Collect network traffic logs
Malicious activity almost always takes place over a network. This is most true for the following phases of the cyber kill chain: reconnaissance, delivery, command-and-control and possible exfiltration. Network traffic logs help the investigator identify attacker activity in the network and scope a data breach. Organisations often lack any form of network traffic logging, either because they are unaware of its relevance or because they lack the capacity to retain the logs.
A common use case for network traffic logs is investigating C&C traffic to one or more known evil servers. Having netflow, DNS and/or HTTP logs available helps scope which hosts in the network are infected. Also, when pivoting the investigation to a host in the network, network logs tell a lot about the malicious activity on that host: is it beaconing? Which other hosts did it attempt to connect to? Where did the compromise originate?
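As an added illustration of the two questions above (which hosts contacted a known C&C server, and is a host beaconing), the following Python is example code written for this page, not part of the original text; the flow records, IP addresses and the KNOWN_C2 indicator are constructed placeholders, and the interval-regularity threshold is an assumed heuristic.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed netflow-style records: timestamp, source host, destination, dest port.
# Host 10.0.0.5 talks to 203.0.113.10 every ~60s (beacon-like); 10.0.0.7 is irregular.
SAMPLE_FLOWS = """\
2024-01-10T09:00:00 10.0.0.5 203.0.113.10 443
2024-01-10T09:01:01 10.0.0.5 203.0.113.10 443
2024-01-10T09:02:00 10.0.0.5 203.0.113.10 443
2024-01-10T09:02:59 10.0.0.5 203.0.113.10 443
2024-01-10T09:04:00 10.0.0.5 203.0.113.10 443
2024-01-10T09:00:10 10.0.0.7 198.51.100.20 80
2024-01-10T09:07:42 10.0.0.7 198.51.100.20 80
2024-01-10T09:09:03 10.0.0.7 198.51.100.20 80
2024-01-10T09:30:15 10.0.0.7 198.51.100.20 80
2024-01-10T09:31:00 10.0.0.9 203.0.113.10 443
"""

KNOWN_C2 = {"203.0.113.10"}  # placeholder indicator for the "known evil server" case

def parse_flows(text):
    flows = []
    for line in text.splitlines():
        ts, src, dst, port = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return flows

def hosts_contacting(flows, indicators):
    """Scoping question: which internal hosts talked to a known C&C server?"""
    return sorted({src for _, src, dst, _ in flows if dst in indicators})

def beacon_candidates(flows, min_events=4, max_cv=0.1):
    """Pivot question: is a host beaconing? Flag (src, dst) pairs whose
    inter-connection intervals are regular: coefficient of variation
    (stdev / mean) at or below max_cv across at least min_events flows.
    Returns {(src, dst): mean interval in seconds}."""
    by_pair = defaultdict(list)
    for ts, src, dst, _ in flows:
        by_pair[(src, dst)].append(ts)
    results = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        cv = pstdev(gaps) / mean(gaps)
        if cv <= max_cv:
            results[pair] = round(mean(gaps), 1)
    return results
```

Real beacons add jitter and blend with legitimate periodic traffic (update checks, NTP), so the threshold and minimum event count need tuning against your own baseline.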
Firewalls and routers are a typical source of network logs; netflow-like data, blocked/allowed TCP/IP packets and DNS traffic logs may be generated by your firewall. Next-generation firewalls may also allow logging of TLS session content and of network traffic flagged as suspicious by intrusion-detection signatures. Most organisations make use of a local HTTP proxy server. Proxy servers can be leveraged to produce more extensive HTTP logging.
Full packet capture provides the ultimate network traffic log for investigations. It gives the investigator full insight into the content of network streams. However, a permanent full packet capture facility often requires large storage and disk IO for the capture appliance. This usually forces a trade-off between completeness of network traffic logs and cost.
A network security monitoring appliance can be used as a (more centralised) network logger. Such an appliance is independent of the network devices in place and can provide a wealth of metadata on network traffic. Bro* is a great example of free and open-source network security monitoring software.
The cost of deploying and maintaining a network logger depends on the size and distribution of an organisation’s network. Examining and leveraging the logging features of the existing security and network devices in the network is a good first step.