Monitoring for Large-Scale Networks

UNX-OBP

How It Works

A Note on “Unexpected”

Our notion of unexpected is tied to our experience of what happens and what doesn’t happen, or the way that certain things happen. It is tied to our notions of what is common.

Common is what has precedent (what happens) and some level of regularity and/or consistency - some phenomenon which occurs within somewhat predictable bounds of frequency, volume, time, etc. It is generally expected that a phenomenon continues to occur within or around those bounds. It is generally unexpected when the phenomenon occurs too far outside of those bounds or when a sufficiently new phenomenon occurs. There’s a difference between “commonly occurring” and “commonly occurring this way.” “Commonly occurring this way” can also be thought of as consistency. Think about your expectations and level of surprise by the sun rising each day at around the same time or the cycles of the moon.

We apply these concepts to our outbound views of certain network traffic. We track how frequently we observe certain flow characteristics (as a percentage of days seen in the last X days of baseline network traffic), the volume at which they tend to occur (average flow count per day seen), and when they tend to occur (days of the week, hours of the day). Also, we track application, packets, bytes, and duration tendencies per those same flow characteristics.

Percent days seen is the best reflection of “commonly occurring.” All other measurements are more a reflection of “commonly occurring this way”/consistency.

Unexpected outbound protocol use occurs when certain flow characteristics are observed but which have never been seen before, or when certain flow characteristics are observed and have been seen before, but which have only rarely occurred or are sufficiently inconsistent with past occurrences.

So what are the flow characteristics?

The Anchor Flow Characteristics

A Quick Note on Levels of Specifity (from least to most specific)

Source: parent organization → organization → sensor → src-net-block → sip

Destination: ASN info (number, country code, registry, org) → dst-net-block → dip → dport → protocol/service

From left to right, each pair typically has a one-to-many relationship. For example:

An organization may have multiple associated sensors with different network vantage points, potentially representing different parts of the organization, with different egress rules, and so on (doesn’t change too often)
A sensor may be configured with multiple internal src-net-blocks (doesn’t change too often)
An ASN may own/originate multiple network prefixes (the ASN to network prefix association does change but not often enough to really impact our purposes here)
A destination IP may host multiple services on various ports (may change often at will of external service organization or an adversary)

Importantly, observed outbound dports ultimately depend on what is allowed to egress a network. The observed dports may or may not change often - this is more a reflection of the velocity, fluidity, or lack of egress controls of each source organization/enclave. Ideally, they will be tightly controlled, and you would expect certain outbound protocols to have more stringent rules regarding their use. Either way, we will know about it.

In order to balance efficacy and alert generation, we anchor/scope protocol baseline traffic measurements to different levels of specificity – the Full Anchor Tuple and the Partial Anchor Tuple, which essentially act as unique keys for the calculation and aggregation of other flow characteristics.

Full Anchor Tuple (FAT)

Consists of: src-org|sensor|sip|dip|dport|asn_info where asn_info → dst-netblk|asn|cc|rir|org

This is the most specific set of flow characteristics on which protocol baseline traffic measurements are calculated. It essentially accounts for unique source/destination IP pairs across any combination of src-org, sensor, dport, and asn_info. These baseline entries are used for consistency checks, if a matching tuple exists for an incoming flow, as well as to add context to generated alerts.

Partial Anchor Tuple (PAT)

Consists of: sensor|dport|asn_info where asn_info → dst-netblk|asn|cc|rir|org

This is the slightly abstracted and broadest set of flow characteristics on which protocol baseline traffic measurements are calculated. IP addresses are more variable for numerous reasons (e.g., unknown/complex source network architecture, CDNs, load balancers, routing policies, etc.). So we treat variations in sip and/or dip as less significant than variations in sensor|dport|asn_info combinations. These baseline entries ultimately determine whether an incoming flow for a given protocol was NEVER_SEEN_IN_BASELINE or SEEN_BUT_RARELY_OCCURRING (see below). By default, we allow PAT matches which are above set thresholds to pass, that is, not alert.

