Title :
Security Incident Origin Discovery (SIOD): IP Transaction Tracking for Centralized Cyber Defense
Author :
Charbonneau, Neal ; Newman, Brandon ; Pecelli, Dylan
Author_Institution :
MITRE Corp., Bedford, MA, USA
Abstract :
In many enterprise Internet Protocol networks, Network Address Translation and other traffic forwarding techniques protect interior assets from exterior threats by minimizing exposure to just a single, hardened point. Complex networks may incorporate several layers of such protection. However, this obfuscation also hinders legitimate cyber security functions: discovering the complete path of a suspicious traffic flow requires inspecting forwarders' logs, unraveling one layer of concealment at a time. These challenges are compounded when centralized cyber-defense teams must pursue suspicious activity across numerous regional and individual site networks. Identifying a single host at the end of a dubious transaction may require coordination among central, regional, and local administrators, as well as human review of many intermediary devices' activity logs. In this paper, we describe an approach to automate the investigation process by correlating details of alerts and forwarder records to iteratively discover the chain of forwarders implicated in a given transaction. By rapidly revealing a suspicious transaction's true endpoints, incident response times can be dramatically reduced, allowing for rapid intervention and analysis. We present our prototype tracing algorithm in pseudo-code, describe the diverse lab environment in which it was developed, and detail specific trace scenarios for both web and Domain Name Service traffic. We address unique log formats and behaviors of different forwarders and recommend practices for specific units. Finally, we discuss means to integrate investigation triggers and results into existing Security Information and Event Management deployments, empowering cyber-defense analysts without further complicating their workflows.
Keywords :
IP networks; computer network security; telecommunication traffic; IP transaction tracking; Internet protocol networks; SIOD; centralized cyber defense; cyber security functions; cyber-defense analysts; event management deployments; network address translation; prototype tracing algorithm; pseudo-code; security incident origin discovery; security information; traffic flow; traffic forwarding techniques; Detectors; Firewalls (computing); IP networks; Internet; Ports (Computers); Servers; cyber-defense; cyber-security; network;
Conference_Titel :
Military Communications Conference (MILCOM), 2014 IEEE
Conference_Location :
Baltimore, MD
DOI :
10.1109/MILCOM.2014.14