The focus of this presentation is to describe ways to automate the discovery of different asset classes and behavioral profiles within an enterprise network. We will describe data driven techniques to derive fingerprints for specific types of individual and subgroup behaviors. The goal of these methods is to add context to communications taking place within an enterprise as well as being able to identify when certain asset profiles change there behavioral fingerprint in such a way as to indicate compromise. The type of profiles we want to discover can be tied to human behavior (User Fingerprinting) or particular asset classes like WebServers or Databases (Hardware/Software Fingerprinting). Finally enriching these profiles with a small amount of network context lets us break down the behaviors across different parts of the network topology.
These techniques become important when we want to passively monitor for certain attacks against server hardware even without visibility into the local logs running on the server. For example we will cover the automated discovery and enrichment of DMZ assets and how we use these techniques to profile when a server has been planted with a Webshell or when an asset has been used to covertly exfil data. The methods we propose should be generic to apply to a wide variety of any kind of Layer 4/ Layer 7 traffic or just PCAP data alone.