The Measurements

Each flow of the baseline traffic is first lightly enriched with source org and destination ASN information.

The following measurements are calculated for each unique FAT and PAT:

Total Days Seen - the number of unique days this tuple was seen in the baseline
Percent Days Seen - total days seen divided by the total number of days in the baseline (typically 90 days) * 100
Spread Days Seen - the number of days inclusive between the first seen and last seen instance of this tuple
First Seen - the sTime of the first instance of this tuple
Last Seen - the sTime of the last instance of this tuple
Days of Week Seen - a string array of unique days of the week seen; if this tuple was seen on all seven days of the week, then ‘all’ is the only element
Hours Seen - an integer array of unique hours seen; if this tuple was seen during all hours (0-23), then 24 is the only element
Applications Seen - an integer array of unique application labels seen for this tuple
Average and Standard Deviation Flow Count Per Day Seen
Average, Standard Deviation, Min, Max, Median, Mode, and Mode Percent Packets
Average, Standard Deviation, Min, Max, Median, Mode, and Mode Percent Bytes
Average and Standard Deviation Duration

The following additional measurements are calculated for each unique PAT:

Source IP Count - the number of unique source IP addresses seen associated with this tuple
Destination IP Count - the number of unique destination IP addresses seen associated with this tuple
FAT Count - the number of unique Full Anchor Tuples associated with this tuple
Highest FAT Percent Days Seen - the percent days seen of the most frequently occurring FAT associated with this tuple
Highest FAT Average and Standard Deviation Flow Count - flow count calculations of the most frequently occurring FAT associated with this tuple

Thresholds and Baseline Checks

There is a set of configurable thresholds for each protocol. Those include the following:

perc_days_seen - the minimum percentage of days that the PAT of an incoming flow must have been seen in the baseline (typically the last 90 days) in order to be considered “commonly occurring”
consistency_score - the lowest acceptable consistency score (explained below)
standard_deviations - the number of standard deviations away from the baseline average that certain values of an incoming flow (packets, bytes, duration) may be in order to be considered consistent

Global sane defaults for the thresholds are already set, but you may adjust as necessary or add protocol-specific thresholds via the protcol_thresholds dictionary defined in scripts/lambda_functions/check_xdeny_baseline_sal.py.

protcol_thresholds = {
  'global' : { 'perc_days_seen': 15.0, 'consistency_score': 85, 'standard_deviations': 3.0 },
  '<protocol-specific>' : { ... }
}

The Consistency Score

The consistency score starts at 100 and various deviation checks are performed. For each deviation, some number of points is deducted from the consistency score. Since this is an outbound analytic, for packets, bytes, and duration, we only care about deviations which are higher than usual - we neither check nor deduct any points for deviations which are lower than usual. We weigh deviations in applications seen and bytes more than other deviations.

These checks are not performed at all if no matching baseline entry exists for the PAT of an incoming flow. If a matching baseline entry exists for the FAT of an incoming flow and the FAT was seen on at least 2 days and total_days_seen * avg_flow_count >= 10, then the measurements associated with the FAT entry are used for these checks; otherwise, the measurements associated with the PAT entry are used.

The deviation checks are as follows:

If the incoming flow occurred on a day of the week that was never seen before, deduct 5 points.
If the incoming flow occurred during an hour of the day that was never seen before, deduct 5 points.
If the incoming flow’s duration is greater than the avg_duration + (std_duration * standard_deviations), deduct 5 points.
If the incoming flow’s packets is greater than the avg_packets + (std_packets * standard_deviations), deduct 5 points.
The bytes check allows for more variation in flows with lower average volumes. After ~10K average, if the incoming flow’s bytes is greater than the avg_bytes + (std_bytes * standard_deviations), deduct 20 points.
If the incoming flow’s application was never seen before, deduct 20 points. Note, there is no deduction for going from a history of unknown application to the expected application.

