Network Security Devices
Overview
Leveraging logs from security devices like IDS, IPS, and antivirus to detect and respond to intrusion attempts, vulnerability exploitation, malware traffic, and advanced persistent threats.
Sample products
- Snort (IDS/IPS)
- FireEye NX/IDS/IPS
- CoreLight
- ZScalar Cloud IDS/IPS
- Cisco IDS/IPS
- CheckPoint IDS/IPS
Use Case Categories
| Category | Description |
|---|---|
| Intrusion Detection | Monitors security device logs for signs of unauthorized access or malicious activities. Alerts triggered for detected intrusion attempts, suspicious behavior, or patterns indicative of potential security threats. |
| Vulnerability Exploitation Detection | Focuses on identifying attempts to exploit vulnerabilities in the network or systems. Monitors security device logs for activities indicative of exploitation, such as suspicious code execution or privilege escalation. |
| Malware Traffic Detection | Analyzes security device logs to identify network traffic associated with malware activities. Alerts triggered for communication with known malicious domains, suspicious file downloads, or anomalies in network behavior. |
| Advanced Persistent Threat (APT) Identification | Targets the detection of sophisticated and persistent cyber threats. Monitors security device logs for indicators of APTs, such as stealthy lateral movement, long-term presence, or coordinated attacks. |
Core Use Cases
| Alert Name | Description |
|---|---|
| Brute Force Attack Detection | Monitors security device logs for patterns indicative of brute force attacks. Alerts triggered for multiple failed login attempts within a specified time frame. |
| Unusual Outbound Traffic Analysis | Analyzes outbound network traffic logs for anomalies. Alerts triggered for unexpected patterns or unusual destinations indicating potential command and control activities. |
| Signature-based Attack Identification | Implements signature-based detection in security device logs to identify known threats. Alerts triggered for matches with predefined attack signatures. |
| Suspicious DNS Activity Monitoring | Monitors DNS logs for suspicious activities indicative of potential malicious behavior. Alerts triggered for unusual query patterns or connections to known malicious domains. |
| Zero-Day Exploit Detection | Focuses on identifying attempts to exploit zero-day vulnerabilities. Monitors security device logs for indicators of unknown or recently discovered vulnerabilities being exploited. |
| Privilege Escalation Attempt Monitoring | Monitors logs for indications of attempts to escalate privileges. Alerts triggered for suspicious activities suggesting unauthorized elevation of privileges. |
| Exploitation of Known Vulnerabilities | Analyzes security device logs for activities targeting known vulnerabilities. Alerts triggered for attempts to exploit vulnerabilities with known signatures. |
| Suspicious System Configuration Changes | Monitors logs for changes in system configurations that could indicate vulnerability exploitation. Alerts triggered for unexpected alterations to critical system settings. |
| Command and Control Traffic Analysis | Analyzes network traffic logs for patterns indicative of command and control (C2) activities. Alerts triggered for connections to known C2 servers or unusual communication patterns. |
| Malicious File Download Monitoring | Monitors logs for indications of malicious file downloads. Alerts triggered for downloads from suspicious URLs or files with known malicious signatures. |
| Anomalous Network Behavior Analysis | Analyzes network logs for anomalies indicative of potential malware presence. Alerts triggered for unusual communication patterns or deviations from normal network behavior. |
| Endpoint Anomaly Detection | Monitors logs for anomalies on endpoints that may suggest malware activities. Alerts triggered for unexpected behavior, unusual system calls, or file changes. |
| Lateral Movement Detection | Monitors logs for signs of lateral movement within the network. Alerts triggered for suspicious activities indicative of lateral traversal or privilege escalation. |
| Coordinated Attack Pattern Analysis | Analyzes security device logs for patterns indicative of coordinated attacks. Alerts triggered for simultaneous or sequential activities across multiple systems. |
| Data Exfiltration Detection | Monitors logs for indicators of data exfiltration attempts. Alerts triggered for unusual data transfers, unexpected outbound traffic, or large volume transfers. |
| Persistence Mechanism Identification | Focuses on identifying persistence mechanisms used by APTs. Alerts triggered for activities indicative of persistent access, such as registry modifications or scheduled tasks. |
MITRE ATT&CK
T1110, T1558, T1048, T1071, T1565, T1060, T1070, T1568, T1200, T1064, T1548, T1550, T1068, T1547, T1202, T1043, T1562, T1105, T1566, T1040, T1082, T1021, T1543, T1078, T1201, T1024, T1567, T1053