Why cook eggs on a glass stove instead of using the non-stick pans in the cupboard? Sure, it'll cook the eggs, but it is not the proper tool for the job. So why is the SOC using endpoint logs to gain the visibility the network already provides? Clearly someone forgot what's in the kitchen. Why has the SOC spent the last decade forcing the SIEM to do the job of network tools? To get technical, why are my Linux gurus using auditd to monitor sockets, one host at a time, for traffic a network sensor sees in full? (Talk about not using the right tools!)
The formal Kill Chain model as described by Lockheed Martin consists of 7 stages. Different vendors butcher each of the stages to their benefit, but let's start with the Kill Chain as Lockheed described it (and holds the "Cyber Kill Chain" trademark for): Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command & Control, and finally Stage 7, Actions on Objectives. Analyzing the seven stages, we find that only TWO (2!) of them, Exploitation and Installation, happen where endpoint logs are the right tool. One more, Weaponization, happens on the attacker's side where neither kind of sensor can see it. The remaining four cross the network.
Don’t believe me? Well here is your proof:
Stage 1 – Reconnaissance. This is when a remote attacker doing active reconnaissance MUST cross the internet. It's as simple as that: this isn't a log event, this is network communication. (Passive reconnaissance, such as reading DNS records, certificate transparency logs and job postings, never touches your infrastructure, so neither sensor sees it; the network is the only place the active part shows up.) If this were monitored the way many organizations attempt to leverage their SIEM and log environment using endpoints, the knowledge would be scattered across every host involved in the reconnaissance event: each host logs only the one or two probes aimed at it, and the SIEM has to correlate all of them before a scan is even recognizable. Why deploy agents and monitor logs on an entire /21 to capture a port scan when a network-based sensor could monitor at one point in the network and see the entire Reconnaissance phase?
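To make the vantage-point argument concrete, here is an added example (not code from the original post) that runs the same constructed port scan through two detectors: one with the network sensor's view of every probe, and one with the per-host view an endpoint's own connection log would have. All flow records, addresses and the threshold values are constructed for illustration and are not any vendor's schema.

```python
"""
Added example: one network sensor versus per-endpoint logs for a port scan.
Flow records below are constructed; field names (ts, src, dst, dport) and
the thresholds are assumptions chosen for the demonstration.
"""
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    ts: float      # seconds since epoch
    src: str       # probing host
    dst: str       # probed host inside the monitored /21
    dport: int     # destination port

SCAN_PORT_THRESHOLD = 20   # distinct (dst, port) targets per source in the window
WINDOW_SECONDS = 60.0

def build_sample_flows() -> list[Flow]:
    """Constructed traffic: 198.51.100.7 sweeps 30 ports across 15 hosts,
    two ports per host, plus a little legitimate web traffic."""
    flows = []
    t = 1_700_000_000.0
    port = 1
    for host in range(10, 25):
        for _ in range(2):
            flows.append(Flow(t, "198.51.100.7", f"10.20.{host}.1", port))
            t += 0.5
            port += 1
    # Normal client: many hits, but always the same single (dst, port).
    for i in range(5):
        flows.append(Flow(t + i, "10.20.99.5", "10.20.10.1", 443))
    return flows

def network_sensor_view(flows, threshold=SCAN_PORT_THRESHOLD, window=WINDOW_SECONDS):
    """One vantage point sees every probe: count distinct (dst, dport) per
    source inside a sliding time window. Returns {src: distinct_targets}."""
    by_src = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        by_src[f.src].append(f)
    flagged = {}
    for src, fl in by_src.items():
        start = 0
        for end in range(len(fl)):
            while fl[end].ts - fl[start].ts > window:
                start += 1
            targets = {(f.dst, f.dport) for f in fl[start:end + 1]}
            if len(targets) >= threshold:
                flagged[src] = len(targets)
                break
    return flagged

def endpoint_view(flows, threshold=SCAN_PORT_THRESHOLD):
    """Each host only logs connections to itself, so it can count only the
    ports it alone was probed on. Returns {dst: probes_seen} for any host
    that would have crossed the threshold by itself."""
    per_host = defaultdict(set)
    for f in flows:
        per_host[f.dst].add((f.src, f.dport))
    return {dst: len(p) for dst, p in per_host.items() if len(p) >= threshold}

if __name__ == "__main__":
    sample = build_sample_flows()
    print("network sensor flags:", network_sensor_view(sample))   # the scanner, 20 targets
    print("any single endpoint flags:", endpoint_view(sample))    # nothing: 2-3 probes each
```

The sensor flags the scanner after its twentieth distinct target; no individual endpoint ever sees more than three probes, so an endpoint-only approach works only if every one of the fifteen hosts ships its logs and the SIEM re-creates the sensor's aggregation after the fact.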
Stage 2 – Weaponization. That's the blind spot of every solution, endpoint-based or network. It's also the stage that most vendors cut out of their solution messaging, because it happens in the attacker's basement. It's the stage where the cyber-criminal builds an exploit based on evidence found in the Recon phase, before sending it to your devices. Moving quickly on to
Stage 3 – Delivery. Guess what? In order to deliver a package to grandma, the UPS truck has to drive on the highway. Similarly, the cyber-criminal's exploit must cross the information superhighway, also known as the network. The one caveat worth stating: when delivery rides an encrypted channel such as HTTPS, a sensor without decryption sees who talked to whom, when, and how much, but not the payload itself. That is still first-hand knowledge the endpoint can only report second-hand. So why in the world is the SOC monitoring endpoint logs to gain second-hand information that is the network's first-hand knowledge? I'm befuddled by the complexity the SIEM vendors have bestowed upon our poor SOCs, aren't you?
Stage 4 – Exploitation. Show me some endpoint love! Finally, we find a proper location for endpoint monitoring. When the magic package lands on the endpoint and is executed, there is no better place to monitor the outcome than the endpoint itself. Thank the syslog-ng lord for endpoint forensics and logs. Are you ready for another perfect task for endpoint monitoring?
Stage 5 – Installation. When it’s time to install malware, it’s time to touch the endpoint again. That’s two stages out of five so far that logs are actually the correct tool for the job.
Stage 6 – Command and Control. Getting back to the network: when an attacker in Guangdong, China wants to control his botnet in San Francisco, California, there's a solid guarantee it's going to be over the internet, unless the attacker plans on taking a cargo ship to the Port of Oakland, has a BART pass to get to my office, walks up the stairs to my computer, and left-clicks my mouse. Even C2 that hides inside HTTPS or DNS to a legitimate cloud service still has to cross the wire on a schedule, and that schedule is visible to a sensor watching outbound flows. Monitoring for Command and Control with endpoint logs? Are you kidding? Are you really going to get on that cargo ship? It's like eating spaghetti with a spoon. Sure, it gets some noodles into your mouth, but most slip back into the data lake of logs.
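As an added example (not from the original post), here is the kind of network-side C2 check that a single outbound vantage point makes possible: grouping flows by source, destination and port and flagging pairs whose inter-connection intervals cluster tightly around one period, the signature of an implant checking in on a timer. The flow records, the external addresses and the thresholds are constructed for the demonstration and are not indicators from any real campaign.

```python
"""
Added example: beacon detection over outbound flow records from one sensor.
Flows are constructed; addresses, field names and thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass(frozen=True)
class Flow:
    ts: float      # seconds since epoch
    src: str       # internal host
    dst: str       # external destination
    dport: int

MIN_CONNECTIONS = 8        # enough samples to judge regularity
MAX_JITTER_RATIO = 0.15    # pstdev(interval) / mean(interval)

def build_sample_flows() -> list[Flow]:
    """Constructed traffic from one host: a 300-second beacon with a few
    seconds of jitter, and bursty human browsing to a second destination."""
    flows = []
    base = 1_700_000_000.0
    jitter = [3, -7, 5, 0, -4, 8, -2, 6, 1, -5]
    for i, j in enumerate(jitter):
        flows.append(Flow(base + 300 * i + j, "10.20.12.1", "203.0.113.9", 443))
    gaps = [0, 2, 5, 90, 91, 400, 1800, 1803, 1810, 5000]
    for g in gaps:
        flows.append(Flow(base + g, "10.20.12.1", "198.51.100.20", 443))
    return flows

def beacon_candidates(flows, min_conn=MIN_CONNECTIONS, max_ratio=MAX_JITTER_RATIO):
    """Return {(src, dst, dport): period_seconds} for connection pairs whose
    inter-arrival times are regular enough to look like a check-in timer."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f.src, f.dst, f.dport)].append(f.ts)
    hits = {}
    for pair, times in by_pair.items():
        if len(times) < min_conn:
            continue
        times.sort()
        intervals = [b - a for a, b in zip(times, times[1:])]
        period = mean(intervals)
        # Human traffic is bursty: its spread dwarfs its mean. A timer does not.
        if period > 0 and pstdev(intervals) / period <= max_ratio:
            hits[pair] = round(period, 1)
    return hits

if __name__ == "__main__":
    for pair, period in beacon_candidates(build_sample_flows()).items():
        print(f"beacon candidate {pair} period ~{period}s")
```

The implant's connections come out with a period near 300 seconds and a jitter ratio under 3%, while the browsing session to the other destination spreads its gaps from one second to nearly an hour and is left alone. Long sleeps or heavy randomized jitter will push a real implant past this simple ratio, which is why production detectors add volume, destination-reputation and dwell-time features; the point here is that every one of those features comes from the flow the network saw, not from a socket audit replayed from each host.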
Stage 7 – Actions on Objectives. Finally, let the network come back to light! Guess what? Unless your cyber-criminal once again plans on taking PTO to board that cargo ship and visit you to steal your documents, data exfiltration almost certainly will cross the network. For what bloody reason are we monitoring sockets with auditd for this? My brain hurts watching most SOCs around the world leverage logs in the SIEM to detect everything, and then wonder why everything is failing!
We get the point: more logs aren't going to cover the gaps that network sensors were built from birth to cover. Now please, stop using logs to do the network's job. [End Soapbox.]