So, with a default consistency_score of 85, the following sets of deviations are the minimum needed to generate an alert:

Each of the first four bullets (dow, hour, duration, packets)
Higher than usual number of bytes
Never before seen application

The Baseline Checks

Each incoming flow’s PAT is derived and looked up in the baseline database. If no matching entry exists, it is marked as an unexpected record and the alert reason is NEVER_SEEN_IN_BASELINE.

If a matching entry does exist, then the PAT entry’s perc_days_seen is compared against the perc_days_seen threshold. If the entry’s perc_days_seen is less than the set threshold, it is marked as an unexpected record and the alert reason is SEEN_BUT_RARELY_OCCURRING.

Lastly, if a matching entry exists, the consistency score is calculated according to the above section. If the calculated consistency score is less than the set threshold, the alert reason will be SEEN_BUT_INCONSISTENT, but only if the incoming flow is not considered “rarely occurring.” Either way, the consistency score is calculated and included in all SEEN_BUT_RARELY_OCCURRING and SEEN_BUT_INCONSISTENT alerts.

Explicit Deny and Allow Lists

You can add entries containing one or more rules to match on incoming flows and select metadata to one of two types of lists.

The Explicit Deny List applies prior to the baseline checks and allows you to match on flow characteristics that you want to alert on immediately. Sort of like a watchlist.

The Allow List applies after the baseline checks and only on flows marked as an unexpected record. This allows you to suppress certain flow characteristics for which you no longer wish to receive alerts for any number of reasons.

To help make the most efficient use of enrichment data sources and APIs, there are two versions of Allow List.

The Simple Allow List (SAL) is checked prior to enrichments being added to the record. If a record matches on the SAL, it gets written directly to the unx-obp-allowlisted-* index, bypassing any further enrichments or checks. Otherwise, enrichments will be added to the record.

The Enhanced Allow List (EAL) is checked after enrichments are added to the record, and as such has additional fields available with which to define rules.

Entries and rules in both types of lists follow the same basic format.

Entries

Entries may be defined on a global level (applies to all flows/protocol traffic incoming to UNX-OBP) or per protocol (applies to incoming flows for a single protocol/dataset). Each entry has the following fields:

protocol - the lowercase name of the protocol/dataset this entry applies to
entry_id - the unique identifier for this entry; a URL-safe base64 encoded hash of the concatenation of certain fields; only exists in DynamoDB
enabled - whether or not this entry is used in checks; true or false
description - a brief explanation of what the entry is and why it exists; provide some context; this must not be empty
refs - a string array of references (e.g., links, ticket number/id, etc.); there must be at least one reference
author - the email of the user creating this entry; doesn’t change
created - the RFC3339 timestamp when this entry is first created; doesn’t change
last_modified - the RFC3339 timestamp when this entry was last modified; should change any time the entry is updated
last_modified_by - the email of the user who last modified this entry
match_rules - a string array of one or more rules to match on incoming flows (see below); there must be at least one rule with at least one field/value pair
exception_rules - a string array of one or more rules; only checked if there is a positive hit on one of this entry’s match rules; this field may be empty or absent
disabled_rules - a string array of one or more rules that are no longer checked for matches; this field may be empty or absent

Rules

There may be one or more rules defined in each entry. Each rule is a single string with fields/values defined as field=value separated by semicolons.

Only positive hits on all fields in a rule against the incoming flow is considered a match. No field should be present in a rule more than once. Rules can be any order/combination of one or more of the following fields:

