Posted by Network Situational Awareness
What does it mean to say that an indicator is exhibiting persistent behavior? This is a question that Timur, Angela, and I have been asking each other for the past couple of months. In this blog post, we show you the analytics that we believe identify persistent behavior, and how that identification can be used to surface potential threats as well as help with network profiling.
Defining persistent IP traffic has to start with frequency and time. We believe that an IP can be called persistent if it is seen in consecutive intervals over a duration of time. I know that definition seems a bit vague, but let's start there and work our way to more detail.
If we break traffic into groups based on consecutive-hour intervals and TCP/IP flags, then persistence has tangible analytics that can be applied to each IP. We chose the following consecutive-hour intervals because we believe different persistence intervals can help differentiate between manual and automated activity.
Having established a series of hour-interval groups, we can now look at the type of TCP/IP flags and packet sizes across all the time-series groups to classify the persistence. The idea behind this classification is that an IP that has been sending only SYN packets for the past 24 hours is not as interesting as an IP that has been transferring megabytes of data out of the network for the past 24 hours.
The three pairings that are of interest to us are SYN-ONLY, PSH-ACK, and 50 MB. The direction of the traffic associated with each group could mean different things.
SYN-ONLY: This grouping captures all failed connections.
PSH-ACK: This grouping captures the traffic that has sent data across the socket that was created by the three-way handshake.
50 MB: This grouping captures the IPs that sent at least 50 megabytes across the established socket.
By having all IPs fall into one of these three groups, we can "tease out" what's not only persistent but also a threat.
As I said before, seeing an external IP sending nothing but SYN packets all day, every day is not all that interesting, considering it is probably just a scanner. However, seeing an internal host generating traffic that is either continuous for more than 24 hours or recurs for more than 4 days in a row definitely warrants investigation.
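The bucketing described above, written out as an added example (this is not code from the original post or from the Network Analysis Team's tooling): each flow record is assumed to carry a source IP, a TCP-flag string in the SiLK-style letters "S", "A", "P", a byte count and a start time; each IP-hour is placed in the highest-ranked of the three groupings, and an IP is reported as persistent when it is seen in at least min_hours consecutive hour buckets (the post's 24-hour threshold would be min_hours=24; the constructed sample covers only six hours, so a smaller threshold is used).

```python
from collections import defaultdict
from datetime import datetime, timedelta

RANK = {"SYN-ONLY": 1, "PSH-ACK": 2, "50MB": 3}  # higher rank = more interesting grouping

def classify_flow(flags, nbytes):
    """Place one flow record in the 50MB, PSH-ACK or SYN-ONLY grouping (None if in none)."""
    if nbytes >= 50 * 1024 * 1024:
        return "50MB"
    if "P" in flags and "A" in flags:
        return "PSH-ACK"
    if flags == "S":
        return "SYN-ONLY"
    return None

def hourly_groups(flows):
    """Map (ip, hour bucket) -> highest-ranked grouping seen from that IP in that hour."""
    groups = {}
    for ip, flags, nbytes, start in flows:
        grp = classify_flow(flags, nbytes)
        key = (ip, start.replace(minute=0, second=0, microsecond=0))
        if grp and RANK[grp] > RANK.get(groups.get(key), 0):
            groups[key] = grp
    return groups

def longest_run(hour_to_group):
    """Longest run of consecutive hour buckets, with the highest-ranked grouping in that run."""
    best_len, best_grp, run, prev = 0, None, [], None
    for hour in sorted(hour_to_group):
        run = run + [hour_to_group[hour]] if prev == hour - timedelta(hours=1) else [hour_to_group[hour]]
        prev = hour
        if len(run) > best_len:
            best_len, best_grp = len(run), max(run, key=RANK.get)
    return best_len, best_grp

def persistent_ips(flows, min_hours):
    """Return {ip: (grouping, hours)} for IPs active in at least min_hours consecutive hours."""
    per_ip = defaultdict(dict)
    for (ip, hour), grp in hourly_groups(flows).items():
        per_ip[ip][hour] = grp
    runs = {ip: longest_run(hours) for ip, hours in per_ip.items()}
    return {ip: (grp, n) for ip, (n, grp) in runs.items() if n >= min_hours}

T0 = datetime(2024, 1, 1, 0, 0)  # constructed sample flows (ip, TCP flags, bytes, start), not real traffic
FLOWS = (
    [("203.0.113.5", "S", 60, T0 + timedelta(hours=h)) for h in range(6)]                     # scanner
    + [("10.0.0.7", "SPA", 4000, T0 + timedelta(hours=h, minutes=15)) for h in (0, 1, 2, 3, 4, 6)]
    + [("10.0.0.7", "PA", 60_000_000, T0 + timedelta(hours=2, minutes=40))]                    # bulk transfer
    + [("10.0.0.9", "PA", 900, T0 + timedelta(hours=1))]                                        # one-off
)
```

With the sample above, persistent_ips(FLOWS, 3) reports the scanner as SYN-ONLY for 6 consecutive hours and the internal host as 50MB for 5, while the one-off host drops out.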
Observing potential threats is a major focus for our work with persistence, but not the only one.
We on the Network Analysis Team believe that measuring persistent activity is another layer that can be applied to network profiling.
Persistent behavior from both internal and external IPs should be noted and closely examined to get the ground truth on any network. For example, seeing a web server active for days is normal. In a way, seeing this persistent behavior confirms the legitimacy of the web server. Angela, Timur, and I are excited about the potential for expanding this topic.