Zeek is a proven open-source network visibility and analytics tool that you can leverage to increase your agency’s Network Visibility and Analytics Capability maturity under CISA’s Zero Trust Maturity Model Version 2.
Zeek (https://zeek.org, formerly named Bro) is a network sensor deployable on physical, virtual, and container technologies. Recording network traffic is a fundamental capability allowing analysis independent of network and host capabilities and enabling passive capture of network traffic.
Zeek uses its recorded or real time feed to create protocol (and higher level) records that make up a transaction for analysis. The table Prioritized Zeek Logs is a subset of supported log types that can be considered for your Zero Trust Visibility and Analytics approach.
These prioritized logs are my suggested top five logs to consider—if your Zero Trust maturity has these covered, Zeek supports another 20 log types, as well as a dozen frameworks to expand and mature analytics stacks. The Zeek logs are presented below, ordered based on least effort to deploy, but should be prioritized to your organization’s needs.
Prioritized Zeek Logs
| Zeek Log | Effort*(1=LOW) | Description | Comments | Zero Trust Maturity Lift |
|---|---|---|---|---|
| dns.log | 1 | Domain Name System (DNS) transactions | Zeek can use live DNS logging or recorded traffic | Initial: Network Monitoring Advanced: Automated processes for robust threat hunting activities. Optimal: Enterprise-wide situational Awareness. |
| ntp.log | 2 | Network Time Protocol (NTP)
| Depending on the environment’s NTP, may require a phased approach, especially extremely compartmentalized solutions. | Initial: Monitoring and telemetry correlation. |
| ssh.log | 3 | Secure Shell | Lateral, inbound, and outbound capabilities. | Initial: Network monitoring and micro-segmentation validation, validation of policy on user access rules |
| traceroute.log | 4 | Traceroute | Traceroute is a common troubleshooting tool but is also used for discovery and mapping of networks. | Initial: Basic network monitoring Advanced: Indicator of threat when validated |
| conn.log | 5 | Connections Logs | This is a global connection analysis log that provides a broad breakdown of network traffic. | Initial: Basic network monitoring Optimal: With an investment in distributed Zeek sensors, you can establish a solid coverage of enterprise-wide visibility. |
Common Zeek Use Cases
Zeek’s stack is adaptable to any capability requiring a network sensor. Three easily adapted use cases can provide immediate value:
- Troubleshooting Network Sensor
- Forensics Capture
- SIEM (Security Information and Event Manager) integrated network sensor
1. Troubleshooting Sensor
As a network troubleshooting sensor, Zeek can be adapted to quick deployments using the type of deployment you need. For example, a hardware-based sensor lends itself to distribution and core network areas of the network for multi-discipline, Tier III troubleshooting. Zeek also supports virtual machine and container deployments.
2. Forensics Capture
Zeek captures raw network data, allowing it to be a source of record for network-based captures. The analyst can place the Zeek sensor in a persistent location or the analyst can move the sensor in parallel with local port mirroring to capture for an active investigation.
3. SIEM Integrated Sensor (Threat Hunting and Incident Management)
Zeek’s logs integrate easily into most SIEMs (Security Information and Event Manager). For example, Zeek App for Hunting is a Splunk plugin that provides visual dashboards, fed by Zeek’s capabilities. The plugin also enriches the Splunk platform through its enhanced reporting capabilities.
Zeek can be leveraged for much more, increasing visibility while maturing your agency’s Zero Trust levels. Zeek integration provides opportunities across all network pillar maturity levels as shown in Zeek’s Network Pillar Maturity Level Integration Lift table.
Zeek’s Network Pillar Maturity Level Integration Lift
| Maturity Level | Zeek’s Integration Capabilities | Integration Targets |
|---|---|---|
| Traditional |
| SIEM, Service Desk (auto service requests). |
| Initial |
| Agency, commercial, and open threat feeds. Lateral movement and surface analysis. |
| Advanced |
| Network devices, SIEM. (Would require additional integration for pure software defined networking) |
| Optimal |
| Distributed Zeek nodes can help report compliancy with items such as valid SSL/TLS certificates, hidden IT (Information Technology) assets (DNS, SMTP, proxies, etc.) Can leverage all maturity level capabilities to advance enterprise visibility. |
Zeek Installation
Before installation, the Zeek Sensor’s hardware, virtual machine, or container will need to be placed in line with a network tap as shown in the Figure Network Tap. The network tap can be a hardware tap, or you can use your network switch’s capability to port mirror the traffic to the Zeek Sensor.
