How to Use Zeek to Catch Data Exfiltration With a Single Command – Video Blog
Video – Using Zeek to Catch Data Exfiltration
Command Used
cat conn.*log | bro-cut id.orig_h id.resp_h orig_bytes | sort | grep -v -e '^$' | grep -v '-' | datamash -g 1,2 sum 3 | sort -k 3 -rn | head -10
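The one-liner above depends on bro-cut (shipped as zeek-cut in current Zeek releases) and GNU datamash. The script below is an added example, not the command from the video: it performs the same aggregation with only POSIX awk, sort and head, over a constructed and abridged conn.log embedded in the script. Like bro-cut, it locates columns by name from the #fields header line, and it checks the orig_bytes column itself for Zeek's "-" unset marker rather than dropping any line containing a dash. The sample log, the uids, and the IP addresses are all made up for the demonstration.

```shell
#!/bin/sh
# Added example, not the command from the video: the same top-talker
# aggregation using only POSIX awk, sort and head, for hosts where bro-cut
# (zeek-cut) and datamash are not installed. Field positions are read from
# the Zeek "#fields" header line, which is what bro-cut does for you.

# Constructed, abridged Zeek conn.log for demonstration (real logs carry more
# columns). It includes a connection whose orig_bytes is "-" (Zeek's unset
# marker for a connection that never carried payload) and a blank line.
sample_conn_log() {
    T=$(printf '\t')
    cat <<EOF
#separator \x09
#set_separator${T},
#empty_field${T}(empty)
#unset_field${T}-
#path${T}conn
#fields${T}ts${T}uid${T}id.orig_h${T}id.orig_p${T}id.resp_h${T}id.resp_p${T}proto${T}orig_bytes${T}resp_bytes
#types${T}time${T}string${T}addr${T}port${T}addr${T}port${T}enum${T}count${T}count
1700000000.10${T}CExmp1${T}10.0.0.5${T}51000${T}203.0.113.10${T}443${T}tcp${T}1500${T}4000
1700000001.20${T}CExmp2${T}10.0.0.7${T}51001${T}198.51.100.20${T}443${T}tcp${T}9000${T}120
1700000002.30${T}CExmp3${T}10.0.0.9${T}51002${T}203.0.113.10${T}80${T}tcp${T}-${T}-

1700000003.40${T}CExmp4${T}10.0.0.5${T}51003${T}203.0.113.10${T}443${T}tcp${T}2500${T}6000
1700000004.50${T}CExmp5${T}10.0.0.5${T}51004${T}198.51.100.20${T}53${T}udp${T}100${T}300
#close${T}2023-11-14-22-13-24
EOF
}

# Usage: top_talkers [N] < conn.log
# Prints "orig_h<TAB>resp_h<TAB>total_orig_bytes", largest senders first.
top_talkers() {
    n="${1:-10}"
    awk -F '\t' '
        # Header: map each field name to its 1-based column in the data rows.
        /^#fields/ { for (i = 2; i <= NF; i++) col[$i] = i - 1; next }
        # Skip the remaining header/footer lines and blank lines.
        /^#/ || NF == 0 { next }
        {
            src   = $(col["id.orig_h"])
            dst   = $(col["id.resp_h"])
            bytes = $(col["orig_bytes"])
            # "-" means unset: the connection sent no payload, so it is not counted.
            if (bytes == "-") next
            total[src "\t" dst] += bytes
        }
        END { for (k in total) printf "%s\t%d\n", k, total[k] }
    ' | sort -t "$(printf '\t')" -k3,3 -rn | head -n "$n"
}

# Stand-alone run over the constructed sample.
sample_conn_log | top_talkers 10
```

On the sample, the two 10.0.0.5 to 203.0.113.10 connections are summed to 4000, the 10.0.0.9 row with unset orig_bytes is dropped, and 10.0.0.7 comes out on top with 9000 bytes. Testing the orig_bytes column explicitly does what the one-liner's `grep -v '-'` does, without relying on no other selected column ever containing a dash. To run it on real data, replace `sample_conn_log |` with `cat conn.*log |`.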
Video Transcript
(00:00)
Hey folks, I’m Chris Brenton and today I’m going to show you how you can use your Zeek data in a single command to identify which of your internal systems is sending the most amount of data to the internet. This could be useful if you’re worried about data exfiltration, an internal system that may have gotten whacked, or an internal user that’s gone rogue that’s sending a lot of information out to some IP address out on the internet. This assumes that you’ve got Zeek installed, just before the internal interface of your firewall so it can see all the traffic going out to the internet. It also assumes you’ve got Zeek running all the time. So you’ve got like 24 hours’ worth of data to work with. But with that said, we’re simply catting out the conn logs. We’re running it through bro-cut, and bro-cut is allowing us to go in and grab the internal IP, the IP address it’s talking to out in the internet, and how many bytes that internal IP address is sending out.
(00:52)
We go through, we sort the data, we remove any blank lines. We also go through and remove any times that the internal system tried to connect to somebody, but no payload information was transferred. Zeek will identify that with a dash. We want to pull those out. And then I’m simply running it through datamash to say, hey, anytime the source and destination IP address is the same, sum up that third column, sum up the total number of bytes that was sent from the internal system out to the internet. Sort it so that we now see highest to lowest. And I just want to look at my top 10. So now when I go in and I run this command, here is what we get. So when I want to identify which of my internal systems is sending the most amount of data out to the internet, hey, here it is right up at the top of the list.
(01:34)
That’s about it. Hope you found this useful. Thanks.
Chris has been a leader in the IT and security industry for over 20 years. He’s a published author of multiple security books and the primary author of the Cloud Security Alliance’s online training material. As a Fellow Instructor, Chris developed and delivered multiple courses for the SANS Institute. As an alumnus of Y-Combinator, Chris has assisted multiple startups, helping them to improve their product security through continuous development and identify their product market fit.