Network traffic analysis for IR: Connection analysis
Introduction to connection analysis
Connection analysis is the highest-level type of network analysis that is used in incident response. Rather than developing and scanning with signatures of particular attack types or performing statistical analysis to identify anomalies in a network’s overall traffic profile, connection analysis monitors the connections made by a particular machine.
Each computer has certain types of connections that are normal and expected for it, as well as others that are anomalous. By identifying the various ways that a connection can be anomalous and monitoring for those particular anomalies, incident responders can detect a variety of different attack types with very high-level data.
Learn Incident Response
Connection analysis also has the advantage of being very lightweight to implement on a machine. Netstat is a common tool used in connection analysis, and it is installed by default in the Linux and Windows terminal. Using terminal tools for analysis makes it easy to leverage existing command line utilities to process data and to set up automated monitoring and alerting, using utilities like cron and syslog.
Performing connection analysis
Connection analysis is one of the simplest techniques for using network traffic analysis for incident response. Since it only looks at the network at the connection level, it lacks a lot of the details available with different analysis techniques. However, connection analysis can be used to detect a variety of different issues by identifying common types of connection anomalies and monitoring for them.
Unusual connection paths
One application of connection analysis for incident response is identification of unusual connections between computers. These could either be connections between internal and external machines or between internal machines. Connections crossing the network boundary may be in use by an attacker for command and control or data exfiltration, while unusual internal-to-internal connections could be in use for lateral movement within the organization’s network.
Netstat can be used for monitoring for unusual connection paths. The netstat command will show all established connections on the machine. Since netstat is a terminal command, it can be piped to additional tools that can filter out machine-specific connections (like those on 0.0.0.0 or 127.0.0.1) and others that can be safely ignored. The resulting list of connections can then be analyzed for anything unusual or suspicious.
Processes with network access
While some applications have a legitimate need to access the network and listen on certain ports, many others do not. If a seemingly legitimate process is exhibiting unusual behavior (like accessing the network), it may be a sign of process hollowing, DLL injection or other attacks.
With netstat, the PID of a process associated with a given connection can be printed with the -o command. Since netstat is a terminal utility, its output can be piped to other tools or scripts that can identify the particular process using a given port and determine whether the use of that port is anomalous for the process. If so, an alert can be generated to mark the process for further investigation.
Unauthorized servers
Netstat and connection analysis can also be used to detect unauthorized servers running on a machine. A process running a server (like a web server or email server) will have to keep a connection to a particular port when listening for connections. This will appear in netstat output as either a listening port or an established connection (if a server is active).
Testing for unauthorized servers can be accomplished using the netstat -a command and then filtering the resulting output. Any connections on addresses local to the machine (0.0.0.0 and 127.0.0.1) can be ignored, as well as any connections using high number ports (unless the port is in a listening state). Any other connections should be investigated, especially if they are on a common port for a service that the machine is not authorized to run — like a program listening on port 443 on a machine that should not be hosting a web server.
Long connections
Any connections with an unusually long duration should be investigated. Most connections have relatively short durations, and long-lived connections may be an indicator of an attacker with a remote shell or data exfiltration tool executing on the machine.
Unfortunately, netstat is not capable of explicitly showing the start time of a given connection. However, a couple of options exist.
If a computer has connection logging enabled, connections will be logged to /proc/net/nf_conntrack. Monitoring this file can allow an analyst to determine if a particular connection is long-lived.
If connection monitoring is not enabled, checking the runtime of the associated process (using netstat -o) may be helpful. The process start time can then be found using ps (on Linux). While there is no guarantee that the connection has been live for the duration of the process’s life, this can be used to help narrow the field of possibilities.
Missing connections
While many indicators of compromise that are detectable using connection analysis deal with additional or unusual connections, missing connections can be a cause for concern as well. If a machine is supposed to be hosting a web server, a failure to listen on port 443 should raise a red flag. Monitoring for missing connections can be implemented as a simple script that triggers an alert if a particular service seems to be down.
