Table of Contents
June 24, 2024
|8m
How to Configure Your SIEM to Identify Reconnaissance Attacks on Your Network?
In the world of cybersecurity, knowledge is power - for both defenders and attackers. Before launching any assault, threat actors typically engage in reconnaissance, a critical phase of information gathering about their target. This process can take countless forms, making it a vast and complex topic.
While reconnaissance methods are numerous, this blog post focuses on a specific, actionable aspect: configuring your Security Information and Event Management (SIEM) solution to detect scanning attacks on your network and infrastructure. Scanning is a form of active reconnaissance, where attackers probe your systems for vulnerabilities and potential entry points.
By fine-tuning your SIEM to identify these scanning attempts, you're taking a crucial step in bolstering your network's defenses. Early detection of reconnaissance activities can provide valuable insights into potential threats, allowing you to respond proactively and potentially thwart attacks before they escalate.
Let's dive into the practical steps you can take to enhance your SIEM's capabilities in detecting these reconnaissance efforts. Let's begin with learning about the scanning.
Note: This article is for Security Professionals works protecting their network and infrastructure against the cyber attacks. The reader should know have the knowledge of scanning attacks and SIEM solutions to understand this article. We recommend to read these posts:
Types of Scans Adversaries Often Use to Gather Information?
Scanning is a technique used by attackers to systematically probe networks, systems, or applications for information. It's akin to a burglar testing doors and windows to find an easy way into a house. In the digital realm, scanning helps adversaries identify active systems, open ports, running services, and potential vulnerabilities that could be exploited.
There are some common scanning techniques attackers employ to collect valuable information about their targets. It is better to know some of those scanning techniques to configure your SIEM to detect and alert on potential reconnaissance activities targeting your network.
1. Network Scanning Network scanning involves probing a range of IP addresses to discover live hosts, open ports, and network topology. Attackers use tools like Nmap to perform these scans, which can reveal:
* Active devices on the network
* Operating systems in use
* Network architecture
2. Service Enumeration This type of scanning aims to identify specific services running on target systems. Adversaries use this information to:
* Determine software versions
* Find potentially vulnerable services
* Gather details about the target's infrastructure
3. Tools like Netcat or Nmap with version scanning options are often used for this purpose.
4. Vulnerability Scanning Vulnerability scanning involves using automated tools to identify known security weaknesses in systems or applications. Attackers use this method to:
* Discover unpatched systems
* Identify misconfigurations
* Find potential entry points for exploitation
5. Popular tools in this category include Nessus and OpenVAS.
6. DNS Reconnaissance DNS reconnaissance focuses on gathering information about a target's domain name system. This can reveal:
* Subdomains and associated IP addresses
* Mail server information
* Network topology hints
7. Attackers often use tools like dig or DNSRecon for this purpose.
Prerequisites to Configure Your SIEM to Identify Scanning Attacks on Your Network
While there are several detection and prevention techniques for scanning attacks, one of the most common approaches is monitoring network traffic for anomalous or unusual patterns using network security devices like Firewalls and Intrusion Detection/Prevention Systems (IDS/IPS). However, setting up detection on a SIEM can provide more comprehensive information about the attack and its patterns.
It's important to note that a SIEM solution can't operate alone like Firewalls and IDS/IPS. To effectively detect scanning attacks, your SIEM needs two inputs:
Logs from network security devices
Detection mechanisms in the form of queries, rules, alerts, and notifications to identify unusual network traffic and scanning patterns
To set up your SIEM for optimal scanning detection, you should integrate the following devices as data sources:
Firewalls Firewalls are your first line of defense, providing crucial information about attempted connections and blocked traffic.
Intrusion Detection Systems (IDS)/Intrusion Prevention Systems (IPS) These systems offer detailed insights into potential malicious activities and can help identify sophisticated scanning techniques.
Endpoint Detection and Response (EDR) tools EDR solutions can provide valuable data about scanning activities targeting specific endpoints in your network.
Network devices (switches, routers) These devices can offer information about traffic patterns and potential network-level scanning activities.
