It is true that cybersecurity best practices require you to do much more than just monitor your organization’s endpoints. After all, to be successful, attackers must do much more than simply establish a “breachhead” on one of those endpoints. They must move laterally across your environment, discovering and exploiting further weaknesses, until they finally reach the systems and data that make the intrusion worth their effort.
Effective network security monitoring is an essential element of enterprise threat hunting—complementing other key disciplines such as endpoint and cloud monitoring.
Here are three key principles to bear in mind as you seek to implement network monitoring as part of your overall cybersecurity strategy.
Network security monitoring principle #1: Networks don’t have baselines
A common misconception in cybersecurity is that SecOps can simply monitor the network for “anomalies” that will serve as initial indicators of compromise (IoCs). But a network as a whole doesn’t really have a baseline. Aggregate traffic volume and mix track business activity (end-of-quarter processing, a product launch, a new SaaS rollout, a shift in where people work), and business activity is itself erratic and, given unpredictable macro conditions such as the pandemic’s effect on working patterns, becoming more so. So a volumetric “anomaly” on your network is as likely to be a legitimate fluctuation caused by real-world business conditions as it is a threat actor.
This is not to say that there’s no such thing as a network anomaly. There is. You just won’t find it with coarse behavioral metrics such as bytes, packets, or connection counts per time window. That rudimentary approach only produces a deluge of false positives, which make you less secure by draining the resources, attention, time, and energy you need for real investigations.
You can try to use machine learning (ML) to define a statistical baseline and then flag departures from it, but an ML model of aggregate traffic inherits the same problem: it is modeling business activity, so every legitimate change in that activity surfaces as an alert to triage. Even if you somehow succeeded, you’d have built an extremely expensive, high-maintenance sledgehammer to swat a fly. That kind of spending is not wise given how constrained your resources already are relative to the volume of threat activity you face.
Network security monitoring principle #2: The best place to hide a needle is in a needlestack
Threat actors are not trying to get caught. As they move across your network, they will go to some lengths to mask their activity. This isn’t especially difficult for them to do because networks are absolutely bursting with activity as packets of all kinds fly across their various segments.
These packets vary greatly in their characteristics: the layer 3 and layer 4 headers (source and destination addresses and ports, time to live, IP options, TCP flags), the packet’s size and timing, and the payload (ICMP echo requests, HTTP requests, TLS handshakes, response data, and so on).
To be successful in their attacks, threat actors must engage in malicious network activity that at least superficially resembles some specific type of legitimate traffic. In other words, they must make their needles resemble other needles that are somewhat commonly found in your everyday network needlestack.
Network monitoring in the context of threat hunting therefore requires some level of packet inspection. And that inspection must be selective, because 1) inspecting every byte of every packet adds a latency and cost “tax” to the network and 2) full-depth inspection at enterprise scale is technically impractical, and with most payloads encrypted, much of it would reveal nothing beyond the outer protocol anyway.
This is why it’s important to know what you’re looking to identify. Think of a TSA line at the airport where everyone got a full search. Yes, the odds of a successful attack would be dramatically reduced. But air travel would come to a halt. A similar principle applies to network monitoring.
You’re not looking for needles in haystacks. You’re looking for potentially interesting needles within a set of prioritized needlestacks: hypotheses about which traffic types an attacker would most plausibly imitate, and which few attributes distinguish an imitation from the real thing. At least that is what you ideally should be doing. Otherwise, you’ll waste a lot of resources both over-inspecting and chasing red herrings.
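To make “informed inspection” concrete, here is an added example (not code from the original post or from Secureworks): a selector that picks one prioritized needlestack, outbound connections to tcp/443 and tcp/80, and inspects only the first few payload bytes of each flow to check that the traffic is what the port implies. Malware that borrows port 443 to blend in but speaks its own framing is a needle that looks like the others only until you check those bytes. The sample flows, addresses and payload bytes are constructed, and the two protocol checks are simplified heuristics rather than full parsers.

```python
"""Selective first-bytes inspection over a prioritised subset of flows.

Added example, not Secureworks code. All flows below are constructed.
Hypothesis: outbound traffic to tcp/443 should begin with a TLS ClientHello
and outbound traffic to tcp/80 should begin with an HTTP request line.
Only flows matching the selector are inspected, and only their first bytes,
so the inspection cost stays bounded regardless of total traffic volume.
"""
from dataclasses import dataclass
import ipaddress

# Assumption: 10/8 is "inside"; adjust to your own address plan.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"PATCH ", b"CONNECT ")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    first_bytes: bytes  # first client-to-server payload bytes seen by the sensor


def looks_like_tls_client_hello(b: bytes) -> bool:
    """TLS record header: type 0x16 (handshake), version 0x03 0x00..0x04,
    two length bytes, then handshake type 0x01 (ClientHello)."""
    return (len(b) >= 6 and b[0] == 0x16 and b[1] == 0x03
            and b[2] <= 0x04 and b[5] == 0x01)


def looks_like_http_request(b: bytes) -> bool:
    """A plain HTTP/1.x request line starts with a method token and a space."""
    return b.startswith(HTTP_METHODS)


# Port -> check that legitimate traffic on that port is expected to pass.
EXPECTED = {443: looks_like_tls_client_hello, 80: looks_like_http_request}


def is_prioritised(f: Flow) -> bool:
    """Selector: internal source, external destination, port we have a hypothesis for."""
    src_in = ipaddress.ip_address(f.src) in INTERNAL
    dst_in = ipaddress.ip_address(f.dst) in INTERNAL
    return src_in and not dst_in and f.dport in EXPECTED


def protocol_mismatches(flows):
    """Flows in the prioritised set whose first bytes do not match the port's expected protocol."""
    return [f for f in flows
            if is_prioritised(f) and not EXPECTED[f.dport](f.first_bytes)]


# Constructed sample flows (documentation address ranges, not real hosts).
SAMPLE_FLOWS = [
    Flow("10.1.2.3", "203.0.113.10", 443, bytes.fromhex("160301012001000119")),  # TLS ClientHello prefix
    Flow("10.1.2.3", "198.51.100.7", 80, b"GET /index.html HTTP/1.1\r\n"),     # plain HTTP
    Flow("10.1.2.9", "192.0.2.44", 443, b"\x00\x00\x00\x14\x01\x02"),            # custom framing on 443
    Flow("10.1.2.9", "192.0.2.44", 80, b"\x16\x03\x01\x00\x9c\x01"),             # TLS where HTTP is expected
    Flow("10.5.5.5", "10.5.5.6", 443, b"\x00\x00"),                              # internal to internal: not selected
    Flow("10.1.2.3", "203.0.113.10", 8443, b"\x00\x00"),                         # port outside the hypothesis: not selected
]

if __name__ == "__main__":
    for f in protocol_mismatches(SAMPLE_FLOWS):
        print(f"inspect: {f.src} -> {f.dst}:{f.dport} first bytes {f.first_bytes[:6].hex()}")
```

Only two of the six constructed flows are both selected and mismatched; the internal-to-internal flow and the one on tcp/8443 are never inspected at all, which is the point: the hypothesis decides where the inspection budget goes.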
Network security monitoring principle #3: Correlating and contextualizing
The principle of informed inspection brings us to our third principle: correlation and context. You can get so wrapped up in the technical challenges of packet inspection that you forget the whole point of network monitoring isn’t to monitor the network. It’s to use telemetry from the network in conjunction with other inputs, especially those from your endpoints and the cloud, to consistently spot emerging threats earlier in the kill chain. A network sensor can tell you that a host made a suspicious connection; endpoint telemetry tells you which process and user made it, and cloud and asset data tell you what that host is and what it can reach.
Your network monitoring success really has three components in the context of threat hunting:
- How resource-efficiently you monitor your organization’s ever-intensifying network traffic.
- How well you integrate the inputs you get from your network monitoring with the telemetry you get from your endpoint and cloud monitoring.
- How expertly you leverage that aggregated behavioral data to detect actual threats.
Plus, of course, there’s a fourth component: How well you translate your detections of active threats into the countermeasure actions necessary to fully neutralize them.
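As an added example of the second and third components (not code from the original post, nor from Secureworks or Taegis), the following takes a network hit of the kind a sensor produces and correlates it with endpoint process-connection telemetry and an asset inventory. Every record, hostname, address and process path is constructed, and the matching rule (same source, destination and port within a few seconds of the network timestamp) is an assumption you would tune to your own sensors’ clock skew.

```python
"""Correlating a network hit with endpoint and asset context.

Added example, not Secureworks or Taegis code. Every record here is constructed.
A network sensor can say "10.1.2.9 sent non-TLS bytes to 192.0.2.44:443";
only endpoint telemetry can say which process and user did it, and only an
asset inventory can say what kind of host 10.1.2.9 is.
Matching rule (an assumption): same source, destination and port, within a
few seconds of the network hit's timestamp.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class NetHit:
    ts: datetime
    src_ip: str
    dst_ip: str
    dport: int
    reason: str


@dataclass(frozen=True)
class EndpointConn:
    """Endpoint agent event: a process opened an outbound connection."""
    ts: datetime
    host: str
    src_ip: str
    dst_ip: str
    dport: int
    process: str
    user: str


@dataclass(frozen=True)
class EnrichedHit:
    hit: NetHit
    host: Optional[str]
    role: Optional[str]
    process: Optional[str]
    user: Optional[str]

    @property
    def attributed(self) -> bool:
        return self.process is not None


# Constructed asset inventory: ip -> (hostname, role).
ASSETS = {
    "10.1.2.9": ("WS-0142", "workstation"),
    "10.2.0.5": ("SRV-DB01", "database server"),
}


def correlate(hit: NetHit, endpoint_events, window=timedelta(seconds=5)) -> EnrichedHit:
    """Attach the closest matching endpoint connection event (if any) plus asset context."""
    candidates = [e for e in endpoint_events
                  if e.src_ip == hit.src_ip and e.dst_ip == hit.dst_ip
                  and e.dport == hit.dport and abs(e.ts - hit.ts) <= window]
    name, role = ASSETS.get(hit.src_ip, (None, None))
    if not candidates:
        # No endpoint event: agent gap, unmanaged device, or a process that evaded
        # the agent. Each is worth knowing, so the hit is kept, just unattributed.
        return EnrichedHit(hit, name, role, None, None)
    best = min(candidates, key=lambda e: abs(e.ts - hit.ts))
    return EnrichedHit(hit, best.host, role, best.process, best.user)


def describe(e: EnrichedHit) -> str:
    h = e.hit
    who = f"{e.process} as {e.user}" if e.attributed else "no endpoint attribution"
    return (f"{h.src_ip} ({e.host or 'unknown host'}, {e.role or 'unknown role'}) "
            f"-> {h.dst_ip}:{h.dport}: {h.reason}; {who}")


T0 = datetime(2024, 5, 1, 9, 15, 0)

SAMPLE_HITS = [
    NetHit(T0, "10.1.2.9", "192.0.2.44", 443, "non-TLS bytes on 443"),
    NetHit(T0 + timedelta(minutes=3), "10.2.0.5", "192.0.2.44", 443, "non-TLS bytes on 443"),
]

SAMPLE_ENDPOINT_EVENTS = [
    # Matches the first hit: 2 s later, same tuple. Process path is constructed.
    EndpointConn(T0 + timedelta(seconds=2), "WS-0142", "10.1.2.9", "192.0.2.44", 443,
                 r"C:\Users\jdoe\AppData\Local\Temp\updater.exe", "CORP\\jdoe"),
    # Same tuple but a minute earlier: outside the window, a different connection.
    EndpointConn(T0 - timedelta(seconds=60), "WS-0142", "10.1.2.9", "192.0.2.44", 443,
                 r"C:\Program Files\Browser\browser.exe", "CORP\\jdoe"),
]


def enrich_all(hits=SAMPLE_HITS, events=SAMPLE_ENDPOINT_EVENTS):
    return [correlate(h, events) for h in hits]


if __name__ == "__main__":
    for e in enrich_all():
        print(describe(e))
```

The first hit comes back attributed to a process in a user’s Temp directory on a workstation, which is a very different triage conversation from “a host talked to an IP”. The second hit has no endpoint event at all, and the asset inventory says it is a database server; the absence of attribution is itself context, whether it means an agent gap or a process hiding from the agent.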
If you’re a cybersecurity leader, Secureworks® is the ideal partner in your efforts to optimally incorporate network monitoring into your broader threat hunting and cyber safety strategy. Our network monitoring capabilities are second to none. Our leading-edge threat research team rigorously maintains unmatched insight into how threat actors unwittingly reveal themselves through the distinctive behavioral clues they leave as they pursue their criminal goals. Our Taegis XDR technology uniquely translates that threat research into threat protection.
Additionally, our team of security experts builds a strong partnership with you on a human, professional-to-professional basis.
If you’d like to learn more about how you can better monitor your network to more effectively mitigate your cybersecurity risk, please feel free to reach out to us today and talk to one of our experts.