Unauthorized Connection Through Firewall

Description

Any communication through the firewall that is not explicitly permitted by policy, that is, traffic matched only by a default allow rule, may indicate a misconfiguration or malicious activity, putting both security and compliance at risk.


Use Case

Security Monitoring, Compliance

Category

GDPR, Data Exfiltration, Scanning

Security Impact

In addition to the general security benefit, this detection helps an organization's data privacy officer (DPO) meet GDPR requirements by detecting new applications or service providers that push or pull personal data without the proper documentation. Each hit can trigger an update of the documentation and engage the DPO, giving continuous monitoring for undocumented applications that bypass corporate processes. GDPR Article 32 also requires regular testing, assessment and evaluation of the effectiveness of the implemented technical and organizational security controls, and if a supervisory authority exercises its powers and the organization is in scope of a privacy audit, the organization must be able to demonstrate compliance (Article 58). Finally, individuals affected by a breach have a right to compensation for the damage suffered; an organization is exempt from that liability only if it can prove it was not in any way responsible for the event giving rise to the damage (Article 82), which is far easier with evidence of appropriate, monitored countermeasures.

Alert Volume

Low

SPL Difficulty

Basic

Journey

Stage 1

MITRE ATT&CK Tactics

Exfiltration
Discovery
Command and Control

MITRE ATT&CK Techniques

Exfiltration Over Command and Control Channel
Exfiltration Over Alternative Protocol
Custom Command and Control Protocol
Standard Cryptographic Protocol
Standard Non-Application Layer Protocol
Network Service Scanning

MITRE Threat Groups

APT29
APT3
APT32
APT33
APT37
APT39
APT41
BRONZE BUTLER
Cobalt Group
FIN6
FIN8
Gamaredon Group
Ke3chang
Kimsuky
Lazarus Group
Leafminer
Machete
OilRig
PLATINUM
Soft Cell
Stealth Falcon
Suckfly
Taidoor
Threat Group-3390
Thrip
Tropic Trooper
Turla
menuPass

Kill Chain Phases

Command and Control

Data Sources

Network Communication

How to Implement

This search works out of the box with Palo Alto Networks firewall logs, and with logs from any other firewall whose add-on maps them to the Splunk Common Information Model (CIM). Make sure the add-on you install (search Splunkbase) populates the CIM Network_Traffic fields, in particular action and rule, because the search filters on the name of the rule that allowed the connection.

Known False Positives

No known false positives. Expect hits from legitimate applications that were brought online without an explicit allow rule; these are documentation gaps rather than attacks and are closed by documenting the connection and adding a specific allow rule, as described under How To Respond.

How To Respond

A default allow firewall rule should never be used. If the connection should be allowed, document it first and then add a specific allow rule for exactly that source, destination and service, so that the default rule no longer matches it.

Help

Unauthorized Connection Through Firewall Help

This example leverages the Simple Search search assistant. Our example dataset is a collection of anonymized firewall logs (onboarded in accordance with our Data Onboarding Guides) in which someone does something bad. Our live search looks for the same behavior using the standardized sourcetypes for firewalls or the Common Information Model.

SPL for Unauthorized Connection Through Firewall

Demo Data

First we bring in our basic demo dataset. In this case, firewall logs. We're using a macro called Load_Sample_Log_Data to wrap around | inputlookup, just so it is cleaner for the demo data.
Next we filter for connections that were allowed by the default rule.
Next we look up the destination host in the GDPR categorization lookup. Because we only care about GDPR hosts for this example, we filter for only the hosts that are in scope for GDPR.

Live Data

First we bring in our basic dataset. In this case, firewall logs. We filter for connections using the default rule.
Next we look up the host in the GDPR categorization lookup. Because we only care about GDPR hosts for this example, we filter for only the hosts that are in scope for GDPR.
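The two searches the steps above describe, written out as an added example; this is not the SPL from the original page. The first search builds four constructed firewall events inline with makeresults so it runs on any Splunk instance, and stands in for the GDPR lookup with an eval case() that marks 203.0.113.10 as in scope. The second search is the live version: the index name firewall, the lookup name gdpr_host_category with its host and gdpr_scope fields, and the rule names default and intrazone-default (the latter is the name PAN-OS gives its predefined intrazone rule) are assumptions to adjust to your environment. The sourcetype pan:traffic is the traffic log sourcetype of the Palo Alto Networks Add-on.

```spl
| makeresults
| eval line="2024-03-01T10:00:00 src=10.1.2.3 dest=203.0.113.10 dest_port=443 action=allowed rule=default;2024-03-01T10:00:05 src=10.1.2.4 dest=10.9.0.7 dest_port=445 action=allowed rule=allow-smb-internal;2024-03-01T10:01:00 src=10.1.2.9 dest=198.51.100.5 dest_port=22 action=allowed rule=default;2024-03-01T10:02:00 src=10.1.2.3 dest=203.0.113.10 dest_port=443 action=allowed rule=default"
| makemv delim=";" line
| mvexpand line
| rex field=line "^(?<ts>\S+) src=(?<src>\S+) dest=(?<dest>\S+) dest_port=(?<dest_port>\d+) action=(?<action>\S+) rule=(?<rule>\S+)$"
| eval _time=strptime(ts, "%Y-%m-%dT%H:%M:%S")
| search action=allowed rule="default"
| eval gdpr_scope=case(dest="203.0.113.10", "in_scope", dest="198.51.100.5", "out_of_scope", true(), "unknown")
| where gdpr_scope="in_scope"
| stats count min(_time) AS first_seen max(_time) AS last_seen values(dest_port) AS dest_port by src, dest, rule
| convert ctime(first_seen) ctime(last_seen)

index=firewall sourcetype=pan:traffic action=allowed rule IN ("default", "intrazone-default")
| lookup gdpr_host_category host AS dest OUTPUTNEW gdpr_scope
| where gdpr_scope="in_scope"
| stats count min(_time) AS first_seen max(_time) AS last_seen values(dest_port) AS dest_port by src, dest, rule
| convert ctime(first_seen) ctime(last_seen)
| sort - count
```

The constructed search returns a single row, src=10.1.2.3 to dest=203.0.113.10 on port 443 with count=2: the SMB connection is dropped because it matched an explicit rule, and the SSH connection to 198.51.100.5 is dropped because that host is not in GDPR scope. Grouping by src, dest and rule in the live search keeps the alert volume low while preserving exactly the tuple you need to write the specific allow rule called for under How To Respond.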

Screenshot of Demo Data