Effective Threat Investigation for SOC Analysts: The ultimate guide to examining various threats and attacker techniques using security logs

Author: Mostafa Yahia
Publisher: Packt, published Aug 2023 (1st edition, paperback, 314 pages)
ISBN-13: 9781837634781
Table of Contents

Preface
Part 1: Email Investigation Techniques
Chapter 1: Investigating Email Threats
Chapter 2: Email Flow and Header Analysis
Part 2: Investigating Windows Threats by Using Event Logs
Chapter 3: Introduction to Windows Event Logs
Chapter 4: Tracking Accounts Login and Management
Chapter 5: Investigating Suspicious Process Execution Using Windows Event Logs
Chapter 6: Investigating PowerShell Event Logs
Chapter 7: Investigating Persistence and Lateral Movement Using Windows Event Logs
Part 3: Investigating Network Threats by Using Firewall and Proxy Logs
Chapter 8: Network Firewall Logs Analysis
Chapter 9: Investigating Cyber Threats by Using the Firewall Logs
Chapter 10: Web Proxy Logs Analysis
Chapter 11: Investigating Suspicious Outbound Communications (C&C Communications) by Using Proxy Logs
Part 4: Investigating Other Threats and Leveraging External Sources to Investigate Cyber Threats
Chapter 12: Investigating External Threats
Chapter 13: Investigating Network Flows and Security Solutions Alerts
Chapter 14: Threat Intelligence in a SOC Analyst’s Day
Chapter 15: Malware Sandboxing – Building a Malware Sandbox
Index
Other Books You May Enjoy

Firewall logs anatomy

A firewall generates logs that carry valuable information. By understanding these logs and the fields they contain, you can investigate several attack tactics, such as lateral movement, reconnaissance, command and control, and exfiltration.

Let’s discuss all the fields that may exist in the logs generated by a network firewall, regardless of the vendor or product name, and how to benefit from them during incident investigations.

The common firewall log fields are Log Timestamp, Source IP, Source Port, Destination IP, Destination Port, Source Interface Zone, Destination Interface Zone, Device Action, Sent Bytes, Received Bytes, Sent Packets, Received Packets, Source Geolocation country, and Destination Geolocation country. We’ll look at each of these in the following subsections.

Log Timestamp

The Log Timestamp value contains information that identifies when a certain event occurred. It usually consists of date and time information and is sometimes accurate to a small fraction of a second.

The log timestamp is crucial to SOC analysts and incident handlers because it lets them determine when the investigated traffic occurred and correlate this log with the logs generated by other log and data sources, which gives investigators more evidence and context. The timestamp also lets you track activities that take place within a short time window, such as scanning.

Source IP

The Source IP value is the client IP that initiated the network communication traffic to the destination IP. This field is very important for identifying the origin of the communication.

If you’re investigating suspicious traffic, such as signs of lateral movement or reconnaissance, you should be able to identify the source IP of the communication so that you can investigate it further and respond to the infection by, for example, removing the malware from the machine or rebuilding it.

Source Port

The Source Port value is the port from which the client sent the request. The source port is randomly generated by the client and should be in the range of 1024 to 65535.

In some cases, the source port value allows you to detect and track port scanning activities, as well as identify the tool used for the scanning. For example, I have noticed that the Nmap tool uses a fixed source port during its scanning activities. See Figure 8.2:

Figure 8.2 – Port scanning using a fixed source port

As you can see, the source IP 188.215.235.108 conducted port scanning with the Nmap tool against the destination IP 10.10.10.10 on several destination ports, using two fixed source ports, 42723 and 42722.

Destination IP

The Destination IP value is the target system IP of the communications traffic.

If you are investigating IP scanning, port scanning, or lateral movement activities, the destination IP value allows you to identify the attacker’s next target. If you are investigating suspicious communications to external servers, the destination IP value can help you investigate the destination IP’s category and reputation (if it’s a known malicious source) by using threat intelligence platforms and feeds such as AbuseIPDB, IBM X-Force, and VirusTotal, as we will see in Chapter 14, Threat Intelligence in a SOC Analyst’s Day. Also, in the case of confirmed infections, the Destination IP field can help you scope the infection by identifying any other infected internal hosts (source IPs) communicating with the same destination IP.

Destination Port

The Destination Port value usually indicates the service (RDP, SMB, FTP, and so on) that the source IP (client) requested from the destination IP (server). Well-known ports (0-1023) are reserved for standard protocols, and services such as SMB, RDP, and FTP are commonly found on fixed ports. The following table lists well-known ports that are usually targeted by attackers for lateral movement:

Port          Protocol and Usage
445           SMB (file sharing)
3389          RDP (remote desktop)
5985, 5986    WinRM (PowerShell remoting)
22            SSH (remote administration over an encrypted channel)
23            Telnet (remote administration)
20, 21        FTP (file transfer)
5900, 5800    VNC (remote control)

Table 8.1 – Ports targeted by attackers

The preceding table lists ports that attackers usually target to discover and pivot within the victim’s network. The destination port lets us understand the attacker’s intent and objectives. For example, if you find an attacker port scanning for port 3389 across several systems, that behavior indicates they are looking for systems in the environment with RDP exposed that they can abuse, either by exploiting a vulnerability or by brute-forcing credentials, in order to pivot through the network over the Remote Desktop Protocol.

Source Interface Zone

Also called Source Interface Role by some vendors, this field refers to the firewall security zone of the system that initiated the network traffic. The Source Interface Zone’s value may be LAN, DMZ, or WAN.

The Source Interface Zone lets you identify which zone the source system belongs to, which helps you determine where the source machine is located and detect and investigate suspicious communications between network zones. For example, a system in the DMZ initiating traffic to external systems (IPs or domains) could be abnormal behavior in your environment.

Destination Interface Zone

Also called Destination Interface Role by some vendors, this field refers to the zone of the target system of the network traffic. The Destination Interface Zone’s value may be LAN, DMZ, or WAN.

The Destination Interface Zone allows you to identify where the destination system is located, which should help you investigate suspicious communications patterns and identify which zone in your network the attacker targets. It should also help you detect suspicious communications between the zones. For example, you may want to develop a detection use case to detect suspicious RDP traffic from the DMZ to the LAN zone.

Device Action

The Device Action value allows you to identify what action the firewall has taken based on the predefined rules applied to it. The expected Device Action values are either allowed or denied.

The Device Action value helps you identify whether the connections have succeeded or not. For example, if you’re investigating a lateral movement activity, you would need to verify whether the attacker successfully pivoted to the targeted machines or not. The Device Action value is also helpful if you want to develop a detection use case that detects excessive denied communications from a single host in a short amount of time.
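The two detection ideas discussed so far, the fixed-source-port scan from Figure 8.2 and the burst of denied connections from a single host, as an added example that is not from the book: a small Python detector run over a constructed, vendor-neutral log that uses the chapter’s field names. The line layout, the function names and the thresholds (a 60-second window, five distinct destination ports, three denies) are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real traffic): timestamp, source IP, source port,
# destination IP, destination port, device action, one connection per line.
SAMPLE_LOGS = """\
2023-08-01T10:00:00 188.215.235.108 42723 10.10.10.10 22 denied
2023-08-01T10:00:00 188.215.235.108 42722 10.10.10.10 23 denied
2023-08-01T10:00:01 188.215.235.108 42723 10.10.10.10 80 allowed
2023-08-01T10:00:01 188.215.235.108 42722 10.10.10.10 445 denied
2023-08-01T10:00:02 188.215.235.108 42723 10.10.10.10 3389 denied
2023-08-01T11:00:00 10.10.10.30 49152 10.10.10.53 53 allowed
"""
FIELDS = ("ts", "src_ip", "src_port", "dst_ip", "dst_port", "action")

def parse(text):
    """One dict per line; timestamps become datetimes so bursts can be windowed."""
    records = [dict(zip(FIELDS, line.split())) for line in text.splitlines()]
    for r in records:
        r["ts"] = datetime.fromisoformat(r["ts"])
        r["src_port"], r["dst_port"] = int(r["src_port"]), int(r["dst_port"])
    return records
def group_by(records, key):
    groups = defaultdict(list)
    for r in records:
        groups[key(r)].append(r)
    return groups
def first_burst(recs, window, is_alert):
    """Slide a time window over the records; return the first burst that triggers, else None."""
    recs = sorted(recs, key=lambda r: r["ts"])
    for i, first in enumerate(recs):
        burst = [r for r in recs[i:] if r["ts"] - first["ts"] <= window]
        if is_alert(burst):
            return burst
def detect_port_scans(records, window=timedelta(seconds=60), min_ports=5):
    """A source hitting >= min_ports distinct destination ports on one target within
    `window` is a scan; the source ports it reused are reported, as in Figure 8.2."""
    hits = {}
    for pair, recs in group_by(records, lambda r: (r["src_ip"], r["dst_ip"])).items():
        burst = first_burst(recs, window, lambda b: len({r["dst_port"] for r in b}) >= min_ports)
        if burst:
            hits[pair] = {"dst_ports": sorted({r["dst_port"] for r in burst}),
                          "src_ports": sorted({r["src_port"] for r in burst})}
    return hits

def detect_denied_bursts(records, window=timedelta(seconds=60), threshold=3):
    """Excessive denied connections from one host within `window` (Device Action use case)."""
    denied = group_by([r for r in records if r["action"] == "denied"], lambda r: r["src_ip"])
    return {sip: len(b) for sip, recs in denied.items()
            if (b := first_burst(recs, window, lambda burst: len(burst) >= threshold))}
```

Tune the window and thresholds to your environment’s baseline; a busy vulnerability scanner or a misconfigured host will otherwise trip both detectors.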

Sent Bytes

The Sent Bytes value refers to the size of the data that’s sent from the source system to the destination system in bytes.

In the case of investigating a lateral movement activity, the Sent Bytes value helps you identify the size of the binaries that are transferred from the source system to the target system. Also, in the case of investigating a data exfiltration activity, it helps you identify the size of the data that’s transferred from the victim’s system to the attacker’s server.

Received Bytes

The Received Bytes value refers to the size of the data received by the source system from the destination system in bytes.

The Received Bytes value helps you identify the size of the data retrieved by the source system from the target system when investigating data and information enumeration activities. It also helps you identify the size of the data downloaded by the victim’s system from the attacker’s system, such as when investigating malware or additional tools that the attacker downloaded onto the victim’s system.

Sent Packets

The Sent Packets value refers to the number of packets that have been sent from the source system to the destination system.

The Sent Packets value helps with investigating and detecting an increase in the number of packets that are sent to an external system.

Received Packets

The Received Packets value refers to the number of packets that have been received by the source system from the destination system.

The Received Packets value helps with investigating and detecting an increase in the volume of packets that have been received from either external or internal systems.

Source Geolocation country

Source Geolocation country is a newer log field, added by some firewall vendors, that gives the geolocation of the source IP.

This log field helps with investigating and detecting communications from unexpected geolocation countries.

Destination Geolocation country

Destination Geolocation country is a newer log field, added by some firewall vendors, that gives the geolocation of the destination IP.

This log field helps with investigating and detecting communications to unexpected geolocation countries.

At this point, you should be aware of the information that’s provided in the firewall logs and how to utilize it to either investigate or detect cyber incidents.
