hunt for unusual RDP/LDAP/FTP traffic from a rare system to a known critical server.
- Hunt for unusual SMB traffic from a rare system to a known critical server.
- Source address violating multiple firewall policies.
- Abnormally high traffic to a rare port of a known HVA (high-value asset).
- Destination port > 1024 (or nonstandard port not used by the enterprise)
- Destination port < 1024 (well-known ports)
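To show how a few of the hypotheses above turn into detection logic, here is an added example in Python (not code from the original post or its authors) that replays constructed firewall log lines through three hunts: the vertical port scan (same source, same destination, distinct destination ports), many distinct public sources connecting to one destination within a minute, and a scan followed by an allowed connection from the scanner to the scanned host. The log format, field names, the RFC 1918 list used to separate internal from public addresses, and the thresholds (scaled down from 100 to 5 and 3 so the small sample triggers) are assumptions for this example.

```python
# Added example, not from the original post: replay constructed firewall log
# lines through three of the hypotheses listed above. The log format, field
# names, internal-address list and thresholds are assumptions for the example.
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample log in an assumed "timestamp key=value ..." format: a public
# host scans 192.0.2.10 and then gets an allowed SSH session; three distinct
# public hosts hit 192.0.2.20 inside one minute; internal hosts add noise.
SAMPLE_LOG = """\
2024-05-01T10:00:00 action=deny src=203.0.113.9 dst=192.0.2.10 proto=tcp dport=21
2024-05-01T10:00:01 action=deny src=203.0.113.9 dst=192.0.2.10 proto=tcp dport=22
2024-05-01T10:00:02 action=deny src=203.0.113.9 dst=192.0.2.10 proto=tcp dport=23
2024-05-01T10:00:03 action=deny src=203.0.113.9 dst=192.0.2.10 proto=tcp dport=25
2024-05-01T10:00:04 action=deny src=203.0.113.9 dst=192.0.2.10 proto=tcp dport=80
2024-05-01T10:00:05 action=deny src=203.0.113.9 dst=192.0.2.10 proto=tcp dport=443
2024-05-01T10:00:45 action=allow src=203.0.113.9 dst=192.0.2.10 proto=tcp dport=22
2024-05-01T10:01:00 action=allow src=198.51.100.1 dst=192.0.2.20 proto=tcp dport=443
2024-05-01T10:01:05 action=allow src=198.51.100.2 dst=192.0.2.20 proto=tcp dport=443
2024-05-01T10:01:10 action=allow src=198.51.100.3 dst=192.0.2.20 proto=tcp dport=443
2024-05-01T10:01:15 action=allow src=10.0.0.5 dst=192.0.2.20 proto=tcp dport=443
2024-05-01T10:30:00 action=allow src=10.0.0.7 dst=192.0.2.10 proto=tcp dport=443
"""

# Explicit internal ranges (assumed). ipaddress's is_global flag is deliberately
# not used: it classifies the TEST-NET documentation ranges in the sample
# (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) as non-global.
INTERNAL_NETS = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def is_public(addr):
    ip = ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)

def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict; dport becomes int."""
    ts_text, *pairs = line.split()
    event = {"ts": datetime.fromisoformat(ts_text)}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = int(value) if key == "dport" else value
    return event

def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]

def windowed_distinct(events, key_fn, value_fn, window, threshold):
    """Sliding-window distinct count per key. Emits (key, ts, count) the first
    time the distinct values seen for a key inside `window` reach `threshold`,
    then resets that key's window so one burst yields one alert, not one per packet."""
    windows = defaultdict(deque)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = key_fn(ev)
        if key is None:          # event excluded by the key function
            continue
        dq = windows[key]
        dq.append((ev["ts"], value_fn(ev)))
        while ev["ts"] - dq[0][0] > window:   # evict entries older than the window
            dq.popleft()
        distinct = {value for _, value in dq}
        if len(distinct) >= threshold:
            alerts.append((key, ev["ts"], len(distinct)))
            dq.clear()
    return alerts

def hunt_port_scan(events, window=timedelta(minutes=1), threshold=5):
    """Same source IP, same destination address, distinct destination ports."""
    return windowed_distinct(events, lambda e: (e["src"], e["dst"]),
                             lambda e: e["dport"], window, threshold)

def hunt_many_public_sources(events, window=timedelta(minutes=1), threshold=3):
    """Distinct public source IPs connecting to the same destination IP."""
    return windowed_distinct(events, lambda e: e["dst"] if is_public(e["src"]) else None,
                             lambda e: e["src"], window, threshold)

def hunt_scan_then_allowed(events, scan_alerts, lookahead=timedelta(hours=1)):
    """Scan followed by an allowed connection from the scanner to the scanned host."""
    hits = []
    for (src, dst), scan_ts, _ in scan_alerts:
        for ev in events:
            if ((ev["src"], ev["dst"], ev["action"]) == (src, dst, "allow")
                    and scan_ts < ev["ts"] <= scan_ts + lookahead):
                hits.append((src, dst, ev["dport"], ev["ts"]))
    return hits

def run_hunts(text=SAMPLE_LOG):
    events = parse_log(text)
    scans = hunt_port_scan(events)
    return {"port_scan": scans,
            "many_public_sources": hunt_many_public_sources(events),
            "scan_then_allowed": hunt_scan_then_allowed(events, scans)}

if __name__ == "__main__":
    for name, alerts in run_hunts().items():
        print(name, alerts)
```

Run as a script it prints one alert per hunt: the scanner 203.0.113.9 reaching five distinct ports on 192.0.2.10, three public sources reaching 192.0.2.20 within a minute, and the allowed port 22 session from the scanner 41 seconds after the scan alert. The same `windowed_distinct` helper covers the other count-based hypotheses (host sweep, service sweep, consecutive denies) by swapping the key and value functions, and in a SIEM the `action=deny` filter and the real thresholds from the hypotheses replace the scaled-down ones used here.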