July 7, 2020 by Richard Bejtlich
Some critics claim that ever-growing encryption renders network security monitoring useless. This opinion is based on a dated understanding of the types and values of data collected and analyzed by computer incident response teams (CIRTs) that conduct NSM operations. This blog post will explain three levels of analysis and how encryption has affected NSM, demonstrating that NSM remains relevant and increasingly necessary, despite encryption.
The key to understanding the value of network security monitoring in any environment is that NSM directly helps answer the number one question posed by a CEO or CIO to any CIRT: are we compromised? Given that prevention eventually fails, the answer is “yes,” for any organization of a certain size and of a certain interest to threat actors. Failure to concentrate on this question is the reason many security teams waste time on unproductive programs and methodologies.
NSM provides three types of analysis that help answer the “are we compromised” question:
Type I NSM, properly implemented and conducted, helps a CIRT identify systems within its constituency that exhibit suspicious or malicious behavior. This is a simple sentence to write but a difficult goal to achieve. The point is that an NSM operation can help identify the handful of potentially compromised systems, among the thousands, or millions, for which a CIRT is responsible. Type I NSM is usually accomplished via some sort of alert or notice mechanism, whether driven by software or manual (“hunting”) solutions.
Type II NSM can describe the general patterns of activity conducted by an actor against the potentially compromised asset. For example, the CIRT can identify 1) when the system was active; 2) how active the system was; 3) the general nature of that activity; and 4) the internal and external systems that communicated with the potentially compromised asset. This information can reveal other assets which may be compromised, or shed light on the intruder and his or her goals. Type II NSM is usually accomplished via a policy-neutral transaction logging approach, where the NSM platform records what it sees for use by investigators.
Type III NSM can possibly describe the specific nature of the activity conducted by an actor interacting with a potentially compromised asset. Having a record of the specific activity requires that the actor use protocols that are not encrypted and that are understood by the CIRT and its tools. This information tells the analyst exactly what happened, in addition to answering the questions posed in Type II above. Type III NSM builds on the data available in Type II operations, and may add packet captures or extracted file content for extra levels of detail.
With these three levels described, it becomes clear where the critics of NSM fail. Even in an encrypted world, properly and cleverly designed solutions can still perform type I and II NSM operations. CIRT investigators still identify systems that exhibit suspicious or malicious behavior and can describe the general patterns of activity conducted by an actor against the potentially compromised asset. Encryption hampers type III analysis, because it obscures the details of the actor’s activities.
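To make the Type I / Type II distinction concrete, here is an added example (my own code, not from the original post or any product it mentions) that works purely on flow metadata of the kind a transaction-logging sensor records for TLS connections it cannot decrypt. The flow records are constructed for the demonstration and only loosely modelled on Zeek conn.log columns; the 10.0.0.0/8 constituency range, the beaconing thresholds and the field layout are all assumptions. Type I is a simple regularity check on connection start times to an external peer, Type II is an activity profile for the flagged host, and the profile's encrypted-flow count is the Type III caveat: the sensor has timestamps, peers, ports and byte counts for those flows, but no readable content.

```python
"""Type I and Type II NSM over encrypted flow metadata (added example, constructed data)."""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumed constituency for the demo: the CIRT is responsible for 10.0.0.0/8.
INTERNAL_NET = ip_network("10.0.0.0/8")
# Services whose payload a sensor cannot read without keys, so Type III detail is lost.
ENCRYPTED_SERVICES = {"ssl", "ssh"}
# Type I beacon heuristic thresholds (assumed values chosen for the demo).
MIN_FLOWS = 4   # enough samples for an interval statistic
MAX_CV = 0.15   # coefficient of variation of gaps between flow starts

# Constructed flow records (not real traffic):
# ts src sport dst dport proto service orig_bytes resp_bytes
FLOW_LOG = """\
1594108800.000 10.1.2.3 51000 203.0.113.10 443 tcp ssl 1200 820
1594108860.000 10.1.2.3 51002 203.0.113.10 443 tcp ssl 1188 830
1594108919.500 10.1.2.3 51004 203.0.113.10 443 tcp ssl 1210 815
1594108980.200 10.1.2.3 51006 203.0.113.10 443 tcp ssl 1195 822
1594109040.100 10.1.2.3 51008 203.0.113.10 443 tcp ssl 1203 818
1594109099.900 10.1.2.3 51010 203.0.113.10 443 tcp ssl 1199 825
1594108830.000 10.1.2.3 51001 10.1.0.5 445 tcp smb 4500 2100
1594108905.000 10.1.2.3 51003 198.51.100.7 443 tcp ssl 2300 9800
1594108950.000 10.1.0.9 40200 10.1.2.3 22 tcp ssh 3100 2200
1594108805.000 10.1.2.4 52000 198.51.100.7 443 tcp ssl 1500 7800
1594108847.000 10.1.2.4 52001 198.51.100.7 443 tcp ssl 1600 8000
1594109100.000 10.1.2.4 52002 198.51.100.7 443 tcp ssl 1550 7900
1594109110.000 10.1.2.4 52003 198.51.100.7 443 tcp ssl 1580 8100
1594108900.000 10.1.2.4 52004 10.1.0.5 53 udp dns 60 120
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts; blank and '#' lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, sport, dst, dport, proto, service, ob, rb = line.split()
        flows.append({"ts": float(ts), "src": src, "sport": int(sport),
                      "dst": dst, "dport": int(dport), "proto": proto,
                      "service": service, "orig_bytes": int(ob), "resp_bytes": int(rb)})
    return flows


def is_internal(host):
    return ip_address(host) in INTERNAL_NET


def find_beacons(flows):
    """Type I: flag internal->external (src, dst, dport) tuples whose flow start times
    are suspiciously regular. Only timestamps are used, so TLS does not hide this."""
    by_tuple = defaultdict(list)
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            by_tuple[(f["src"], f["dst"], f["dport"])].append(f["ts"])
    hits = []
    for (src, dst, dport), times in by_tuple.items():
        if len(times) < MIN_FLOWS:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        cv = pstdev(gaps) / mean(gaps)
        if cv < MAX_CV:
            hits.append({"src": src, "dst": dst, "dport": dport, "flows": len(times),
                         "mean_gap_s": round(mean(gaps), 2), "cv": round(cv, 4)})
    return hits


def profile_host(flows, host):
    """Type II: when and how active a host was, what kind of traffic, and with whom."""
    mine = [f for f in flows if host in (f["src"], f["dst"])]
    if not mine:
        return None
    sent = received = 0
    services, internal, external = Counter(), set(), set()
    for f in mine:
        if f["src"] == host:   # host originated the flow
            peer, sent, received = f["dst"], sent + f["orig_bytes"], received + f["resp_bytes"]
        else:                  # host was the responder
            peer, sent, received = f["src"], sent + f["resp_bytes"], received + f["orig_bytes"]
        services[f["service"]] += 1
        (internal if is_internal(peer) else external).add(peer)
    return {
        "host": host,
        "first_seen": min(f["ts"] for f in mine),
        "last_seen": max(f["ts"] for f in mine),
        "flows": len(mine),
        "bytes_sent": sent,
        "bytes_received": received,
        "services": dict(services),
        "internal_peers": sorted(internal),
        "external_peers": sorted(external),
        # Type III caveat: these flows carry no payload the sensor can read.
        "encrypted_flows": sum(f["service"] in ENCRYPTED_SERVICES for f in mine),
    }


if __name__ == "__main__":
    flows = parse_flows(FLOW_LOG)
    for hit in find_beacons(flows):
        print("Type I :", hit)
        print("Type II:", profile_host(flows, hit["src"]))
```

Run as a script, the Type I pass flags only the 10.1.2.3 to 203.0.113.10:443 tuple (roughly 60-second gaps), while 10.1.2.4's irregular visits to 198.51.100.7 pass the check. The Type II profile for 10.1.2.3 then answers the four questions from the post (active window, volume, services, internal and external peers) and shows that eight of its nine flows are encrypted, which is exactly where an analyst would hand off to EDR or containment rather than expect content from the sensor.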
When one considers the widespread use of endpoint detection and response (EDR) agents, it becomes clear how NSM solutions can work with them to mitigate Type III NSM limitations in an age of encryption. The analyst uses his or her NSM solution for Type I and II work, and then directs the EDR solution to pull forensic or other investigative data from the endpoints identified via NSM. If the endpoint does not happen to have EDR installed, then the investigation is likely to take an old-fashioned turn, with the analyst implementing short-term incident containment to digitally isolate the suspected compromised system via an access control list or other mechanism. Physical seizure of the asset is always a possibility as well.
The network remains the least common denominator in the age of the Internet. Just about any asset that has any potential value to a threat actor is connected to a network. By virtue of instrumenting that network with proper NSM solutions, CIRTs have access to type I, II, and III data to help them answer the “are we compromised” question. When paired with EDR, NSM acts as a network detection and response (NDR) option that is very effective, despite network encryption.