Network traffic analysis for IR: Connection analysis

Introduction to connection analysis

Connection analysis is the highest-level type of network analysis that is used in incident response. Rather than developing and scanning with signatures of particular attack types or performing statistical analysis to identify anomalies in a network’s overall traffic profile, connection analysis monitors the connections made by a particular machine.

Each computer has certain types of connections that are normal and expected for it, as well as others that are anomalous. By identifying the various ways that a connection can be anomalous and monitoring for those particular anomalies, incident responders can detect a variety of different attack types with very high-level data.

Connection analysis also has the advantage of being very lightweight to implement on a machine. netstat, a common tool for connection analysis, is available by default from the command line on both Linux and Windows. Using command-line tools for the analysis makes it easy to process the data with existing utilities and to set up automated monitoring and alerting with tools such as cron and syslog.

Performing connection analysis

Connection analysis is one of the simplest ways to apply network traffic analysis to incident response. Because it looks only at the connection level, it lacks much of the detail available to other analysis techniques. However, by identifying common types of connection anomalies and monitoring for them, connection analysis can still detect a variety of different issues.

Unusual connection paths

One application of connection analysis for incident response is identification of unusual connections between computers. These could either be connections between internal and external machines or between internal machines. Connections crossing the network boundary may be in use by an attacker for command and control or data exfiltration, while unusual internal-to-internal connections could be in use for lateral movement (Read more...)
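The following script is an added example (not code from the original post or its author) of the baseline approach described above: it reads `netstat -ant`-style output, compares each ESTABLISHED connection's remote endpoint against a list of peers recorded as normal for the host, and reports anything else, labelling each finding as an internal or external path. The netstat lines, the baseline patterns, and the assumption that 10.0.0.0/8 is the internal range are all constructed for the example; a real deployment would record its own baseline and run the check from cron, sending findings to syslog with `logger`.

```shell
#!/bin/sh
# Added example, not from the original post: baseline-based connection
# analysis over `netstat -ant` output. All data below is constructed.

# Disable pathname expansion so the "*" in baseline patterns is never
# matched against the filesystem when the list is iterated.
set -f

# Constructed sample in the column layout of Linux `netstat -ant`.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.1.15:443           10.0.2.40:51234         ESTABLISHED
tcp        0      0 10.0.1.15:22            10.0.1.9:60011          ESTABLISHED
tcp        0      0 10.0.1.15:44512         203.0.113.77:8443       ESTABLISHED
tcp        0      0 10.0.1.15:50200         10.0.3.200:445          ESTABLISHED
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN'

# Constructed baseline of peers that are normal for this host
# (assumption: a web server that accepts clients from 10.0.2.0/24 and
# SSH from a jump host at 10.0.1.9). Space-separated shell glob
# patterns matched against "ip:port".
BASELINE='10.0.2.*:* 10.0.1.9:*'

# is_expected IP:PORT -> exit 0 when the peer matches a baseline pattern
is_expected() {
    addr=$1
    for pat in $BASELINE; do
        case $addr in
            $pat) return 0 ;;
        esac
    done
    return 1
}

# classify_peer IP -> "internal" or "external"
# Assumption for the example: 10.0.0.0/8 is the internal address space.
classify_peer() {
    case $1 in
        10.*) echo internal ;;
        *)    echo external ;;
    esac
}

# find_anomalies: read netstat text on stdin and print one line per
# ESTABLISHED connection whose foreign endpoint is not in the baseline,
# formatted as "<internal|external> <local> <foreign>". The header and
# LISTEN rows are skipped because their state field is not ESTABLISHED.
find_anomalies() {
    while read -r proto recvq sendq local foreign state; do
        [ "$state" = "ESTABLISHED" ] || continue
        if ! is_expected "$foreign"; then
            ip=${foreign%:*}
            echo "$(classify_peer "$ip") $local $foreign"
        fi
    done
}

# analyze_sample: run the check over the constructed sample.
# Expected result: the external connection to 203.0.113.77:8443 and the
# internal connection to 10.0.3.200:445 are reported; the two
# baselined peers are not.
analyze_sample() {
    printf '%s\n' "$SAMPLE_NETSTAT" | find_anomalies
}

# Live mode for a cron job, e.g. "*/5 * * * * /path/to/conn_check.sh --live":
# findings go to syslog tagged conn-analysis. Not run by default here.
if [ "${1:-}" = "--live" ]; then
    netstat -ant | find_anomalies | logger -t conn-analysis
else
    analyze_sample
fi
```

The check is deliberately coarse: it only asks "is this peer one we expect?", which is exactly the level at which connection analysis operates. An unexpected external peer is the signal to investigate for command and control or exfiltration, and an unexpected internal-to-internal connection (here, SMB to 10.0.3.200) is the signal to look for lateral movement; confirming either requires the deeper packet- or signature-level techniques the post contrasts with this one.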

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Howard Poston. Read the original post at: