Following his recent post 'What application is connecting to the internet?', our guest blogger Terrence Lillard, Senior Incident Response Analyst at NTT Security, explores the STEP methodology.

In the physical world, a law enforcement investigator must search or process a crime scene. To do so, the officer can use different search methods (e.g. Outward or Inward Spiral, Grid, Wheel, Strip, Zone). The selection of the best crime scene search method depends on various parameters (e.g. the size of the crime scene, the resources available, the complexity of the terrain). For many investigators, especially when the crime scene is very large, the axiom “Finding a Needle in a Haystack” comes to mind.

In the past, to solve this dilemma, philosophers would espouse different techniques to find the needle in the haystack. Below are a few of their most common approaches:

  • Burn the haystack and the needle will remain in the ashes.
  • Blow the haystack away and because of the weight of the needle it remains on the ground.
  • Drop the haystack in water and because of the weight of the needle it will sink to the bottom.
  • Use a powerful magnet to pull the needle out of the haystack because of the material of the needle.

Regardless of the approach, the objective remains the same: to separate the needle from the haystack by using a verifiable method or technique.

STEP Methodology Overview

For many network forensics investigations, just like physical crime scene investigations, the incident responder faces many of the same dilemmas. The incident responder must select a search method designed to identify bad network traffic amongst the good network traffic: in essence, a search method that allows the incident responder to find the proverbial needle in a haystack.

The methodology I use when performing network traffic-based forensics leverages the security principles of an implemented network architecture combined with an approach used by law enforcement for searching a physical crime scene. The methodology, known as STEP, comprises four phases as shown below. It is a top-down network traffic filtering approach used to reduce the large amount of network traffic and identify the network flow path traversed by bad traffic.

Note: The term network traffic used throughout the article represents network/security device logs and/or full/partial binary packet captures.

The first phase, Segmentation/Separation, splits up the network traffic into a series of security zones (e.g. Internet, Data Center, Intranet, DMZ). This phase allows the incident responder to divide the captured network traffic into more manageable groups for further analysis. Some enterprise network traffic artifacts are too large for some network analysis tools. The secured network segmentation and traffic routing is enforced via security devices (e.g. firewalls) and/or network devices (e.g. routers, switches). During the segmentation phase, the identification of the compromised key zone which contains the compromised device (e.g. DMZ) is critical. The figure below shows a simple network diagram, with four zones, and the compromised web server residing in the DMZ (Zone B).

The second phase, Tracking, maps the permissible network traffic path from the compromised device’s (e.g. web server) zone to the other zones identified during the first phase, based on router or firewall policies. The following Tracing Zone Matrix presents a sample traffic flow relationship between the security zones. Since the compromised web server resides in the DMZ (Zone B), the Tracing Zone Matrix highlights (Red) the possible compromised (DMZ) key zone’s relationship with the other zones. The network traffic flow path between the compromised (DMZ) key zone and the other permissible zones should be carved out and saved as individual zone-to-zone logs for separate analysis or possible elimination (e.g. no zone-to-zone traffic exists, only trusted zone traffic exists). In cases where intra-zone traffic (Lateral Movement) occurs, the incident responder should also extract and analyze the network traffic, because the culprit can reside within the same zone.

The third phase, End-to-End, identifies specific bi-directional IP address relationships between the specific compromised device (e.g. web server) and, if possible, any specific devices communicating with the compromised device per zone. This should contain only network traffic to or from the attacking or attacked device (e.g. hacker computer, infected botnet device) and the compromised web server. For this phase, the incident responder is further reducing the network traffic by segmenting within each zone the specific source and destination IP addresses interacting with the compromised server’s IP address.

The final phase, Point Analysis, identifies the compromised device’s ports (e.g. 80, 443, 22) and protocols (e.g., TCP, HTTP, HTTPS) to assist in determining the specific application(s) or malicious software residing on the vulnerable system (see below). Once the host ports and protocols have been identified and reviewed, the incident responder will have the needle and the logical thread leading to the attacking host. For further analysis, please review the stages presented in my previous blog post 'What application is connecting to the internet?'.
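The four phases applied to a small set of flow records, as an added example that is not part of the original post. The zone CIDRs, IP addresses, flow tuples and function names are constructed for illustration, and zone membership is inferred from address ranges here rather than from firewall or router policy.

```python
import ipaddress

# Constructed zone map and flow records (assumptions, not from the article).
ZONES = {
    "DMZ": ipaddress.ip_network("192.0.2.0/24"),
    "DataCenter": ipaddress.ip_network("10.10.0.0/16"),
    "Intranet": ipaddress.ip_network("10.20.0.0/16"),
}
COMPROMISED = "192.0.2.10"  # hypothetical web server in the DMZ
FLOWS = [  # (src, dst, protocol, dst_port)
    ("203.0.113.50", "192.0.2.10", "TCP", 443),
    ("203.0.113.50", "192.0.2.10", "TCP", 22),
    ("198.51.100.7", "192.0.2.10", "TCP", 80),
    ("192.0.2.10", "10.10.5.20", "TCP", 3306),
    ("192.0.2.10", "192.0.2.25", "TCP", 445),
    ("10.20.1.15", "10.10.5.20", "TCP", 1433),
]

def zone_of(ip):
    """Phase 1 (Segmentation): map an address to its zone, defaulting to Internet."""
    addr = ipaddress.ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), "Internet")

def track(flows, key_zone):
    """Phase 2 (Tracking): carve flows touching the key zone into zone-to-zone buckets."""
    buckets = {}
    for flow in flows:
        pair = (zone_of(flow[0]), zone_of(flow[1]))
        if key_zone in pair:  # intra-zone (lateral) traffic is kept too
            buckets.setdefault(pair, []).append(flow)
    return buckets

def end_to_end(buckets, host):
    """Phase 3 (End-to-End): per zone, the peers exchanging traffic with the host."""
    peers = {}
    for flows in buckets.values():
        for src, dst, _, _ in flows:
            if host in (src, dst):
                peer = dst if src == host else src
                peers.setdefault(zone_of(peer), set()).add(peer)
    return peers

def point_analysis(buckets, host):
    """Phase 4 (Point Analysis): (protocol, port) pairs on the host that received traffic."""
    return sorted({(proto, port) for flows in buckets.values()
                   for _, dst, proto, port in flows if dst == host})

if __name__ == "__main__":
    print(end_to_end(track(FLOWS, "DMZ"), COMPROMISED))
```

The Intranet-to-DataCenter flow never touches the key zone, so Phase 2 eliminates it before any per-host analysis is done.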

In summary, this blog post provides four phases to help the incident responder reduce the amount of network traffic when looking for the proverbial needle in the haystack. While it represents a simple example, the ability of an incident responder to reduce network traffic is critical for any intrusion investigation. If any malicious inbound or outbound connections to the compromised web server were identified, the incident responder would be able to identify the specific IP addresses, protocols, and ports used by the nefarious attacker and could block the traffic at the network perimeter via ingress/egress firewall and/or proxy rules.
