All successful cyber attacks share a common denominator: at some point the attacker must interact with the network. An organization’s own network metadata is therefore the single source of truth for continuously measuring and understanding compromise. By collecting, normalizing, and analyzing the large volumes of metadata the network generates, such as DNS queries, network flows, firewall logs, proxy logs, and email, organizations gain deep visibility into enterprise network behavior and can identify conclusive evidence of their own level of compromise.
The video further explains the specific roles of different metadata sources in detecting threats. Analyzing DNS queries provides context into attempted connections to adversarial infrastructure, while firewall and proxy access logs reveal attacks using direct IP addresses. Furthermore, capturing network flows highlights lateral movement attempts, and analyzing email data uncovers targeting patterns. By correlating these diverse metadata sources and comparing them against known Indicators of Compromise (IoCs) in real-time, organizations can accurately assess their compromise posture and verify if their security stack is performing as expected.
Takeaways
- Network Metadata as the Truth: Unique network metadata is the primary source of truth used to continuously and intentionally measure and understand organizational compromise.
- DNS Query Significance: Analyzing DNS queries is a key detection method because a compromised device will first attempt to resolve a domain belonging to the adversary.
- Firewall and Proxy Log Utility: When attackers bypass domain infrastructure to use IP addresses, traces of adversarial contact are found specifically within firewall or proxy access logs.
- Lateral Movement Insights: Monitoring network flows is essential for understanding how an attacker moves within a network after the initial point of compromise.
- Correlation of Email Data: While blocking email is a standard practice, analyzing and correlating email metadata with other sources provides intelligence on who is being attacked and the specific patterns used.
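The correlation described above, as an added example that is not part of the original video: a small Python script that parses constructed DNS, firewall, proxy, netflow and email log lines into one key=value schema, matches each record against a constructed IoC list (the domains, IPs and sender address are placeholders, not real threat intelligence), groups the hits by internal asset, and flags internal-to-internal flows from an asset that already has an IoC hit as possible lateral movement. The log format, field names and the 10.0.0.0/8 internal range are assumptions for the example.

```python
"""Correlate normalized network metadata against an IoC list.

Added example, not code from the original video. Log formats, field names
and IoC values are constructed for illustration.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed IoC set (placeholder values, not real threat intelligence).
IOC_DOMAINS = {"update-check.example-bad.test", "cdn.evil.test"}
IOC_IPS = {"203.0.113.45", "198.51.100.7"}
IOC_SENDERS = {"invoice@evil.test"}

# Assumed internal address space; adjust to the environment being monitored.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Constructed sample log lines, already reduced to a common key=value shape.
SAMPLE_LOGS = [
    'source=dns ts=2024-05-01T08:00:01Z src=10.0.0.12 qname=update-check.example-bad.test',
    'source=dns ts=2024-05-01T08:00:02Z src=10.0.0.20 qname=www.example.org',
    'source=firewall ts=2024-05-01T08:00:05Z src=10.0.0.12 dst=203.0.113.45 dport=443 action=allow',
    'source=proxy ts=2024-05-01T08:01:00Z src=10.0.0.31 dst=198.51.100.7 host=cdn.evil.test',
    'source=netflow ts=2024-05-01T08:02:00Z src=10.0.0.12 dst=10.0.0.44 dport=445 bytes=20480',
    'source=netflow ts=2024-05-01T08:02:30Z src=10.0.0.20 dst=10.0.0.44 dport=445 bytes=1024',
    'source=email ts=2024-05-01T07:55:00Z sender=invoice@evil.test recipient=alice@corp.test subject="Invoice"',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Parse one key=value log line (quoted values allowed) into a dict."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def is_internal(ip):
    """True if the string is an IP address inside the assumed internal range."""
    try:
        return ipaddress.ip_address(ip) in INTERNAL_NET
    except ValueError:
        return False


def match_iocs(rec):
    """Return (indicator_type, indicator) hits for a single normalized record.

    DNS reveals attempted resolution of adversary domains; firewall/proxy
    reveal direct-IP contact (and, for proxies, the requested host); email
    reveals who is being targeted by a known sender.
    """
    hits = []
    source = rec.get("source")
    if source == "dns" and rec.get("qname") in IOC_DOMAINS:
        hits.append(("domain", rec["qname"]))
    elif source in ("firewall", "proxy"):
        if rec.get("dst") in IOC_IPS:
            hits.append(("ip", rec["dst"]))
        if rec.get("host") in IOC_DOMAINS:
            hits.append(("domain", rec["host"]))
    elif source == "email" and rec.get("sender") in IOC_SENDERS:
        hits.append(("sender", rec["sender"]))
    return hits


def correlate(lines):
    """Group IoC hits by internal asset and flag lateral movement candidates.

    Returns (hits_by_asset, lateral): hits keyed by source IP or recipient,
    and internal-to-internal flows whose source already has an IoC hit.
    """
    records = [parse_line(line) for line in lines]
    hits_by_asset = defaultdict(list)
    for rec in records:
        asset = rec.get("src") or rec.get("recipient")
        for ind_type, indicator in match_iocs(rec):
            hits_by_asset[asset].append(
                {"ts": rec["ts"], "source": rec["source"],
                 "type": ind_type, "indicator": indicator}
            )
    lateral = []
    for rec in records:
        if (rec.get("source") == "netflow"
                and is_internal(rec.get("src", ""))
                and is_internal(rec.get("dst", ""))
                and rec["src"] in hits_by_asset):
            lateral.append({"ts": rec["ts"], "src": rec["src"],
                            "dst": rec["dst"], "dport": rec.get("dport")})
    return dict(hits_by_asset), lateral


if __name__ == "__main__":
    hits, lateral = correlate(SAMPLE_LOGS)
    for asset, asset_hits in hits.items():
        print(asset, [(h["source"], h["type"], h["indicator"]) for h in asset_hits])
    for flow in lateral:
        print("possible lateral movement:", flow)
```

Running the script shows 10.0.0.12 with both a DNS hit and a firewall hit, 10.0.0.31 with proxy hits on both the IP and the requested host, alice@corp.test as the targeted recipient, and only the 10.0.0.12 to 10.0.0.44 flow flagged, since 10.0.0.20 has no IoC hit. In a real deployment the IoC sets would be refreshed from a feed and the normalization step would translate each vendor's native format into the shared schema before matching.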