Each computer has certain types of connections that are normal and expected for it, as well as others that are anomalous. By identifying the various ways that a connection can be anomalous and monitoring for those particular anomalies, incident responders can detect a variety of attack types from very high-level data. Connection analysis also has the advantage of being very lightweight to implement on a machine. Netstat is a common tool for connection analysis, and it is available from the command line on both Linux and Windows. Working from terminal tools makes it easy to leverage existing command line utilities to process the data and to set up automated monitoring and alerting with utilities like cron and syslog.
Performing connection analysis
Connection analysis is one of the simplest ways to apply network traffic analysis to incident response. Since it only looks at the network at the connection level, it lacks much of the detail available from deeper analysis techniques. However, connection analysis can be used to detect a variety of issues by identifying common types of connection anomalies and monitoring for them.
Unusual connection paths
One application of connection analysis for incident response is identifying unusual connections between computers, either between internal and external machines or between internal machines. Connections crossing the network boundary may be in use by an attacker for command and control or data exfiltration, while unusual internal-to-internal connections could be in use for lateral movement within the organization's network. Netstat can be used to monitor for unusual connection paths: the netstat command shows all established connections on the machine. Since netstat is a terminal command, its output can be piped to additional tools that filter out machine-local connections (like those on 0.0.0.0 or 127.0.0.1) and others that can be safely ignored. The resulting list of connections can then be analyzed for anything unusual or suspicious.
Processes with network access
While some applications have a legitimate need to access the network and listen on certain ports, many others do not. If a seemingly legitimate process exhibits unusual behavior (like accessing the network), it may be a sign of process hollowing, DLL injection or other attacks. With netstat, the PID of the process associated with a given connection can be printed with the -o option. Since netstat is a terminal utility, its output can be piped to other tools or scripts that identify the particular process using a given port and determine whether use of that port is anomalous for that process. If so, an alert can be generated to mark the process for further investigation.
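As an added example (not code from the original article), the following shell script applies the two checks above to a constructed Linux `netstat -tanp` listing: it drops machine-local rows, flags established connections whose far end lies outside an assumed internal prefix, and flags connections held by processes outside an assumed allowlist. The prefix, the allowlist and the sample rows are assumptions for the example; note that on Linux the PID/Program column comes from -p (-o is the Windows switch).

```shell
#!/bin/sh
# Added example (not from the original article): triage a Linux `netstat -tanp`
# listing for unusual connection paths and for processes that should not be
# talking to the network. On Linux the PID/Program column comes from -p
# (-o is the Windows switch); rows owned by other users show "-" unless run as root.

# Hypothetical site policy: internal address prefix and the processes that are
# expected to hold network connections on this host.
INTERNAL_PREFIX="10.0."
NET_ALLOWED="sshd nginx chronyd"

# Constructed sample in the `netstat -tanp` column layout (not a real capture)
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address     Foreign Address     State       PID/Program name
tcp        0      0 0.0.0.0:22        0.0.0.0:*           LISTEN      612/sshd
tcp        0      0 127.0.0.1:5432    127.0.0.1:41220     ESTABLISHED 801/postgres
tcp        0      0 10.0.1.5:22       10.0.1.20:51044     ESTABLISHED 612/sshd
tcp        0      0 10.0.1.5:44512    10.0.1.9:445        ESTABLISHED 1450/logrotate
tcp        0      0 10.0.1.5:38802    203.0.113.7:4444    ESTABLISHED 1450/logrotate
tcp        0      0 10.0.1.5:52110    10.0.1.2:123        ESTABLISHED 540/chronyd'

# Established TCP rows whose local side is neither loopback nor the unspecified
# address; prints "program local foreign" so later stages need no re-parsing.
# For live use replace the printf with: netstat -tanp 2>/dev/null
established() {
    printf '%s\n' "$SAMPLE" | awk '
        $1 ~ /^tcp/ && $6 == "ESTABLISHED" && $4 !~ /^(127\.|::1:|0\.0\.0\.0)/ {
            split($7, prog, "/"); print prog[2], $4, $5 }'
}

# Unusual paths: connections whose foreign end is outside the internal prefix
# (candidate command-and-control or exfiltration channel).
unusual_paths() {
    established | awk -v pre="$INTERNAL_PREFIX" 'index($3, pre) != 1'
}

# Processes holding connections that are not on the allowlist (candidate
# process hollowing or injection into an otherwise legitimate binary).
unexpected_net_procs() {
    established | awk -v ok=" $NET_ALLOWED " 'index(ok, " " $1 " ") == 0'
}

unusual_paths
unexpected_net_procs
```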
Unauthorized servers
Netstat and connection analysis can also be used to detect unauthorized servers running on a machine. A process running a server (like a web server or email server) has to hold a socket bound to a particular port while listening for connections. This appears in netstat output as either a listening port or an established connection (if a server is active). Testing for unauthorized servers can be accomplished by running netstat -a and then filtering the resulting output. Connections on addresses local to the machine (0.0.0.0 and 127.0.0.1) can be ignored, as can connections using high-numbered ports (unless the port is in a listening state). Any other connections should be investigated, especially if they are on a common port for a service that the machine is not authorized to run, such as a program listening on port 443 on a machine that should not be hosting a web server.
Long connections
Any connection with an unusually long duration should be investigated. Most connections have relatively short durations, and long-lived connections may indicate an attacker with a remote shell or a data exfiltration tool executing on the machine. Unfortunately, netstat cannot explicitly show the start time of a given connection. However, a couple of options exist. If a computer has connection logging enabled, connections will be logged to /proc/net/nf_conntrack, and monitoring this file allows an analyst to determine whether a particular connection is long-lived. If connection monitoring is not enabled, checking the runtime of the associated process (identified using netstat -o) may be helpful: the process start time can then be found using ps (on Linux). While there is no guarantee that the connection has been live for the entire life of the process, this can help narrow the field of possibilities.
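Added example (not code from the original article): since netstat reports no connection start time, this script takes a snapshot approach, recording the established TCP 4-tuples at a fixed interval and reporting the ones present in every snapshot, which bounds their age from below; the ps-based process-uptime fallback described above is included as a helper. The interval, the snapshot function and the two snapshot files are constructed assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the original article): netstat cannot show when a
# connection began, so this script snapshots the established TCP 4-tuples at a
# fixed interval and reports the ones present in every snapshot, which gives a
# lower bound on their age. The snapshot files below are constructed samples.

INTERVAL=60      # seconds between snapshots; hypothetical cron/loop period

# Capture one snapshot (run every INTERVAL seconds, e.g. from cron).
# Not invoked here so the example runs without netstat installed.
snapshot() { netstat -tan > "$1"; }

# Fallback from the article: process uptime in seconds via procps ps (Linux).
proc_age_seconds() { ps -o etimes= -p "$1" | tr -d ' '; }

# "local foreign" pairs for ESTABLISHED TCP rows in Linux netstat layout
tuples() { awk '$1 ~ /^tcp/ && $6 == "ESTABLISHED" { print $4, $5 }'; }

# Tuples present in all snapshot files given: alive for at least
# (number of snapshots - 1) * INTERVAL seconds.
persistent() {
    n=$#
    for f in "$@"; do tuples < "$f" | sort -u; done |
        sort | uniq -c | awk -v n="$n" -v iv="$INTERVAL" '
            $1 == n { printf "%s -> %s alive >= %ds\n", $2, $3, (n - 1) * iv }'
}

# Constructed snapshots taken INTERVAL seconds apart (not real captures)
DIR=$(mktemp -d)
trap 'rm -rf "$DIR"' EXIT
S0="$DIR/snap0"; S1="$DIR/snap1"
printf '%s\n' \
  'Proto Recv-Q Send-Q Local Address Foreign Address State' \
  'tcp 0 0 10.0.1.5:22 10.0.1.20:51044 ESTABLISHED' \
  'tcp 0 0 10.0.1.5:41022 10.0.1.9:443 ESTABLISHED' \
  'tcp 0 0 10.0.1.5:38802 203.0.113.7:4444 ESTABLISHED' > "$S0"
printf '%s\n' \
  'Proto Recv-Q Send-Q Local Address Foreign Address State' \
  'tcp 0 0 10.0.1.5:22 10.0.1.20:51044 ESTABLISHED' \
  'tcp 0 0 10.0.1.5:41030 10.0.1.9:443 ESTABLISHED' \
  'tcp 0 0 10.0.1.5:38802 203.0.113.7:4444 ESTABLISHED' > "$S1"

# The short HTTPS fetch changes source port between snapshots and drops out;
# the ssh session and the connection to port 4444 survive and are reported.
persistent "$S0" "$S1"
```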
Missing connections
While many indicators of compromise detectable through connection analysis involve additional or unusual connections, missing connections can be a cause for concern as well. If a machine is supposed to be hosting a web server, a failure to listen on port 443 should raise a red flag. Monitoring for missing connections can be implemented as a simple script that triggers an alert if a particular service appears to be down.
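Added example (not code from the original article) covering both the unauthorized-server check and the missing-connection check above: it compares the network-reachable listening ports in a constructed Linux netstat listing against an assumed authorized-port list for the host's role, reporting listeners outside the list and authorized ports that nothing is listening on. The port list, the sample rows and the host role are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the original article): compare the TCP ports a host
# is listening on (Linux `netstat -a` column layout, filtered to TCP listeners)
# with the ports its role authorizes. Listeners outside the list are candidate
# unauthorized servers; authorized ports with no listener mean a required
# service is down. Loopback-only binds are ignored as the article suggests;
# wildcard binds (0.0.0.0, ::) are kept because they are reachable from the network.

# Hypothetical role for this host: ssh plus a web server on 80 and 443
AUTHORIZED_PORTS="22 80 443"

# Constructed sample (not a real capture): 443 is down, something sits on 8080
SAMPLE='Proto Recv-Q Send-Q Local Address   Foreign Address State   PID/Program name
tcp        0      0 0.0.0.0:22      0.0.0.0:*       LISTEN  612/sshd
tcp        0      0 127.0.0.1:5432  0.0.0.0:*       LISTEN  801/postgres
tcp        0      0 0.0.0.0:8080    0.0.0.0:*       LISTEN  1502/python3
tcp6       0      0 :::80           :::*            LISTEN  1493/nginx'

# "port program" for every network-reachable listening socket
listening_ports() {
    printf '%s\n' "$SAMPLE" | awk '
        $1 ~ /^tcp/ && $6 == "LISTEN" && $4 !~ /^(127\.|::1:)/ {
            n = split($4, a, ":"); split($7, p, "/"); print a[n], p[2] }' | sort -u
}

# Listening ports the role does not authorize
unauthorized_listeners() {
    listening_ports | awk -v ok=" $AUTHORIZED_PORTS " '
        index(ok, " " $1 " ") == 0 { print "unauthorized listener on port " $1 " (" $2 ")" }'
}

# Authorized ports with nothing listening (service down or missing)
missing_listeners() {
    seen=" $(listening_ports | awk '{ print $1 }' | tr '\n' ' ')"
    for port in $AUTHORIZED_PORTS; do
        case "$seen" in
            *" $port "*) ;;
            *) echo "expected service on port $port is not listening" ;;
        esac
    done
}

unauthorized_listeners
missing_listeners
```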
Conclusion: Connection analysis for incident response
Connection analysis is a useful tool for incident responders attempting to detect and get in front of a potential incident. The various applications of connection analysis are designed to identify abnormalities in the connections maintained by a computer, and these abnormalities can point either to a fault in the monitored systems or to a potential attack. Since most cyberattacks use network communications both as the initial delivery mechanism and for command and control, connection analysis can be used to detect and respond to a variety of attack types.