DNS servers DNS logs can reveal attempts at DNS reconnaissance and other domain-related scanning activities.
Web servers Web server logs can help identify potential web application scanning attempts and reconnaissance activities targeting your web assets.
By integrating these diverse data sources, your SIEM will have a comprehensive view of your network activity, enabling more accurate and effective detection of scanning attacks.
In the next section, we'll delve into the specific queries and rules you can implement in your SIEM to detect various scanning patterns effectively.
SIEM Queries to Detect Network and Port Scans
Once you've integrated logs from your various source devices, the next critical step is crafting effective search queries to detect scanning attempts. Attackers perform various types of scans to retrieve information about target networks, applications, services, or other assets.
Attackers perform scanning for various reasons:
Identifying the presence of firewalls
Discovering the existence of hosts
Finding services running on specific hosts or multiple hosts
Determining versions of operating systems, applications, and services to target known vulnerabilities
Reasons could be anything, but, it's the responsibility of the security team to detect the scan attempts.
Let's see some example queries for two popular SIEM solutions: Splunk and Microsoft Sentinel.
Splunk Queries to detect network and port scans
Splunk query to detects sources that have attempted to connect to a large number of unique IP addresses, indicating a possible network sweep.
index=* sourcetype=firewall OR sourcetype=ids
| stats dc(dest_ip) as unique_destinations by src_ip
| where unique_destinations > 50
| sort - unique_destinationsSplunk query to detect sources that have attempted to connect to multiple ports on a destination, which is characteristic of a port scan.
index=* sourcetype=firewall OR sourcetype=ids
| stats count BY src_ip dest_ip dest_port
| where count > 100
| sort - countSplunk query to identify the attempts to connect to multiple ports on a single destination, which could indicate service enumeration.
index=* sourcetype=firewall OR sourcetype=ids
| stats dc(dest_port) as unique_ports by src_ip dest_ip
| where unique_ports > 20
| sort - unique_portsSplunk query to identify ICMP Ping sweep.
index=* sourcetype=firewall protocol=icmp
| stats count by src_ip
| where count > 20
| table src_ip count
| rename src_ip as "Source IP", count as "ICMP Packets Sent"Microsoft Sentinel Queries to detect network and port scans
Let's see the equivalent queries for Microsoft Sentinel.
Sentinel Query to identify the host discovery scans:
CommonSecurityLog
| summarize dcount(DestinationIP) by SourceIP
| where dcount_DestinationIP > 50
| order by dcount_DestinationIP descSentinel Query to identify the port scans:
CommonSecurityLog
| where DeviceAction == "Allow" and Protocol == "TCP"
| summarize count() by SourceIP, DestinationIP, DestinationPort
| where count_ > 100
| order by count_ descSentinel Query to identify Service Enumeration:
CommonSecurityLog
| summarize dcount(DestinationPort) by SourceIP, DestinationIP
| where dcount_DestinationPort > 20
| order by dcount_DestinationPort descThese queries provide a starting point for detecting common scanning activities. However, you should adjust the thresholds (like the number of unique ports or destinations) based on your network's normal behavior to reduce false positives while maintaining effective detection.
Remember, attackers constantly evolve their techniques, so it's crucial to regularly review and update your detection queries to stay ahead of emerging threats.
This is not the end, this is the beginning. These are just a few example queries to detect scanning attacks. You are free to write queries in your own way and configure alerts and notifications.
You need to take care about two things, log ingestion and correct queries to detect the scanning attacks on the network. Now, you have the entire ground to play. Configuring the scanning detection mechanism would give security professionals a chance to understand the scanning patterns and motive in holistic and quantitive way.
That's all for now, we will cover about the detection of other cyber attacks in the up coming articles. Please keep visiting thesecmaster.com for more such technical information. Visit our social media page on Facebook, Instagram, LinkedIn, Twitter, Telegram, Tumblr, & Medium and subscribe to receive information like this.
You may also like these articles:
Arun KL
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.
- September 12, 2024
Learn Something New with Free Email subscription
Learn Something New with Free Email subscription
Subscribe
Subscribe
Subscribe
Subscribe
- September 12, 2024
