Utilizing “Proxy Logs” for Enhanced Security: Use Cases for SOC Teams #part-1

A proxy server is an intermediary system that sits between end users and the websites or services they access online. It provides functions such as web filtering, security controls, and data caching to improve network performance. Proxies also mask user IP addresses, enabling anonymous web browsing, and give an organization a single point at which to manage and record internet usage.

Typical Proxy Log Parameters

  1. Start Time: The time when the request or transaction began.
  2. Elapsed Time: Duration of the transaction in milliseconds.
  3. Source IP: The IP address of the client making the request.
  4. Destination IP: The IP address of the server to which the request was made.
  5. Client Username: The username of the client, if authentication is used.
  6. Vendor: Vendor-specific fields, such as the proxy product or appliance that produced the log entry.
  7. URL: The URL that was requested.
  8. HTTP Method: The HTTP method used (GET, POST, etc.).
  9. HTTP Status Code: The status code returned by the server (200, 404, 503, etc.).
  10. Bytes Sent: Amount of data sent from the client to the server.
  11. Bytes Received: Amount of data received from the server by the client.
  12. User-Agent: The browser or client software making the request.
  13. Referrer: The referring URL, if any.
  14. Content Type: The MIME type of the content returned.
  15. Action: Action taken by the proxy, such as ALLOW or BLOCK.
  16. Categories: Classification of URLs based on content (e.g., social media, advertising).
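As an added example (not part of the original article), the parser below reads a constructed, space-delimited proxy log whose columns follow the 16 parameters listed above in order; the URL, User-Agent and Referrer are double-quoted because they can contain spaces, and "-" marks an absent value. The field order, the quoting convention and the sample lines (TEST-NET addresses, .example domains) are assumptions made for this example; a real proxy vendor's format will differ, but the typing and malformed-line handling carry over.

```python
import csv
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Column order of the constructed log format, matching the 16 parameters listed above (assumed).
FIELDS = [
    "start_time", "elapsed_ms", "src_ip", "dst_ip", "username", "vendor",
    "url", "method", "status", "bytes_sent", "bytes_received",
    "user_agent", "referrer", "content_type", "action", "category",
]


@dataclass
class ProxyRecord:
    start_time: datetime        # UTC
    elapsed_ms: int
    src_ip: str
    dst_ip: str
    username: Optional[str]     # None when the proxy logged "-" (no authentication)
    vendor: str
    url: str
    method: str
    status: int
    bytes_sent: int
    bytes_received: int
    user_agent: str
    referrer: Optional[str]     # None when the proxy logged "-"
    content_type: str
    action: str                 # ALLOW / BLOCK
    category: str


def _dash_to_none(value: str) -> Optional[str]:
    return None if value == "-" else value


def parse_line(line: str) -> ProxyRecord:
    """Parse one log line; csv with a space delimiter handles the double-quoted fields."""
    row = next(csv.reader([line.strip()], delimiter=" ", quotechar='"', skipinitialspace=True))
    if len(row) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(row)}: {line!r}")
    f = dict(zip(FIELDS, row))
    return ProxyRecord(
        start_time=datetime.strptime(f["start_time"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        elapsed_ms=int(f["elapsed_ms"]),
        src_ip=f["src_ip"],
        dst_ip=f["dst_ip"],
        username=_dash_to_none(f["username"]),
        vendor=f["vendor"],
        url=f["url"],
        method=f["method"].upper(),
        status=int(f["status"]),
        bytes_sent=int(f["bytes_sent"]),
        bytes_received=int(f["bytes_received"]),
        user_agent=f["user_agent"],
        referrer=_dash_to_none(f["referrer"]),
        content_type=f["content_type"],
        action=f["action"].upper(),
        category=f["category"],
    )


def parse_log(lines) -> Tuple[List[ProxyRecord], List[Tuple[int, str]]]:
    """Parse a batch; malformed lines are reported with their line number instead of aborting the batch."""
    records, bad = [], []
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        try:
            records.append(parse_line(line))
        except ValueError as exc:
            bad.append((n, str(exc)))
    return records, bad


# Constructed sample lines (TEST-NET addresses, .example domains); not real traffic.
SAMPLE_LOG = """\
2024-05-14T09:12:03Z 145 10.0.0.21 203.0.113.10 alice proxy-a "https://intranet.corp.example/home" GET 200 512 18432 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" - text/html ALLOW business
2024-05-14T09:12:07Z 30 10.0.0.21 198.51.100.7 alice proxy-a "http://ads.tracker.example/pixel.gif" GET 403 0 0 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" "https://intranet.corp.example/home" image/gif BLOCK advertising
this line is malformed
"""

if __name__ == "__main__":
    recs, errors = parse_log(SAMPLE_LOG.splitlines())
    for r in recs:
        print(r.start_time.isoformat(), r.username, r.method, r.url, r.action, r.category)
    print("malformed lines:", errors)
```

Keeping malformed lines as a separate return value matters in a SOC pipeline: a parser that raises on the first bad line silently drops everything after it, and a parser that skips bad lines without counting them hides log-source problems that are themselves worth alerting on.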

SOC Use Cases for Proxy Logs

Malware Detection:

  • Objective: Detect and respond to malware downloads or connections to known malicious domains.
  • Method: Monitor URLs, file types, and destinations against known malicious indicators from threat intelligence feeds. Alerts can be generated for traffic to high-risk categories or to domains recently flagged as malicious.

Data Exfiltration:

  • Objective: Identify potential data leakage or exfiltration attempts.
  • Method: Look for unusual amounts of data being sent to external websites, especially to untrusted or rarely contacted destinations. Track file types associated with sensitive data (e.g., .pdf, .docx) being uploaded outside the organization.
  • MITRE: T1041 (Exfiltration Over C2 Channel), T1020 (Automated Exfiltration)

Phishing Detection:

  • Objective: Identify access to phishing sites.
  • Method: Use URL and domain reputation scores along with categories to identify requests to known phishing sites. Track instances where users submit credentials to non-categorized or newly registered domains.
  • MITRE: T1566 (Phishing)

Anomaly Detection:

  • Objective: Detect anomalous web browsing behavior that could indicate compromised credentials or insider threats.
  • Method: Analyze trends in the frequency, timing, and volume of web requests. Alerts can be set for out-of-hours access, high volume of data transfers, or access to unusual geographical locations.
  • MITRE: T1078 (Valid Accounts), T1199 (Trusted Relationship)
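The three use cases above (Malware Detection, Data Exfiltration and Anomaly Detection) share the same inputs, so one added example covers them; it is not code from the original article. It runs three rules over constructed proxy records: destination hosts matched against an assumed threat-intelligence domain list (including parent-domain matches, so a subdomain of a listed domain still hits), large POST/PUT uploads to destinations that few distinct users ever contact, and per-user counts of requests outside a weekday working window. The record field names, the thresholds and the IOC list are assumptions for this example.

```python
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List, Set, Tuple
from urllib.parse import urlsplit

# Minimal record shape: only the proxy-log fields these three rules need (assumed names).
Record = Dict[str, object]


def host_of(url: str) -> str:
    """Destination host from the logged URL, lower-cased for matching."""
    return (urlsplit(url).hostname or "").lower()


def matches_ioc(host: str, iocs: Set[str]) -> bool:
    """True on an exact match or when any parent domain is an indicator (cdn.bad.example matches bad.example)."""
    parts = host.split(".")
    return any(".".join(parts[i:]) in iocs for i in range(len(parts)))


def malware_hits(records: List[Record], iocs: Set[str]) -> List[Tuple[str, str, str]]:
    """Malware detection: every request to an indicator domain, including ones the proxy ALLOWed."""
    hits = []
    for r in records:
        host = host_of(r["url"])
        if matches_ioc(host, iocs):
            hits.append((r["user"], host, r["action"]))
    return hits


def exfil_candidates(records: List[Record], min_bytes: int = 5_000_000,
                     max_users: int = 1) -> List[Tuple[str, str, int]]:
    """Data exfiltration: large POST/PUT bodies to destinations contacted by at most max_users distinct users."""
    users_per_host = defaultdict(set)
    for r in records:
        users_per_host[host_of(r["url"])].add(r["user"])
    out = []
    for r in records:
        host = host_of(r["url"])
        rare = len(users_per_host[host]) <= max_users
        if r["method"] in ("POST", "PUT") and r["bytes_sent"] >= min_bytes and rare:
            out.append((r["user"], host, r["bytes_sent"]))
    return out


def out_of_hours(records: List[Record], start_hour: int = 7, end_hour: int = 19) -> Dict[str, int]:
    """Anomaly detection: per-user count of requests on weekends or outside [start_hour, end_hour).
    Timestamps are treated as UTC here; convert to each user's local zone before applying the window."""
    counts = defaultdict(int)
    for r in records:
        ts = r["ts"]
        if ts.weekday() >= 5 or not (start_hour <= ts.hour < end_hour):
            counts[r["user"]] += 1
    return dict(counts)


def rec(ts: str, user: str, method: str, url: str, bytes_sent: int, action: str) -> Record:
    return {"ts": datetime.fromisoformat(ts).replace(tzinfo=timezone.utc),
            "user": user, "method": method, "url": url, "bytes_sent": bytes_sent, "action": action}


# Constructed sample records (.example domains); 2024-05-14 is a Tuesday, 2024-05-18 a Saturday.
SAMPLE = [
    rec("2024-05-14T09:05:00", "alice", "GET", "https://intranet.corp.example/home", 512, "ALLOW"),
    rec("2024-05-14T09:06:00", "bob", "GET", "https://intranet.corp.example/home", 480, "ALLOW"),
    rec("2024-05-14T10:15:00", "alice", "GET", "https://cdn.updates.bad.example/payload.bin", 300, "ALLOW"),
    rec("2024-05-14T10:16:00", "alice", "GET", "http://malicious.example/a", 0, "BLOCK"),
    rec("2024-05-14T11:00:00", "bob", "POST", "https://files.share.example/upload", 12_000_000, "ALLOW"),
    rec("2024-05-14T11:30:00", "carol", "POST", "https://mail.corp.example/send", 8_000_000, "ALLOW"),
    rec("2024-05-14T12:00:00", "alice", "GET", "https://mail.corp.example/inbox", 100, "ALLOW"),
    rec("2024-05-14T02:40:00", "bob", "GET", "https://news.example/", 200, "ALLOW"),
    rec("2024-05-18T03:10:00", "bob", "GET", "https://news.example/", 200, "ALLOW"),
]
IOCS = {"bad.example", "malicious.example"}   # stand-in for a threat-intelligence domain feed

if __name__ == "__main__":
    print("malware:", malware_hits(SAMPLE, IOCS))
    print("exfil:", exfil_candidates(SAMPLE))
    print("out of hours:", out_of_hours(SAMPLE))
```

The exfiltration rule deliberately uses destination rarity across the whole population rather than a fixed allow-list: the 8 MB POST to the mail server is contacted by several users and is not flagged, while the 12 MB POST to a host only one user has ever reached is. Reporting ALLOWed hits against the IOC list is the point of the malware rule; a BLOCK already means the proxy's own policy caught it, an ALLOW means the feed knows something the proxy did not.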

Compliance Monitoring:

  • Objective: Ensure compliance with corporate web usage policies and regulatory requirements.
  • Method: Monitor and report on access to restricted categories such as adult content, gaming, or social media during work hours. This can involve real-time blocking of such sites or alerting for follow-up.
  • MITRE: T1550 (Use of Web Protocols), T1554 (Compromise Client Software Binary), T1200 (Hardware Additions)

Bandwidth Management:

  • Objective: Manage and optimize network bandwidth.
  • Method: Analyze traffic patterns to identify non-business related high bandwidth consumption. This can help in shaping traffic and prioritizing business-critical applications.
  • MITRE: T1498 (Network Denial of Service), T1560 (Archive Collected Data)
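Compliance Monitoring and Bandwidth Management both reduce to aggregating the proxy's Categories field, so one added example (not from the original article) serves both: it reports restricted-category requests per user during working hours, and computes the share of total bytes consumed by non-business categories with the top offenders ranked for traffic-shaping decisions. The category names, the restricted and business sets, the working-hours window and the 30% threshold are policy assumptions made for this example, as are the constructed records.

```python
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Policy sets are assumptions for this example; a real deployment takes them from the acceptable-use policy.
RESTRICTED = {"adult", "gambling", "gaming", "social-media"}
BUSINESS = {"business", "productivity", "software-updates"}


def rec(ts: str, user: str, category: str, bytes_sent: int, bytes_received: int) -> dict:
    return {"ts": datetime.fromisoformat(ts).replace(tzinfo=timezone.utc),
            "user": user, "category": category, "bytes": bytes_sent + bytes_received}


def compliance_report(records: List[dict], work_start: int = 9, work_end: int = 18) -> Dict[str, Dict[str, int]]:
    """Per user, the number of requests in a restricted category during weekday working hours.
    Uses the proxy's own category label, so the quality of the report is bounded by the vendor's categorizer."""
    report = defaultdict(lambda: defaultdict(int))
    for r in records:
        ts = r["ts"]
        in_hours = ts.weekday() < 5 and work_start <= ts.hour < work_end
        if r["category"] in RESTRICTED and in_hours:
            report[r["user"]][r["category"]] += 1
    return {user: dict(cats) for user, cats in report.items()}


def bandwidth_by_category(records: List[dict]) -> Dict[str, int]:
    """Total bytes (sent + received) per category."""
    totals = defaultdict(int)
    for r in records:
        totals[r["category"]] += r["bytes"]
    return dict(totals)


def non_business_share(records: List[dict], threshold: float = 0.3) -> Tuple[float, bool, List[Tuple[str, int]]]:
    """Fraction of all bytes in non-business categories, whether it exceeds the threshold,
    and the non-business categories ranked by volume (largest first)."""
    totals = bandwidth_by_category(records)
    grand = sum(totals.values())
    non_biz = {c: b for c, b in totals.items() if c not in BUSINESS}
    share = sum(non_biz.values()) / grand if grand else 0.0
    ranked = sorted(non_biz.items(), key=lambda kv: kv[1], reverse=True)
    return share, share > threshold, ranked


# Constructed sample records for one weekday (2024-05-14 is a Tuesday).
SAMPLE = [
    rec("2024-05-14T09:30:00", "alice", "business", 1_000, 50_000),
    rec("2024-05-14T10:00:00", "alice", "social-media", 2_000, 400_000),
    rec("2024-05-14T12:30:00", "bob", "streaming", 5_000, 900_000_000),
    rec("2024-05-14T13:00:00", "bob", "gaming", 500, 30_000_000),
    rec("2024-05-14T20:00:00", "bob", "gaming", 500, 30_000_000),   # after hours: not a policy breach
    rec("2024-05-14T14:00:00", "carol", "software-updates", 800, 250_000_000),
    rec("2024-05-14T15:00:00", "carol", "business", 3_000, 2_000_000),
]

if __name__ == "__main__":
    print("compliance:", compliance_report(SAMPLE))
    share, over, ranked = non_business_share(SAMPLE)
    print(f"non-business share: {share:.1%} (over threshold: {over})")
    for category, total in ranked:
        print(f"  {category:<16}{total:>14,} bytes")
```

Bytes are summed as sent plus received because bandwidth consumption is symmetric from the link's point of view; the exfiltration rule earlier in the article looks at bytes sent only, which is why the two aggregations are kept separate rather than sharing one counter.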

Secure Socket Layer (SSL) Inspection:

  • Objective: Detect unauthorized or harmful encrypted traffic.
  • Method: Monitor for an abnormal increase in encrypted traffic or certificate errors, which could indicate Man-In-The-Middle (MITM) attacks or traffic to compromised sites.
  • MITRE: T1557 (Man-in-the-Middle)

VPN and Remote Access Monitoring:

  • Objective: Monitor and secure VPN and remote access activity.
  • Method: Track all access through VPN gateways, identify geolocation anomalies, and verify the secure and appropriate use of remote access privileges.
  • MITRE: T1133 (External Remote Services), T1078 (Valid Accounts)

author: hendryadrian.com