Network Security Monitoring

History:
Todd Heberlein began work on NSM informally in 1988. His system was the first NSM that used network traffic as its source for generating alerts. The Air Force Computer Emergency Response Team (AFCERT) was the first organization to informally follow NSM principles. In 1993, AFCERT, in collaboration with Heberlein, deployed the first version of NSM as ASIM (Automated Security Incident Measurement).

NSM:
NSM is the best way to go from zero defense to some defense. By practicing it, an organization reduces its exposure and can prevent a data breach. NSM is operated by a group of people known as the CIRT (Computer Incident Response Team).

Benefits:
  • Collect a rich amount of network-derived data from different devices.
  • The CIRT analyses this data to find compromised assets.
  • The CIRT uses NSM data to assess the cause of an incident.
Does NSM Prevent Incidents?
No, it does not prevent incidents, because breaches are inevitable. Intruders use different techniques to cause incidents, but by using NSM you can frustrate them. Time is the key factor in detecting, responding to and containing the intruder.

Difference between NSM and continuous monitoring?
NSM is threat-centric and CM is vulnerability-centric: adversaries are the focus of NSM, while configuration and weaknesses are the focus of CM. In CM, "continuous" means checking the configuration monthly or quarterly, and "monitoring" means determining whether systems are compliant with controls. So by definition a CM operation strives to find an organization's computers, identify vulnerabilities, and patch those holes if possible. An NSM operation is designed to detect adversaries, respond to their activities and contain them before they can accomplish their mission.

NSM and other technologies:
These technologies are blocking, filtering or denying mechanisms: their job is to recognize malicious activity and stop it. NSM, on the other hand, is not a filtering or blocking technology; it focuses on visibility. The CIRT monitors for the moments when security controls fail, because these tools do not report their own weaknesses or loopholes. NSM is thus one way to make the failure of security controls more visible.

CIRT and Forensic Professional:
CIRT: They perform analysis, watch for malicious activity, and protect authorized users and the organization. Their focus is external threats. Forensic Professionals: They perform investigations, watch for fraud, and monitor abuse by authorized users to protect the organization. Their focus is internal threats.

NSM data:
  • Full Content
In this type of data the analyst collects everything that passes across the network. Analysts don't filter out data that might be associated with a security incident.
  • Extracted Content
It refers to high-level data streams such as files, images and media transferred between computers.
  • Session Data
It is the record of a conversation between two network nodes.
  • Transaction Data
It is similar to session data, but it also shows the requests and responses exchanged between the communicating devices.
  • Statistical Data
It describes the traffic resulting from various aspects of an activity.
  • Metadata
Data about data, for example obtained by using the whois command.
  • Alert Data
Data that is used to raise an alert (for example, data from an IDS such as Snort).
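To show how these data types build on one another, here is an added Python example (not code from the original post or from any NSM tool). It starts from constructed session records, derives statistical data from them, and produces alert data when a simple constructed rule fires; the record format, field names, addresses, thresholds and the rule itself are all assumptions made for the example.

```python
"""Added example: session data -> statistical data -> alert data.
Sample records, the text format, the threshold and the rule are constructed
for illustration; they do not follow any specific tool's format."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """One session record: who talked to whom, on which port, and how much."""
    ts: float          # start time, epoch seconds (constructed)
    src: str
    dst: str
    dport: int
    proto: str
    bytes_out: int     # bytes from src to dst
    bytes_in: int      # bytes from dst to src


def parse_session_line(line):
    """Parse one constructed text record: 'ts src dst dport proto out in'."""
    ts, src, dst, dport, proto, out_b, in_b = line.split()
    return Session(float(ts), src, dst, int(dport), proto, int(out_b), int(in_b))


# Constructed session data (private addresses only).
SESSIONS = [parse_session_line(l) for l in """
1700000000.0 10.0.0.5 10.0.0.20 443 tcp 1200 48000
1700000001.0 10.0.0.5 10.0.0.20 443 tcp 900 30500
1700000002.0 10.0.0.7 10.0.0.20 22 tcp 4000 2200
1700000003.0 10.0.0.9 10.0.0.20 21 tcp 60 0
1700000003.5 10.0.0.9 10.0.0.20 23 tcp 60 0
1700000004.0 10.0.0.9 10.0.0.20 80 tcp 60 0
1700000004.5 10.0.0.9 10.0.0.20 443 tcp 60 0
1700000005.0 10.0.0.9 10.0.0.20 3389 tcp 60 0
1700000005.5 10.0.0.9 10.0.0.20 8080 tcp 60 0
1700000006.0 10.0.0.5 10.0.0.53 53 udp 70 150
""".strip().splitlines()]


def statistical_data(sessions):
    """Statistical data: summarise the sessions instead of listing them."""
    bytes_by_proto = Counter()
    sessions_by_src = Counter()
    dports_by_src = defaultdict(set)
    for s in sessions:
        bytes_by_proto[s.proto] += s.bytes_out + s.bytes_in
        sessions_by_src[s.src] += 1
        dports_by_src[s.src].add(s.dport)
    return {
        "bytes_by_proto": dict(bytes_by_proto),
        "sessions_by_src": dict(sessions_by_src),
        "distinct_dports_by_src": {k: len(v) for k, v in dports_by_src.items()},
    }


def alert_data(sessions, port_threshold=5, window_seconds=10.0):
    """Alert data: one record per (src, dst) pair where src touches at least
    port_threshold distinct ports on dst within window_seconds. This is a
    constructed rule, not a Snort signature. Each alert carries the time span
    and session count so an analyst can pivot back to the session data."""
    by_pair = defaultdict(list)
    for s in sorted(sessions, key=lambda s: s.ts):
        by_pair[(s.src, s.dst)].append(s)
    alerts = []
    for (src, dst), recs in by_pair.items():
        start = 0
        for end in range(len(recs)):
            # slide the window start forward until it fits window_seconds
            while recs[end].ts - recs[start].ts > window_seconds:
                start += 1
            window = recs[start:end + 1]
            ports = {r.dport for r in window}
            if len(ports) >= port_threshold:
                alerts.append({
                    "rule": "many-distinct-ports",
                    "src": src, "dst": dst,
                    "ports": sorted(ports),
                    "first_ts": window[0].ts, "last_ts": window[-1].ts,
                    "session_count": len(window),
                })
                break  # one alert per pair is enough for this example
    return alerts


if __name__ == "__main__":
    print(statistical_data(SESSIONS))
    for a in alert_data(SESSIONS):
        print(a)
```

The point of the example is the relationship the list above describes: statistical data is a summary of session data and cannot be turned back into sessions, while alert data is a judgement made from session data that an analyst then verifies by going back to the underlying sessions (and, if it was captured, the full content).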
