Building and operating a home network security sensor - Pt 1. The rationale
Conventional malware mitigation is not working to keep cybercriminals or advanced persistent threats out of systems and networks. Your home network may also be easy pickings for cyber criminals or APT's especially when many people are going remote-first with their jobs.
Crowdstrike's OverWatch Threat hunting team's 2021 annual report states that about 60% of all attacks are conducted without malware. Most of today's intrusions and attacks are perpetrated by cyber criminals who have gotten increasingly sophisticated, and armed with sophisticated tools, zero-days, and are armed with the funds to carry out persistent and stealthy operations.
There are many ways to secure ones' home network, and it is often advised to conduct a strategy of overlapping systems of competence or a 'defense-in-depth' model. At some point, we will dive deeper into the strategy of building broader defenses, but the most critical first step is to set up instrumentation for viewing or measuring what goes in and out of our pipes.
Why Network security monitoring?
The network does not lie. While the modern Internet has many layers of technologies on top of each other, the information has to still traverse the wires. A proactive seeking of suspicious, malicious activity, and being able to detect 'beaconing', C2 communications, or other such crucial malicious indicators of compromise are essential to catch these malicious activities before they achieve their objectives.
While previously, a Security operations center was 'reactive' to threat warnings, this system is a proactive validation of business need.
What should our network sensor be capable of?
This sensor should be able to perform full packet capture and save locally for retrieval. It should also be able to run additional software as necessary, such as Zeek logging for connection oriented logging. If need be, the computing power of this sensor should be sufficient to perform some analysis on this data to find patterns of interest. Finally, it should be easy to install, low on maintenance, and easy to patch and secure.
Turns out, the good folks at Active countermeasures have done a lot of the research for us. A huge thanks to Mr. Bill Stearns who patiently answered a lot of these questions. Please do watch this webcast when you get the time.
Taking this to the next level was the project 'Pi Hunter' on Github that ran a comprehensive set of tools.
I will cover more about the mechanics of the project in part 2, but for now let's just summarize the rationale. Modern cyber-crime and APT activity cannot be solely mitigated with conventional remediations like anti-virus, and a firewall.
Proactive seeking of suspicious malicious activity, and a validation of business need, or use-cases are essential new pillars in a multi-pronged strategy to combat cybercrime.