Have you ever wondered who is trying to connect to your home network? Or from your home network to the internet? Few internet users consider either of these questions (and the ones that do usually work in the security industry). Many believe the router their internet service provider issued to them is more than sufficient to protect them from threats. Time-after-time even the most basic steps to improve security - changing the default router password - is ignored by consumers. Coincidentally my ISP, Virgin Media, recently told 800,000 of their customers using default passwords to change them immediately.
"You Will Be Breached"
This ethos holds true as much in the commercial world as it does for your home network. But has my home network already been breached? I decided to use Anomali Match to identify any potential malicious activity.
Introducing Anomali Match
Anomali Match (AE) is a powerful Threat Hunting engine that compares millions of IOCs against your network traffic to identify active threats. AE can analyze millions of Indicators of Compromise (IOCs) against billions of events every day. In the case of my home network, currently generating an average of 2 million log lines per day, AE is more than sufficient (to put it lightly!).
Topology (and shopping list)
The network topology of my home network is fairly simple. Most devices connect wirelessly to my router, an Asus RT-AC68U. Some network switches are plugged directly into the router. In either scenario all data in and out of the network flows through the router. Anomali Match can accept raw syslog feeds from any network device. Given the simplicity of my network I decided to stream syslogs from my router to AE. One other thing to note, not all routers support streaming of router logs via syslog, especially the cheap ones provided by ISPs.
Once I figured out how to configure syslog streaming I then needed to setup a machine to run Anomali Match and Anomali Universal Link, a client that sits in-front of AE to parse the incoming raw syslog feeds. The machine needed to be both powerful enough for AE to analyse my network traffic against millions of IOCs and have enough storage to handle all of the information being thrown at it. For this, I used a spare Mac Mini I had lying around that met the hardware specifications required. I then installed VMFusion on the Mac Mini to run an OS supported by AE - I chose CentOS - and proceeded to setup and configure both Anomali Match and Anomali Universal Link on it.
What I Found
Lots of inbound threats from China
And Russia. And the Untied States. And Ukraine. You get the idea.
That were predominantly scanning IPs
Most IOC matches, totaling hundreds per day, were known scanning IPs. My router reports all information including blocked requests by its firewall so this was unsurprising.
And generally benign
Anomali ThreatStream Threat Intelligence ranks the severity and confidence of an IOC match. I can use AE's powerful search interface to filter and pivot quickly on the threats detected. This made it easy to identify that most matches were fairly benign with low severity and low confidence scores.
Though some were more serious
Not only were scanning IPs identified by Anomali Match, some outbound connections were being made to a recently identified malware IP. As Anomali Match allowed me to see the detailed analysis and context for the malware IOC in question and view the raw log of the event, I was able to easily identify the potentially comprised machine. Thankfully (for me) in this case it was just one machine and it belonged to a friend who had connected his laptop to the WiFi at my house whilst visiting.
Being extra cautious, I was also able to retrospectively compare this recent malware IOC against all my historic network logs stored in Anomali Match. Thankfully, no matches this time.
Whilst their were some known threats observed by Anomali Match on my network most were nothing to worry about. I was able to triage matches and come to this conclusion quickly because Anomali Match provided:
- A detailed analysis and context of every IOC matched to my network data
- The ability to view the raw log of an event that matched a known IOC
- The option to run a forensic search to discover if an IOC had ever been seen in my network data previously
Clearly in a larger corporate network, the amount of data being generated will be significantly greater than on my home network. Corporate networks are more likely to be the subject of targeted and sustained attacks with many more points of weakness (generally employees).