Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Passive Network Forensics

by Steve Tilson
June 8, 2017

Passive_Network_Forensics

Organization are constantly being exploited for trade secrets, financial gain or malicious behavior. Attacker techniques are getting harder to detect and intrusions are not always easily identified. Passive monitoring of the data entering and leaving an enterprise network can support a number of forensic objectives, such as discovering the source of security attacks or other problem incidents. Passive network forensics plays an essential role for analyst in combating computer crime for organizations by analyzing abnormal behavior of systems.

 Network traffic is transmitted and then lost, unlike stored media, making network forensics more challenging. By looking at the way a given machine interacts with others, we can often determine the role of the machine based solely on the network data. A compromised host behavior can change the way the host acts subtly or in more dramatic ways. These behavioral changes are used to identify role shifts and to trace the malicious or unintentional disperse of that change to other machines.

 Information displayed by the components of this dashboard takes a look at that network activity along with event logs that shows possible network intrusion. This dashboard presents information passively detected over the last 72 hours, such as summaries of domains accessed and indicators of suspicious network activity. This information can be helpful for network monitoring and forensics.

 The Passive Network Forensics dashboard is available in the SecurityCenter Feed, a comprehensive collection of dashboards, reports, assurance report cards and assets. The dashboard can be easily located in the SecurityCenter Feed under the category Monitoring.

 The dashboard requirements are:

  • SecurityCenter 5.4.5
  • Nessus Network Monitor 5.3.0
  • LCE 5.0.1
  • LCE Client - Tenable NetFlow Monitor
  • LCE Client - Tenable Network Monitor

 

    Note that this dashboard relies on PVS detections being forwarded to the LCE. Make sure that the PVS is configured to send syslog messages to the LCE: in Configuration > PVS Settings > Syslog, include the LCE host (with port 514) in the Realtime Syslog Server List. The LCE listens for syslog messages by default.

    Listed below are the included components:

    • Passive Network Forensics - Suspicious Activity Over Last 72 Hours - This matrix presents indicators of suspicious events that have occurred in the last 72 hours, including intrusions, potential data leaks, potentially unwanted long-term activity, threatlist activity (interaction with known botnets), crowd surges, suspicious proxy activity, suspicious server activity, and other suspicious host activity.
    • Passive Network Forensics - SSL Activity Over Last 72 Hours - This matrix presents indicators of SSL events that have occurred in the last 72 hours, including use of SSL certificates known to be associated with malware, use of expired SSL certificates, media access (such as Netflix or Skype), social media access (such as Facebook or Twitter), cloud file storage access, access to services commonly used for sensitive data, and access to services used for processing credit card transactions. The last indicator notes all passively detected SSL activity; this includes the above, plus other activity that might be of interest.
    • Passive Network Forensics - Large Network Anomalies Over Last 72 Hours - This matrix presents indicators of large network anomalies that have occurred in the last 72 hours, including spikes in DNS events, SSL events, PVS events, network events, file access events, web access events, web error events, NetFlow events, and connection events (including inbound, outbound, and internal). Event rates are compared by hour to the same hour in previous days; large spikes in event rates can indicate new applications, new types of network usage, and in some cases, abuse.
    • Passive Network Forensics - Activity Over Last 72 Hours - This matrix presents indicators of network activity that has occurred in the last 72 hours, including long TCP sessions (more than 47 hours), TCP sessions with large data transfers (1GB or more), streaming traffic (such as Netflix or XM Radio), gaming traffic (such as logins to gaming networks), web activity (requests, logins, uploads, and downloads), non-web downloads, EXE downloads, e-mail attachment detections, BitTorrent activity, FTP activity, remote activity (SSH, VNC, or RDP), non-standard traffic (such as non-HTTP traffic on port 80), mDNS traffic, and SCADA traffic. Indicators are also presented for activity that falls under the event types of social network activity, general network activity, and detected changes.
    • Passive Network Forensics - Domains of Interest Over Last 72 Hours - This matrix presents indicators of domains of interest accessed over the last 72 hours. This component can be altered to add or remove domains of interest as needed. The Domain_Summary, Domain_Failure_Summary, and SSL_Cert_Summary events all give lists of domains accessed; searches are done within these events to find specific domains of interest. Each summary event for a given IP address gives the domains accessed by that IP since the last such event for that IP (which may be as often as hourly).
    • Passive Network Forensics - Domain Summaries Over Last 72 Hours - This table presents summary events for domains accessed over the last 72 hours, with trending. The Domain_Summary, Domain_Failure_Summary, and SSL_Cert_Summary events all give lists of domains accessed; searches can be done within these events to find specific domains of interest. Each summary event for a given IP address gives the domains accessed by that IP since the last such event for that IP (which may be as often as hourly).
    • Passive Network Forensics - Network Connections Over Last 72 Hours - This table presents network connection events from the Tenable Network Monitor (TNM) that have occurred over the last 72 hours, with trending. These events record network sessions, and indicate length and amount of data transferred. Note that a long TCP session maybe recorded twice – once for the length and once for the amount of data transferred.
    • Passive Network Forensics - Network Anomalies Over Last 72 Hours - This matrix presents indicators of network anomalies that have occurred in the last 72 hours. Minor, medium, and large anomalies are tracked for each event type. Event rates are compared by hour to the same hour in previous days; spikes in event rates can indicate new applications, new types of network usage, and in some cases, abuse.

    Tenable Vulnerability Management

    Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

    Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

    Tenable Vulnerability Management

    Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

    100 assets

    Choose Your Subscription Option:

    Buy Now

    Tenable Vulnerability Management

    Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

    Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

    Tenable Vulnerability Management

    Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

    100 assets

    Choose Your Subscription Option:

    Buy Now

    Tenable Vulnerability Management

    Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

    Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

    Tenable Vulnerability Management

    Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

    100 assets

    Choose Your Subscription Option:

    Buy Now

    Try Tenable Web App Scanning

    Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

    Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management and Tenable Lumin.

    Buy Tenable Web App Scanning

    Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

    5 FQDNs

    $3,578

    Buy Now

    Try Tenable Lumin

    Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.

    Your Tenable Lumin trial also includes Tenable Vulnerability Management and Tenable Web App Scanning.

    Buy Tenable Lumin

    Contact a Sales Representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.

    Try Tenable Nessus Professional Free

    FREE FOR 7 DAYS

    Tenable Nessus is the most comprehensive vulnerability scanner on the market today.

    NEW - Tenable Nessus Expert
    Now Available

    Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. Click here to Try Nessus Expert.

    Fill out the form below to continue with a Nessus Pro Trial.

    Buy Tenable Nessus Professional

    Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

    Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

    Select Your License

    Buy a multi-year license and save.

    Add Support and Training

    Try Tenable Nessus Expert Free

    FREE FOR 7 DAYS

    Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

    Already have Tenable Nessus Professional?
    Upgrade to Nessus Expert free for 7 days.

    Buy Tenable Nessus Expert

    Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

    Select Your License

    Buy a multi-year license and save more.

    Add Support and Training