Network traffic keeps growing, and with it the load on network monitoring and analysis tools. BYOD, virtualized (Vx) workloads, migration to SaaS and similar shifts add complexity and traffic patterns that are hard to predict. All of this widens the surface area available to threat actors. Bad actors move in and out of the network. It is simply naive to imagine that a network cannot be compromised, or has not been compromised already. APTs and zero-day attacks are here to stay.
Policy management based on Continuous Adaptive Risk and Trust Assessment (CARTA) must be enforced across the network. At the very least this ensures that the SIEM and SOC teams are ready when an event happens; it may even steer attacks away, or reduce the exfiltration and lateral movement of an attack while it is in progress.
While hunting for the TTPs (Tactics, Techniques and Procedures) used by bad actors, credible evidence is of utmost importance. Being able to get from flow evidence to the underlying packet data, and to get to it quickly, matters: a flow record shows that two endpoints talked, but only the packets show what was said.
Being able to make queries that pivot on a variety of dimensions and measures is just as important, e.g.:
Get all packets of all DNS traffic whose query names are longer than 200 bytes, that do not appear to receive any response, and that occur every day between 0200 and 0300 hours.
Get all packets of flows that appear to come from (OS: Android 4.1.x Jelly Bean) AND (service_name: PANDORA).
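The two queries above are the kind of pivot a hunt team runs before pulling packets. As an added example that is not part of the original article, the Python below runs both over constructed log records: a DNS query log (long query names that never get an answer, recurring every day in the 0200 to 0300 window, the classic shape of DNS tunnelling or exfiltration) and a flow log carrying OS fingerprint and service name. The record fields (ts, src, qname, answered, pkt_ref, os, service_name) and the function names are assumptions for illustration, not a real product schema; the pkt_ref values stand in for whatever handle your capture store uses to retrieve the packets of a flow.

```python
"""Pivot from flow/DNS evidence to the packets worth pulling.

Added example, not from the original article. All records below are
constructed; field names are assumptions, not a real product schema.
"""
from collections import defaultdict
from datetime import datetime


def fake_long_qname(label_char):
    """Build a DNS name well over 200 bytes using RFC-legal 63-byte labels."""
    return ".".join([label_char * 63, "b" * 63, "c" * 63, "d" * 40, "t.example"])


# Constructed DNS query log. `answered` is False when no response was seen
# for the query; `pkt_ref` is a hypothetical capture-file:frame handle.
DNS_LOG = [
    {"ts": "2024-03-01T02:14:07", "src": "10.1.5.23", "qname": fake_long_qname("a"),
     "answered": False, "pkt_ref": "cap-0301.pcap:811"},
    {"ts": "2024-03-02T02:31:55", "src": "10.1.5.23", "qname": fake_long_qname("b"),
     "answered": False, "pkt_ref": "cap-0302.pcap:402"},
    {"ts": "2024-03-03T02:05:19", "src": "10.1.5.23", "qname": fake_long_qname("c"),
     "answered": False, "pkt_ref": "cap-0303.pcap:97"},
    # Long and unanswered, but seen on a single day only: not "every day".
    {"ts": "2024-03-02T02:20:00", "src": "10.1.5.40", "qname": fake_long_qname("d"),
     "answered": False, "pkt_ref": "cap-0302.pcap:388"},
    # Long but answered: a resolver actually knows this name.
    {"ts": "2024-03-01T02:40:00", "src": "10.1.9.9", "qname": fake_long_qname("e"),
     "answered": True, "pkt_ref": "cap-0301.pcap:900"},
    # Long and unanswered but outside the 0200-0300 window.
    {"ts": "2024-03-03T14:02:00", "src": "10.1.5.23", "qname": fake_long_qname("f"),
     "answered": False, "pkt_ref": "cap-0303.pcap:5012"},
    # Ordinary short query.
    {"ts": "2024-03-01T02:15:00", "src": "10.1.5.23", "qname": "www.example.com",
     "answered": True, "pkt_ref": "cap-0301.pcap:812"},
]


def is_candidate(rec, min_len=200, start_hour=2, end_hour=3):
    """Query name longer than min_len bytes, no response, inside the hour window."""
    qlen = len(rec["qname"].encode("ascii"))  # presentation-format length
    hour = datetime.fromisoformat(rec["ts"]).hour
    return qlen > min_len and not rec["answered"] and start_hour <= hour < end_hour


def unanswered_long_queries(records, min_len=200, start_hour=2, end_hour=3):
    """Sources whose candidate queries recur on every day present in the log.

    Returns {src: {"days": [...], "pkt_refs": [...]}} so the caller can go
    straight from the flow-level finding to the packets behind it.
    """
    days_in_log = {datetime.fromisoformat(r["ts"]).date() for r in records}
    days_hit = defaultdict(set)
    refs = defaultdict(list)
    for r in records:
        if is_candidate(r, min_len, start_hour, end_hour):
            days_hit[r["src"]].add(datetime.fromisoformat(r["ts"]).date())
            refs[r["src"]].append(r["pkt_ref"])
    return {
        src: {"days": sorted(d.isoformat() for d in days), "pkt_refs": refs[src]}
        for src, days in days_hit.items()
        if days == days_in_log  # seen every day the evidence covers
    }


# Constructed flow log with fingerprint dimensions for the second pivot.
FLOW_LOG = [
    {"flow_id": 1, "src": "10.1.5.23", "os": "Android 4.1.2 Jelly Bean",
     "service_name": "PANDORA", "pkt_ref": "cap-0301.pcap:1200"},
    {"flow_id": 2, "src": "10.1.7.9", "os": "Android 4.1.1 Jelly Bean",
     "service_name": "PANDORA", "pkt_ref": "cap-0301.pcap:1344"},
    {"flow_id": 3, "src": "10.1.7.9", "os": "Android 4.4 KitKat",
     "service_name": "PANDORA", "pkt_ref": "cap-0301.pcap:1390"},
    {"flow_id": 4, "src": "10.1.8.8", "os": "Android 4.1.2 Jelly Bean",
     "service_name": "HTTP", "pkt_ref": "cap-0301.pcap:1501"},
]


def pivot(records, **criteria):
    """AND together per-field criteria; each is a literal or a predicate."""
    def ok(rec, field, want):
        value = rec.get(field)
        return want(value) if callable(want) else value == want
    return [r for r in records
            if all(ok(r, f, w) for f, w in criteria.items())]


if __name__ == "__main__":
    for src, info in unanswered_long_queries(DNS_LOG).items():
        print(src, info["days"], info["pkt_refs"])
    for flow in pivot(FLOW_LOG, os=lambda v: v.startswith("Android 4.1."),
                      service_name="PANDORA"):
        print(flow["flow_id"], flow["pkt_ref"])
```

Two practical caveats. First, "no response seen" depends on where the sensor sits: a tap upstream of a recursive resolver sees responses the client never gets, and vice versa, so pin the sensor location down before trusting the `answered` field. Second, the "every day" condition is evaluated over the days the evidence covers; widen the log window before concluding that a host is beaconing rather than catching a one-off.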
Armed with this packet data, the SOC team can conduct exfiltration audits and compliance forensics, and can retain the packets for replay into other tools such as honeypots or NIDS tool chains.