Cyber Vault Discovery Part 3 — Difference Analysis

Yusuf makz
5 min read · Mar 18, 2022

Before continuing with this video, please go over the earlier parts of the video series to learn about the basics of Cyber Vault Discovery and the Dashboard and Explorer interfaces.

Difference Analysis can help IT administrators detect changes in the network hosts. It allows two network snapshots to be compared for differences. The differences are split into 3 categories: new hosts, down hosts and changed hosts.

We’ll go over the analysis to show you how to find anomalies across the network.

Think of the difference analysis as a magnifying glass that zooms in on the changes between two network snapshots and allows us to perform a very thorough investigation on them.

Subnet and Timeframe

The Difference Analysis interface works on an individual subnet level. It automatically selects the first subnet on the list. The timeframe dropdown is identical to the Dashboard and Explorer interfaces.

Source and Destination Selection

Next is the source and destination snapshot selection. Here you can select the source snapshot that will be used for the difference analysis. You can select it by clicking on the network map. This is similar to how the Explorer interface works.

The destination snapshot can be selected in a similar way from the destination network map. Any snapshot can be compared with any other. Even the same snapshot can be used for source and destination. Choosing your source and destination snapshots matters in order to see the flow of changes in the correct order.

The source snapshot will always be considered the baseline for the comparison. The following logic will be applied to detect differences:

  • All hosts that appear only in the destination snapshot will be considered as new hosts
  • All hosts that are missing in the destination snapshot will be considered as down hosts
  • All matching hosts between the two snapshots will be checked for open port changes
  • If a port is open only in the destination snapshot it will be considered as a new open port
  • If a port is closed in the destination snapshot it will be considered as a closed port

If you swap the source and destination selection the logic will be reversed.
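The comparison logic above, as an added example that is not part of the original post or of the Cyber Vault product: a Python sketch over two constructed snapshots (the host-to-open-ports representation is an assumption) that yields the new, down and changed hosts, plus the port totals behind the pie charts, and shows that swapping source and destination reverses the result.

```python
# Assumed representation: host address -> {"tcp": set(ports), "udp": set(ports)}.
Snapshot = dict[str, dict[str, set[int]]]
PROTOCOLS = ("tcp", "udp")

# Constructed sample snapshots (not real scan data).
SOURCE: Snapshot = {
    "10.0.0.1": {"tcp": {22, 80}, "udp": set()},
    "10.0.0.2": {"tcp": {443}, "udp": {161}},
    "10.0.0.3": {"tcp": {3389}, "udp": set()},
}
DESTINATION: Snapshot = {
    "10.0.0.1": {"tcp": {22, 80, 8080}, "udp": {123}},
    "10.0.0.2": {"tcp": {443}, "udp": {161}},   # unchanged, so it is hidden
    "10.0.0.4": {"tcp": {22}, "udp": set()},
}

def diff_snapshots(source: Snapshot, destination: Snapshot) -> dict:
    """Source is the baseline: hosts only in destination are new, hosts missing
    from destination are down, hosts in both are checked for port changes."""
    src_hosts, dst_hosts = set(source), set(destination)
    changed = {}
    for host in sorted(src_hosts & dst_hosts):
        delta = {}
        for proto in PROTOCOLS:
            before = source[host].get(proto, set())
            after = destination[host].get(proto, set())
            opened, closed = after - before, before - after   # new / closed ports
            if opened or closed:
                delta[proto] = {"new": sorted(opened), "closed": sorted(closed)}
        if delta:
            changed[host] = delta
    return {"new_hosts": sorted(dst_hosts - src_hosts),
            "down_hosts": sorted(src_hosts - dst_hosts),
            "changed_hosts": changed}

def summarize(result: dict, source: Snapshot, destination: Snapshot) -> dict:
    """Pie-chart totals: ports on new hosts count as new, ports on down hosts
    count as closed, and changed hosts contribute their per-protocol deltas."""
    counts = {p: {"new": 0, "closed": 0} for p in PROTOCOLS}
    for host in result["new_hosts"]:
        for p in PROTOCOLS:
            counts[p]["new"] += len(destination[host].get(p, set()))
    for host in result["down_hosts"]:
        for p in PROTOCOLS:
            counts[p]["closed"] += len(source[host].get(p, set()))
    for delta in result["changed_hosts"].values():
        for p, change in delta.items():
            counts[p]["new"] += len(change["new"])
            counts[p]["closed"] += len(change["closed"])
    return {"new_hosts": len(result["new_hosts"]), "down_hosts": len(result["down_hosts"]),
            "changed_hosts": len(result["changed_hosts"]),
            "new_ports": sum(c["new"] for c in counts.values()),
            "closed_ports": sum(c["closed"] for c in counts.values()),
            "by_protocol": counts}
```

Calling `diff_snapshots(DESTINATION, SOURCE)` turns the new host into a down host and the opened ports into closed ones, which is the reversal described above.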

With this in mind we can see how the difference analysis helps us understand exactly what changed in the network between the two snapshots. This is in contrast to the Explorer interface, which shows how the entire network looks at a particular point in time. Here, we see what changed between two separate times. All similarities between the two snapshots are hidden and only the changes remain visible. This way anomalous activity can be detected with ease.

Main Pie Charts

The following pie charts help to summarize all of the detected changes:

  • Total New/Resolved concerns display the total number of changed concerns
  • New/down hosts display the number of new and the number of down hosts between the snapshots
  • Total changed hosts show the number of hosts that appear on both snapshots but have different open ports
  • Total new/closed ports show how many new ports are discovered and how many have been closed
  • Total new/closed TCP and UDP ports show the same information for TCP and UDP ports respectively

This allows IT administrators to immediately see the breadth of changes between the two network snapshots.

Following down the interface is the New Hosts section. The concerns for all new hosts are displayed including the open TCP and UDP port numbers. The New TCP and UDP port tables show what ports were open on the new hosts. And the new hosts table gives detailed information about the discovered hosts. This allows IT administrators to quickly measure the concerns of the new hosts.

The ability to detect only the new hosts between two snapshots allows us to concentrate only on the newly found threats. This way an administrator can tune out all other information and focus on securing the new devices. In a forensics investigation, this can show when a host was live for the first time and what open ports and concerns it had.

Next is the down hosts section. Here we can see what hosts went down between the snapshots. The concerns, in this case, are marked as resolved as they no longer appear in the destination snapshot. The ports are considered closed. The TCP and UDP tables give more information on what ports were closed and the host table shows what hosts went down.

The down hosts can also be used for device and network troubleshooting. An alert can be triggered if an important host is down or unreachable. This way an administrator will be immediately notified when this happens.

Changed Hosts

The final section of the interface is the changed hosts. It shows all hosts that exist on both source and destination snapshots but have different open ports. The pie charts display:

  • New vs resolved concerns showing how many new and how many resolved concerns have been identified
  • The new concerns pie chart gives a breakdown of all identified new concerns
  • The resolved concerns give a breakdown of what concerns have been resolved
  • The total new and closed ports give statistics on how open ports were affected between the snapshots

The new TCP ports table shows all newly discovered ports while the closed TCP ports table shows all ports that were closed. The same logic applies to the new and closed UDP ports table.

The changed hosts section is more complex than the other sections because it has to keep track of more relationships between the snapshots. It allows IT administrators to quickly see only the relevant changes between the hosts and immediately discover all new concerns that need to be addressed. Also, the resolved concerns can confirm if a specific security action has worked or not. This way a before and after state can be observed to track how new security policies affect existing hosts. The more concerns that are resolved the better.

With Cyber Vault difference analysis we can have a complete record of how changes have been propagating through the network. It brings additional visibility of the network evolution over time. Armed with this new clarity an IT administrator can quickly uncover new concerns or confirm how new security controls have positively affected the network’s security.

Originally published at https://www.cybervault.app on March 18, 2022.
