almost 9 years ago
Need ideas to get started?
Need Ideas?
Here at LogRhythm, we're full of ideas for what we want to do with Network Monitor. If you are enjoying working with Network Monitor and want some inspiration for the contest, consider tackling one of the following challenges:
Novel Threat Detection
We recently released some simple query rules to look for the EternalBlue exploit vector. What else is out there? We expect this category to require diving into the metadata that Network Monitor extracts for each protocol and lifting out highly specific behaviors.
- Can you pick out Gh0st or Loki or BBSRat? They are all well-known protocols at this point, but they keep coming back in new variants.
- Can you passively detect web based exploit kits? Is there a clear signature for Angler (or the flavor of the day) that is detectable in HTTP or HTTPS traffic?
Hunting Dashboard or Use Case
Hunting is all about quickly moving from odd to suspicious to malicious by generating real evidence to drive action. We already have two hunting dashboards built into Network Monitor: the Destination Ports dashboard and the Ingress/Egress dashboard. Using a combination of dashboards and possibly DPA rules, consider the following:
- Can you create a risk dashboard? We know from WannaCry that SMB v1 is a risky protocol. We also know that any encrypted traffic using a protocol version older than TLS 1.2 is risky. What other risky protocols are out there, and can you make a dashboard that quickly identifies risky behavior?
- Can you isolate beaconing activity? What protocols and behaviors indicate beaconing as opposed to normal automated behaviors?
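As an added illustration of the two challenges above (not LogRhythm code, and not a DPA rule), the following script runs over constructed flow metadata records: it flags the risky protocol versions named above (SMBv1, TLS older than 1.2) and separates beacon-like traffic from ordinary automated traffic by measuring how regular the inter-connection intervals are for each source/destination/port triple. The record field names, the risky-version table and the thresholds min_conns and max_cv are assumptions.

```python
# Added example, not LogRhythm's code: score flow metadata for risky protocol
# versions and for beacon-like periodicity. Field names and sample data are constructed.
from collections import defaultdict
from statistics import mean, pstdev

# (application, version) pairs treated as risky; table contents are an assumption.
RISKY = {("smb", "1"): "SMBv1", ("tls", "1.0"): "TLS 1.0",
         ("tls", "1.1"): "TLS 1.1", ("tls", "ssl3"): "SSLv3"}

def risky_flows(flows):
    """Return [(src, dst, reason)] for flows whose protocol version is in RISKY."""
    hits = []
    for f in flows:
        reason = RISKY.get((f["app"], f.get("version", "")))
        if reason:
            hits.append((f["src"], f["dst"], reason))
    return hits

def beacon_candidates(flows, min_conns=6, max_cv=0.15):
    """Group flows by (src, dst, dport) and flag groups whose inter-connection
    gaps are near-constant. cv = stdev/mean of the gaps: a beacon on a fixed
    timer has a small cv; user browsing or bursty jobs have a large one.
    Thresholds are assumptions to tune against real traffic."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f["src"], f["dst"], f["dport"])].append(f["ts"])
    out = []
    for key, times in groups.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        m = mean(gaps)
        cv = pstdev(gaps) / m if m else float("inf")
        if cv <= max_cv:
            out.append((key, round(m, 1), round(cv, 3)))
    return out

# Constructed sample: 10.0.0.5 contacts 203.0.113.9 roughly every 60s (small jitter),
# 10.0.0.7 browses 198.51.100.4 irregularly, 10.0.0.9 uses SMBv1 and TLS 1.0.
SAMPLE = (
    [{"ts": 1000 + 60 * i + (i % 3) - 1, "src": "10.0.0.5", "dst": "203.0.113.9",
      "dport": 443, "app": "tls", "version": "1.2"} for i in range(8)]
    + [{"ts": t, "src": "10.0.0.7", "dst": "198.51.100.4", "dport": 80, "app": "http"}
       for t in (1000, 1003, 1150, 1151, 1400, 1401, 1990, 2500)]
    + [{"ts": 1200, "src": "10.0.0.9", "dst": "10.0.0.2", "dport": 445, "app": "smb", "version": "1"},
       {"ts": 1300, "src": "10.0.0.9", "dst": "10.0.0.3", "dport": 443, "app": "tls", "version": "1.0"}]
)

if __name__ == "__main__":
    print(risky_flows(SAMPLE))
    print(beacon_candidates(SAMPLE))
```

The regularity test is deliberately simple; production logic would also weigh destination reputation, connection size uniformity and whether the destination is internal.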
IT Operations Use Case
There's a big blurry line between IT operations and security operations. If you are collecting data for one, you are also collecting data for the other. The default dashboard in Network Monitor is a pretty simple IT operations use case looking for top use of bandwidth.
- Which systems are top talkers? Can you leverage the Analyze dashboard and make a dashboard identifying top sending systems and top receiving systems? Can you also filter internal systems from external systems?
- Can you fingerprint a system? Which server(s) are primary web hosts? Which servers are primary DHCP or DNS or AD hosts? Can you use DPA rules and a dashboard to reverse engineer core service hosts?
These are just some starter ideas. Feel free to take on any of these or develop your own challenge!
Also, please keep an eye on our community site and LogRhythm Blog. We'll be posting some additional DPA guidance soon on how to extract specific bytes from a packet.
