Security Operations Center (SOC) (2)

Eyüp Cebe
13 min read · Sep 5, 2023


Security Operation Center

Firewall logs anatomy

A firewall generates very useful logs that carry valuable information. By understanding these logs and the fields they contain, you can investigate several attack tactics, such as lateral movement, reconnaissance, command and control, and exfiltration.

Log Timestamp

The Log Timestamp value within firewall logs plays a critical role in aiding SOC analysts and incident handlers. It provides essential information regarding the exact timing of specific events, often down to a fraction of a second. This timestamp enables analysts to determine when the analyzed traffic took place and establish correlations with logs from other sources and data repositories. As a result, investigators gain more evidence and information to support their analysis. Additionally, the timestamp facilitates the tracking of suspicious activities within a narrow timeframe, such as scanning activities.

Source IP

The Source IP value is the client IP that initiated the network communication traffic to the destination IP. This field is very important for identifying the origin of the communication.

If you’re investigating suspicious communication traffic, such as signs of lateral movement or reconnaissance, you need to identify the source IP of the communication so that you can investigate it further and respond to the infection, for example by removing the malware from the machine or rebuilding it.

Destination Port

The Destination Port value in firewall logs typically denotes the service that was requested by the source IP from the destination IP. It helps identify the specific protocol or application involved in the communication. Notably, there are well-known ports (numbered 0–1023) assigned to standard protocols like SMB, RDP, FTP, and others.

Attackers often target these well-known ports for lateral movement, attempting to exploit vulnerabilities in the associated services. Here is a list of well-known ports commonly targeted for lateral movement:

- SMB (Server Message Block): Port 445
- RDP (Remote Desktop Protocol): Port 3389
- FTP (File Transfer Protocol): Port 21
- SSH (Secure Shell): Port 22
- HTTP (Hypertext Transfer Protocol): Port 80
- HTTPS (Hypertext Transfer Protocol Secure): Port 443
- DNS (Domain Name System): Port 53
- SQL (Structured Query Language) services: Port 1433 (Microsoft SQL Server), Port 3306 (MySQL), Port 5432 (PostgreSQL)

Monitoring and analyzing firewall logs for activity on these ports can help detect potential lateral movement attempts and aid in defending against such attacks.

Source Interface Zone

The Source Interface Zone, also known as Source Interface Role in some vendor terminologies, refers to the firewall security zone of the system responsible for initiating network communication traffic. The value of the Source Interface Zone can be categorized as LAN, DMZ, or WAN.

The Source Interface Zone provides valuable information for identifying the zone to which the source system belongs. This helps in determining the location of the source machine within the network infrastructure. By monitoring the Source Interface Zone, you can detect and investigate suspicious communications occurring between different network zones.

For instance, abnormal behavior can be observed when a system in the DMZ initiates communication traffic with external systems, such as specific IPs or domains. This allows for the identification of potential security risks or unauthorized activities within the network environment. Understanding the Source Interface Zone aids in enhancing security monitoring and response capabilities.

Destination Interface Zone

Also called Destination Interface Role by some vendors, it refers to the zone of the target system of the network communications traffic. The Destination Interface Zone’s value may be LAN, DMZ, or WAN.

The Destination Interface Zone allows you to identify where the destination system is located, which should help you investigate suspicious communications patterns and identify which zone in your network the attacker targets. It should also help you detect suspicious communications between the zones. For example, you may want to develop a detection use case to detect suspicious RDP traffic from the DMZ to the LAN zone.

Device Action

The Device Action value in firewall logs indicates the action taken by the firewall based on the predefined rules applied to it. The two expected Device Action values are “allowed” and “denied.”

The Device Action value is crucial in identifying the outcome of connections made through the firewall. When investigating lateral movement activities, it helps determine whether the attacker successfully pivoted to the targeted machines or if their attempts were denied by the firewall. This information is valuable for understanding the progression of an attack and assessing its impact.

Additionally, the Device Action value is helpful for developing detection use cases. By monitoring and analyzing patterns of denied communications from a single host within a short timeframe, potential security threats, such as brute force attacks or suspicious activity, can be identified. This allows for timely response and mitigation measures to be implemented.

Understanding the Device Action value provides insights into the effectiveness of the firewall’s rules and aids in detecting and responding to unauthorized or malicious connections within the network.

Source Geolocation country

Source Geolocation country is a newer log field, added by some firewall vendors, that records the geolocation of the source IP.

This log field helps with investigating and detecting communications from unexpected geolocation countries.

Destination Geolocation country

Destination Geolocation country is a newer log field, added by some firewall vendors, that records the geolocation of the destination IP.

This log field helps with investigating and detecting communications to unexpected geolocation countries.

At this point, you should be aware of the information that’s provided in the firewall logs and how to utilize it to either investigate or detect cyber incidents.

Investigating Cyber Threats by Using the Firewall Logs

The network firewall holds a strategic position within the network infrastructure, providing valuable insight and visibility into the traffic flowing between different zones and subnets. As a SOC analyst and incident responder, you can leverage the firewall’s position and the detailed logs it generates to effectively investigate and respond to cyber threats.

The firewall’s ability to capture and log pertinent details about network traffic grants you access to valuable information for threat detection and analysis. By examining firewall logs, you can identify potential indicators of compromise, track suspicious activities, and gain insights into the tactics, techniques, and procedures employed by threat actors.

The firewall’s position and log details enable you to correlate events across various systems, detect patterns indicative of malicious behavior, and establish a comprehensive understanding of the threat landscape within your network. This information empowers you to proactively defend against cyber threats and respond swiftly and effectively to security incidents.

In summary, leveraging the firewall’s strategic position and log details equips you with the necessary tools to investigate, detect, and respond to cyber threats, strengthening your organization’s overall security posture.

  • Public-facing IPs and port scanning
  • Internal network service discovery

Public-facing IPs and port scanning

In an attack scenario, an attacker might engage in reconnaissance activities to gather information about the victim’s environment. This often involves scanning the victim’s IP blocks and ports to identify active IP addresses and determine which services are running. The purpose of this reconnaissance is to gather valuable intelligence for potential exploitation attempts and gain initial access to the target system or network.

By scanning IP blocks and ports, the attacker aims to identify potential vulnerabilities, misconfigurations, or weak points that can be exploited later. The information obtained during reconnaissance allows the attacker to understand the victim’s network architecture, identify potential entry points, and tailor their attack vectors accordingly.

It is crucial for organizations to be aware of such reconnaissance activities and implement robust security measures to detect and prevent them. Monitoring network traffic, employing intrusion prevention systems, and maintaining up-to-date security configurations can help mitigate the risk posed by reconnaissance activities and enhance overall cybersecurity defenses.

Remember, proactive defense and continuous monitoring are essential to identify and respond effectively to potential cyber threats.

Internal network service discovery

After gaining initial access to a victim’s environment, the attacker typically discovers the environment by scanning the victim’s network for open ports, running services, OS fingerprints, and known vulnerability signatures.
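As an added example (not code from the original post), the following Python script shows how the log fields described above can be put to work: it parses constructed firewall log lines in a generic key=value layout (field names ts, src, dst, dport, szone, dzone and action are assumptions, not a specific vendor’s format), flags a source that touches many distinct ports on one destination within a short window, which is the port scanning and service discovery behaviour described in the last two sections, and implements the DMZ-to-LAN RDP detection use case mentioned under Destination Interface Zone.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log lines in a generic key=value layout (no specific vendor).
# A WAN host probes several well-known ports on a DMZ server, then that DMZ server
# opens RDP into the LAN; the last line is ordinary LAN-to-WAN browsing.
SAMPLE_LOGS = """\
ts=2023-09-05T10:00:00.120 src=203.0.113.7 dst=198.51.100.10 dport=21 szone=WAN dzone=DMZ action=denied
ts=2023-09-05T10:00:00.340 src=203.0.113.7 dst=198.51.100.10 dport=22 szone=WAN dzone=DMZ action=denied
ts=2023-09-05T10:00:00.510 src=203.0.113.7 dst=198.51.100.10 dport=80 szone=WAN dzone=DMZ action=allowed
ts=2023-09-05T10:00:00.730 src=203.0.113.7 dst=198.51.100.10 dport=443 szone=WAN dzone=DMZ action=allowed
ts=2023-09-05T10:00:01.020 src=203.0.113.7 dst=198.51.100.10 dport=445 szone=WAN dzone=DMZ action=denied
ts=2023-09-05T10:00:01.250 src=203.0.113.7 dst=198.51.100.10 dport=3389 szone=WAN dzone=DMZ action=denied
ts=2023-09-05T10:05:12.000 src=198.51.100.10 dst=10.0.0.25 dport=3389 szone=DMZ dzone=LAN action=allowed
ts=2023-09-05T11:30:00.000 src=10.0.0.40 dst=93.184.216.34 dport=443 szone=LAN dzone=WAN action=allowed
"""

def parse_line(line):
    """Parse one key=value line into a dict; ts becomes a datetime, dport an int."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    fields["ts"] = datetime.fromisoformat(fields["ts"])
    fields["dport"] = int(fields["dport"])
    return fields

def parse_logs(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]

def detect_port_scans(events, window=timedelta(seconds=60), min_ports=5):
    """Flag a source that touches many distinct destination ports on one
    destination within a time window (reconnaissance / service discovery).
    Denied and allowed connections both count. Returns {(src, dst): sorted ports}."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append(e)
    hits = {}
    for pair, evs in by_pair.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            ports = {e["dport"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(ports) >= min_ports:
                hits[pair] = sorted(ports)
                break
    return hits

def detect_cross_zone_rdp(events, src_zone="DMZ", dst_zone="LAN"):
    """Use case from the text: RDP (3389) allowed from the DMZ into the LAN."""
    return [e for e in events
            if e["dport"] == 3389 and e["action"] == "allowed"
            and e["szone"] == src_zone and e["dzone"] == dst_zone]

if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    for (src, dst), ports in detect_port_scans(evs).items():
        print(f"possible scan: {src} -> {dst} on ports {ports}")
    for e in detect_cross_zone_rdp(evs):
        print(f"DMZ->LAN RDP: {e['src']} -> {e['dst']} at {e['ts']}")
```

Tune `window` and `min_ports` to your environment; a vulnerability scanner or monitoring host will trip this rule legitimately and belongs on an allow list.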

Investigating lateral movement attacks

  • Remote desktop application (RDP)
  • Windows admin shares
  • PowerShell Remoting

Investigating C&C and exfiltration attacks

Command and Control (C&C) refers to the communication between an attacker’s server and a victim’s machine. This communication can occur through various means. One method involves configuring malware installed on the victim’s machine to establish a reverse shell, allowing the attacker to control the compromised system remotely. Another approach involves exploiting services running on the victim’s machine, such as SSH or Telnet, to send instructions and commands that are executed on the victim’s machine.

During the C&C phase, the attacker maintains control over the compromised system and can issue commands, extract information, or carry out malicious activities. The C&C channel serves as a communication conduit for the attacker to interact with the compromised machine.

Exfiltration, on the other hand, refers to the process of extracting valuable or sensitive data from the victim’s machine. Once the attacker has collected the desired information, they may choose to transfer it to their own server using the same C&C channel or through an alternative channel. The exfiltrated data can include intellectual property, personal information, financial records, or any other valuable data that the attacker intends to exploit or profit from.

Effective detection and prevention of C&C communication and data exfiltration are essential for mitigating the impact of cyber attacks. Implementing robust network security measures, including intrusion detection and prevention systems, traffic monitoring, and data loss prevention mechanisms, can help detect and block malicious C&C activities and prevent unauthorized data exfiltration attempts.

Firewall positions between an attacker’s C&C server and its victim
  • Suspicious traffic to external IPs
  • DNS tunneling
  • Data exfiltration

Investigating suspicious traffic to external IPs

If you have a suspicion of C&C communications traffic from the internal victim machine to the external attacker server, you need to use the firewall logs to investigate the following attributes:

  • Destination IP: Investigate the destination IP’s reputation, whether the IP is currently in use by an active threat actor, and whether it hosts any malicious command and control domains by using threat intelligence platforms such as VirusTotal, IBM X-Force, and Google’s search engine (we have dedicated Chapter 14 to threat intelligence investigation).
  • Suspicious ports: While most attackers configure their malware to communicate with their C&C servers over well-known standard ports such as 80 and 443, some attackers keep the default communication ports of their attack and C&C tools, such as port 4444, the default port for Metasploit Meterpreter communications. Ports 6667, 6660, 6669, and 7000, the default ports of the Internet Relay Chat (IRC) protocol, may also be used for command and control communication between the attacker’s server and the victim’s machine.
  • Suspicious communication patterns: Several communication patterns indicate command and control activity, including a huge number of requests from the victim’s machine (source IP) to the attacker’s server (destination IP), and heartbeat requests, also called malware beaconing. Malware beaconing is when the attacker configures their malware to send requests from the victim’s machine to the attacker’s server at regular intervals (such as daily, every 7 hours, every hour, every 10 minutes, and so on), asking for instructions or delivering gathered data. Attackers employ this strategy to evade detection.
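The two indicators above, tool default ports and beaconing at regular intervals, can be checked mechanically over outbound connection records. The Python below is an added example, not code from the original post: the connection records are constructed and already parsed (src, dst, dport, ts), and the beacon test uses the coefficient of variation of the gaps between successive connections, which is an assumption about how “regular” is measured rather than a rule from the text.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Default ports of attack tooling named in the text (Meterpreter, IRC).
SUSPICIOUS_PORTS = {4444: "Metasploit Meterpreter default", 6660: "IRC", 6667: "IRC",
                    6669: "IRC", 7000: "IRC"}

# Constructed outbound (LAN -> WAN) connection records, already parsed from the
# firewall. One host reaches the same external IP every ~10 minutes (a beacon),
# another browses irregularly, and a third connects once to port 4444.
_base = datetime(2023, 9, 5, 9, 0, 0)
SAMPLE_EVENTS = [
    {"ts": _base + timedelta(seconds=600 * i + jitter), "src": "10.0.0.40",
     "dst": "203.0.113.50", "dport": 443}
    for i, jitter in enumerate([0, 1, -2, 1, 0, 2, -1, 1])
] + [
    {"ts": _base + timedelta(seconds=s), "src": "10.0.0.41",
     "dst": "93.184.216.34", "dport": 443}
    for s in [0, 7, 65, 400, 3100, 3120, 3121]
] + [
    {"ts": _base + timedelta(seconds=1500), "src": "10.0.0.42",
     "dst": "203.0.113.60", "dport": 4444},
]

def flag_suspicious_ports(events):
    """Connections to default ports of known C&C tooling (from the text)."""
    return [(e["src"], e["dst"], e["dport"], SUSPICIOUS_PORTS[e["dport"]])
            for e in events if e["dport"] in SUSPICIOUS_PORTS]

def detect_beacons(events, min_conns=6, max_cv=0.1):
    """Find flows whose connections recur at near-constant intervals.
    The coefficient of variation (stdev / mean) of the inter-arrival gaps is
    near 0 for scheduled check-ins and large for human browsing. Returns
    {(src, dst, dport): {"connections": n, "mean_interval_s": seconds}}."""
    by_flow = defaultdict(list)
    for e in events:
        by_flow[(e["src"], e["dst"], e["dport"])].append(e["ts"])
    beacons = {}
    for flow, times in by_flow.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        m = mean(gaps)
        if m > 0 and pstdev(gaps) / m <= max_cv:
            beacons[flow] = {"connections": len(times), "mean_interval_s": round(m)}
    return beacons

if __name__ == "__main__":
    for flow, info in detect_beacons(SAMPLE_EVENTS).items():
        print("beacon candidate:", flow, info)
    for src, dst, port, why in flag_suspicious_ports(SAMPLE_EVENTS):
        print(f"suspicious port: {src} -> {dst}:{port} ({why})")
```

Legitimate software (update checks, monitoring agents) also beacons, so a hit is a lead to pair with the destination IP reputation check from the first bullet, not a verdict on its own.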

Investigating DNS tunneling

The Domain Name System (DNS) is a service that computers use to map domain names to IP addresses by asking DNS servers for a domain’s IP. The DNS servers then work recursively to answer the request with the available records (IPs) for the domain. This process is what allows the computer to reach internet resources.

Investigating data exfiltration

Data exfiltration refers to the unauthorized transfer of collected data and files from the victim’s environment to systems controlled by the attacker. Attackers employ various techniques to exfiltrate data, aiming to bypass detection and maintain control over the stolen information.

One method involves using the same command and control (C&C) channel established during the attack to transfer the exfiltrated data. This allows the attacker to leverage the existing communication infrastructure between the compromised system and their external server.

Alternatively, attackers may utilize popular storage cloud services like Dropbox or MEGA to store and transfer the stolen data. By leveraging these legitimate platforms, they can camouflage their activities and blend in with regular network traffic, making it harder to detect the exfiltration.

To further evade detection, attackers may opt to exfiltrate data in small, fixed-size chunks rather than sending large volumes of data at once. This fragmentation technique helps minimize suspicion and reduces the chances of triggering security alerts.

Detecting and preventing data exfiltration requires a multi-layered defense approach. Implementing data loss prevention (DLP) solutions, network monitoring systems, and encryption mechanisms can help identify unusual data transfer patterns, detect unauthorized access to sensitive information, and prevent exfiltration attempts before significant damage occurs.

Regular security assessments, incident response planning, and employee training on data protection and cybersecurity best practices are also crucial in mitigating the risk of data exfiltration.

Investigating DoS attacks

A Denial of Service (DoS) attack is an attack meant to consume resources such as machines, websites, applications, or networks, making them inaccessible to their intended users. For example, imagine that you have a website that allows only five visitors to browse it at the same time. An attacker could conduct a DoS attack against the website by browsing it with five fake visitors at the same time, consuming the number of allowed website visitors and preventing legitimate visitors from accessing the website. There are several network DoS attack types that threat actors could conduct:

  • Distributed denial-of-service attacks (DDoS): These are like DoS attacks, except that requests are sent from many clients instead of just one. To carry out this attack, the attacker usually uses many bot machines (bots are machines that have been previously compromised and controlled by attackers). Each of these controlled bot machines conducts a DoS attack against the target resources.
DDoS Attacks
  • Application layer DoS attacks: This occurs when the attacker attacks the application itself to make it inaccessible to its intended users. The application could be a website, email portal, and so on. The most common type of application layer attack is the HTTP flood attack, in which the attacker configures their controlled bots to send large numbers of HTTP requests to a specific URL of the website from different IP addresses. The repeated requests for the same resource from many IPs make the server’s resources unavailable to legitimate users or may take the server down.
Application Layer DoS Attacks
  • Protocol DoS attacks: This occurs when the attacker exploits the way a protocol works to exhaust the system resources, making it unavailable to legitimate traffic. An example of a protocol DoS attack is the SYN flood attack. In a SYN flood attack, the attacker takes advantage of the TCP three-way handshake, which requires the server to respond to the client with a SYN-ACK packet and then wait for the client to complete the handshake. The attacker sends many SYN packets to the server from several spoofed IP addresses. The server responds to each packet with a SYN-ACK packet, asking the client to complete the three-way handshake. The spoofed IPs never respond, and the server keeps waiting on those many half-open connections until it crashes.
Protocol Layer DoS Attacks
  • Volumetric DoS attacks: This occurs when the attacker uses their server(s) to generate massive volumes of traffic to completely consume the victim’s line bandwidth, creating a traffic jam that makes the target resources unreachable to legitimate traffic. An example of a volumetric attack is the DNS amplification attack.
Volumetric DoS Attacks

Web Proxy Logs Analysis

The web proxy is one of the most critical network security controls deployed in the network, as it is needed to manage and control communications between internal users and web servers. To do so, the web proxy gets visibility of web communication aspects such as the accessed domain and web resources, web category, and user agent, which allows it to generate useful logs that let cybersecurity professionals detect and investigate several threats, such as access to malicious websites and C&C communications. As a SOC analyst, you should be aware of the logs provided by the web proxy, take advantage of them, and be able to analyze them to investigate cyber incidents.

The device action (s-action)

The device action field helps you identify what type of action the proxy appliance took to process the web request. The possible values include ALLOWED, DENIED, FAILED, and SERVER_ERROR. In this case, the device action is TCP_DENIED, which means the proxy denied the request for this web page.

In the case of communication with a malicious web server or any suspicious web category, it helps to identify if the connections have succeeded or not.

The response status code (sc-status)

The response status code is a code issued by either the web server, web proxy, or internet gateway in the HTTP response packet of the client HTTP request. This code allows us to identify whether the client HTTP request was successfully responded to by the web server or not. The expected values of the HTTP response status code are separated into five code families:

  • 1xx Informational: Means the request was received
  • 2xx Successful: Means the request was successfully received and accepted
  • 3xx Redirection: Means the request for a specific page was redirected to another
  • 4xx Client error: Means the request can’t be processed due to a client error, such as requesting a nonexistent page or lacking authorization to perform the request
  • 5xx Server error: Means the server failed to respond to a valid request

The HTTP method (cs-method)

The HTTP method is the method used by the client in the HTTP request to access the web server resources; in other words, this field shows the way that the client wants to deal with the web server. The following are the most common and important HTTP request methods:

  • GET: Used to request and retrieve data from the web server
  • POST: Used to send data to the web server
  • HEAD: Same as GET, but it requests only the response headers, not the body
  • DELETE: Used to delete data from the web server
  • CONNECT: Used to create a tunnel through the proxy server for secure protocols, such as HTTPS
  • OPTIONS: Used to get the allowed HTTP methods by the web server
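The three proxy fields just described (s-action, sc-status, cs-method) are easiest to work with once the log is parsed. The Python below is an added example, not code from the original post: it parses a constructed log excerpt in the W3C ELFF layout (a #Fields header naming the columns, as many proxies emit it; the s-action values and hostnames in the sample are constructed), groups the status codes into the five families listed above, and answers the question the device action section raises, namely whether a client that was denied access to a host ever reached it successfully.

```python
import re
from collections import Counter, defaultdict

# Constructed proxy log excerpt in the W3C ELFF layout (field names as in the
# text: s-action, sc-status, cs-method). Values are invented, not real traffic.
SAMPLE_PROXY_LOG = """\
#Software: example-proxy (constructed sample)
#Fields: date time c-ip s-action sc-status cs-method cs-host cs-uri-path cs-categories
2023-09-05 10:01:02 10.0.0.40 TCP_NC_MISS 200 GET www.example.com /index.html "Technology"
2023-09-05 10:01:05 10.0.0.40 TCP_TUNNELED 200 CONNECT login.example.net / "Business"
2023-09-05 10:02:10 10.0.0.41 TCP_DENIED 403 GET bad.example.org /gate.php "Malicious Sources"
2023-09-05 10:02:11 10.0.0.41 TCP_DENIED 403 POST bad.example.org /gate.php "Malicious Sources"
2023-09-05 10:03:00 10.0.0.42 TCP_NC_MISS 404 GET www.example.com /missing "Technology"
2023-09-05 10:03:30 10.0.0.42 TCP_NC_MISS 502 GET api.example.com /v1/status "Technology"
2023-09-05 10:04:00 10.0.0.41 TCP_NC_MISS 200 POST bad.example.org /gate.php "Malicious Sources"
"""

def parse_elff(text):
    """Parse ELFF lines into dicts, taking the key names from the #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            values = re.findall(r'"[^"]*"|\S+', line)   # keep quoted categories whole
            rows.append(dict(zip(fields, (v.strip('"') for v in values))))
    return rows

STATUS_FAMILIES = {"1": "informational", "2": "successful", "3": "redirection",
                   "4": "client error", "5": "server error"}

def status_family(sc_status):
    """Map an HTTP status code to the family described in the text."""
    return STATUS_FAMILIES.get(str(sc_status)[:1], "unknown")

def summarize(rows):
    """Per client: requests the proxy denied, successful responses, and CONNECT
    tunnels (HTTPS); plus a histogram of status-code families for the whole log."""
    per_client = defaultdict(Counter)
    families = Counter()
    for r in rows:
        c = per_client[r["c-ip"]]
        c["denied"] += r["s-action"].endswith("DENIED")
        c["tunnels"] += r["cs-method"] == "CONNECT"
        c["ok"] += status_family(r["sc-status"]) == "successful"
        families[status_family(r["sc-status"])] += 1
    return per_client, families

def denied_and_succeeded(rows):
    """(client, host) pairs where the proxy denied some requests but at least one
    request to the same host got a 2xx: the 'did the connection succeed' check."""
    denied = {(r["c-ip"], r["cs-host"]) for r in rows if r["s-action"].endswith("DENIED")}
    return sorted({(r["c-ip"], r["cs-host"]) for r in rows
                   if (r["c-ip"], r["cs-host"]) in denied
                   and status_family(r["sc-status"]) == "successful"})
```

Because the column names come from the #Fields header, the same parser works on a real export as long as the fields used here are present.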
