How do you detect anomalies using network baselines and thresholds?

These insights into network baselines and thresholds are spot on. In my practice since the late 90s, using Ghost to clone disks for baseline images has given me a parallel understanding of how network baselines function. Just as with these images, network baselines capture the typical state of the network across various metrics, allowing for vigilant monitoring. Network thresholds, by defining acceptable metric levels, ensure timely alerts and actions. Together, they contribute to the optimal operation and safeguarding of the network.

A traditional approach to detecting threats in your environment has been to look for things that look like an attacker. This uses prior attack data, to be able to create explicit fingerprints of known bad, or using Machine Learning to create a sort of "Fuzzy match" of stuff that sort of looks a bit like known bad. This still only really detects activity that has been seen/detected before, and requires a sacrificial lamb to get hit first, from which everyone can learn from. Instead, rather than trying to learn what the attacker looks like, learn what doesn't look like the defender. Not everything anomalous is malicious, but I can promise you, everything malicious was at one point anomalous.

I used to run a SOC, and I would have 2-hours on the screen, 2-hours learning and reading, and 2-hours reviewing logs that did not cause alerts. They would rotate (we worked 10-hour shifts). Burnouts did not happen due to the rotation. The most productive time spent were the ones reviewing old logs that did not cause alerts. We would find alerts that should have happened and we found intrusions and "unapproved applications" because of that. Doing so eliminated the issues created by our belief that if our network was operating within the baselines and thresholds, it was secure (a standard SIEM thinking). For us, we would breach baselines regularly when unexpected events occurred, so we had to adapt there too.

Network baselines can use a single metric - bytes/sec or use a pattern of data - TCP handshake or behavior - volume of traffic for a specific source IP. Just baselining a single metric while useful in generating thresholds can also generate a lot of false positives.

New traffic patterns should be reviewed automatically since baseline will have established existing and most likely routine traffic. SSL encrypted traffic should also be reviewed; but new SSL encrypted traffic especially, since it could be data exfiltration.

Establishing baselines over a sufficient time is great if we know that the network is clean, but if the malfeasants are already in, then the data is skewed and erroneous. One possible solution is to group assets into categories based on their normal communications habits. For example, a printer VLAN should be limited to communications with one or more print servers, and no more. The ports and protocols are pretty locked down so any deviation for this should generate an alert, and the offending system examined. If it does happen to be malicious, you can then start tracing origins and targets.

The key here, is visibility, and as much as you can get. But there are some important things to remember: 1) Users and devices move around a network. To be able to define any decent patterns of life, you'll need a way to track those discrete items, so you're not creating an endless set of patterns every time DHCP rotates. 2) Don't just track at Layer 2/3, strip protocols apart as high up the stack as you can go, so you can tell the different between lots of port 135 activity, or lots of SMB read/write commands with weird file extensions. 3) Finally, it's not just about network data - combining network events with SaaS audit logs; and then linking it to an anomalous email gives incredible insight and allows you to chain events together.

Very few people or orgs are going to build their own tools to baseline network traffic as it's hard to do well. Fortunately there are vendors in the Network Detection and Response (NDR) space that provide tools that to accomplish this. It is important to not overthink things too much. You should not be trying to capture every possible piece of data on your network but instead capture critical data. Packets are great but expensive to capture, process, and store (not even mentioning encryption). A really good flow-based tool can get you pretty far along the same path with significantly less difficulty and expense. Look for the best tool at the right price point - better to do something than nothing, even if it isn't the best.

There are a number of mechanisms you can use to detemine how different two datapoints are - we've used a number of different Machine Learning approaches across our range to do that, with the main approach involving use of Bayesian-based machine learning with a statistical determination of how different the new event is from the previously observed baseline. A trick however, is not just relying on a single, atomic, isolated anomaly, which could be easily be from a simple human action of logging in a bit earlier, or travelling with work. Instead link multiple anomalous events, that are indicative of an overall change in behaviour and thus more worrying than someone doing their day job, just in a different timezone.

You can get very "Donald Rumsfeldian" at this point. But essentially Threat Intel (TI) is great at detecting the "Known Knowns" - you need to make sure you've got a good feed of the latest indicators, and focussed for those threats that you're most worried about, but TI absolutely has it's place. The challenge is finding stuff beyond that. How do you find things for which TI doesn't exist? Or in reality, how do you find things that your TI vendor doesn't know exists? And with techniques such as "Living off the Land" - how do you find activity that is just using your own network or sys admin tools for lateral movement. What about the legitimate account that's been hijacked? Anomaly detection gives you the best shot at detection here.

"The early bird catches the worm". Being proactive is the key here. Organizations should look to do more than just the norm or the standard when it comes to being proactive. Simulating "stealthy" and "noisy" attacks are vital when establishing network baselines, while also providing training opportunities for the defense teams on detection of attack indicators. Additionally, an area often overlooked, is enabling monitoring and DDOS protection for outbound traffic on public facing nodes. Outbound attacks originating from public facing nodes can cause IPS lockups, reserve mode & denial-of-service conditions on firewalls, due to open session thresholds being breached, etc. If the worm can't spread internally it might DOS you on its way out.

I come back to my comment at the beginning. Sure you can build this yourself but, honestly, don't. There are lots of really good tools out there (even some open source) that handle all of this (collecting data, updating baselines, looking for and analyzing deviations, alerting as necessary, etc.). If you still choose to go your own way you absolutely must continually update your baseline. Your network doesn't stay the same and if the baseline doesn't reflect your networks near real-time state it is effectively useless. Ensuring the baseline understands the current state of network connectivity, connections, and activity means the deviations from those states will be more accurate. As the old saying goes, garbage in, garbage out.

I am a huge fan of using network baselines for anomaly detection around network security (and ops). It is not a panacea but if you look at the majority of the security breaches that have happened (including things like ransomware) a good NDR tool likely (no guarantees in life) would have caught most of them. The technology isn't perfect. There will be plenty of false positives that have to be analyzed and dealt with. The sensitivity may be too low to detect some anomalies but increasing the sensitivity may then result in too many false positives. Attackers are aware that organizations use NDR tools and work very hard to avoid detection by them. In an imperfect world NDR is an important tool to securing your world.

Bad actors, the good ones, know how to play their games within the baselines. What they will do is set up standard communications that at first should have triggered an alert, but they did it at such a low level that no one noticed. Then over the months they gradually increase, thus also increasing the baseline. Once they have become part of the normal baseline, they can start exfiltrating volumes of data through an encrypted pipe, and no one will notice it until it is too late. In some cases, like at the OPM, they stayed in there and trickled out information on a regular basis to China, and it became part of the baseline so no one noticed. A baseline is but one tool in the arsenal, and does not work well alone.