Device Discovery and Asset Monitoring

"If you know the enemy and know yourself, you need not fear the result of a hundred battles." - Sun Tzu

The first step in protecting your network from attackers is understanding it. You cannot defend what you do not know exists. The CIS Controls, a list of 20 controls recommended for securing your network, make #1 and #2 all about inventorying the devices and software within your environment. "If an organization does not know what each asset is for, then it is not a fair expectation that a managed security service provider (MSSP) will know. If the MSSP cannot know the business context of an asset, then monitoring and protection become more and more difficult. This is an area where end users of managed services can try to better integrate with their MSSP." - SANS SEC555

There are two asset layers we need to focus on for proper auditing within an environment. Below are the two layers and their minimum associated data points. (These are not exhaustive, but they should be the minimum known data points.)

  • Devices

    • MAC Address

    • IP address

    • Hostname

    • Operating System

    • Installed Software

    • Processes

    • Scripting frameworks

    • Associated User

  • Users

    • Name

    • Username

    • Email

    • Groups

    • Authentication status

    • Permissions

    • Privileges

    • Geo-locations

    • Associated workstation

The methodology for collecting these will come from both active and passive network detection abilities. The following sections will detail the tools and techniques used for these.

Active Network Detection

Active network detection is where there is an actual interaction with the device. This can be port scanning, or any process that authenticates to the device in order to enumerate data about it.

Active Network Detection Sources

  • Network Scanners

    • Nmap scanning is popular, easy, and can return a wealth of data including hostname, open ports, operating system and more. It uses a fingerprint database to identify device types, services, and the host operating system.

  • Vulnerability Scanners

    • Can be unauthenticated, which works similarly to an Nmap scan.

    • Can be authenticated, which allows direct querying of the device and returns significantly more data.

    • Typically will support SNMP, SSH, and SMB by default.

    • VulnWhisperer - A handy script for exporting vuln scan data and importing it into Elastic Stack

    • PoshNessus - PowerShell module for automating Nessus functions.

  • Inventory Systems

Passive Network Detection

Passive network detection is where there is no interaction with the device, and the data is collected from logs or traffic already seen within the network. Much of this requires detailed visibility into internal east-west activity.

Passive Network Detection Sources

  • Active Directory requests

  • Zeek

    • The software.log file maps IP to software usage without repetitive logging.

  • DHCP

  • NetFlow

  • Firewall

  • Switch CAM Tables

  • Wireless IDS

  • NTP

    • All corporate assets should be using an internal NTP server

    • Can identify personal devices by how they request NTP from internet time servers

    • time.windows.com, time.apple.com, ntp.ubuntu.com, etc.
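As an added example (not from these notes), the NTP check above done over Zeek-style tab-separated conn.log and dns.log records: an internal host is reported when it sends UDP/123 to anything other than the corporate NTP server or resolves a well-known public time-server name. The corporate server address 10.0.0.5 and the sample log lines are constructed assumptions.

```python
"""Spot devices not using the corporate NTP server (added example, not from
these notes). Parses Zeek-style TSV conn.log and dns.log records (constructed
samples below) and reports internal hosts that send UDP/123 to anything but the
corporate NTP server or resolve public time-server names. The corporate server
address 10.0.0.5 is an assumption."""
import ipaddress

INTERNAL_NTP = {ipaddress.ip_address("10.0.0.5")}   # assumed corporate NTP server
PUBLIC_NTP_NAMES = ("time.windows.com", "time.apple.com", "ntp.ubuntu.com", "pool.ntp.org")


def parse_zeek(text):
    """Yield one dict per record of a Zeek TSV log, keyed by its #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split("\t")))


def external_ntp_users(conn_log, dns_log):
    """Return {internal_host: sorted list of reasons} for hosts worth a look."""
    findings = {}
    for rec in parse_zeek(conn_log):
        src = ipaddress.ip_address(rec["id.orig_h"])
        dst = ipaddress.ip_address(rec["id.resp_h"])
        if (rec["proto"] == "udp" and rec["id.resp_p"] == "123"
                and src.is_private and dst not in INTERNAL_NTP):
            findings.setdefault(str(src), set()).add(f"ntp to {dst}")
    for rec in parse_zeek(dns_log):
        q = rec["query"].lower()
        if any(q == n or q.endswith("." + n) for n in PUBLIC_NTP_NAMES):
            findings.setdefault(rec["id.orig_h"], set()).add(f"dns {q}")
    return {host: sorted(reasons) for host, reasons in findings.items()}


# Constructed sample logs (203.0.113.10 is a documentation-range stand-in for a public server)
CONN_LOG = (
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\n"
    "1.0\tC1\t10.0.1.20\t123\t10.0.0.5\t123\tudp\n"        # corporate asset, internal NTP
    "2.0\tC2\t10.0.1.77\t123\t203.0.113.10\t123\tudp\n"    # personal device, internet NTP
    "3.0\tC3\t10.0.1.77\t51000\t10.0.0.9\t443\ttcp\n"      # unrelated traffic
)
DNS_LOG = (
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tquery\n"
    "2.0\tD1\t10.0.1.77\t5353\t10.0.0.53\t53\ttime.apple.com\n"
    "4.0\tD2\t10.0.1.31\t5353\t10.0.0.53\t53\tntp.ubuntu.com\n"
    "5.0\tD3\t10.0.1.20\t5353\t10.0.0.53\t53\tintranet.example.local\n"
)
```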

Software Monitoring

An inventory of software, both installed and running as a process, is critical to determining what is allowed in your environment, especially processes. "Malware can hide, but it must run" - SANS. Once the applications and software have been inventoried, you can create a highly effective strategy for detecting anomalies by creating a process for application whitelisting. NIST SP 800-167 gives a great guide on this.

Determining what is installed can be done by leveraging the data from a few different sources.

  • Client Management Tools

  • Patch Management

  • Application Control

    • AppLocker - Free app control solution for Windows.

      • Can perform blocking by Path, Hash, or Publisher.

  • Process Monitoring

To use this software inventory as a basis for detections, we can perform long tail analysis on the inventory by looking at software by count and focusing on the entries with the lowest counts. In a large environment, installed software and running processes shouldn't differ much between devices.
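An added example (not from these notes) of that long tail analysis. It works on (host, item) rows, so the same function serves the software inventory here and the process and ARP cache baselines later in the notes; the inventory rows are constructed.

```python
"""Long tail analysis of an inventory (added example, not from these notes).

Rows are (host, item) pairs. The item can be an installed package, a running
process image or an ARP entry, so one function serves software, process and
ARP long tails alike. The sample rows are constructed.
"""
from collections import defaultdict

# Constructed inventory: five workstations with a common build, plus two one-off packages.
SAMPLE_INVENTORY = [
    (h, s) for h in ("ws01", "ws02", "ws03", "ws04", "ws05")
    for s in ("7-Zip 19.00", "Google Chrome 91", "Microsoft Office 2016")
] + [("ws04", "TeamViewer 15"), ("ws05", "UnknownUpdater 1.0")]


def hosts_per_item(rows):
    """Map each item to the set of hosts it was seen on."""
    seen = defaultdict(set)
    for host, item in rows:
        seen[item].add(host)
    return seen


def long_tail(rows, max_hosts=None, max_ratio=0.05):
    """Return [(item, host_count, hosts)] for rare items, rarest first.

    An item is in the long tail when it is present on at most `max_hosts`
    hosts; by default that is `max_ratio` of all hosts, but never below 1,
    so one-off entries are always reported.
    """
    seen = hosts_per_item(rows)
    total_hosts = len({host for host, _ in rows})
    if max_hosts is None:
        max_hosts = max(1, int(total_hosts * max_ratio))
    tail = [(item, len(hosts), sorted(hosts))
            for item, hosts in seen.items() if len(hosts) <= max_hosts]
    return sorted(tail, key=lambda t: (t[1], t[0]))


def hosts_to_investigate(rows, **kwargs):
    """Pivot the tail back to hosts: {host: [rare items]} for triage."""
    per_host = defaultdict(list)
    for item, _, hosts in long_tail(rows, **kwargs):
        for host in hosts:
            per_host[host].append(item)
    return dict(per_host)


if __name__ == "__main__":
    for item, count, hosts in long_tail(SAMPLE_INVENTORY):
        print(f"{count:>3}  {item:<25} {', '.join(hosts)}")
```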

Asset Tagging

A detailed asset inventory can be more than a simple lookup for enrichment. You can build simple detections around assets that have been tagged into groups. Powershell.exe use by the system admins group? Totally expected. Powershell.exe used by an accountant? Might want to look into that.
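The powershell.exe example above as a tag-aware rule, added here and not part of the original notes: user and host tags come from the inventory, a watched scripting framework is flagged when none of the tags make its use expected, and an event from a user or host the inventory does not know at all is flagged on its own. The tag tables, image list and process events are constructed.

```python
"""Tag-aware detection on process events (added example, not from these notes).

User and host tags come from the asset inventory; an event is flagged when a
watched image runs in a context none of the tags make expected, or when the
user or host is missing from the inventory entirely. All data is constructed.
"""
# Constructed inventory tags (user -> tags, host -> tags)
USER_TAGS = {"jsmith": {"sysadmin"}, "agreen": {"finance"}, "dev01": {"developer"}}
HOST_TAGS = {"ws-fin-03": {"workstation", "finance"},
             "ws-it-01": {"workstation", "it"},
             "build-01": {"server", "build"}}

# Watched scripting frameworks: image name -> tags under which its use is expected
EXPECTED_USE = {
    "powershell.exe": {"sysadmin", "developer", "it", "build"},
    "wscript.exe": {"developer", "build"},
}


def evaluate(events, user_tags=USER_TAGS, host_tags=HOST_TAGS, expected=EXPECTED_USE):
    """Return the events that need a look, each with a `reason` string added."""
    alerts = []
    for ev in events:
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        if image not in expected:
            continue
        if ev["user"] not in user_tags or ev["host"] not in host_tags:
            alerts.append({**ev, "reason": f"{image} from untracked user/host"})
            continue
        tags = user_tags[ev["user"]] | host_tags[ev["host"]]
        if not tags & expected[image]:
            alerts.append({**ev, "reason": f"{image} unexpected for tags {sorted(tags)}"})
    return alerts


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed process-creation events
    {"host": "ws-it-01", "user": "jsmith", "image": PS},    # sysadmin: expected
    {"host": "ws-fin-03", "user": "agreen", "image": PS},   # accountant: alert
    {"host": "ws-fin-03", "user": "dev01", "image": PS},    # developer on a finance box: expected
    {"host": "ws-fin-03", "user": "temp9", "image": PS},    # user not in inventory: alert
    {"host": "ws-fin-03", "user": "agreen", "image": r"C:\Program Files\Office\excel.exe"},
]
```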

Device Baseline Monitoring

Device baselines are handy for defining "normal" configurations and activity, and then comparing them against future snapshots, looking for any significant discrepancies.

Creating baselines starts with collection of various data points from your devices. This can come in the form of a script or a log agent that can forward the data on to your SIEM.

Baseline Data to Capture

  • Active Processes

    • Long tail analysis on running processes across the environment is very effective here.

  • ARP Cache

    • A simple arp -a with long tail analysis can identify strange devices. Investigate one-off entries.

  • Certificates

    • Filter on trusted certificates and authorities

    • Alert on new entries

    • PowerShell - Get-ChildItem in the certificate store (the Cert: drive)

  • Drivers

  • Host Files

    • Local hosts file entries take precedence over DNS

    • Should not change except by IT or developers

    • Typically has 0 entries

  • Registry Keys

  • Route Table

    • Check the number of gateways. There should typically only be one. There might be two if using a VPN, but no more than that. Investigate what you cannot account for.

  • Scheduled Tasks

  • Security Status

    • Check that your host firewalls, AV, and app control are all enabled. When should these ever be disabled?

    • Get-WMIObject -namespace root\Microsoft\SecurityClient -list

      • Shows AV info and status

    • netsh.exe advfirewall show allprofiles

      • Shows Windows firewall status per profile

  • Services

  • Shares

  • Software inventory

  • USB devices

  • Users and Groups

    • Most systems are AD integrated. Local accounts should be disabled, or at the very least be given random passwords.

    • Get-WMIObject -Class Win32_UserAccount -Filter "LocalAccount='True'"

    • Can also extract the last password change to check for proper password rotation.
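An added example (not from these notes) of comparing a stored baseline with a later snapshot of the data points above. Besides listing added and removed entries per category, it applies the checklist rules stated above: gateway count, disabled security features, hosts-file entries and enabled local accounts. The category names and both snapshots are constructed, standing in for whatever a collection script emits.

```python
"""Compare a device baseline with a later snapshot (added example, not from
these notes). Each snapshot is a dict of category -> set of strings, as a
collection script could emit; both snapshots below are constructed. Besides
plain added/removed entries it applies the checklist rules: gateway count,
disabled security features, hosts-file entries and enabled local accounts."""

BASELINE = {
    "processes": {"svchost.exe", "explorer.exe", "outlook.exe"},
    "hosts_file": set(),                       # typically 0 entries
    "gateways": {"10.0.1.1"},
    "security": {"firewall:on", "av:on", "applocker:on"},
    "local_accounts_enabled": set(),
    "certificates": {"Corp Root CA"},
}
SNAPSHOT = {
    "processes": {"svchost.exe", "explorer.exe", "outlook.exe", "updater.exe"},
    "hosts_file": {"203.0.113.9 login.example.com"},
    "gateways": {"10.0.1.1", "10.8.0.1", "198.51.100.1"},
    "security": {"firewall:on", "av:off", "applocker:on"},
    "local_accounts_enabled": {"helpdesk"},
    "certificates": {"Corp Root CA", "Untrusted Test CA"},
}


def diff_snapshot(baseline, snapshot):
    """Return a list of (category, severity, detail) findings."""
    findings = []
    for cat in sorted(set(baseline) | set(snapshot)):
        before, after = baseline.get(cat, set()), snapshot.get(cat, set())
        findings += [(cat, "info", f"new: {e}") for e in sorted(after - before)]
        findings += [(cat, "info", f"missing: {e}") for e in sorted(before - after)]
    # Checklist rules, evaluated on the snapshot regardless of the baseline
    gateways = snapshot.get("gateways", set())
    if len(gateways) > 2:
        findings.append(("gateways", "high", f"{len(gateways)} gateways (expect 1, or 2 with VPN)"))
    for s in sorted(snapshot.get("security", set())):
        if s.endswith(":off"):
            findings.append(("security", "high", f"{s[:-4]} disabled"))
    if snapshot.get("hosts_file"):
        findings.append(("hosts_file", "medium", "hosts file has entries"))
    for acct in sorted(snapshot.get("local_accounts_enabled", set())):
        findings.append(("users", "medium", f"enabled local account {acct}"))
    return findings


def by_severity(findings, level):
    """Filter findings to one severity level for triage."""
    return [f for f in findings if f[1] == level]
```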

Baseline Tools

  • Log Campaign - A PowerShell script framework for automatically creating a device baseline.

    • Logs to Windows Channel or Syslog

    • Comes with built in baseline modules

    • Includes a module for checking Autoruns and other areas of persistence.

      • This works very well with Long Tail analysis.

  • Kansa - Designed for incident response, this tool can be used to easily create a baseline.

    • Does not easily export to SIEM
