Finding Out What Users are Doing on Your Network
A few weeks ago I published a blog article which asked the question: are forensics tools the new IDS? It proved to be very popular, as it is closely connected to one of the most common questions in IT: how can you find out what users are doing on a network? The challenge is that the digital footprints of users are spread all over the network and include data sources like:
- Server and application log files
- Network traffic
- Profile information on computers and laptops
- Network device logs
When it comes to server and application logs, one of the most important pieces of data to capture is when users log onto the network. This data can be sourced from the directory services infrastructure; you just need to make sure you have logging enabled on services like Microsoft Active Directory. Logs like these will give you usernames, IP addresses, and the date and time of each logon. The username and IP address combination is very important: many other network systems log data by IP address only, so you will need an inventory of which usernames are associated with which addresses. Once you have stored user logon data in a central location you can then look at capturing other network and application data.
Once you are logging who is logging onto your network, you then need to identify what applications are in use and track activity associated with Internet use and file shares. This is just a basic list; you may need to look at other data sources if you have compliance or regulatory standards to adhere to.
Monitoring Internet usage
Monitoring Internet usage can be a contentious issue. Some say it is an invasion of personal privacy, while others say it is necessary to keep a network running in an efficient and secure manner. Most network managers that I speak to adopt a fair use policy: they implement systems which can detect the top consumers of bandwidth and alert if zombies are detected on the network. When systems are infected with malware, you need to monitor what sites they are trying to connect to. You can start monitoring Internet activity by setting up logging on your proxy, Internet filtering server or firewall. As with all logging, make sure you have enough system resources so that it does not impact performance.
This information can also be captured from network traffic; you just need to get a deep packet inspection system which can extract HTTP header content and DNS query data from network traffic. Finally, make sure you are also monitoring your Internet connection for any users who may have found a way to bypass your proxy or filtering system.
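The logon inventory from the directory-services section and the proxy log from this section fit together: proxy, firewall and filter logs record an IP address, and the 4624 logon events tell you who held that address at the time. The following is an added example, not code from the original post. It assumes 4624 events exported as CSV and a simple space-separated proxy log; the field layout follows 4624 (user and source IP), but every value is constructed, and the 8-hour validity window standing in for a DHCP lease is an assumption.

```python
from datetime import datetime, timedelta

# Constructed sample: Security-log 4624 (successful logon) events exported as
# "time,event_id,user,ip". Values are made up for this example.
LOGON_EVENTS = """\
2024-03-04T08:01:10,4624,alice,10.1.5.23
2024-03-04T08:15:42,4624,bob,10.1.5.40
2024-03-04T12:30:05,4624,carol,10.1.5.23
"""

# Constructed proxy log lines: "time ip method url bytes". Note 10.1.5.23 appears
# twice, because the address was reassigned to a second user at 12:30.
PROXY_LOG = """\
2024-03-04T09:12:01 10.1.5.23 GET http://updates.example.net/patch.cab 5242880
2024-03-04T12:45:30 10.1.5.23 CONNECT files.example.org:443 1048576
2024-03-04T13:02:11 10.1.5.99 GET http://unknown.example.com/ 512
"""

LEASE = timedelta(hours=8)  # assumed DHCP lease: how long an ip->user mapping stays valid

def build_logon_inventory(text):
    """Return (logon_time, ip, user) tuples from 4624 events, sorted by time."""
    rows = []
    for line in text.splitlines():
        ts, event_id, user, ip = line.split(",")
        if event_id == "4624":
            rows.append((datetime.fromisoformat(ts), ip, user))
    return sorted(rows)

def resolve_user(inventory, ip, at):
    """Who held `ip` at time `at`: the latest logon from that ip within LEASE."""
    best = None
    for logon_time, logon_ip, user in inventory:
        if logon_ip == ip and logon_time <= at <= logon_time + LEASE:
            best = user  # a later logon overrides an earlier one (ip reassigned)
    return best

def enrich_proxy_log(inventory, text):
    """Attach a username to each proxy line; 'UNKNOWN' means no logon matched."""
    out = []
    for line in text.splitlines():
        ts, ip, method, url, size = line.split()
        user = resolve_user(inventory, ip, datetime.fromisoformat(ts)) or "UNKNOWN"
        out.append((ts, ip, user, method, url, int(size)))
    return out

if __name__ == "__main__":
    inv = build_logon_inventory(LOGON_EVENTS)
    for row in enrich_proxy_log(inv, PROXY_LOG):
        print(*row)
```

An address with no matching logon (the UNKNOWN row) is exactly the kind of host that has bypassed the proxy or never authenticated to the directory, so it deserves a look of its own.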
Application recognition by looking at network traffic
Application recognition is the art and science of identifying the applications that are in use on a network and understanding the impact of each application in terms of bandwidth usage, user behaviour, security, and compliance. It has become vitally important for several reasons:
- The growth in cloud computing and proliferation of OTT content has led to a huge increase in the number of applications that communicate over Layer 7 protocols like HTTP. Effective monitoring of network activity requires looking deeper into Layer 7 traffic so that individual applications can be identified. The level of detail provided by NetFlow – source address, destination address, and port number – is no longer enough.
- System administrators and network engineers are increasingly turning to random and non-standard ports to counteract threats that assume applications and protocols use standard port assignments. Monitoring tools that rely solely on port numbers typically report traffic on non-standard ports as “unknown.”
- Many applications use more than one port. For example, web applications use port 80 for non-encrypted HTTP traffic and port 443 for encrypted HTTPS traffic.
- Application developers do not always adhere to standard port assignments, and in some cases deliberately evade conventional security by using techniques such as port-hopping, SSL encryption, and tunnelling within commonly authorized protocols. Cyber attackers attempting to infiltrate networks often use similar techniques.
The main thing you need for application recognition is a source of data, and a SPAN or mirror port is ideal for this. Ideally you would set this up at your network core for maximum visibility.
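To show why port numbers are not enough, here is an added example (not from the original post) that classifies flows from the first client payload bytes alone and compares the result with what a port-only tool would have reported. The flows are constructed: plain HTTP on a non-standard port, a TLS ClientHello on port 80, a DNS query and an unrecognised payload.

```python
import re
# Constructed sample flows as (dst_port, first client payload bytes). The bytes
# are made up; only their shape matters, because classification ignores the port.
FLOWS = [
    (8080, b"GET /api/v2/sync HTTP/1.1\r\nHost: cloud.example.com\r\nUser-Agent: SyncClient/3.1\r\n\r\n"),
    (443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 32),
    (80, b"\x16\x03\x03\x00\x50\x01\x00\x00\x4c\x03\x03" + b"\x00" * 32),  # TLS on port 80
    (53, b"\xab\xcd\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x03www\x07example\x03com\x00\x00\x01\x00\x01"),
    (6667, b"\x00\x01\x02\x03random"),
]
PORT_GUESS = {80: "HTTP", 443: "TLS", 53: "DNS"}  # what a port-only tool would report
HTTP_REQUEST = re.compile(rb"^(GET|POST|PUT|DELETE|HEAD|OPTIONS|CONNECT|PATCH) \S+ HTTP/1\.[01]\r\n")

def dns_qname(payload):
    """Read the first question name after the 12-byte DNS header; None if malformed."""
    labels, pos = [], 12
    while pos < len(payload):
        n = payload[pos]
        if n == 0:
            return ".".join(labels) if labels else None
        if n >= 0xC0 or pos + 1 + n > len(payload):
            return None  # compression pointer or truncated label: not a plain query
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    return None

def classify(payload):
    """Identify the protocol from the first client bytes, never from the port."""
    if HTTP_REQUEST.match(payload):
        headers = payload.split(b"\r\n\r\n", 1)[0].split(b"\r\n")[1:]
        fields = dict(h.split(b": ", 1) for h in headers if b": " in h)
        return "HTTP", fields.get(b"Host", b"?").decode()  # Host names the application
    # TLS record: type 0x16 (handshake), version 3.x, handshake type 0x01 (ClientHello)
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 3 and payload[5] == 1:
        return "TLS", "ClientHello"
    # DNS query: header flags with QR=0 and QDCOUNT=1
    if len(payload) > 12 and (payload[2] & 0x80) == 0 and payload[4:6] == b"\x00\x01":
        name = dns_qname(payload)
        if name:
            return "DNS", name
    return "UNKNOWN", ""

def recognise(flows):
    """Return (port, port_guess, protocol, detail, mismatch) per flow."""
    out = []
    for port, payload in flows:
        proto, detail = classify(payload)
        guess = PORT_GUESS.get(port, "UNKNOWN")
        out.append((port, guess, proto, detail, guess != proto))
    return out
```

The mismatch flag is the useful output: it marks the HTTP-on-8080 flow a port-based tool would call unknown and the TLS-on-80 flow it would call HTTP, which is the evasion the bullets above describe.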
Monitoring file shares
There are a number of ways you can monitor what files and folders users are accessing on shared drives:
- Install software agents on the file servers or client systems.
- Enable auditing on servers which host file shares.
- Capture the information passively from network traffic.
Installing software agents is the least popular option as agents are troublesome to manage; users may find ways to uninstall or disable the agent, which will leave you without an audit trail. Logging on servers can also be problematic, as logs fill very quickly, so you need to be careful that you don’t overwrite the data you need when the logs reach capacity. The easiest way to capture file and folder activity is to use a deep packet inspection system to capture the activity from network traffic. A quick test for any system is to see how long it takes you to find out when a file was deleted.
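For the second option, server-side auditing, the "when was this file deleted" test comes down to correlating two Windows Security-log events: 4663 (an object was accessed, and it carries the file name, handle ID and access mask) and 4660 (an object was deleted, which carries only the handle ID). The following is an added example, not code from the original post; it assumes object-access auditing is enabled on the file server and that the events have been exported in a simplified pipe-delimited form, with all values constructed.

```python
# Constructed Security-log events in a simplified "time|event_id|field=value;..." form.
# 4663 (object access, carries ObjectName, HandleId and AccessMask) and 4660 (object
# deleted, carries only HandleId) are the real event ids; all values are made up.
EVENTS = r"""
2024-03-04T10:02:11|4663|SubjectUserName=alice;ObjectName=C:\Shares\Finance\Q1.xlsx;HandleId=0x1a4;AccessMask=0x10000
2024-03-04T10:02:11|4660|SubjectUserName=alice;HandleId=0x1a4
2024-03-04T10:05:30|4663|SubjectUserName=bob;ObjectName=C:\Shares\Finance\Q2.xlsx;HandleId=0x2b0;AccessMask=0x20089
2024-03-04T10:07:45|4663|SubjectUserName=carol;ObjectName=C:\Shares\HR\list.docx;HandleId=0x3c1;AccessMask=0x10000
"""
DELETE = 0x10000  # DELETE bit of the Windows access mask

def parse_events(text):
    """Yield (time, event_id, fields) tuples, skipping blank lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, rest = line.split("|", 2)
        fields = dict(kv.split("=", 1) for kv in rest.split(";"))
        yield ts, int(eid), fields

def find_deletions(events):
    """Pair each 4663 DELETE access with the 4660 sharing its HandleId.
    Returns (time, user, path) for files actually deleted; a 4663 with DELETE
    but no matching 4660 means the handle was opened with DELETE access but no
    deletion was recorded, so it is not reported."""
    pending = {}  # HandleId -> (user, path) opened with DELETE access
    deleted = []
    for ts, eid, f in events:
        if eid == 4663 and int(f["AccessMask"], 16) & DELETE:
            pending[f["HandleId"]] = (f["SubjectUserName"], f["ObjectName"])
        elif eid == 4660 and f["HandleId"] in pending:
            user, path = pending.pop(f["HandleId"])
            deleted.append((ts, user, path))
    return deleted

def when_was_deleted(path, events):
    """Answer the quick test from the post: when, and by whom, was `path` deleted?"""
    for ts, user, p in find_deletions(events):
        if p.lower() == path.lower():  # NTFS paths are case-insensitive
            return ts, user
    return None

if __name__ == "__main__":
    print(when_was_deleted(r"C:\Shares\Finance\Q1.xlsx", parse_events(EVENTS)))
```

Because 4660 never names the file, a log that has rolled over and lost the earlier 4663 leaves you with a handle ID and nothing else, which is the capacity problem the paragraph above warns about.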
When it comes to monitoring what users are doing on your network, start off with the simple things like keeping a log of who is logging on, and to what systems. You can then start to extend monitoring to include applications, file shares, and Internet activity.
Follow me on Twitter @darraghdelaney