SOCC06 - Egress Traffic Analysis

Egress Traffic Analysis

  1. Need for visibility
    1. DLP (Data Loss Prevention) tools are great, but they're only helpful where they are applied
    2. Attackers bypass DLP/etc., so we need overlapping visibility
      1. Like guarding the front door while leaving a window open
  2. Things to look for
    1. Outliers and anomalous activity
      1. What only happens on one machine?
    2. Beacons
      1. Tons of short connections from a single client to a remote server
    3. Long Tail
      1. On a histogram of connection events, there is a single column that stands out far above the rest
  3. Traffic Monitoring Tools and NDR-adjacent solutions
    1. Network Detection and Response (NDR) tools are designed to analyze live traffic, detect anomalies, and respond to threats
      1. While there aren't many FOSS tools that are strictly NDR, tools like SIEMs, NIDS/IPS, and XDR have overlapping features
    2. Netflow
      1. Created by Cisco
      2. Quickly became a standard, but spawned a ton of other variations that are slightly different
    3. Zeek
      1. Fast
      2. Large user base, lots of support, free
      3. Consistency
    4. RITA - Real Intelligence Threat Analytics
      1. Free
      2. Finds patterns in network traffic
      3. Looks for beacons
      4. Analyzing traffic
      5. It aggregates connections together and identifies unusual activity
        1. e.g. IP X beaconed to IP Y X number of times
    5. Corelight: Evidence-Based NDR and Threat Hunting Platform
      1. Home Sense is free (see the Corelight blog post "Corelight@Home: Who’s Your Fridge Talking to at Night?")
    6. Security Onion[1]
      1. When I tried to deploy this at home, I ran into problems because my hypervisor had a faulty NIC and I didn't have enough ports; I need to try again
    7. Wazuh[2]
      1. More of an EDR solution than a SIEM according to John Strand
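A worked example for the "Beacons" and "Long Tail" items above and for RITA's connection aggregation, added here and not part of the course notes or of RITA's own code: it reads a few constructed, simplified conn records (Zeek-style fields, synthetic data), aggregates them per source/destination/port pair, and scores how periodic each pair's connections are. The four-field layout and the thresholds are assumptions.

```python
import statistics
from collections import Counter, defaultdict

# Constructed sample: ts, id.orig_h, id.resp_h, id.resp_p (a real Zeek conn.log has many more fields).
# 10.0.0.5 connects out roughly every 60 s; the other two hosts are irregular or one-off.
CONN_LOG = """\
1700000000.0\t10.0.0.5\t203.0.113.10\t443
1700000060.0\t10.0.0.5\t203.0.113.10\t443
1700000119.0\t10.0.0.5\t203.0.113.10\t443
1700000181.0\t10.0.0.5\t203.0.113.10\t443
1700000240.0\t10.0.0.5\t203.0.113.10\t443
1700000299.0\t10.0.0.5\t203.0.113.10\t443
1700000012.0\t10.0.0.7\t198.51.100.4\t80
1700000800.0\t10.0.0.7\t198.51.100.4\t80
1700003500.0\t10.0.0.7\t198.51.100.4\t80
1700000030.0\t10.0.0.9\t198.51.100.20\t443
"""

def parse_conn_log(text):
    """Aggregate connections: {(src, dst, port): [timestamps]} from tab-separated records."""
    conns = defaultdict(list)
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port = line.split("\t")
        conns[(src, dst, int(port))].append(float(ts))
    return conns

def beacon_score(timestamps):
    """Regularity of the gaps between connections: 1.0 = perfectly periodic, 0.0 = no pattern.
    Uses 1 - coefficient of variation of the gaps (one of several measures RITA-style tools combine)."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2 or statistics.mean(gaps) == 0:
        return 0.0
    return max(0.0, 1.0 - statistics.pstdev(gaps) / statistics.mean(gaps))

def find_beacons(conns, min_conns=5, min_score=0.8):
    """Flag pairs with many connections at regular intervals: 'IP X beaconed to IP Y N times'."""
    hits = [(key, len(ts), round(beacon_score(ts), 3)) for key, ts in conns.items()]
    return sorted([h for h in hits if h[1] >= min_conns and h[2] >= min_score], key=lambda h: -h[2])

def long_tail(conns):
    """Histogram of connection counts per pair, most frequent first; the standout column is what to inspect."""
    return Counter({key: len(ts) for key, ts in conns.items()}).most_common()

if __name__ == "__main__":
    conns = parse_conn_log(CONN_LOG)
    for (src, dst, port), n, score in find_beacons(conns):
        print(f"{src} beaconed to {dst}:{port} {n} times (regularity {score})")
    print(long_tail(conns))
```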

LAB: BHIS-SOCC-lab-RITA-ACHunter

[1] Security Onion Solutions
[2] Wazuh - Open Source XDR. Open Source SIEM.