September 11, 2019 by Richard Bejtlich
When we think about using Corelight data, our mental models often fixate on finding evidence of suspicious and malicious activity. This makes sense, as network security monitoring data generated by Corelight and Zeek combines the granularity of high-fidelity traffic evidence with the compact features of storage-friendly data. However, how often do we think about using Corelight data to realize activity is not suspicious or malicious, but is in fact normal? The following true story illustrates how Corelight could have assisted with this very scenario.
In April 2018, an Internet service provider (ISP) in Australia named Optus was busy providing connectivity and sponsorship for the Commonwealth Games, an Olympics-like sporting event held every four years. Just one month earlier, in March 2018, GitHub had suffered a 1.35 terabits per second (Tbps) DDoS attack, and an American ISP had survived a 1.7 Tbps attack. Optus network engineers were anxious, as they considered themselves a high-profile target for anyone seeking to harass the Commonwealth Games and its patrons. Furthermore, they were providing bandwidth for all aspects of the games, such as viewer-facing content and internal event tracking.
According to this recent story by ZDNet reporter Stilgherrian, one hour before the games were scheduled to begin, Optus detected a massive surge in bandwidth utilization. The operators feared it was a distributed denial of service attack, similar to the ones suffered earlier by GitHub and an American ISP. The ZDNet article says that Optus relied on understanding their network and data flows, primarily via network diagrams, to determine what was happening. Based on the movement of the traffic, Optus determined that the bandwidth surge was caused by PlayStation devices updating their Fortnite video game content.
What isn’t stated in the article is that the Optus engineers needed more than network diagrams to identify what was happening. A diagram tells operators how the network is constructed, but not how it is used. I propose that Optus had to have used some type of network monitoring software to identify the clients and servers exchanging data.
Corelight and Zeek transaction logs are perfect for this sort of diagnostic activity. A quick search for the string “fortnite” at the traffic repository PacketTotal.com reveals several examples of traffic generated by this video game. The HTTP logs provided by PacketTotal were generated by Zeek, and offer enough details to help an analyst realize that the traffic is associated with gaming operations. An ISP like Optus providing connectivity for a high-profile event would find a high-performance Corelight appliance to be a powerful diagnostic and troubleshooting device, in addition to a security investigation platform.
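As an added example (not code from the post, nor from Corelight or Zeek), here is a small Python triage script over a constructed Zeek http.log excerpt: it parses the `#fields` header and ranks HTTP hosts by bytes served, distinct clients and user agents, which is the kind of view that lets an operator attribute a bandwidth surge to a content server being pulled by a fleet of game consoles rather than to an attack. The host names, addresses and user-agent strings are made-up placeholders.

```python
from collections import defaultdict

# Constructed Zeek http.log excerpt (TSV, a subset of the real field list).
# Hosts, addresses and user agents are placeholders, not real Optus/Fortnite data.
SAMPLE_HTTP_LOG = (
    "#separator \\x09\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmethod\thost\turi"
    "\tuser_agent\tresponse_body_len\tstatus_code\n"
    "1522800000.1\tC1\t10.0.0.11\t50001\t203.0.113.10\t80\tGET\tcdn.example-game.test"
    "\t/patch/part1.bin\tlibhttp/1.0 (PlayStation 4)\t524288000\t200\n"
    "1522800001.2\tC2\t10.0.0.12\t50002\t203.0.113.10\t80\tGET\tcdn.example-game.test"
    "\t/patch/part2.bin\tlibhttp/1.0 (PlayStation 4)\t524288000\t200\n"
    "1522800002.3\tC3\t10.0.0.13\t50003\t203.0.113.10\t80\tGET\tcdn.example-game.test"
    "\t/patch/part1.bin\tlibhttp/1.0 (PlayStation 4)\t-\t206\n"
    "1522800003.4\tC4\t10.0.0.14\t50004\t198.51.100.5\t80\tGET\twww.example.test"
    "\t/index.html\tMozilla/5.0\t4096\t200\n"
    "#close\t2018-04-04-10-00-00\n"
)


def parse_zeek_log(text):
    """Yield one dict per record of a Zeek TSV log, keyed by the #fields header."""
    fields = None
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue  # other directives (#separator, #types, #close) carry no records
        if fields is None:
            raise ValueError("record seen before #fields header")
        yield dict(zip(fields, line.split("\t")))


def summarize_by_host(records):
    """Rank HTTP hosts by bytes served; also report distinct clients and user agents."""
    stats = defaultdict(lambda: {"bytes": 0, "clients": set(), "agents": set()})
    for r in records:
        s = stats[r["host"]]
        if r["response_body_len"] != "-":  # "-" is Zeek's unset-field marker
            s["bytes"] += int(r["response_body_len"])
        s["clients"].add(r["id.orig_h"])
        s["agents"].add(r["user_agent"])
    rows = [(h, s["bytes"], len(s["clients"]), sorted(s["agents"])) for h, s in stats.items()]
    return sorted(rows, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    for host, nbytes, nclients, agents in summarize_by_host(parse_zeek_log(SAMPLE_HTTP_LOG)):
        print(f"{host:28} {nbytes:>12} bytes  {nclients} clients  {', '.join(agents)}")
```

Many identical-looking clients pulling the same large URIs from one host, all with a console user agent, is a software update pattern; a true DDoS would show the opposite shape, with many sources converging on the victim's own addresses.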
This story reminds me of the power of a “neutral” traffic analysis system like Corelight. By providing access to high-fidelity Zeek data, we give network engineers the evidence they need to differentiate among normal, suspicious and malicious activity. Thankfully, this story provides an example of benign activity that was diagnosed and de-escalated based on understanding the network.