SANS ISC: InfoSec Handlers Diary Blog - SANS Internet Storm Center
Network Traffic Analysis in Reverse

Published: 2010-02-13
Last Updated: 2010-02-14 06:32:40 UTC
by Lorna Hutcheson (Version: 1)
1 comment(s)

Most of the time, people focus on what is coming inbound toward their networks. This is understandable, since the threat is usually considered to be outside our perimeter and trying to get in. However, looking at traffic this way is often tedious. A lot can get lost in the noise, especially if the analysis is done at the network edge. There is so much "background noise" on the internet (port scans, old malware still lingering around, network probes, and so on) that there is a great deal to filter through.

An interesting exercise is to do an analysis of your outbound traffic. Many organizations do not do good egress filtering. If you have never done this, do some trend analysis on your egress traffic only. In all that noise of traffic destined toward your network, what you really want to know is: did a system answer? Do you really know where your internal systems are connecting to? On what ports? Why?

I am not saying that you shouldn't watch traffic destined for your network, but you should spend some quality time analyzing the traffic leaving your network.  I would expand this to include traffic flows between your internal systems.  If you have never done this, you might be surprised at what you find.  
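The kind of egress trend analysis described above, written out as an added example that is not part of the original diary. It works over a handful of constructed flow records (5-tuple plus byte count); the internal address range, the allow-list of expected outbound ports and the sample flows are all assumptions chosen for illustration. It answers the three questions the diary raises: which internal hosts talk to which external destinations and ports, which internal hosts actually answered an inbound probe, and which internal-to-internal flows exist. One caveat the code handles: a host replying to an inbound connection also produces an "outbound" flow, so a naive port check would flag every reply as suspicious egress; the check below discards flows whose reverse tuple appears as ingress.

```python
"""Egress and lateral-flow trend analysis over flow records.

Added example; not code from the SANS ISC diary. All addresses, ports and
flow records below are constructed sample data.
"""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Assumption: the organization's internal address space.
INTERNAL = ip_network("10.0.0.0/8")

# Constructed sample flows: (src, sport, dst, dport, proto, bytes).
FLOWS = [
    ("10.1.1.5", 51234, "93.184.216.34", 443, "tcp", 12000),
    ("10.1.1.5", 51235, "93.184.216.34", 443, "tcp", 8000),
    ("10.1.1.7", 40000, "203.0.113.9", 6667, "tcp", 300),     # unexpected egress port
    ("10.1.1.7", 40001, "203.0.113.9", 6667, "tcp", 450),
    ("10.1.1.9", 53000, "198.51.100.2", 53, "udp", 90),
    ("198.51.100.77", 44444, "10.1.1.20", 22, "tcp", 60),     # inbound probe
    ("10.1.1.20", 22, "198.51.100.77", 44444, "tcp", 1500),   # internal host answered it
    ("198.51.100.77", 44445, "10.1.1.21", 22, "tcp", 60),     # inbound probe, no answer
    ("10.1.1.5", 51300, "10.1.2.50", 445, "tcp", 5000),       # internal-to-internal
]


def is_internal(ip):
    return ip_address(ip) in INTERNAL


def classify(flow):
    """Label a flow relative to the internal range."""
    src, _, dst, *_ = flow
    s, d = is_internal(src), is_internal(dst)
    if s and d:
        return "internal"
    if s:
        return "egress"
    if d:
        return "ingress"
    return "transit"


def _five_tuples(flows, label):
    return {(f[0], f[1], f[2], f[3], f[4]) for f in flows if classify(f) == label}


def egress_summary(flows):
    """Per internal host: Counter of (dst, dport, proto) -> total bytes sent."""
    summary = defaultdict(Counter)
    for f in flows:
        if classify(f) == "egress":
            src, _, dst, dport, proto, nbytes = f
            summary[src][(dst, dport, proto)] += nbytes
    return summary


def answered_probes(flows):
    """Inbound flows that the internal target replied to.

    Returns a set of (internal_ip, dport, external_ip); a reply is an egress
    flow whose 5-tuple is the exact reverse of the inbound one.
    """
    outbound = _five_tuples(flows, "egress")
    answered = set()
    for f in flows:
        if classify(f) == "ingress":
            src, sport, dst, dport, proto, _ = f
            if (dst, dport, src, sport, proto) in outbound:
                answered.add((dst, dport, src))
    return answered


def unusual_egress(flows, allowed=frozenset({53, 80, 123, 443})):
    """Client-initiated egress to ports outside an allow-list (assumed list).

    Replies to inbound connections also look like egress flows, so any flow
    whose reverse tuple was seen as ingress is skipped.
    """
    inbound = _five_tuples(flows, "ingress")
    hits = set()
    for f in flows:
        if classify(f) != "egress":
            continue
        src, sport, dst, dport, proto, _ = f
        if (dst, dport, src, sport, proto) in inbound:
            continue  # server-side reply, not an outbound client connection
        if dport not in allowed:
            hits.add((src, dst, dport))
    return sorted(hits)


def lateral_summary(flows):
    """Counter of (src, dst, dport) for internal-to-internal flows."""
    return Counter((f[0], f[2], f[3]) for f in flows if classify(f) == "internal")


if __name__ == "__main__":
    for host, dests in egress_summary(FLOWS).items():
        print(host, dict(dests))
    print("answered probes:", answered_probes(FLOWS))
    print("unusual egress:", unusual_egress(FLOWS))
    print("lateral flows:", dict(lateral_summary(FLOWS)))
```

On real data the records would come from NetFlow/IPFIX or from a sensor exporting connection logs, and the allow-list would be whatever your egress policy actually permits; the point is that the same few questions (who talks out, to where, on what port, and who answered) can be asked of a flow table directly rather than inferred from the far noisier inbound view.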