Conclusion: Connection analysis for incident response
Connection analysis is a useful tool for incident responders attempting to detect and get in front of a potential incident. The various applications of connection analysis are designed to identify abnormalities in the connections maintained by a computer. These abnormalities can point either to a fault in the monitored systems or a potential attack.
Since most cyberattacks use network communications as the initial delivery mechanism and for command and control, connection analysis can be used to detect and respond to a variety of different attack types.
Learn Incident Response
Sources
- netstat(8), die.net
- What is nf_conntrack used for?, linux.org
- V1.1 Release, Active Countermeasures
Incident Response
Build your skills responding to each phase of an incident, and get a technical deep dive of the tools and techniques used. What you'll learn:- IR phases and stages
- IR tools and techniques
- Conducting memory, network and host forensics
- And more
In this Series
- Network traffic analysis for IR: Connection analysis
- Disaster recovery: What's missing in your cyber emergency response?
- How will zero trust change the incident response process?
- How to build a proactive incident response plan
- Sparrow.ps1: Free Azure/Microsoft 365 incident response tool
- Uncovering and remediating malicious activity: From discovery to incident handling
- DHS Cyber Hunt and Incident Response Teams (HIRT) Act: What you need to know
- When and how to report a breach: Data breach reporting best practices
- Cyber Work Podcast recap: What does a military forensics and incident responder do?
- Top 8 cybersecurity books for incident responders in 2020
- Digital forensics and incident response: Is it the career for you?
- 2020 NIST ransomware recovery guide: What you need to know
- Network traffic analysis for IR: Data exfiltration
- Network traffic analysis for IR: Basic protocols in networking
- Network traffic analysis for IR: Introduction to networking
- Network Traffic Analysis for IR — Discovering RATs
- Network traffic analysis for IR: Analyzing IoT attacks
- Network traffic analysis for IR: TFTP with Wireshark
- Network traffic analysis for IR: SSH protocol with Wireshark
- Network traffic analysis for IR: Analyzing DDoS attacks
- Wireshark for incident response 101
- Network traffic analysis for IR: UDP with Wireshark
- Network traffic analysis for IR: TCP protocol with Wireshark
- Network Traffic Analysis for Incident Response: Internet Protocol with Wireshark
- ICMP protocol with Wireshark
- Cyber Work with Infosec: How to become an incident responder
- Simple Mail Transfer Protocol (SMTP) with Wireshark
- Internet Relay Chat (IRC) protocol with Wireshark
- Hypertext transfer protocol (HTTP) with Wireshark
- Network traffic analysis for IR: FTP protocol with Wireshark
- Infosec skills - Network traffic analysis for IR: DNS protocol with Wireshark
- Network traffic analysis for IR: Data collection and monitoring
- Network traffic analysis for Incident Response (IR): TLS decryption
- Network traffic analysis for IR: Address resolution protocol (ARP) with Wireshark
- Network traffic analysis for IR: Alternatives to Wireshark
- Network traffic analysis for IR: Statistical analysis
- Network traffic analysis for incident response (IR): What incident responders should know about networking
- Network traffic analysis for IR: Event-based analysis
- Network traffic analysis for IR: Data analysis for incident response
- Network traffic analysis for IR: Network mapping for incident response
- Network traffic analysis for IR: Analyzing fileless malware
- Network traffic analysis for IR: Credential capture
- Network traffic analysis for IR: Content deobfuscation
- Traffic analysis for incident response (IR): How to use Wireshark for traffic analysis
- Network traffic analysis for IR: Threat intelligence collection and analysis
- Network traffic analysis for incident response
- Creating your personal incident response plan
- Security Orchestration, Automation and Response (SOAR)
- Top six SIEM use cases
- Expert Tips on Incident Response Planning & Communication
- How to Use AlientVault SIEM for Threat Detection & Incident Response
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Incident response
Disaster recovery: What's missing in your cyber emergency response?
Incident response
Incident response
Incident response
Sparrow.ps1: Free Azure/Microsoft 365 incident response tool