If you don’t know what normal behavior is, how would you identify malicious activity? Baseline.
Simply put, baselining is the act of understanding how your operational software, system, and/or network is supposed to work in order to measure actual functionality against it. This can be a laborious task for complex systems but at the end of the day, having a deep understanding of the intended actions of your devices can help you find variances and potential Indicators of Compromise (IOC).
When building the baseline, it is important to consider the logical topology of the data flow and the types of structured and/or unstructured data within it (i.e. headers, ports/protocols, payloads, etc.). The logical topology differs from the physical topology: it shows the logical flow of data, which can differ from the way devices are physically connected. As a security professional, understanding how the data is supposed to flow allows you to go into alert mode immediately if that flow changes. Additionally, knowing the different types of data that could be traveling in that flow is very beneficial when the normal traffic patterns deviate.
Since big data can be difficult to make sense of, I have to lean on an article from FireEye regarding data stacking [1]. While some data can be collected, easily parsed, and reviewed (Windows Event: Logon), other types of structured data can be rather difficult to decipher (Windows Event: Sensitive Privilege Use). Sometimes it can feel like finding a needle in a haystack, and that's where data stacking comes in. Grouping records by the characteristics they share (the same user, source host, destination, and logon type, for example) stacks the common combinations into a few large piles and leaves the variances and potential IOCs sitting alone at the bottom of the list. If you want to know more about data stacking and how it can help identify IOCs from your baseline, check out the link below.
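To make the two ideas above concrete, here is a small added example (my own illustration, not code from FireEye or from the article cited below) that builds a baseline from a set of logon records, stacks a later observation window on the same characteristics, and reports three kinds of variance: combinations never seen in the baseline, combinations that are rare in the new window, and combinations whose share of the traffic has shifted sharply. All records, host names, users and field names are constructed for the example; in practice the same functions would run over fields parsed from Windows logon events (4624) or a SIEM export.

```python
from collections import Counter

# Constructed sample records (not real logs). The field names are an
# assumption for this example; a real pipeline would parse them from the
# Windows event log or a SIEM export.
def make_events(pattern, n):
    """Repeat one constructed logon pattern n times."""
    return [dict(pattern) for _ in range(n)]

# Baseline window: what "normal" looked like while the baseline was built.
BASELINE_EVENTS = (
    make_events({"user": "svc_backup", "src_host": "BKP01", "dst_host": "FS01", "logon_type": 3}, 40)
    + make_events({"user": "jdoe", "src_host": "WS07", "dst_host": "WS07", "logon_type": 2}, 25)
    + make_events({"user": "jdoe", "src_host": "WS07", "dst_host": "FS01", "logon_type": 3}, 30)
    + make_events({"user": "asmith", "src_host": "WS12", "dst_host": "WS12", "logon_type": 2}, 22)
    + make_events({"user": "asmith", "src_host": "WS12", "dst_host": "FS01", "logon_type": 3}, 18)
)

# Observation window: mostly the same patterns, plus two constructed variances:
# jdoe's network logons to FS01 triple, and jdoe appears once from a different
# workstation logging on to a domain controller with a remote-interactive logon.
OBSERVED_EVENTS = (
    make_events({"user": "svc_backup", "src_host": "BKP01", "dst_host": "FS01", "logon_type": 3}, 38)
    + make_events({"user": "jdoe", "src_host": "WS07", "dst_host": "WS07", "logon_type": 2}, 24)
    + make_events({"user": "jdoe", "src_host": "WS07", "dst_host": "FS01", "logon_type": 3}, 90)
    + make_events({"user": "asmith", "src_host": "WS12", "dst_host": "WS12", "logon_type": 2}, 21)
    + make_events({"user": "asmith", "src_host": "WS12", "dst_host": "FS01", "logon_type": 3}, 17)
    + make_events({"user": "jdoe", "src_host": "WS12", "dst_host": "DC01", "logon_type": 10}, 1)
)

# The characteristics we stack on. Choosing these well is the whole art:
# too few and everything collapses into one pile, too many and nothing repeats.
STACK_KEYS = ("user", "src_host", "dst_host", "logon_type")


def stack(events, keys=STACK_KEYS):
    """Group events by the chosen characteristics and count each distinct combination."""
    return Counter(tuple(event[k] for k in keys) for event in events)


def rare_stacks(stacked, max_count=2):
    """Least-frequent combinations: the bottom of the stack an analyst reviews first."""
    return sorted(((k, c) for k, c in stacked.items() if c <= max_count), key=lambda kc: kc[1])


def new_stacks(baseline, observed):
    """Combinations present in the observed window that never occurred in the baseline."""
    return {k: c for k, c in observed.items() if k not in baseline}


def share_shift(baseline, observed, factor=2.0):
    """Combinations seen in both windows whose share of total volume moved by more than `factor`.

    Returns (combination, observed_share / baseline_share) pairs. Comparing shares
    rather than raw counts keeps a longer or shorter window from flagging everything.
    """
    base_total = sum(baseline.values())
    obs_total = sum(observed.values())
    shifts = []
    for key, base_count in baseline.items():
        if key not in observed:
            continue
        ratio = (observed[key] / obs_total) / (base_count / base_total)
        if ratio >= factor or ratio <= 1.0 / factor:
            shifts.append((key, ratio))
    return sorted(shifts, key=lambda kr: kr[1], reverse=True)


def main():
    base = stack(BASELINE_EVENTS)
    obs = stack(OBSERVED_EVENTS)
    print("Baseline stacks (count, combination):")
    for key, count in base.most_common():
        print(f"  {count:4d}  {key}")
    print("\nNever seen in baseline:", new_stacks(base, obs))
    print("Rare in observed window:", rare_stacks(obs))
    print("Share shifted by 2x or more:", share_shift(base, obs))


if __name__ == "__main__":
    main()
```

Both variances that were planted in the constructed data surface without any signature: the single logon from a new workstation to the domain controller is reported as never seen in the baseline and as rare, and the tripled file-server traffic shows up as a share shift even though every one of those events looks individually normal. Which finding matters is a judgement call for the analyst; the stacking only makes sure the unusual combinations are not buried under the thousands of routine ones.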
Contact us to see how we can identify malicious activity and baseline your environment.
[1] An In-Depth Look Into Data Stacking, https://www.fireeye.com/blog/threat-research/2012/11/indepth-data-stacking.html