How to Monitor an Attack on Your Network?
Edificer
Are there any tools for that? Does it have to be from the ASAs? Are there any commands you can use on there? We have an authorized penetration attack tomorrow on our network. I want to know how I can monitor it from my side. Please let me know if you've been through such an experience, or have any ideas. Thanks!
We have a closed network, so no open ports and such. No internet browsing either.
Comments
docrice
Network device logs, IDS alerts, host-based detection systems, flow-based abnormalities, irregular application detection patterns, server app logs, other triggers that may exist in your network.
Edificer
Thanks! That puts me on track! I have another question for you, do you think a remote attack on a closed network is possible/successful? Provided they know the IP address of our ASA outside interface. Although that is all. Again, our network is just for internal sharing, no internet access/browsing.
docrice
It'll be harder, but never impossible. All hardware and software is made by human beings which means there's always an undiscovered bug somewhere. Could there be a way to cause the firewall to fail open somehow? Likely not, but you should never assume appliances are perfect (especially with a vendor like Cisco who traditionally has not had a lot of security credibility). More likely however is potential misconfiguration or lax configuration standards. You also must consider additional bypass potentials on a supposed air-gapped network - social engineering, USB connections, wireless, and so on.
ramrunner800
Security Onion is a Linux distribution that provides a pretty good all-in-one package for lots of the things docrice mentioned. It's like the Kali of network security monitoring.
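An added example, not code from any poster in this thread: one way to work with the "network device logs" docrice lists, applied to the ASA the original question asks about. It summarizes ACL deny messages (ASA syslog ID 106023) by source address and lists sources that touched many distinct host/port pairs during the test window. The sample lines, the access-group name `outside_in` and the `min_targets` threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the layout of ASA syslog message 106023
# (packet denied by an access-group); addresses are documentation ranges.
SAMPLE_LOG = '''\
%ASA-4-106023: Deny tcp src outside:203.0.113.7/40112 dst inside:10.1.1.10/21 by access-group "outside_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:203.0.113.7/40113 dst inside:10.1.1.10/22 by access-group "outside_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:203.0.113.7/40114 dst inside:10.1.1.10/23 by access-group "outside_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:203.0.113.7/40115 dst inside:10.1.1.10/80 by access-group "outside_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:203.0.113.7/40116 dst inside:10.1.1.10/443 by access-group "outside_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:203.0.113.7/40117 dst inside:10.1.1.10/3389 by access-group "outside_in" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:198.51.100.20/5353 dst inside:10.1.1.10/161 by access-group "outside_in" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:198.51.100.20/5353 dst inside:10.1.1.10/161 by access-group "outside_in" [0x0, 0x0]
%ASA-5-111008: User 'enable_15' executed the 'show logging' command.
'''

# Source/destination are "interface:address/port"; the port is absent for ICMP.
DENY_RE = re.compile(
    r"%ASA-\d-106023: Deny (?P<proto>\S+) "
    r"src (?P<src_if>[^:\s]+):(?P<src>[\d.]+)(?:/\d+)? "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst>[\d.]+)(?:/(?P<dport>\d+))?"
)

def summarize_denies(lines):
    """Group denied packets by source address: total count and distinct targets."""
    summary = defaultdict(lambda: {"denies": 0, "targets": set()})
    for line in lines:
        m = DENY_RE.search(line)
        if not m:
            continue  # not an ACL deny; other message IDs are ignored here
        entry = summary[m["src"]]
        entry["denies"] += 1
        entry["targets"].add((m["dst"], m["proto"], m["dport"]))
    return dict(summary)

def likely_sweeps(summary, min_targets=5):
    """Sources that hit at least min_targets distinct host/protocol/port tuples."""
    return sorted(s for s, e in summary.items() if len(e["targets"]) >= min_targets)

if __name__ == "__main__":
    result = summarize_denies(SAMPLE_LOG.splitlines())
    for src in likely_sweeps(result):
        e = result[src]
        print(src, e["denies"], "denies,", len(e["targets"]), "distinct targets")
```

Feed it the lines your syslog server receives from the ASA during the test; a source repeating one denied port shows a high count but few targets, which is why the two numbers are kept separate.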