Network
Network Connection Analysis in Incident Response (Linux Systems)
In Linux systems, attackers often use network connections to establish control, exfiltrate data, or enable persistent access. Effective incident response requires a systematic approach to identify, analyze, and mitigate suspicious network activities.
Key Threats in Network Analysis
Reverse Shells:
Allow attackers to control a system by initiating a connection from the victim to their remote system.
Often bypass firewalls since the victim initiates the outbound connection.
Backdoors:
Persistent mechanisms enabling attackers to re-access the compromised system via specific ports or protocols.
Data Exfiltration:
Unauthorized transfer of sensitive data to external locations.
Tools and Commands for Network Analysis
1. Netstat
netstat is a foundational tool for examining active network connections and listening ports.
List All Active Connections:
List Active TCP Connections Only:
Faster Results Without DNS Lookup:
List Listening Ports:
List Listening Ports with Associated Processes:
Key Parameters:
-a: Displays all connections.-t: Shows only TCP connections.-n: Skips DNS resolution for faster output.-l: Lists listening ports.-p: Shows processes tied to connections.
2. SS (Socket Statistics)
ss is a faster alternative to netstat with more detailed output.
List All TCP Connections:
Show Listening Ports:
Include Process Information:
3. IPTables
Attackers might modify firewall rules to allow their connections. Examining these rules can reveal unauthorized changes.
List All IPTables Rules:
What to Look For:
Rules allowing traffic on non-standard ports.
Redirected traffic to suspicious external IPs.
4. Tcpdump
For real-time packet capture and analysis.
Capture All Network Traffic:
Filter Specific Ports or Protocols:
Analyze DNS Traffic:
Incident Response Steps
1. Identify Active Connections
Use netstat or ss to list all active connections.
Focus on:
External IPs: Identify connections to unknown or suspicious IP addresses.
Non-Standard Ports: Common services use standard ports (e.g., 22 for SSH, 80 for HTTP). Unusual ports could indicate malicious activity.
Processes: Investigate which processes are initiating the connections.
2. Investigate Listening Ports
Use netstat -nlpt or ss -ltnp to identify services listening on unusual ports.
Key Considerations:
Confirm the legitimacy of listening ports.
Investigate processes using ports outside typical ranges.
3. Analyze Reverse Shell Indicators
Reverse shells typically involve an outbound connection to the attacker's machine.
Detect Outbound Connections:
Next Steps:
Cross-reference the external IPs with threat intelligence sources.
Look for connections to uncommon ports like 4444, 1337, or high random ports.
4. Review and Remove Unauthorized IPTables Rules
Examine IPTables for any rules that attackers may have added.
Identify Suspicious Rules:
Remove Unauthorized Rules:
Post-Incident Actions
1. Terminate Suspicious Connections
Identify and terminate malicious processes associated with suspicious connections.
Find Process ID (PID):
Terminate the Process:
2. Block Malicious IPs
Update IPTables to block further communication with identified malicious IPs.
Add a Rule to Block an IP:
3. Monitor Network Traffic
Deploy tools like Wireshark or Suricata to monitor and analyze ongoing network activities for signs of further compromise.
4. Harden Network Configurations
Use a firewall to block unnecessary ports.
Enable IDS/IPS systems for real-time threat detection.
Configure logging and alerting to monitor future unauthorized connections.
Key Commands
Key Points
Network connection analysis is a crucial aspect of incident response. By leveraging tools like netstat, ss, and tcpdump, responders can quickly identify and investigate suspicious network activities. Proactive measures such as monitoring network traffic and hardening firewall configurations significantly enhance the system's security posture.
Last updated