Today I have been looking at my firewall logs through the lens of my security information and event management (SIEM) console. My staff usually does the day-to-day monitoring, and I have a third-party service that monitors the SIEM 24x7, but today I looked in on the situation with my own eyes, which I like to do every so often. I noticed some interesting things.
First of all, my network is constantly under attack. Every day, all day long, some kind of denial-of-service, port scanning, account/password guessing or direct exploit is being attempted. This seems to be the background noise of the Internet, most likely generated by automated systems under the control of malware, perhaps even large networks of botnets. Most of it doesn't seem to be directed at my network. It just seems to be crawling through the IP address spaces of the Internet in general.
I've noticed the same thing on my home network. I have a firewall at home that sits right behind my Internet router, and every once in a while I look at its logs, in much the same way I look at my company's firewall logs. At first I was surprised -- it was kind of a shock to see actual exploit attempts targeted at my home computers, game consoles, DVRs and other Internet-connected devices. Of course I realize that malicious traffic is ubiquitous on the Internet, but knowing it is not the same thing as seeing it face-to-face. It's like looking down the barrel of a gun.
On my company's network, the firewall blocks all these attacks. Literally. The only successful security breaches I've had on my network have been from the inside -- malware from email, malicious websites and tainted storage devices. Nothing has been able to hit me from outside through the firewall (knock on wood). I know this because I have sophisticated threat monitoring on my network and endpoint computers. So what I'm really looking at are firewall denies.
Still, despite the fact that none of the attacks are getting through, I wanted to do a deeper analysis. I started by separating the attacks into three categories.
The first category is the lowest level of concern, which is just information from the firewall logs about small amounts of bad traffic. Mostly this consists of a few bad connections or invalid network packets and connection timeouts. Nothing that can cause a lot of harm.
The second category is network traffic that is clearly malicious but doesn't pose an immediate threat. Obvious exploit attempts or vulnerability scans looking for security holes fall into this category, as long as my firewall is able to block it all.
The most severe category includes the attacks that are close to exhausting resources on my defensive perimeter. These are typically either DNS connection attempts trying to overwhelm my DNS server, or large amounts of regular network packets trying to flood my network, or excessive SSL connections to my Web servers. Fortunately, none of these have yet been successful, partially due to the fact that my Internet service provider filters out a lot of bad traffic before it gets to me.
The reason I split things into these three categories is so I can better manage the information I'm looking at. For now, I don't need to look at events in the first category, since they don't represent an immediate threat. The second category can also be ignored for now, although I want to keep an eye on things that may escalate into the third category. That's the one I want to look at more closely. I'll be keeping an eye on these "level three" events to make sure they don't threaten to escalate into an actual breach, either by exploiting services through the firewall or by exhausting resources on my firewall, network or systems.
It's also interesting to look at where these attacks are coming from. In the level three category, the No. 2 source of attacks is China. There's been a lot of talk lately about Chinese hackers, and I'm seeing some evidence of that. The No. 3 source is the Netherlands, which I can't explain other than the fact that a lot of computer talent, as well as exploits, come from there. The next source is Ukraine, which probably shouldn't surprise me given the current political climate. South Korea, the Russian Federation, India, Taiwan, France and Brazil are next in line, knocking on my door.
Who is No. 1? The U.S. I don't think we'll be bragging about that ranking anytime soon.
This week's journal is written by a real security manager, "J.F. Rice," whose name and employer have been disguised for obvious reasons. Contact him at firstname.lastname@example.org.
To join in the discussions about security, go to blogs.computerworld.com/security.