Espy – Network Monitoring Without a Network Sensor!
Network monitoring is relatively straightforward. I won’t say easy, because there are a lot of facets to learn, but straightforward:
- Find a point (or points) in your network that carries most of the traffic you want to watch.
- Set up a mirror port in a switch there that will generate copies of all those packets.
- Connect your sensor to that mirror point.
- Run your packet analysis software on the sensor.
- Profit! (apologies to South Park)
While there are all kinds of reasons why this can be tricky, I want to focus on the first step: what if there is no chokepoint where you can see all the traffic?
The issues of a distributed workforce used to be handled by a relatively small number of organizations with a few traveling salespeople or work-from-homers. Now they exist in most technical organizations. It’s amazing to see just how many people can do their jobs from home if given the right tools and flexibility on how and when the job is done.
Unfortunately, this also means that network monitoring becomes impractical; there’s no single point where I can put a network sensor to see hundreds or thousands of employees’ network traffic and look for security issues. Even saying “let’s put a sensor in everyone’s home network” has significant privacy, performance, support, and cost issues.
OK, back to the drawing board…
If we are going to watch a relatively small number of company-owned systems, want to avoid watching the personal machines that share those home networks, and want to keep the cost per site down, let’s consider watching the network traffic right on the company laptops. And this is where Espy comes in.
Espy is the flagship feature in the recently-released AC-Hunter version 5.0. Here’s how it works:
- The Espy server runs on or near the AC-Hunter system.
- I install a small piece of software on my remote Windows laptops that reports on the network connections taking place. These records are sent to the Espy server.
- Espy collates all this network connection information and hands it to AC-Hunter as one big virtual sensor (that may happen to span tens or hundreds of home networks).
- AC-Hunter searches for Threats on those Windows machines.
To make the magic happen, you’ll need an Espy server, which can be installed at the same time you’re upgrading to AC-Hunter 5.0. You’ll also need to install the Espy client on the Windows machines you want to monitor; this can take some time but is a one-time setup.
There’s one limitation of which you should be aware. Because the network information sent to the Espy server is a very thin summary of the network connections – no payload is sent (*) – we can look for Beacons and Strobes but won’t be able to Threat Hunt for DNS, Client Signature, or Certificate issues. There’s more detail on this in the AC-Hunter User Guide.
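To show what connection summaries alone can and cannot reveal, here is an added example (not Espy or AC-Hunter code) that groups constructed metadata-only records by source, destination and port, then flags the two patterns the paragraph says survive the loss of payload: beacons, by the regularity of the gaps between connections, and strobes, by sheer connection count. Hostnames, addresses and thresholds are constructed for the illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed connection summaries: (timestamp in seconds, source host,
# destination address, destination port). There is no payload field, which
# is exactly the position a metadata-only feed leaves the analyst in.
SAMPLE_RECORDS = (
    # laptop-1 checks in with 203.0.113.10:443 roughly every 60 s (constructed beacon)
    [(1000 + 60 * i + (i % 3), "laptop-1", "203.0.113.10", 443) for i in range(20)]
    # laptop-1 also browses normally: a handful of irregularly spaced connections
    + [(1000 + t, "laptop-1", "198.51.100.7", 443) for t in (5, 9, 140, 141, 600, 2200)]
    # laptop-2 opens 300 connections to one host in five minutes (constructed strobe)
    + [(1000 + i, "laptop-2", "192.0.2.50", 8080) for i in range(300)]
)


def analyze_connections(records, min_conns=10, max_cv=0.1, strobe_count=250):
    """Group connection summaries by (src, dst, port) and label each pair that
    shows a pattern visible in metadata alone. Returns {pair: "beacon"|"strobe"}."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in records:
        by_pair[(src, dst, port)].append(ts)

    findings = {}
    for pair, stamps in by_pair.items():
        stamps.sort()
        # Strobe: the connection volume itself is the signal, so check it first.
        if len(stamps) >= strobe_count:
            findings[pair] = "strobe"
            continue
        if len(stamps) < min_conns:
            continue  # too few connections to judge periodicity
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg_gap = mean(gaps)
        if avg_gap == 0:
            continue  # all timestamps identical; no interval to measure
        # Coefficient of variation of the inter-connection gaps: a value near
        # zero means the connections fire on a fixed schedule, the beacon signature.
        cv = pstdev(gaps) / avg_gap
        if cv <= max_cv:
            findings[pair] = "beacon"
    return findings


if __name__ == "__main__":
    for pair, label in analyze_connections(SAMPLE_RECORDS).items():
        print(label, *pair)
```

The browsing traffic to 198.51.100.7 is left unlabelled, and nothing here could tell you what was said on any of these connections, only that they happened and when.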
One more thing. We’re proud to share many of our developers’ projects with the world under an open-source license, allowing you to try them out and use them at no cost and with relatively few requirements (see the license for details). Espy is one of those projects; we want you to be able to download it and use it even if you’re not an AC-Hunter customer. To download it and see more details, please see our repository here.
* It’s like the record of a phone call that lists the calling number, the dialed number, and the start time, but has no record of the actual conversation.
Bill has authored numerous articles and tools for client use. He also serves as a content author and faculty member at the SANS Institute, teaching the Linux System Administration, Perimeter Protection, Securing Linux and Unix, and Intrusion Detection tracks. Bill’s background is in network and operating system security; he was the chief architect of one commercial and two open source firewalls and is an active contributor to multiple projects in the Linux development effort. Bill’s articles and tools can be found in online journals and at http://github.com/activecm/ and http://www.stearns.org.