Luis Miguel Acosta Guzmán

Threat Hunting Trick - Identify network activity to hunt malicious connections

Back in 2016 I published a paper describing a process to identify and classify the network connections inside an Android device, as the first step toward detecting a threat or a compromise on that device using its network telemetry as input (https://www.researchgate.net/publication/336888492_Network_Activity_Monitoring_Against_Malware_in_Android_Operating_System).



Today, network activity monitoring (or network security analytics) has become a fundamental capability in every security architecture and security strategy, as a way to prevent and identify the presence of a threat or an already compromised element inside a network. This holds because threats of every kind, such as malware, phishing, lateral movement and backdoors, will use network communications at some point in their path to fulfill their purpose.


Currently, there are many enterprise solutions that allow an organization to monitor network activity using native telemetry, such as Cisco Secure Network Analytics (previously known as Stealthwatch) or Darktrace Enterprise Immune System. They first collect network telemetry and then apply their own means, mainly AI, machine learning, analytics and intelligence from their own threat intelligence groups, to identify network anomalies and classify them as security threats or incidents.


It is very likely that at some point you will find yourself (or you already have) trying to make sense of spikes, bottlenecks or exhausted bandwidth in your network, or just trying to find clues for strange behavior on your endpoints, without the luck of already having a Network Security Analytics technology in place. I must say I have found myself in this situation many times, and let me tell you, there are some really simple things you can do to start forming a clear picture of what is happening using your network logs and free threat intelligence sources.


Make good use of free threat intelligence feeds


We live, breathe and eat information nowadays. You just need to open your favorite web browser, open Google and search for virtually anything that comes to your mind.


Luckily, free threat intelligence information is also available on the Internet for us to consume and take advantage of. This includes hashes, domains, URLs, email addresses and IP addresses that relevant security researchers or threat intelligence groups have identified and marked as suspicious or malicious.


I'm not going to go very deep on this topic, but I want to share with you two of my favorite free threat intelligence sources. I also want to invite you to take a look on Google and see all the free threat intelligence feeds available for you to draw upon.


  1. Cisco Talos. Talos is one of the biggest, if not the biggest, Threat Intelligence Center in the world. They have built a strong organization with many great security researchers capable of dissecting existing threats, finding new threats and anticipating future threats; they even get to identify zero-day vulnerabilities. All this intelligence is pushed into Cisco Security solutions to protect their customers; fortunately, Talos also has a completely free blog (https://talosintelligence.com/) where you can find much of their work, including tools, vulnerability information, IP, domain and file reputation lookup engines and, of course, free threat intelligence feeds. Talking about network activity monitoring, I love to use their malicious IP address feed, which is a txt file containing a list of the IP addresses they have identified as malicious (e.g. addresses related to botnets, malware campaigns, spear phishing attacks, etc.). This list is updated every 15 minutes and you can find it at the following URL: https://www.talosintelligence.com/documents/ip-blacklist

  2. The CINS Score. CINS stands for Collective Intelligence Network Security (http://cinsscore.com/); they are basically an organization that has deployed a large number of Sentinel IPS systems around the world, detecting all kinds of attacks and threats. CINS uses the information gathered by these IPS systems to calculate a score for every IP address that is flagged, so they can provide detailed information about it to their customers. Fortunately, they offer a free subset of 15,000 of the bad IP addresses they have found. You can find this list at the following URL: http://cinsscore.com/list/ci-badguys.txt


Harness your network logs


You don't necessarily need a specific technology to generate network activity telemetry; you probably already have firewalls, routers and switches that see all the packets in your network, so use their logs. You can even use the "netstat" command on your endpoints to generate a log of the network connections of that device at that specific point in time.


Every log format is different, and that could be a problem; that is why you can simply use a script to strip the IP addresses out of those logs. Here is a Python example using the re library to walk a list of strings and extract into another list all the IP addresses found, using a regular expression:



import re

def getInputIPs(fileContent):
    # fileContent: an iterable of log lines, e.g. open(path).readlines()
    ips = []
    for i in fileContent:
        # every dotted-quad found in this line, as a list (possibly empty)
        ips.append(re.findall(r'\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b', i))

    # flatten the list of lists into a single list of addresses
    a = []
    for i in ips:
        for j in i:
            a.append(j)
    # drop duplicates before returning
    return list(set(a))


Putting all together


Up to this point, we have threat intelligence feeds of malicious IP addresses on one hand, and on the other hand a way to gather IP addresses from pretty much every log you can put your hands on. The final step is to identify whether any connection in your network matches a malicious IP address.


Here is an example script to find the elements of one list inside another list; for our purpose, that means finding the IP addresses from our list of connections (the IP addresses seen in our network) inside the list of malicious IP addresses:



def searchListIntoList(listA, listB):
    # listA: malicious IP addresses from the feeds
    # listB: IP addresses extracted from your own logs
    malicious_IPs = []
    booleanFlag = any(elem in listA for elem in listB)
    if booleanFlag:
        for i in listB:
            if i in listA:
                malicious_IPs.append(i)
                print(i)
    else:
        print("---------- 0 matches ----------")
    return malicious_IPs

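The whole procedure end to end, as an added example that is not part of the original post: it parses a feed in the one-address-per-line format the Talos and CINS lists use, extracts addresses from constructed firewall and netstat-style lines, discards regex matches that are not valid addresses (the dotted-quad pattern also matches 999.1.1.1) and RFC1918/loopback addresses that never appear in those feeds, and reports the intersection. The log lines and the feed contents are constructed samples, not real indicators.

```python
import re
import ipaddress

IPV4_RE = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16', '127.0.0.0/8')]

# Constructed sample log lines (firewall and netstat style); not real traffic.
SAMPLE_LOG = """\
2024-01-05 10:01:22 fw1 ALLOW TCP 10.0.0.15:51234 -> 203.0.113.45:443
2024-01-05 10:01:23 fw1 ALLOW UDP 10.0.0.15:53412 -> 192.0.2.10:53
tcp4  0  0  10.0.0.15.51300   198.51.100.77.8080   ESTABLISHED
bogus address 999.1.1.1 should be ignored
"""

# Constructed sample feed in the one-address-per-line format; not real indicators.
SAMPLE_FEED = """\
# comment lines and blanks are skipped

203.0.113.45
198.51.100.77
192.0.2.99
"""

def parse_feed(text):
    """Valid IPv4 addresses from a one-per-line feed, ignoring comments and junk."""
    bad = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        try:
            bad.add(str(ipaddress.ip_address(line)))
        except ValueError:
            continue  # malformed feed line
    return bad

def extract_ips(lines, skip_private=True):
    """Unique, syntactically valid IPv4 addresses found in arbitrary log lines."""
    found = set()
    for line in lines:
        for candidate in IPV4_RE.findall(line):
            try:
                addr = ipaddress.ip_address(candidate)
            except ValueError:
                continue  # regex matched an octet above 255
            if skip_private and any(addr in net for net in PRIVATE_NETS):
                continue  # internal addresses never match a public feed
            found.add(str(addr))
    return found

def find_matches(log_lines, feed_text):
    """Sorted list of addresses seen in the logs that are also in the feed."""
    return sorted(extract_ips(log_lines) & parse_feed(feed_text))

if __name__ == '__main__':
    hits = find_matches(SAMPLE_LOG.splitlines(), SAMPLE_FEED)
    for ip in hits or ['---------- 0 matches ----------']:
        print(ip)
```

Point `find_matches` at your real log lines and the downloaded feed text, and treat every hit as a lead to investigate rather than a confirmed compromise, since feeds also contain addresses shared by legitimate hosting.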
Now you have your own simple and easy network security analytics engine that could potentially help you see some light when you are in the middle of a security incident, or just running some old-school threat hunting.


You can find the full script at:



Cheers!


a security artist