org - a single or comma-separated list of source org acronyms (same as defined in the annotated silk.conf, in the org_name field)
sensor - a single or comma-separated list of integer sensor-ids; supports ranges
sip - a single or comma-separated list of IPv4 or IPv6 addresses or CIDR netblocks
dip - a single or comma-separated list of IPv4 or IPv6 addresses or CIDR netblocks
sport - a single or comma-separated list of source port numbers; supports ranges
dport - a single or comma-separated list of destination port numbers; supports ranges
application - a single or comma-separated list of application labels (integers); supports ranges
packets - a single or comma-separated list for the number of packets in the flow; supports ranges
bpp - a single or comma-separated list of bytes per packet (bpp) in the flow; only generated for ICMP-based datasets; supports ranges
bytes - a single or comma-separated list for the number of bytes in the flow; supports ranges
attributes - a single or comma-separated list of SiLK attributes (e.g. S → flow packets all the same size, T → flow reached active timeout)
asn - a single or comma-separated list of autonomous system numbers; supports ranges (be careful if you’re considering allowlisting an entire ASN without other specific criteria)
major_csp - true or false; true means the destination IP of the flow falls within one of the published public IP ranges for AWS (Amazon), Azure (Microsoft), GCP (Google), or OCI (Oracle), including any CSP Gov ranges
csp_provider - a single or comma-separated list of cloud providers; valid values are those populated in the “cloud.provider” field (aws, azure, azuregov, gcp, oci)
csp_region - a single or comma-separated list of cloud regions; each CSP has a different syntax; valid values are those populated in the “cloud.region” field (e.g. us-east-2)
csp_service - a single or comma-separated list of cloud services; each CSP has a different syntax; valid values are those populated in the “cloud.service.name” field (e.g. AzureStorage, EC2); supports modifiers
tags - a single or comma-separated list of tags; valid values are exactly those populated in the “event.tags” field; supports modifiers (note that most tags are added during/after baseline checks)

In addition to the above fields and applicable to Allow List rules only:

alert_type - a single or comma-separated list of alert types; valid values are: NEVER_SEEN_IN_BASELINE, SEEN_BUT_RARELY_OCCURRING, SEEN_BUT_INCONSISTENT

In addition to the above fields and applicable to Enhanced Allow List rules only:

dport_in_dip_services - true or false; true means the destination port of the flow was seen hosting a service in the latest service scans by Censys.io
num_dip_services - a single or comma-separated list for the number of services seen on the destination host by Censys.io; supports ranges
censys_service_names - a single or comma-separated list of strings that must be contained in at least one of the services seen by Censys.io; supports modifiers
forward_dns - a single or comma-separated list of strings that must be contained in at least one of the forward DNS resolutions associated with the destination host as seen by Censys.io; supports modifiers
reverse_dns - a single or comma-separated list of strings that must be contained in at least one of the reverse DNS resolutions associated with the destination host as seen by Censys.io; supports modifiers
cert_issuer_dn - a single or comma-separated list of strings that must be contained in at least one certificate Issuer Distinguished Name (DN); order of DN prefixes based on order given by Censys.io
cert_subject_dn - a single or comma-separated list of strings that must be contained in at least one certificate Subject Distinguished Name (DN); order of DN prefixes based on order given by Censys.io
software - a single or comma-separated list of software seen in the latest service scans by Censys.io; valid values are exactly those populated in the “enrichments.censys.services.software” field

Ranges

For fields that support ranges, checks are always inclusive and you must specify at least one limit (lower or upper) with a hyphen. Ranges may be included in a comma-separated list of values. See the following examples with ranges:

sensor=1,3,8,423-427 → will match a flow with a sensor-id of 1, 3, 8, 423, 424, 425, 426, or 427
org=FAKE1,FAKE2; application=22; bytes=-10000 → will match a flow with an org name of FAKE1 or FAKE2 and application label of 22 and number of bytes less than or equal to 10000
bytes=2000000000- → will match a flow with number of bytes greater than or equal to 2GB

Modifiers

For fields that support modifiers, you can add an “&” (and) and/or an “!” (only) to the end of the final value in order to employ some additional logic beyond simple OR logic. For example:

censys_service_names=http,ssh → “http” or “ssh” must be contained in at least one service seen by Censys.io
censys_service_names=http! → “http” must be contained in each service seen by Censys.io
censys_service_names=http,ssh& → both “http” and “ssh” must be present among the services seen by Censys.io, but other services may also be present
censys_service_names=http,ssh! → either “http” or “ssh” must be contained in each service seen by Censys.io, but no other services
censys_service_names=http,ssh&! → either “http” or “ssh” must be contained in each service, and both “http” and “ssh” must be present among the services seen by Censys.io