Figure Network Tap
Zeek is not delivered with Linux distributions, but it can be installed from packages or from source code. This example provides an installation example on Ubuntu 22.04:
# Update package list
sudo apt-get update
# Prerequisites
sudo apt-get install -y software-properties-common wget
# Add Zeek repository to your OS
sudosh -c "echo 'deb http://download.opensuse.org/repositories/security:/zeek/xUbuntu_$(lsb_release -rs)/ /' > /etc/apt/sources.list.d/security:zeek.list"
wget -nv https://download.opensuse.org/repositories/security:zeek/xUbuntu_$(lsb_release -rs)/Release.key -O Release.key
sudo apt-key add - <Release.key
# Update your package list again
sudo apt-get update
# Install Zeek
sudo apt-get install zeek
If your server is not configured for email, the installation will walk you through the Postfix mail server configuration on Ubuntu.
Zeek Usage – startup
The analyst can start Zeek in two modes: interface (shown below) or Packet Capture (PCAP) file. Use the parameter –r to read a PCAP file. In our example here, we will use the interface mode to have it read real time traffic. As root execute the following to start Zeek on the enp0s1 interface:
/opt/zeek/bin/zeek -i enp0s1 interface
Zeek DNS Example
As a DNS analysis example, let us consider an advanced persistent threat malware without a known signature which has been downloaded. It does not seem to have spread beyond the three users that downloaded as it appears to try to connect to domains and IP addresses we prohibit; however, spot checking is labor intensive, so we want to identify indicators of comprise at the edge of the network where a Zeek sensor is located.
The following command gives us a list of queries that should be prohibited by domain name. In this example we are using “block” to trace and understand the example closer.
awk '{cmd="date -d @"$1" +\"%Y-%m-%d %H:%M:%S\""; cmd | getline d; close(cmd); print d, $3, $10}' /opt/zeek/logs/dns.log | grep "block"
2024-03-01 15:02:36 192.168.65.3 gogle.block
2024-03-01 15:02:36 192.168.65.16 gogle.block
2024-03-01 15:03:51 192.168.2.1 yhoo.block
2024-03-01 15:03:53 192.168.3.1 yhoo.block
The awk ‘cmd=’ command makes the logic more difficult to read, but it is simply converting the time to human readable format. The important part of the command is looking for “block” in the dns.log output, and that fields 1, 3, and 10 ($1, $3, $10 in awk specification) are the fields containing the date, time, source IP address, and the domain queried.
The conclusion from the generated list would indicate that a control for blocking domains is not working correctly and/or some hosts have an exception to the domain blocking policies. Incident response would continue from there.
Additional Capabilities
Your agency’s architecture, maturity, and use cases may need additional capabilities. Here are several worth considering:
- Geolocation: Mapping of IP addresses to geographic locations. This capability uses additional libraries; however, the current containers from the Zeek repo have the capability built in.
- Kafka Log Writer: Built in capability to stream to Kafka based services.
- Zeek Scripting: Advanced tailored solutions to support playbook developments for common responses within the Security Operations Center.
Summary
In seeking innovative ways to mature the agency Zero Trust posture, T-Rex cyber engineers take a complete cyber approach, applying Zero Trust principals. This article has focused on improving network visibility within the Network pillar. Building out diagnostics, threat hunting, and incident management are fundamental to pillar maturity.
Cybersecurity and Infrastructure Security Agency (CISA) supports 10+ tools and plugins for Zeek. The source code for the tools and plugins is located on it is open-source repository at: https://github.com/cisagov/
T-Rex’s cybersecurity engineers and architects work with Federal agencies to speed their Zero Trust endeavors through T-Rex’s Zero Trust Architecture Accelerator 2.0 and innovative tooling as shown here. Contact us at cybersecurity@trexsolutionsllc.com to discuss how we can assist in your Zero Trust program.
Zero Trust Articles
Looking for additional articles on Zero Trust? Check out our ZT articles:
- T-Rex Solutions, LLC Protecting Government Apps and Workloads from Zero-Day Cyber Threats – T-Rex Solutions, LLC (trexsolutionsllc.com)
- T-Rex Solutions, LLC Dr. Allen Harper on How T-Rex Helps Federal Agencies Meet the Zero Trust Challenge – T-Rex Solutions, LLC (trexsolutionsllc.com)
- T-Rex Solutions, LLC Secure by Design and Zero Trust: Integrating Supply Chain Risk Management with DevSecOps – T-Rex Solutions, LLC (trexsolutionsllc.com)
twitter
